I'd like to begin this post by saying that I do not like Andriod development. In college I decided to do summer class where I had to build an Android application that used OCR to read a menu and then query a database for nutrition information. It sucked and I haven't really touched Android development since.
Suffice to say, Android apps and their development are not in my wheel house. So, when I saw that the November MiniCTF was an apk, I almost immediately closed my laptop and returned my attention to the speaker. I'm not sure why, probably some mixture of masochism and something...something...never give up (actually it was the $50 gift card. Definitely that.), but I opened my laptop back up and decided to give it a shot. I figured that if I hit a wall, I could at least learn more about it when the solution was presented later in the evening.
After spending some time attempting to just run the apk in an Android emulator (I have a mac) and failing miserably, I decided to just convert it to a zip and unzip it to view the files inside.
APK FILE CONTENTS: AndroidManifest.xml classes.dex kotlin/ META-INF/ res/ resources.arsc
- AndroidManifest.xml is standard and mandatory across all android apps. It has basic information about your app, including a few fields you're required to declare.
- classes.dex is the compiled code for the android application
- kotlin is a programming language so that folder contains all of the supporting files for it
- META-INF contains metadata and other java related information
- res contains the resources for the application
- resources.arsc is the compiled resources used by the application.
Whenever I'm working on a challenge that I've never faced before, I figure out what kind of challenge it is and then I google around for similar ctf challenges in the same category. In this case, my browser history says I looked up "ctf android apk". My search led me to the github page for the SECCON Quals CTF from 2015 challenge: Reverse-Engineering Android APK 1 which in turn led me to the Ascope CTF team wordpress site with a post detailing a solution to the reverse engineering challenge they were tasked with solving. The first step they take after extracting the files is opening the jar in JD-GUI. But...hold up. What jar? Remember the classes.dex file? That has to be converted to a jar before you can view it in JD-GUI. A quick skim of a post on Stackoverflow and the rest was pretty easy from here.
Note: I wasted a lot of time trying to get dex2jar to work. Don't use the link on the Stackoverflow post. Get it from here instead. Your life will be easier.
Run the command
sh d2j-dex2jar.sh -f -o output_jar.jar [location of classes.dex]
And open the resulting jar file in JD-GUI where we see that there's a CheckFlag class with a function to generate the flag.
I copied the function into my own java program
After compiling and running it, I got the output:
According to my browser history, this whole process took me about an hour and half. Considering my own inexperience with Android apps and reverse engineering, I submitted my flag to the miniCTF creator and asked him how many people finished before me. To my dismay, he told me I was the first. And with that, please join me at the December SecDSM on December 20 for my miniCTF.