
TinyCTF - Rev 200


Finally, with Rev200, I was able to get into the more challenging flags! I really enjoyed this one, as it let me reflect on my glory days as an Android developer, if you could consider them as such!

Running file on the challenge file indicated it was a zip archive, but considering the context of the challenge, it was an Android APK package (essentially just a zip archive). The APK contained the set of files and resources that make up a typical Android application (Figure 1). A quick peek at AndroidManifest.xml and the resources didn't reveal anything juicy, so I set my eyes on classes.dex. I used the d2j-dex2jar tool to transform classes.dex into a jar file that I could then decompile to Java code (Figure 2).


Now that I had a Java jar file, I was able to decompile the jar into actual Java classes, where I was hoping to find some code to reveal a flag! To accomplish this, I used CFR, which is just an ordinary jar-to-Java decompiler. As the decompiler worked, I saw some class names that looked exactly like what I should be targeting in the decompiled Java code (Figure 3).


Sure enough, FlagActivity.java contained some code that looked like it displays a string in the activity view. From here, it was trivial to take the numeric values and convert them to their respective ASCII characters (Figure 4), revealing the flag!

/*
 * Decompiled with CFR 0_87.
 * 
 * Could not load the following classes:
 *  android.app.Activity
 *  android.os.Bundle
 *  android.view.Menu
 *  android.view.MenuInflater
 *  android.view.MenuItem
 *  android.view.View
 *  android.widget.TextView
 */
package ctf.crackme;

import android.app.Activity;
import android.os.Bundle;
import android.view.Menu;
import android.view.MenuInflater;
import android.view.MenuItem;
import android.view.View;
import android.widget.TextView;

public class FlagActivity
extends Activity {
    protected void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        this.setContentView(2130903040);
        String string = "";
        int[] arrn = new int[]{102, 108, 97, 103, 123, 119, 52, 110, 110, 52, 95, 106, 52, 114, 95, 109, 121, 95, 100, 51, 120, 125};
        int n = 0;
        do {
            if (n >= 22) {
                ((TextView)this.findViewById(2131230721)).setText((CharSequence)string);
                return;
            }
            string = string.concat(String.valueOf((char)arrn[n]));
            ++n;
        } while (true);
    }

    public boolean onCreateOptionsMenu(Menu menu) {
        this.getMenuInflater().inflate(2131165184, menu);
        return true;
    }

    public boolean onOptionsItemSelected(MenuItem menuItem) {
        if (menuItem.getItemId() == 2131230724) {
            return true;
        }
        return super.onOptionsItemSelected(menuItem);
    }
}


Flag: flag{w4nn4_j4r_my_d3x}
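
The conversion step above can be generalized into a small triage helper. This is an added example, not code from the original challenge or post: it scans decompiled Java source for int-array literals and decodes the ones made up entirely of printable ASCII, which shows why storing a string as character codes offers no protection against static analysis. The function name and the second array in the sample are assumptions made for illustration.

```python
import re

# Matches Java int-array literals such as: new int[]{102, 108, 97}
INT_ARRAY = re.compile(r"new\s+int\s*\[\s*\]\s*\{([^{}]*)\}")


def decode_int_arrays(java_source, min_len=4):
    """Return strings stored as printable-ASCII int arrays in Java source.

    Hypothetical helper name; min_len filters out short arrays that are
    printable only by coincidence.
    """
    found = []
    for match in INT_ARRAY.finditer(java_source):
        tokens = [t.strip() for t in match.group(1).split(",") if t.strip()]
        try:
            # Base 0 accepts decimal and 0x-prefixed hex literals.
            values = [int(t, 0) for t in tokens]
        except ValueError:
            continue  # elements are identifiers or expressions, not literals
        # Keep only arrays where every element is a printable ASCII code.
        if len(values) >= min_len and all(0x20 <= v <= 0x7E for v in values):
            found.append("".join(chr(v) for v in values))
    return found


# First array is taken from FlagActivity.java above; the second is a
# constructed array of resource-style ids that must not decode as text.
SAMPLE = """
int[] arrn = new int[]{102, 108, 97, 103, 123, 119, 52, 110, 110, 52, 95,
                       106, 52, 114, 95, 109, 121, 95, 100, 51, 120, 125};
int[] ids = new int[]{2130903040, 2131230721, 2131165184, 2131230724};
"""

if __name__ == "__main__":
    for text in decode_int_arrays(SAMPLE):
        print(text)
```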
