PicoCTF_2023 /

timer

Figure 1: The challenge description.

The challenge involves decompiling an apk file. Its hints suggests to use either mobsf or jadx tool (figure 1). The skills involved here, namely decompiling APK to Java is new to me as up till this challenge, as C is the low level language I’m more familiar with.

GeeksforGeeksexplains that in order to run a java code, it is first compiled into bytecode and class files similar to C, however it has the extra step involving a Java Virtual Machine to generate the machine code for execution of the program. This lends to Java’s strength in portability across operating systems. [1]

However, ARM based Android devices have limited battery life, memory and processing capacity compared to desktops. These requirements means special compilers and VMs need to be used for compilation and execution of Java in Android systems, namely DEX and Dalvik Virtual Machine or DVM. The file extension of the final executable is also .apk instead of .jar [2]

First, let’s inspect the file. It is indeed an APK file for Android OS and its shown to be signed. (Figure 2)

Figure 2: Inspection of file type for timer.apk

The official github repository for Mobile Security Framework, or Mobsf describes the tool as an all-in-one security suite but designed as a web app for use on Android, iOS or Windows systems [3], making it unsuitable in this use-case involving Kali Linux as the Guest OS testing environment. Thus the next step would be to research the process of Java code compilation on Android then use jadx to obtain timer’s source code.

jadx

The official Kali Linux describes jadx as a tool for reverse engineering .apk files or output of DEX compiler back to the human readable java source code. It comes in both CLI and GUI options. Jadx does not ship with Kali Linux by default and needs to be installed through the usual apt package manger [4] :

sudo apt install jadx

From jadx CLI’s help page the syntax of usage is:

jadx [options] <input files>

From the help page the GUI option for jadx can be accessed with the command:

jadx-gui

timer.apk was subsequently opened in the graphical interface and the flag is shown to be hidden as the version name of the timer app, in the BuildConfig class of the example.timer package. (Figure 3)

Figure 3: The flag revealed in jadx ‘s graphical user interface.

References

[1] “Compilation and Execution of a Java Program,” GeeksforGeeks, Apr. 16, 2018. https://www.geeksforgeeks.org/compilation-execution-java-program/

[2] “Difference Between JVM and DVM,” GeeksforGeeks, Dec. 27, 2020. https://www.geeksforgeeks.org/difference-between-jvm-and-dvm/

[3] “Mobile Security Framework (MobSF),” Mobile Security Framework (MobSF). https://mobsf.github.io/Mobile-Security-Framework-MobSF/

[4] “jadx | Kali Linux Tools,” Kali Linux. https://www.kali.org/tools/jadx/.

Related Topics

You Might Also Like

No Picture

who is it

No Picture

HideToSee

No Picture

Two Sums

Leave a Reply