Morty’s New Tool : Android Application Based CTF Challenge Walkthrough

Morty’s new tool is an intermediate level Android application CTF challenge. The basic aim of this CTF challenge is to learn the dynamic transformation in the code at run time, reverse engineering of native libraries and much more.

It will give an atmosphere of real time scenarios which will teach us the working of an application, its process and data flow.

Let’s take a minute to thank Moksh for creating this challenge. If someone wants to try and solve the challenge before going through the walkthrough, the link for the CTF can be found [here] and the application can be downloaded from [here].

Tools Used :

Connecting the device with a USB cable and entering command for checking proper connectivity.

The above command will list down all the connected devices/emulators.

The above exhibit shows the list of devices connected to the system

After downloading the application from the above given link, the application can be installed in device/emulator by a very simple command.

The above exhibit shows that the application has been successfully installed in the device

We can run the application in the device/emulator

The above exhibit shows the first page after running the application in the device

Here, we can see there is a button named “LOGIN”.

On a single click we got a message..

The above exhibit shows the action performed after clicking in LOGIN button

The message says..

Request Sent : { “algo” : “SHA256” , “challenge” : “lab3” , “flag” : <value-of-the-flag> }

So from here, we can grab the information that the

We just have to break the hash and we have the flag..

How much time will it take to break a SHA-256 hash ?

Well! We need to find an alternative for this.

So for reverse engineering entering a simple command

Reading the code from MainActivity.java

The above code snippet shows that the source code is obfuscated and JSON object being created

On reading further code…

The above code snippet shows the function call for capturing the value of the flag

Let’s have a look at class t

The above code snippet shows the application source code having Class t and function a()

Let’s have a look at them.

The above source code shows the declaration of two functions k1() and k2() in source code
The above code snippet shows that the native library named “local” is loaded in application source code

So now for reading a native library we need a binary analysis reverse engineering tool i.e Ghidra.

The above code snippet is from ghidra for native function k1()

Here, we can see the function k1() is of no use to us as it returns nothing (void), we need to monitor k2().

The above code snippet is from ghidra for native function k2()
The above code snippet is from ghidra for native function k2()

So, after trying to read the code we got an understanding that is very dynamic and we cannot directly capture the flag straight from the binaries by just reading the native code.

We have an alternative approach to this, which is runtime hooking.

For doing this we have a tool named FRIDA, a dynamic instrumentation tool.

A short script in JS for hooking the return value of function k2().

The above code snippet shows the frida script used to hook the function k2() at run time.

Running the above written JS script for hooking using FRIDA

The above exhibit shows the return value of the function k2() captured by hooking it by FRIDA

We got a string, as a return value of function k2() in Original arg parameter.

Now we can replicate the code written in class t and compile it to find the flag.

The above exhibit shows the value of flag

You got your new dynamic analysis tool i.e FRIDA

Takeaways :

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store