Morty’s New Tool : Android Application Based CTF Challenge Walkthrough
Morty’s new tool is an intermediate level Android application CTF challenge. The basic aim of this CTF challenge is to learn the dynamic transformation in the code at run time, reverse engineering of native libraries and much more.
It will give an atmosphere of real time scenarios which will teach us the working of an application, its process and data flow.
Let’s take a minute to thank Moksh for creating this challenge. If someone wants to try and solve the challenge before going through the walkthrough, the link for the CTF can be found [here] and the application can be downloaded from [here].
Tools Used :
adb : command line tool that lets you communicate with device
apktool : command line tool for reverse engineering android applications
jadx-gui : tool for producing Java source code from Android Dex and APK files
Android Studio : official Integrated Development Environment (IDE) for Android app development
Device : Android Device/Android Studio Emulator/Genymotion Emulator
Ghidra : Open source reverse engineering tool
Frida : dynamic code instrumentation toolkit for native applications
Connecting the device with a USB cable and entering command for checking proper connectivity.
adb devices
The above command will list down all the connected devices/emulators.
Note : Make sure to connect the android phone with debugging mode enabled for initiating the application installation process.
After downloading the application from the above given link, the application can be installed in device/emulator by a very simple command.
adb install <apk-name>
We can run the application in the device/emulator
Here, we can see there is a button named “LOGIN”.
On a single click we got a message..
The message says..
Request Sent : { “algo” : “SHA256” , “challenge” : “lab3” , “flag” : <value-of-the-flag> }
So from here, we can grab the information that the
Algorithm used for hashing is SHA-256
Value of the flag is stored in the flag parameter
We just have to break the hash and we have the flag..
How much time will it take to break a SHA-256 hash ?
So, basically I need a supercomputer with very high computational power for brute forcing a hash function which will take approximately (2^128) operations and will consume only a million years.
Well! We need to find an alternative for this.
Let’s get back to our reverse engineer technique. We have the jadx-gui, reverse engineering tool for reading the application source code.
So for reverse engineering entering a simple command
jadx-gui <apk-name>
Reading the code from MainActivity.java
JSON object named f1004a is being created and two parameters are being hardcoded.
On reading further code…
We can grab that, there is a class named t() which has a function a() which is returning SHA-256 hash value of the flag
Let’s have a look at class t
After reading the function a(), we can grab a bit of information that two functions k1() and k2() are playing some role.
Let’s have a look at them.
Here, k1() and k2() are two native functions which are being defined in a native library named “local”
So now for reading a native library we need a binary analysis reverse engineering tool i.e Ghidra.
function k1() opened in ghidra
Here, we can see the function k1() is of no use to us as it returns nothing (void), we need to monitor k2().
function k2() opened in ghidra
So, after trying to read the code we got an understanding that is very dynamic and we cannot directly capture the flag straight from the binaries by just reading the native code.
We have an alternative approach to this, which is runtime hooking.
Runtime hooking is a concept in which function variables can be monitored and modified at runtime.
For doing this we have a tool named FRIDA, a dynamic instrumentation tool.
Note : You can find the installation and configuration of FRIDA in your system [here]. A rooted device/emulator is required for running FRIDA.
A short script in JS for hooking the return value of function k2().
Running the above written JS script for hooking using FRIDA
We got a string, as a return value of function k2() in Original arg parameter.
Now we can replicate the code written in class t and compile it to find the flag.
CONGRATULATIONS !! Morty
You got your new dynamic analysis tool i.e FRIDA
Takeaways :
Learned reading application source code
Tracing down application source code
Using ghidra for reverse engineering binary files
Dynamic method hooking using FRIDA
Hard coding code is the key to failure