Morty’s New Tool : Android Application Based CTF Challenge Walkthrough

Morty’s new tool is an intermediate level Android application CTF challenge. The basic aim of this CTF challenge is to learn the dynamic transformation in the code at run time, reverse engineering of native libraries and much more.

It will give an atmosphere of real time scenarios which will teach us the working of an application, its process and data flow.

Let’s take a minute to thank Moksh for creating this challenge. If someone wants to try and solve the challenge before going through the walkthrough, the link for the CTF can be found [here] and the application can be downloaded from [here].

Tools Used :

adb : command line tool that lets you communicate with device

apktool : command line tool for reverse engineering android applications

jadx-gui : tool for producing Java source code from Android Dex and APK files

Android Studio : official Integrated Development Environment (IDE) for Android app development

Device : Android Device/Android Studio Emulator/Genymotion Emulator

Ghidra : Open source reverse engineering tool

Frida : dynamic code instrumentation toolkit for native applications

Connecting the device with a USB cable and entering command for checking proper connectivity.

adb devices

The above command will list down all the connected devices/emulators.

The above exhibit shows the list of devices connected to the system

Note : Make sure to connect the android phone with debugging mode enabled for initiating the application installation process.

After downloading the application from the above given link, the application can be installed in device/emulator by a very simple command.

adb install <apk-name>

The above exhibit shows that the application has been successfully installed in the device

We can run the application in the device/emulator

The above exhibit shows the first page after running the application in the device

Here, we can see there is a button named “LOGIN”.

On a single click we got a message..

The above exhibit shows the action performed after clicking in LOGIN button

The message says..

Request Sent : { “algo” : “SHA256” , “challenge” : “lab3” , “flag” : <value-of-the-flag> }

So from here, we can grab the information that the

Algorithm used for hashing is SHA-256

Value of the flag is stored in the flag parameter

We just have to break the hash and we have the flag..

How much time will it take to break a SHA-256 hash ?

So, basically I need a supercomputer with very high computational power for brute forcing a hash function which will take approximately (2^128) operations and will consume only a million years.

Well! We need to find an alternative for this.

Let’s get back to our reverse engineer technique. We have the jadx-gui, reverse engineering tool for reading the application source code.

So for reverse engineering entering a simple command

jadx-gui <apk-name>

Reading the code from MainActivity.java

The above code snippet shows that the source code is obfuscated and JSON object being created

JSON object named f1004a is being created and two parameters are being hardcoded.

On reading further code…

The above code snippet shows the function call for capturing the value of the flag

We can grab that, there is a class named t() which has a function a() which is returning SHA-256 hash value of the flag

Let’s have a look at class t

The above code snippet shows the application source code having Class t and function a()

After reading the function a(), we can grab a bit of information that two functions k1() and k2() are playing some role.

Let’s have a look at them.

The above source code shows the declaration of two functions k1() and k2() in source code

Here, k1() and k2() are two native functions which are being defined in a native library named “local”

The above code snippet shows that the native library named “local” is loaded in application source code

So now for reading a native library we need a binary analysis reverse engineering tool i.e Ghidra.

function k1() opened in ghidra

The above code snippet is from ghidra for native function k1()

Here, we can see the function k1() is of no use to us as it returns nothing (void), we need to monitor k2().

function k2() opened in ghidra

The above code snippet is from ghidra for native function k2()

The above code snippet is from ghidra for native function k2()

So, after trying to read the code we got an understanding that is very dynamic and we cannot directly capture the flag straight from the binaries by just reading the native code.

We have an alternative approach to this, which is runtime hooking.

Runtime hooking is a concept in which function variables can be monitored and modified at runtime.

For doing this we have a tool named FRIDA, a dynamic instrumentation tool.

Note : You can find the installation and configuration of FRIDA in your system [here]. A rooted device/emulator is required for running FRIDA.

A short script in JS for hooking the return value of function k2().

The above code snippet shows the frida script used to hook the function k2() at run time.

Running the above written JS script for hooking using FRIDA

The above exhibit shows the return value of the function k2() captured by hooking it by FRIDA

We got a string, as a return value of function k2() in Original arg parameter.

Now we can replicate the code written in class t and compile it to find the flag.

The above exhibit shows the value of flag

CONGRATULATIONS !! Morty

You got your new dynamic analysis tool i.e FRIDA

Takeaways :

Learned reading application source code

Tracing down application source code

Using ghidra for reverse engineering binary files

Dynamic method hooking using FRIDA

Hard coding code is the key to failure