Introduction
In this writeup, I’ll walk you through the steps I took to reverse engineer an Android APK and extract the flag.
Description
Mr. Krabs has decided to make a new food delivery app for the Krusty Krab but Plankton decided to make his own patched version. Loyal Krusty Krab customers are saying weird network traffic and shell commands are coming from the app! Can you figure out what’s going on?
Enumeration
- Decompilation: Initially, I decompiled the APK using
jadxto transform it into readable Java code. The command used was:
jadx -Pdex-input.verify-checksum=no free-delivery.apk- Code Analysis: Next, I delved into the Java code, particularly focusing on the
doInBackgroundfunction inMainActivity.java. This function contained intriguing logic related to making HTTP requests, as seen in the code snippet provided.
public String doInBackground(Void... voidArr) {
try {
MainActivity mainActivity = MainActivity.this;
StringBuilder sb = new StringBuilder();
sb.append(MainActivity.X0("aHR0cDovLzEyNy4wLjAuMToxMjU0"));
MainActivity mainActivity2 = MainActivity.this;
sb.append(mainActivity2.a1(mainActivity2.f12220f));
mainActivity.Q0(sb.toString());
MainActivity mainActivity3 = MainActivity.this;
StringBuilder sb2 = new StringBuilder();
sb2.append(MainActivity.X0("aHR0cDovLzEyNy4wLjAuMToxMjU0"));
MainActivity mainActivity4 = MainActivity.this;
sb2.append(mainActivity4.a1(mainActivity4.W0()));
mainActivity3.Q0(sb2.toString());
MainActivity mainActivity5 = MainActivity.this;
mainActivity5.Q0(MainActivity.X0("aHR0cDovLzEyNy4wLjAuMToxMjU0") + "AzE9Omd0eG8XHhEcHTx1Nz0dN2MjfzF2MDYdICE6fyMa");
return "";
} catch (Exception e8) {
e8.printStackTrace();
return "";
}
}Part 1
Looking into MainActivity.java, it became clear that the X0 method was used for decoding base64 strings:
public static String X0(String str) {
return Y0(Base64.decode(str, 0));
}But things got interesting when I noticed a part where a decoded string was combined with another string without decoding:
mainActivity5.Q0(MainActivity.X0("aHR0cDovLzEyNy4wLjAuMToxMjU0") + "AzE9Omd0eG8XHhEcHTx1Nz0dN2MjfzF2MDYdICE6fyMa");After decoding the second part, a hexadecimal string popped up, and deciphering it gave \x031=:gtxo\x17\x1e\x11\x1c\x1d<u7=\x1d7c#\x7f1v06\x1d !:\x7f#\x1a. Also, I stumbled upon a critical function named b1:
public byte[] b1(byte[] bArr) {
byte[] bytes = "SPONGEBOBSPONGEBOBSPONGEBOBSPONGEBOBSPONGEBOB".getBytes();
for (int i8 = 0; i8 < bArr.length; i8++) {
bArr[i8] = (byte) (bArr[i8] ^ bytes[i8 % bytes.length]);
}
return bArr;
}To see if the string went through this function for encoding, I used a Python script for XOR decryption:
flag = b'\x031=:gtxo\x17\x1e\x11\x1c\x1d<u7=\x1d7c#\x7f1v06\x1d !:\x7f#\x1a'
flag = list(flag)
key = b"SPONGEBOBSPONGEBOBSPONGEBOBSPONGEBOBSPONGEBOB"
for i in range(len(flag)):
flag[i] = (flag[i] ^ key[i % len(flag)])
flag = bytearray(flag)And the outcome uncovered the first part of the flag:
b'Part 1: UMASS{0ur_d3l1v3ry_squ1d_'
Quite the journey just for the first part!
Part 2
So, in the MainActivity.java file of the app, there’s a line that loads a native library:
static {
System.loadLibrary("freedelivery");
}I explored the app’s directory and found the library libfreedelivery.so in different architectures like x86_64, arm64-v8a, and armeabi-v7a. Using Ghidra, I peeked into the library’s code and found this interesting snippet:
do {
i = (long)(int)i;
local_58[i] = (&DAT_0010e6ec)[i] ^ 0x55;
i = (i + 1) * (long)c;
} while (local_58[i + -1] != '\0');then I decoded DAT_0010e6ec, and it looked like this:
b'\x30\x36\x3d\x3a\x75\x77\x05\x34\x27\x21\x75\x01\x22\x3a\x6f\x75\x22\x64\x39\x39\x0a\x37\x27\x64\x3b\x32\x0a\x64\x21\x0a\x27\x64\x32\x3d\x21\x0a\x65\x23\x66\x27\x0a\x74\x28\x77\x55'A simple XOR decryption in Python revealed the next part of the flag:
flag = list(b'\x30\x36\x3d\x3a\x75\x77\x05\x34\x27\x21\x75\x01\x22\x3a\x6f\x75\x22\x64\x39\x39\x0a\x37\x27\x64\x3b\x32\x0a\x64\x21\x0a\x27\x64\x32\x3d\x21\x0a\x65\x23\x66\x27\x0a\x74\x28\x77\x55')
for i in range(len(flag)):
flag[i] = flag[i] ^ 0x55
flag = bytearray(flag)
print(flag)And there it was, the second part of the flag:
b'echo "Part Two: w1ll_br1ng_1t_r1ght_0v3r_!}"\x00'
Put together with the first part, we get the full flag:
UMASS{0ur_d3l1v3ry_squ1d_w1ll_br1ng_1t_r1ght_0v3r_!}