NahamCon CTF 2022 – Click Me!

Description: I created a cookie clicker application to pass the time. There’s a special prize that I can’t seem to get.


Install the apk with ADB:

    adb install -r click_me.apk

Decompile it with apktool:

    apktool d click_me.apk

Then open the apk in jadx (the GUI version) to read the decompiled source.
The package name is com.example.clickme. There is a MainActivity and another class called ActivityMainBinding, but only MainActivity matters here.

The main logic is the click handler of the "get flag" button. The flag is only shown when the cookie counter equals exactly 99999999 (the third argument to Toast.makeText, 0, is Toast.LENGTH_SHORT):

    public final void getFlagButtonClick(View view) {
        Intrinsics.checkNotNullParameter(view, "view");
        if (this.CLICKS == 99999999) {
            // Flag is computed at runtime by getFlag() and shown in a toast
            Toast.makeText(getApplicationContext(), getFlag(), 0).show();
        } else {
            Toast.makeText(getApplicationContext(), "You do not have enough cookies to get the flag", 0).show();
        }
    }

This is really simple: we just need to change 99999999 to 0, so the check passes before we click anything.
Since we patch bytecode rather than Java, go to the smali directory that apktool dropped for us.

				
					tree click_me/smali/com/example/clickme/
click_me/smali/com/example/clickme/
├── BuildConfig.smali
├── databinding
│   └── ActivityMainBinding.smali
├── MainActivity$Companion.smali
├── MainActivity.smali
├── R$color.smali
├── R$drawable.smali
├── R$id.smali
├── R$layout.smali
├── R$mipmap.smali
├── R$string.smali
├── R$style.smali
└── R.smali
				
			

We only need the MainActivity.smali file.
Inside it we can find the constants used by the comparison. Smali writes integer literals in hexadecimal:

The number 0x5f5e0ff is 99999999.
And 0x0 is 0.

We just need to change 0x5f5e0ff to 0x0 (make sure you edit the occurrence used by the click handler and not some unrelated constant).
After that, the logic in the decompiled Java looks like:

    if (this.CLICKS == 0) {
        Toast.makeText(getApplicationContext(), getFlag(), 0).show();
    }

Save the .smali file. Now it's rebuild time!

From the directory that contains the original apk (and the click_me directory apktool created), run:

    apktool b click_me

This creates a new, patched apk at click_me/dist/click_me.apk.
Align it with zipalign (alignment has to happen before signing, because the apksigner signature covers the whole archive and would be invalidated by aligning afterwards):

    zipalign -v -p 4 click_me/dist/click_me.apk click_me-aligned.apk

Now create a signing key with keytool:

    keytool -genkey -v -keystore name.keystore -keyalg RSA -keysize 2048 -validity 10000 -alias alias

Then sign the aligned apk with apksigner:

    apksigner sign --ks name.keystore --ks-key-alias alias --ks-pass pass:lautaro --key-pass pass:lautaro --out click_me-signed.apk click_me-aligned.apk

Uninstall the original app from the device first: our apk has the same package name but is signed with a different certificate, and Android refuses to install it over the original (INSTALL_FAILED_UPDATE_INCOMPATIBLE). Then install the newly signed apk with ADB:

    adb install -r click_me-signed.apk

Run the app, then, GET THE FLAG!
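The whole patch / rebuild / align / sign / install cycle above, as an added example script that is not part of the original writeup. It assumes apktool, zipalign, apksigner, keytool and adb are on PATH; the keystore name, alias and password are placeholders. Unlike a hand edit, patch_smali_const refuses to touch the file unless exactly one matching const instruction exists, so an unrelated constant with the same value cannot be patched by accident.

```shell
#!/bin/sh
# Added example (not the original writeup's code): automate patching the
# smali constant, rebuilding, aligning, signing and reinstalling the apk.
# Assumptions: apktool, zipalign, apksigner, keytool, adb on PATH;
# keystore/alias/password below are placeholders.
set -eu

# Convert a smali hex literal to decimal to confirm what we are about to
# patch (0x5f5e0ff -> 99999999).
smali_const_to_dec() {
    printf '%d\n' "$(( $1 ))"
}

# Replace literal OLD with NEW in one smali file, but only when exactly one
# "const[/4|/16|/high16] vN, OLD" instruction exists: the same value can
# appear elsewhere (resource ids, loop bounds) and must not be touched.
# usage: patch_smali_const FILE OLD_HEX NEW_HEX
patch_smali_const() {
    file=$1 old=$2 new=$3
    pat="^[[:space:]]*const(/4|/16|/high16)? [vp][0-9]+, ${old}\$"
    count=$(grep -c -E "$pat" "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "patch_smali_const: expected 1 match for $old in $file, found $count" >&2
        return 1
    fi
    # sed -i differs between GNU and BSD, so write to a temp file instead.
    sed -E "s#^([[:space:]]*const(/4|/16|/high16)? [vp][0-9]+, )${old}\$#\1${new}#" \
        "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
    # Confirm the edit actually landed.
    grep -q -E "^[[:space:]]*const(/4|/16|/high16)? [vp][0-9]+, ${new}\$" "$file"
}

# Rebuild the apktool directory, align, sign and verify the signature.
# usage: rebuild_and_sign APKTOOL_DIR BUILT_APK OUT_APK
rebuild_and_sign() {
    dir=$1 built=$2 out=$3
    ks=${KEYSTORE:-patch.keystore} alias=${KEY_ALIAS:-patch} pass=${KEY_PASS:-changeit}
    apktool b "$dir"
    # zipalign must run BEFORE apksigner: the v2/v3 signature covers the
    # whole zip, so aligning afterwards would invalidate it.
    zipalign -f -p 4 "$built" "$dir/dist/aligned.apk"
    if [ ! -f "$ks" ]; then
        keytool -genkey -v -keystore "$ks" -keyalg RSA -keysize 2048 -validity 10000 \
            -alias "$alias" -storepass "$pass" -keypass "$pass" -dname "CN=patch"
    fi
    apksigner sign --ks "$ks" --ks-key-alias "$alias" --ks-pass "pass:$pass" \
        --key-pass "pass:$pass" --out "$out" "$dir/dist/aligned.apk"
    apksigner verify --print-certs "$out"
}

# The original must be removed first: same package name, different signing
# certificate, so installing over it fails (INSTALL_FAILED_UPDATE_INCOMPATIBLE).
reinstall() {
    pkg=$1 apk=$2
    adb uninstall "$pkg" >/dev/null 2>&1 || true
    adb install "$apk"
}

main() {
    apktool d -f click_me.apk
    patch_smali_const click_me/smali/com/example/clickme/MainActivity.smali 0x5f5e0ff 0x0
    rebuild_and_sign click_me click_me/dist/click_me.apk click_me-signed.apk
    reinstall com.example.clickme click_me-signed.apk
}

# Only run the full pipeline when asked ("sh patch.sh run"), so the
# functions can also be sourced and used one at a time.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh patch.sh run` from the directory holding click_me.apk. The built apk path passed to rebuild_and_sign is what apktool writes for this challenge (it names the output after the original file); adjust it if your apktool.yml says otherwise.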

Flag: flag{849d9e5421c59358ee4d568adebc5a70}

I hope you found it useful (:
