Difficult: Easy
Category: Mobile
OS: Android (SDK 30)
Description: This app contains some unique keys. Can you get one?
First, we need download the .apk
For this mobile challenge,we need install an Android device with SDK 30 (Android 11 máx) with Genymotion.
Decopile the .apk with apktool
apktool d APKey.apk
Here we can see that is a simple login, so, probably we need bypass that.
We can use the jadx tool for making the work.
Looking around the source code I found this:
There are the condition in the login. If the username = admin and the password = MD5 (a2a3d412e92d896134d9c9126d756f) the app will trigger a Toast message at the end of the screen.
Let’s inspect inside of this situation.
Looking for smali files, I noticed that jadx is a bad choice. So I inspect for myself the file that is located in:
/APKey/smali/com/example/apkey/MainActivity$a.smali
But, why I’m looking for smali files?
Smali files are the assembly code representation of the source code of an Android application. When you compile an Android application, the Java source code is converted to Dalvik code, which can then be disassembled to Smali. Analyzing Smali files can help to understand the inner workings of the application at the low-level code level.
Anyways, I will write a post about Dalvik code in the further explaining in deep this amazing topic.
For the moment, let’s inspect the MainActivity$a.smali file with code
In the 37 line start the public method onClick
The selected code in the source code is represented at this point:
Then, we need work with the second “if-eqz” condition that is in the 148 line
Source code represent:
So we have if-eqz p1, :cond_1
Example
p1 = 1 + 1
if-eqz = p1 = 2, :then (flag) (but we don’t know the passwd)
We need change the function to if-nez
if-nez = p1 = 3, :then (flag) (just if we type the correct passwd will get the ‘Wrong Credentials’ Toast msg)
So, changing the expected value to any random, if we type the incorrect password, the flag will jump because not match.
Then, change the eqz to nez
Save the file and rebuild with apktool the apk.
apktool b APKey
Now it’s time for create a keystore for sign the apk:
keytool -genkeypair -v -keystore mykey.jks -keyalg RSA -keysize 2048 -validity 3650 -alias myalias
Now with the keystore, we can use apksigner for the signing:
apksigner sign --ks mykey.jks --ks-key-alias myalias --out apk.apk APKey/dist/APKey.apk
Now we can reinstall the apk with adb, run this command:
adb install -r apk.apk
But previously we need uninstall the APKey.apk original file.
Then:
I hope you found it useful (:
Leave a Reply