ghidra
-
Read more: BSides Canberra 2019 – You Shall Not Pass
Download: https://lautarovculic.com/my_files/PasswordCheckerAPKs.zip Install the correct APK, depends of your cpu device. You can check with getprop ro.product.cpu.abi In my case, is arm64-v8a.Then, install with ADB adb install -r PasswordChecker-arm64-v8a.apk We can see a simply password checker.That *return true or false*.Let’s inspect the source code with jadx (GUI version).And, decompile it with apktool apktool d PasswordChecker-arm64-v8a.apk We have the package name io.cybears.rev.passwordchecker and just one activity (MainActivity). And just the code that exists for our…
-
Read more: HackerOne H1-702 – Challenge 1
Description: Someone chopped up the flag and hide it through out this challenge! Can you find all the parts and put them back together? Download APK: https://lautarovculic.com/my_files/challenge1_h1-702.apk Install the apk with adb adb install -r challenge1_h1-702.apk Then, decompile with apktool apktool d challenge1_h1-702.apk Let’s inspect the source code with jadx (GUI version)When the app is launched, we just see an blank activity with the text “Reverse the…
-
Read more: BSides San Francisco CTF 2017 – flag-receiver
Description: Here is a simple mobile application that will hand you the flag.. if you ask for it the right way.P.S, it is meant to have a blank landing activity 🙂 Use string starting with Flag:Note: For this challenge, we need install some things into our Android 5.1 device with Genymotion.For example, an ARM Translator.https://github.com/m9rco/Genymotion_ARM_Translation Download APK: https://lautarovculic.com/my_files/flagstore.apk…
-
Read more: LabyREnth CTF 2016 – 1 – LastChance
Download IPA: https://lautarovculic.com/my_files/fbfe8ecef4b5f97c40687fd02f74ae009277538490fba314e61830d75b3b4ac5Password: infected When you extract the file, we’ll have the .ipa file, and the LastChance_Simulator.app folder.Inside of this folder we have the LastChance executable. file LastChance LastChance: Mach-O 64-bit x86_64 executable, flags We can use ghidra for inspect this binary.After load, we have the entry point. But, we can search for some functions or hardcoded strings.I found some interesting strings. Let’s found where is used.Taking…
-
Read more: Sharif University CTF 2016 – Android App
Description: Find the Flag!!Note: For this challenge, we need install some things into our Android 5.1 device with Genymotion.For example, an ARM Translator.https://github.com/m9rco/Genymotion_ARM_Translation Download APK: https://lautarovculic.com/my_files/Sharif_CTF.apk Install the apk with adb adb install -r Sharif_CTF.apk Then, decompile with apktool apktool d Sharif_CTF.apk We can see an input that need a serial number for login.Let’s inspect the source code with jadx (GUI Version)The package name is com.example.ctf2 Here’s the MainActivity java code public class MainActivity extends…
-
Read more: SECCON Quals CTF 2015 – Rock, Paper, Scissors
Description: Please win 1000 times in rock-paper-scissorsNote: For this challenge, we need install some things into our Android 5.1 device with Genymotion.For example, an ARM Translator.https://github.com/m9rco/Genymotion_ARM_Translation Download APK: https://lautarovculic.com/my_files/rps.apk Install the apk with adb adb install -r rps.apk Then, decompile it with apktool apktool d rps.apk We can see the game Rock, Paper and Scissors.If we win, +1.Draw keep points and loose all the pointsWe need…
-
Read more: AHE17: Android Hacking Events 2017 (Flag-Validator)
Methods For this challenge, probably we need install some things into our Android 5.1 device with Genymotion.For example, an ARM Translator.https://github.com/m9rco/Genymotion_ARM_Translation For download the APKhttps://team-sik.org/wp-content/uploads/2017/06/FlagValidator.apk_.zip With apktool will extract the content of the apk file apktool d FlagValidator.apk Let’s see the content of MainActivity.java that say so clear the structure of the flag.In the onValidateClick method public void onValidateClick(View view) { new StringBuilder(“Validate Token…
-
Read more: Injured Android – Flag 1 to 13
This CTF Mobile has taken from here:https://github.com/B3nac/InjuredAndroid I use a Genymotion Android device (API 29) for this challenge.For install and use the application, you must install an ARM Translator. I use the .zip file for Android 9.0, it’s work fine for the emulator. You can find the translator here:https://github.com/m9rco/Genymotion_ARM_Translation Flags First Steps There are so many flags in the application,…
-
Read more: AHE17: Android Hacking Events 2017 (AES-Decrypt)
For this challenge, we need install some things into our Android 5.1 device with Genymotion.For example, an ARM Translator.https://github.com/m9rco/Genymotion_ARM_Translation For download the APK https://team-sik.org/wp-content/uploads/2017/06/AES-Decrypt.apk_.zip Now, installing the APK, we can see a button and two text box for decrypt something. Then, let’s take around the code with jadx. Just we need this piece of Java…
-
Read more: Joker – Hack The Box – @lautarovculic
Difficult: Hard Category: Mobile OS: Android Description: The malware reverse engineering team got an alert about malware which is still published on Google’s PlayStore and has thousands of installs. Can you help them to identify the address of the command and control server in order to blacklist it ? Download and extract the .zip file…