Google CTF 2017: Android RE Challenge
The challenge consists of three parts.
1. The Android application loads a native library (ARM or x86) depending on the platform.
2. The native library drops a dex file and dynamically loads it.
3. The native library modifies bytes (in memory) of the dex file loaded in step 2.
1. Android application loading the native library
Decompiling food.apk with JADX (a Dex to Java decompiler) and looking at AndroidManifest.xml, we see the activity is implemented in the FoodActivity class.
Looking at the FoodActivity class, it only loads the native library cook. The argument to System.loadLibrary is a library name chosen arbitrarily by the programmer. The system follows a standard, but platform-specific, approach to convert the library name to a native library file name. For example, a Solaris system converts the name cook to libcook.so, while a Win32 system converts the same name to cook.dll. Android follows the libcook.so convention.
2. Attaching to libcook.so
We will be using IDA Pro. Refer to http://www.hexblog.com/?p=809 for how to attach to a native library loaded by an Android application.
We will be using the ARM build of the native library. The JNI_OnLoad function exported by libcook.so is called as soon as the library is loaded.
JNI_OnLoad contains a lot of obfuscated strings; sub_1034 is the decryption routine called to decrypt them.
Below is a Python implementation of that routine.
# v is the list of 32-bit words to decrypt (as found in JNI_OnLoad).
v = [0xB651776, 0xF201572, 0x9652E6D, 0x1A690564, 0x216D0675, 0x9684F20,
     0x4610165, 0x2E2E0674, 0x36F0F20, 0xF6E1761, 0x11700F65]
o = ""  # decrypted output; every word yields two characters
for i in range(0, len(v)):
    r1 = v[i]
    # first character: byte 1 and byte 0 of the word, combined with the
    # NOT/OR/AND sequence of sub_1034 (which reduces to byte1 ^ byte0)
    r7 = (0xFF << 8) & 0xFFFFFFFF
    r7 = r7 & r1
    r6 = (r1 << 0x18) & 0xFFFFFFFF
    r7 = (r7 >> 0x8) & 0xFFFFFFFF
    r6 = (r6 >> 0x18) & 0xFFFFFFFF
    r5 = ~(r7)
    r5 = (r5 | r6)
    r6 = ~(r6)
    r6 = r6 | r7
    r6 = r6 & r5
    r6 = ~(r6)
    o = o + chr(r6)
    # second character: byte 3 XOR byte 2 of the word
    r6 = 0xFF0000
    r6 = (r6 & r1) & 0xFFFFFFFF
    r6 = (r6 >> 0x10)
    r1 = (r1 >> 0x18)
    r1 = (r1 ^ r6) & 0xFF
    o = o + chr(r1)
print(o)
Before dropping the dex file, the native library loads libdvm.so (the Dalvik VM library). If libdvm.so cannot be found it throws an error.
From Android 4.4 (KitKat, SDK version 19) Google introduced the Android Runtime (ART), so users could select between Dalvik and ART to execute their apps. Android 7.0 and above (SDK version 24 and above) uses ART by default.
The ART (libart.so) and Dalvik (libdvm.so) libraries are located in the /system/lib directory.
3. Dropping the dex file and dynamically loading it
The native library creates the directory /files/odex/ under /data/data/<app_package_name>.
It opens the file d.dex in write mode.
It writes 0x15A8 (5544) bytes, stored in the native library at offset 0x2F18, to d.dex.
Next, a DexClassLoader is instantiated to load class S from the dropped d.dex file. Below is the constructor signature of DexClassLoader.
DexClassLoader(String dexPath, String optimizedDirectory, String librarySearchPath, ClassLoader parent)
The native library executes the following to instantiate the DexClassLoader:
dalvik/system/DexClassLoader <init> (Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
Breakdown of the descriptor above:
dalvik/system/ - package
DexClassLoader - class
<init> - constructor of DexClassLoader
(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;) - parameter types of the constructor
V - return type void
Below are the parameters passed to the DexClassLoader constructor.
1. Ljava/lang/String - dexPath - /data/data/com.google.ctf.food/files/d.dex
2. Ljava/lang/String - optimizedDirectory - /data/data/com.google.ctf.food/files/odex
3. Ljava/lang/String - librarySearchPath - null
4. Ljava/lang/ClassLoader - parent
To obtain the parent ClassLoader, the following call is executed (implemented in sub_11F4).
java/lang/ClassLoader/getSystemClassLoader()Ljava/lang/ClassLoader;
Breakdown of the descriptor above:
1. java/lang - package
2. ClassLoader - class
3. getSystemClassLoader() - method
4. Ljava/lang/ClassLoader - return type
After the DexClassLoader is instantiated, its loadClass method is called to load class S from d.dex.
loadClass(Ljava/lang/String;)Ljava/lang/Class;
Ljava/lang/String - argument: com/google/ctf/food/S
Ljava/lang/Class - return type
After class S from d.dex is loaded, its constructor is called with the following descriptor.
<init>(Landroid/app/Activity;)V
<init> - constructor of class S
Landroid/app/Activity - the single constructor parameter is the activity object
V - return type void
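The descriptor breakdowns above all follow one fixed grammar, so they can be automated. The following Python parser is an added example (not code from the writeup or from the challenge): it turns any JNI method descriptor into Java parameter and return types, covering primitives and arrays beyond the object-only descriptors seen in this section, and renders the calls from this section the way a Java decompiler would print them. The function names parse_method_descriptor and describe_call are my own.

```python
# JNI field descriptor codes for primitive types.
PRIMITIVES = {
    "Z": "boolean", "B": "byte", "C": "char", "S": "short",
    "I": "int", "J": "long", "F": "float", "D": "double", "V": "void",
}


def parse_type(desc, pos):
    """Parse one field descriptor starting at desc[pos]; return (java_type, next_pos)."""
    dims = 0
    while desc[pos] == "[":          # leading '[' per array dimension
        dims += 1
        pos += 1
    c = desc[pos]
    if c == "L":                     # object type: Lpackage/Class;
        end = desc.index(";", pos)
        name = desc[pos + 1:end].replace("/", ".")
        pos = end + 1
    elif c in PRIMITIVES:
        name = PRIMITIVES[c]
        pos += 1
    else:
        raise ValueError("bad descriptor at %d: %r" % (pos, desc))
    return name + "[]" * dims, pos


def parse_method_descriptor(desc):
    """'(Ljava/lang/String;I)V' -> (['java.lang.String', 'int'], 'void')."""
    if not desc.startswith("("):
        raise ValueError("method descriptor must start with '('")
    params, pos = [], 1
    while desc[pos] != ")":
        t, pos = parse_type(desc, pos)
        params.append(t)
    ret, pos = parse_type(desc, pos + 1)   # return type follows ')'
    if pos != len(desc):
        raise ValueError("trailing data in descriptor: %r" % desc)
    return params, ret


def describe_call(cls, method, desc):
    """Render (class, method, descriptor) as the Java call a decompiler would show."""
    params, ret = parse_method_descriptor(desc)
    cls_name = cls.replace("/", ".")
    if method == "<init>":
        return "new %s(%s)" % (cls_name, ", ".join(params))
    return "%s %s.%s(%s)" % (ret, cls_name, method, ", ".join(params))


# The four calls the native library makes in this section, as (class, method, descriptor).
CALLS_IN_LIBCOOK = [
    ("dalvik/system/DexClassLoader", "<init>",
     "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V"),
    ("java/lang/ClassLoader", "getSystemClassLoader", "()Ljava/lang/ClassLoader;"),
    ("dalvik/system/DexClassLoader", "loadClass", "(Ljava/lang/String;)Ljava/lang/Class;"),
    ("com/google/ctf/food/S", "<init>", "(Landroid/app/Activity;)V"),
]

if __name__ == "__main__":
    for cls, method, desc in CALLS_IN_LIBCOOK:
        print(describe_call(cls, method, desc))
```

When reading JNI-heavy native code, feeding the strings recovered from GetMethodID/GetStaticMethodID calls through describe_call gives a quick list of what the library reaches into the Java side for.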
After class S from d.dex is loaded, the native library deletes d.dex and the /files/odex/ directory it created.
Let's pull the dropped d.dex file using adb pull and decompile it with JADX to see what it contains.
As mentioned above, once class S is loaded its constructor is called with the activity object as parameter. The class S constructor sends a broadcast, as highlighted below, and the broadcast receiver is implemented by class F.
The onReceive method of class F calls method cc(), as highlighted below.
The bytes of method cc are corrupted, and JADX is not able to decompile it.
4. Native library modifies bytes (in memory) of the loaded d.dex file
Reading memory and patching bytes is implemented in sub_1098 of the native binary.
Use /proc/self/maps to enumerate the memory mappings of the current process.
Read 0x100 bytes of it from the current process memory.
Buffer containing the read bytes.
Search for /d.dex in the bytes read.
If /d.dex is found, take the start address of that mapping (0x822e3000, as shown above) and find the offset of the loaded d.dex file within the mapping by searching for the magic bytes "dex".
If the magic bytes "dex" are found, copy the 0x90 bytes stored in the native library at offset 0x2e88.
Encrypted bytes in the native library at offset 0x2e88.
Decrypt the bytes stored at offset 0x2e88 by XORing each byte with 0x5A. Write the decrypted bytes at offset 0x720 from the address of the "dex" magic bytes found in the mapping.
Bytes at offset 0x720 in d.dex before patching.
Bytes at offset 0x720 in d.dex after patching.
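To see what the in-memory patch does to the dropped file from the analyst's side, here is an added Python example (my own, not the challenge's native code or the writeup's script) that replays step 4 on a constructed image: it parses a constructed /proc/<pid>/maps excerpt to find the d.dex mapping (using the 0x822e3000 start seen above), locates the "dex" magic in the region, XORs a constructed 0x90-byte blob with 0x5A and writes it 0x720 bytes past the magic, then cuts the dex out of the region using the file_size field of its header. The point is the last two calls: the dump fails the dex header's Adler-32 checksum and SHA-1 signature because the body was patched, and fixup_dex recomputes both so that a tool such as JADX will accept the dumped file. The sample dex is a consistent header over a zero-filled body with no classes; the maps lines, the plaintext bytes and every function name here are constructed for this demo.

```python
import hashlib
import re
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"   # magic + version of the dex format
HEADER_SIZE = 0x70          # fixed dex header size

# Constructed /proc/<pid>/maps excerpt. The d.dex mapping starts at the
# 0x822e3000 seen in the writeup; the other lines are made up for the demo.
SAMPLE_MAPS = """\
7f2a1000-7f2a5000 r-xp 00000000 b3:19 4242       /data/app-lib/com.google.ctf.food/libcook.so
822e3000-822e5000 r--p 00000000 b3:19 4343       /data/data/com.google.ctf.food/files/d.dex
bef00000-bef21000 rw-p 00000000 00:00 0          [stack]
"""

MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")


def find_mapping(maps_text, needle="/d.dex"):
    """Return (start, end) of the first mapping whose path contains needle, else None."""
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m and needle in m.group(3):
            return int(m.group(1), 16), int(m.group(2), 16)
    return None


def xor_bytes(blob, key=0x5A):
    """Single-byte XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in blob)


def fixup_dex(dex):
    """Recompute the SHA-1 signature (header bytes 0x0C..0x20, taken over everything
    from offset 0x20) and the Adler-32 checksum (bytes 0x08..0x0C, over everything
    from offset 0x0C), in that order, since the checksum covers the signature."""
    body = bytearray(dex)
    body[0x0C:0x20] = hashlib.sha1(body[0x20:]).digest()
    struct.pack_into("<I", body, 0x08, zlib.adler32(bytes(body[0x0C:])) & 0xFFFFFFFF)
    return bytes(body)


def verify_dex(dex):
    """Return (magic_ok, checksum_ok, signature_ok) for a dex image."""
    magic_ok = dex[:8] == DEX_MAGIC
    stored = struct.unpack_from("<I", dex, 0x08)[0]
    checksum_ok = (zlib.adler32(dex[0x0C:]) & 0xFFFFFFFF) == stored
    signature_ok = hashlib.sha1(dex[0x20:]).digest() == dex[0x0C:0x20]
    return magic_ok, checksum_ok, signature_ok


def build_sample_dex(size=0x800):
    """Constructed dex image: a consistent header over a zero-filled body (no classes)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = DEX_MAGIC
    struct.pack_into("<I", hdr, 0x20, size)                # file_size
    struct.pack_into("<I", hdr, 0x24, HEADER_SIZE)         # header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)          # endian_tag (little endian)
    struct.pack_into("<I", hdr, 0x68, size - HEADER_SIZE)  # data_size
    struct.pack_into("<I", hdr, 0x6C, HEADER_SIZE)         # data_off
    return fixup_dex(bytes(hdr) + b"\x00" * (size - HEADER_SIZE))


def dump_dex_from_region(region):
    """Locate the dex by its magic inside a mapped region and cut out file_size bytes."""
    off = region.find(b"dex\n")
    if off < 0:
        return None, None
    size = struct.unpack_from("<I", region, off + 0x20)[0]
    return off, bytes(region[off:off + size])


def demo():
    """Replay the step-4 patch on the constructed image; return the dex address and
    the verification results before and after fixing the header."""
    start, _end = find_mapping(SAMPLE_MAPS)
    # place the dex a little past the mapping base so the magic search matters
    region = bytearray(b"\x00" * 0x40 + build_sample_dex())
    off, _clean = dump_dex_from_region(region)
    dex_addr = start + off
    # constructed stand-in for the 0x90 encrypted bytes at native offset 0x2e88
    encrypted = xor_bytes(bytes(range(0x90)))
    region[off + 0x720:off + 0x720 + 0x90] = xor_bytes(encrypted)   # decrypt and write
    _off, dumped = dump_dex_from_region(region)
    return dex_addr, verify_dex(dumped), verify_dex(fixup_dex(dumped))


if __name__ == "__main__":
    addr, before, after = demo()
    print("dex at 0x%x; dump (magic, checksum, signature) = %s; after fixup = %s"
          % (addr, before, after))
```

Run the file directly to print the computed address and the before/after verification tuples. On a real device, comparing the checksum of a dex dumped from memory against the on-disk d.dex is a cheap way to tell that the runtime copy has been patched, which is exactly what happened to method cc here.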
Let's look at the cc() function of class F in the patched d.dex file. cc() calls method C of class R, which decrypts the flag bytes.
Implementing the logic of method C of class R, we get the flag below.
CTF{bacon_lettuce_tomato_lobster_soul}
A note on the optimizedDirectory parameter: the 2nd argument passed when instantiating the DexClassLoader is optimizedDirectory = /data/data/com.google.ctf.food/files/odex.
This odex directory receives the optimized form of d.dex, which is execution-ready for the Dalvik VM and does not need to be parsed again by it.