FireEye FLARE CTF 2017 : APK Challenge 8

The challenge requires decrypting passwords that together form the AES key used to decrypt the flag bytes.
Decompiling the flair.apk file shows four classes, each with a password we need to decrypt.


1. Michael Class
This is a simple password comparison. The password is MYPRSHE__FTW.

2. Brian Class
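The password is formed as shown below.
String.format("%s_%s%x_%s!", new Object[]{t, y, Integer.valueOf(p), c});

// t: tag of the ImageView with id pfdu
t = ((ImageView) findViewById(R.id.pfdu)).getTag().toString();
// y: "vdf" entry of the manifest meta-data (128 = PackageManager.GET_META_DATA)
y = getApplicationContext().getPackageManager().getApplicationInfo(getApplicationContext().getPackageName(), 128).metaData.getString("vdf");
// p: low 16 bits of the TextView's text color (SupportMenu.USER_MASK = 0xFFFF), printed as hex by %x
p = ((TextView) findViewById(R.id.vcxv)).getCurrentTextColor() & SupportMenu.USER_MASK;
// c: fifth space-separated word of the TextView's text
c = ((TextView) findViewById(R.id.vcxv)).getText().toString().split(" ")[4];

The password is hashtag_covfefe_Fajitas!.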


3. Milton Class
The password is formed by decrypting a string and taking the SHA1 of the decrypted string.

The decryption algorithm uses base64, XOR and substitution operations.
I wrote a Python script to decrypt the password string for the Milton class.

Output of the above Python script:
Milton Class String ---> A rich man is nothing but a poor man with money.
Milton Class String SHA1 ---> 10aea594831e0b42b956c578ef9a6d44ee39938d

4. Printer Class
To get the password for the Printer class we need to decrypt a few strings to understand what the function below is doing.

The strings in the above function can be decrypted by passing them to the above Python script, as shown below.

The decrypted strings are shown below.
JT43W0c= --->  SHA-1
Gv@H -->  tspe
,e}e8yGS!8Dev)-e@ -->  java.util.HashMap
vSBH -->  size
LHG -->  get
H?ye!v -->  equals
,e}e8yGS!81PPe(v -->  java.util.Arrays
,e}e8S98*eGeu.@yG5GPHed -->  java.io.DataInputStream
e.RP9SR8x9.GH.G8PHv81vvHG-e.eLHP -->  android.content.res.AssetManager
9@H. -->  open
PHeR -->  read
PHeRu.G -->  readInt
,e}e8yGS!8Dev)-e@ -->  java.util.HashMap
@yG -->  put
PHeR"(GH -->  readByte
PHeR5)9PG -->  readShort
e.RP9SR8x9.GH.G8M9.GHkG -->  android.content.Context
e.RP9SR8x9.GH.G8@d81@@!SxeGS9.u.g9 -->  android.content.pm.ApplicationInfo
g!eLv -->  flags
LHG1@@!SxeGS9.u.g9 -->  getApplicationInfo
LHG1@@!SxeGS9.M9.GHkG -->  getApplicationContext
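
The substitution layer can be recovered from the pairs listed above without the original script. The following Python code is an added example, not the author's script: it builds the symbol table from some of the listed pairs, checks that they are consistent with a one-to-one substitution, and decodes the remaining strings (build_table and decode are hypothetical names).

```python
# Added example: recover the substitution table from the pairs listed above.
# JT43W0c= is left out: its length differs from its plaintext, so it is not 1:1.
PAIRS = [
    ("Gv@H", "tspe"),
    (",e}e8yGS!8Dev)-e@", "java.util.HashMap"),
    ("vSBH", "size"),
    ("LHG", "get"),
    ("H?ye!v", "equals"),
    (",e}e8yGS!81PPe(v", "java.util.Arrays"),
    (",e}e8S98*eGeu.@yG5GPHed", "java.io.DataInputStream"),
    ("e.RP9SR8x9.GH.G8PHv81vvHG-e.eLHP", "android.content.res.AssetManager"),
    ('PHeR"(GH', "readByte"),
    ("PHeR5)9PG", "readShort"),
    ("e.RP9SR8x9.GH.G8M9.GHkG", "android.content.Context"),
    ("e.RP9SR8x9.GH.G8@d81@@!SxeGS9.u.g9", "android.content.pm.ApplicationInfo"),
]


def build_table(pairs):
    """Derive cipher->plain map; raise if the pairs contradict a 1:1 mapping."""
    table, reverse = {}, {}
    for cipher, plain in pairs:
        if len(cipher) != len(plain):
            raise ValueError(f"length mismatch: {cipher!r} vs {plain!r}")
        for c, p in zip(cipher, plain):
            if table.setdefault(c, p) != p or reverse.setdefault(p, c) != c:
                raise ValueError(f"conflict at {c!r} -> {p!r}")
    return table


def decode(text, table, unknown="?"):
    """Decode with the recovered table; unseen symbols become `unknown`."""
    return "".join(table.get(ch, unknown) for ch in text)


TABLE = build_table(PAIRS)

if __name__ == "__main__":
    # Strings from the list that were held out of PAIRS.
    for s in ("9@H.", "PHeR", "PHeRu.G", "@yG", "g!eLv",
              "LHG1@@!SxeGS9.u.g9", "LHG1@@!SxeGS9.M9.GHkG"):
        print(f"{s} --> {decode(s, TABLE)}")
```

Symbols that never occur in the known pairs decode to "?", which shows where the recovered table is still incomplete.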

The function reads the tspe file from the assets folder and forms the password string.

Printer Class Decrypted String : Give a man a fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life.
Printer Class Decrypted String SHA1 : 5f1be3c9b081c40ddfc4a0238156008ee71e24a4

Once we have the passwords for all four classes, we concatenate them to form the AES key and decrypt the flag bytes.

Flag : pc_lo4d_l3tt3r_gl1tch@flare-on.com
