Samsung CTF : Chicken or Egg Reversing Challenge
The CTF is over, but I really enjoyed solving the challenge (https://sctf.codeground.org/ctf/prob). The challenge is to decrypt flag.enc.
This is another APK + JNI (Java Native Interface) challenge, similar to the one in Google CTF 2017 (http://shasaurabh.blogspot.com/2017/07/google-ctf-2017-android-re-challenge.html).
The challenge can be divided into three parts:
1. Android application loading the native library.
2. Native library decrypts a DEX file in memory.
3. Using reflection to call methods of the DEX file decrypted in step 2.
1. Android application loading Native Library
The OnClick() method of the MainActivity class calls the constructor of the Crypt class.
Calling the constructor of the Crypt class loads the native library (libegg.so), which is an ELF for ARM.
The constructor of the Crypt class calls the crackEgg method implemented in the native library.
2. Native Library decrypts DEX file in memory
The native library reads the encrypted DEX file stored in the asset folder.
Before decrypting the DEX file, the native library decrypts the AES key and init vector. The encrypted AES key and init vector are stored at the following file offsets in the native library:
1. AES key - 0xB8A
2. Init vector - 0x930
Below is a Python implementation of the decryption loop the native library uses to decrypt the AES key and init vector.

    # Obfuscated byte strings taken from the native library
    enc_data = [
        {'asset_name': [0x64, 0x65, 0x64, 0x7D, 0x6A, 0x6A, 0x6C]},
        {'aes_key': [0x60, 0x75, 0x66, 0x77, 0x6A, 0x6B, 0x62, 0x6B,
                     0x60, 0x7A, 0x63, 0x69, 0x7F, 0x65, 0x6A, 0x69]},
        {'aes_init_vect': [0x69, 0x63, 0x6D, 0x60, 0x76, 0x69, 0x6A, 0x6D,
                           0x60, 0x64, 0x62, 0x78, 0x7B, 0x6B, 0x6C, 0x64]},
    ]

    for entry in enc_data:
        for key, value in entry.items():
            dec_data = ''
            # Each byte is XORed with its 1-based position in the string
            for idx, byte in enumerate(value):
                v = (byte ^ (idx + 1)) & 0xFF
                dec_data = dec_data + chr(v)
            print(key + ' ===> ' + dec_data)

Output:

    asset_name ===> eggyolk
    aes_key ===> awesomecipherkey
    aes_init_vect ===> handsomeinitvect

After decrypting the AES key and init vector, the native library decrypts the DEX bytes.
The decrypted DEX bytes are shown below.
How can we tell that AES is used to decrypt the DEX bytes? The answer is the hard-coded AES S-Box (substitution box) at file offset 0x24A7 in the native library.
Decompiling the decrypted DEX bytes gives the Egg class, which has an enc method that encrypts data using AES.
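The S-Box check described above can be automated. This is an added example, not code from the original post: it derives the AES S-Box and its inverse from their definition and searches a byte blob for either table, stored as bytes or widened to 32-bit words. `find_aes_tables`, `SAMPLE` and the filler bytes are constructed for illustration, with the forward table placed at 0x24A7 to mirror the offset quoted in the post.

```python
# Added example: locate AES S-Box tables in a binary blob (triage aid).

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def aes_sbox():
    """Derive the forward S-Box: field inverse followed by the affine map."""
    box = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):      # x^254 is x^-1 in GF(2^8)
                inv = gf_mul(inv, x)
        box.append(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2)
                   ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63)
    return bytes(box)

SBOX = aes_sbox()
INV_SBOX = bytes(SBOX.index(i) for i in range(256))  # table used when decrypting

def find_aes_tables(blob):
    """Return (name, element_width, offset) for every S-Box copy in blob."""
    hits = []
    for name, table in (("sbox", SBOX), ("inv_sbox", INV_SBOX)):
        for width in (1, 4):          # byte table, or bytes widened to uint32 LE
            needle = b"".join(v.to_bytes(width, "little") for v in table)
            pos = blob.find(needle)
            while pos != -1:
                hits.append((name, width, pos))
                pos = blob.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[2])

# Constructed sample, NOT the real libegg.so: filler with both tables embedded,
# the forward table placed at 0x24A7 to mirror the offset quoted in the post.
FILLER = bytes(i % 251 for i in range(0x3000))
SAMPLE = FILLER[:0x24A7] + SBOX + FILLER[:64] + INV_SBOX + FILLER[:32]

if __name__ == "__main__":
    for name, width, off in find_aes_tables(SAMPLE):
        print(f"{name} (width {width}) at file offset {off:#x}")
```

To check a real file, pass its contents to `find_aes_tables`, for example `open(path, "rb").read()`.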
3. Using Reflection to call methods of the DEX file decrypted in step 2
Method a() in the Crypt class calls the enc method of the Egg class using reflection to encrypt files.
To decrypt the flag.enc file, we can call the same enc function of the Egg class with a small modification: when initializing the Cipher instance, we set the mode to decrypt, as shown below.
After decrypting flag.enc we get a PDF file which has the flag inside it.