Note: All the related files that are mentioned in this post can be found here.
Category: Mobile
The task: We were given an apk that basically does nothing. However, if we dig deeper into the native layer, we’ll find a .so
file that we need to reverse engineer in order to get the flag.
Analysis
The apk tries to fetch an image (./digDeeper.jpg) and provide the response to a native method (agentMan()
).
After messing around with the .so
file, I found the ‘decryption’ implementation in the Java_com_jagent_javaagent_MainActivity_agentMan
exported function:
Explanation is below
Solution
I’ll break the screenshot above into 4 ‘components’:
- (1) The Algo: This is a typical XOR cipher
- (2) The Flag: This flag is hidden inside
digDeeper.jpg
(provided as a parameter to theagentMan()
native function) - (3) The Key: In the first few lines of the disassembly, the apk loads a constant variable(
DAT_0012c9a0
) and copies0xa8
bytes of it usingmemcpy
. This will be our XOR key (A5 00 00 00 BC ...
). - (4) The Implementation: This part was kinda trickey. The author of the challenge didn’t want to make it too obvious and put the encrypted flag characters one after another somewhere in the jpg file. Instead, the flag’s characters were being spread out all over the jpg file. one character for every 7401(
0x1CE9
) bytes of binary data.
Taking all of this into consideration, I came up with a solve.py
file which re-produces the loop(the one shown in the Analysis section above):
Output:
MCL{li7tl3_5P3c1al_S3crET_Ag3n7_'\'m3n'\'}