🚩
Capture the Flag
  • Capture the Flag
  • PicoCTF
    • PicoCTF 2023
      • General Skills
        • chrono
        • money-ware
        • Permissions
        • repetitions
        • useless
        • Special
        • Specialer
      • Cryptography
        • HideToSee
        • ReadMyCert
        • rotation
        • PowerAnalysis: Warmup
      • Reverse Engineering
        • Ready Gladiator 0
        • Reverse
        • Safe Opener 2
        • timer
        • Ready Gladiator 1
      • Forensics
        • PcapPoisoning
        • hideme
        • who is it
        • FindAndOpen
      • Binary Exploitation
        • two-sum
      • Web Exploitation
        • MatchTheRegex
        • findme
Powered by GitBook
On this page
  • Description
  • Solution
  • Flag
  1. PicoCTF
  2. PicoCTF 2023
  3. Reverse Engineering

timer

Author: Loic Shema | 100 points

Description

You will find the flag after analyzing this apk

Download here.

Solution

For this challenge we are given an Android apk file. If you are not familiar with the apk format, it is a file format used by Android, and other Android-based operating systems, for distribution and installation of software. It's similar to deb packages if you've use Ubuntu/Debian.

The first action I perform when given a file is use the file program to retrieve the basic information of the file.

% file timer.apk 
timer.apk: Zip archive data, at least v0.0 to extract, compression method=store

Once I see it's a zip archive, I unzip it after placing it in it's own directory and display it's contents.

% ll
total 13300
-rw-r--r--. 1 matthew matthew    3300 Jan  1  1981 AndroidManifest.xml
-rw-rw-rw-. 1 matthew matthew  472460 Jan  1  1981 classes2.dex
-rw-rw-rw-. 1 matthew matthew    6848 Jan  1  1981 classes3.dex
-rw-rw-rw-. 1 matthew matthew 7591452 Jan  1  1981 classes.dex
drwxr-xr-x. 1 matthew matthew     148 May 16 22:32 kotlin
drwxr-xr-x. 1 matthew matthew    3320 May 16 22:32 META-INF
drwxr-xr-x. 1 matthew matthew    1158 May 16 22:32 res
-rw-r--r--. 1 matthew matthew  854796 Jan  1  1981 resources.arsc
-rw-r--r--. 1 matthew matthew 4678467 May 16 22:21 timer.apk

Here we are interested in the classes.dex file, as it will contain the code we need to find the flag. But how do we decompile a dex file?... stackoverflow.

Once we follow the installation instructions for both dex2jar and jd-gui as explained in the stackoverflow post above, we can use them to decompile all three dex files and investigate them. 

% sh d2j-dex2jar.sh -f classes.dex 
dex2jar classes.dex -> ./classes-dex2jar.jar
% sh d2j-dex2jar.sh -f classes2.dex 
dex2jar classes.dex -> ./classes2-dex2jar.jar
% sh d2j-dex2jar.sh -f classes3.dex 
dex2jar classes.dex -> ./classes3-dex2jar.jar

Now we open the jar files in JD-GUI, as shown below.

To find the flag we can open all three jar files in JD-GUI and use the Search tool to search for the string "pico" since we know this is what the flag string will start with.

We find it in the BuildConfig.class file.

Flag

The flag, found in BuildConfig.class, is picoCTF{t1m3r_r3v3rs3d_succ355fully_17496}

PreviousSafe Opener 2NextReady Gladiator 1

Last updated 1 year ago

classes.jar in JD-GUI
Search in JD-GUI
BuildConfig.class