Level 3 - KPA
Domain(s): Mobile
Last updated
We've managed to grab an app from a suspicious device just before it got reset! The copying couldn't finish so some of the last few bytes got corrupted... But not all is lost! We heard that the file shouldn't have any comments in it! Help us uncover the secrets within this app!
We are provided with an APK or an android application file.
Upon attempting to decompile the file, we are interrupted with an error that matches the description "last few bytes got corrupted".
As APK files are essentially ZIP archives, we can try using the zip command to find out what is wrong with the file.
However, we are faced with a warning regarding the zipfile comment.
Referring to the structure of a zip file, we can see that the zip file comment is stored in the End of Central Directory Record (EOCDR).
Comparing this with the hex dump of the APK we were given, we can see that the comment length field is 0x0a = 10 bytes, while the comment that actually follows is 0 bytes long.
We can fix this by changing the 0A in the comment length field to 00.
And now we can decompile the APK successfully.
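The same check and fix, done programmatically, as an added example that is not part of the original writeup: it locates the End of Central Directory Record, compares the declared comment length with the number of bytes that actually follow the record, and rewrites the length field when they disagree. It also confirms that the central directory itself still fits inside the file, since a truncation that reached into the central directory cannot be repaired this way. The sample archive is constructed in memory to mimic the challenge file (a 10-byte comment declared, then chopped off); the function and file names are this example's own.

```python
import io
import struct
import sys
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory Record signature
EOCD_FIXED_LEN = 22        # signature + fixed fields; the comment follows


def find_eocd(data: bytes) -> int:
    """Offset of the last EOCD signature (the comment may be up to 0xFFFF bytes), or -1."""
    start = max(0, len(data) - (EOCD_FIXED_LEN + 0xFFFF))
    return data.rfind(EOCD_SIG, start)


def check_eocd(data: bytes) -> dict:
    """Parse the EOCD fixed fields and compare the declared comment length with reality."""
    off = find_eocd(data)
    if off < 0:
        raise ValueError("no EOCD record found; file is not a ZIP or is truncated too far")
    # disk no, CD disk, entries on disk, total entries, CD size, CD offset, comment length
    (_, _, _, n_total, cd_size, cd_offset, comment_len) = struct.unpack_from("<HHHHIIH", data, off + 4)
    actual = len(data) - (off + EOCD_FIXED_LEN)
    return {
        "eocd_offset": off,
        "entries": n_total,
        "declared_comment_len": comment_len,
        "actual_comment_len": actual,
        # the central directory must end at or before the EOCD record
        "cd_intact": cd_offset + cd_size <= off,
    }


def repair_comment_length(data: bytes) -> bytes:
    """Return a copy whose EOCD comment length matches the bytes actually present."""
    info = check_eocd(data)
    if not info["cd_intact"]:
        raise ValueError("central directory is truncated; cannot repair by fixing the comment length")
    if info["declared_comment_len"] == info["actual_comment_len"]:
        return data
    fixed = bytearray(data)
    # comment length field sits 20 bytes into the record (after signature + 4 shorts + 2 longs)
    struct.pack_into("<H", fixed, info["eocd_offset"] + 20, info["actual_comment_len"])
    return bytes(fixed)


def list_entries(data: bytes) -> tuple:
    """Open the archive with the standard library and return (names, comment)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist(), zf.comment


def make_corrupted_sample() -> bytes:
    """Constructed sample: a tiny archive with a 10-byte comment, then the comment chopped off."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.comment = b"0123456789"          # length field becomes 0x0a
    return buf.getvalue()[:-10]             # drop the comment bytes, keep the 0x0a field


if __name__ == "__main__":
    # usage: python fix_eocd.py broken.apk fixed.apk
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            raw = f.read()
        print(check_eocd(raw))
        with open(sys.argv[2], "wb") as f:
            f.write(repair_comment_length(raw))
    else:
        sample = make_corrupted_sample()
        print("before:", check_eocd(sample))
        print("after: ", check_eocd(repair_comment_length(sample)))
```

Note that Python's own zipfile module tolerates a short comment, so the declared/actual mismatch is reported by check_eocd rather than by an exception; stricter tools such as apktool or the zip utility are the ones that refuse the file.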
We can open the output folder in Android Studio to dig into the code.
First, start a virtual device in Android Studio, drag the fixed APK file onto the emulator to install it, and open the application. We see a message "Suspicious device detected!"
The next thing we need to do is disable this check. Search for the string "Suspicious" in files and you should find it in the file MainActivity.smali.
We can replace if-eqz with if-nez to bypass the check, then rebuild the APK with
Before we can install and test the patched app, we have to sign it. In this case, we'll use the Uber APK Signer: https://github.com/patrickfav/uber-apk-signer
Now if we install the signed APK jpa_fixed-aligned-debugSigned.apk, we should be able to see the main page, but it still lacks some elements seen in the source code.
Using jadx-gui, we can decompile the APK into Java to make it more readable. Then in MainActivity.java, we can see that the application is mostly loaded after a certain condition is met.
We can compare this with the smali code to locate the condition we can edit to bypass the check.
In this case, simply change if-eq to if-ne.
Recompile the app, sign it, then re-install it and you should see the app as below.
The app now tells us that the secret we need was written somewhere. This could be the logs, but we can also simply look at a heap dump.
Open the APK in Android Studio and click the Profile button in the toolbar.
The application should open on the emulated device and you should see the profiler at the bottom.
Right click MEMORY and click Open Memory, then select Capture heap dump and Record. When the heap dump opens, search for String and scan through the list of instances. Knowing that the string is 25 characters long makes it easier to locate.
Secret string: ArBraCaDabra?KAPPACABANA!
Lastly, enter this string into the app, and the flag will be displayed!
Flag: TISC{C0ngr@tS!us0lv3dIT,KaPpA!}