Thursday, May 30, 2013

Hack.Lu CTF 2011 Space Station 0xA1EA512A

Hints given to us:
Space Station 0xA1EA512A

You have seen a deserted space station. Your task is to enter it. The first barrier is the access system. But you can find a module with the application on it. Here is the file:

https://ctf.hack.lu/files/0xA1EA512A.apk

What is the key?

(There is also station B. Station B is the advanced one.)

Here is a copy of the apk file.
0xA1EA512A.zip

Recommended Tools:
1. android emulator (http://developer.android.com/sdk/index.html)

2. dex-translator (http://code.google.com/p/dex2jar/downloads/detail?name=dex-translator-0.0.9.3.zip&can=2&q=) - converts the Dalvik bytecode in an Android app into a Java jar file

3. DJ Java Decompiler (http://members.fortunecity.com/neshkov/dj.html) - Java decompiler

Key Logic:
if(k == (j1 ^ (0x67782aef ^ j1 ^ j - 1422) ^ j - 2))
    textview.append("That's OK. Come in.");
else
    textview.append("No, that is not OK!");

where
    k = the value the user types into the text box
    j = 0x67782aef + 2
    j1 = 12 is one of the two values the code assigns to it

More Information:
Decompiling the file yields 2 Java files, of which only AccessControl.java is of interest to us.
My approach to finding the condition that grants access is to find the line which indicates that you are “authorized”.
In this puzzle that is “That’s OK. Come in.”
The if statement has a total of 3 unknown variables. After tracing upwards, you will discover that k is actually what the user types in the text box. j is defined as 0x67782aef + 2, and j1 can be either 12 or 3L * (16 + (0x67782aef - 2)) - 0x57bac1daL - 2L;

Let’s take the easy way out by letting j1 be 12. We write a one-line PHP script that evaluates the expression, type its output into the emulator and test whether it works.

Solution:
Run a php script =D
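The computation behind that one-liner, as an added Python example (not the author's PHP script and not the app's code): it evaluates the decompiled condition with the same operator precedence Java uses, and goes one step further by showing that the key is the same for both values of j1, because the j1 terms and the 0x67782aef term cancel under XOR.

```python
# Added example, not from the original write-up or the APK.
# Every intermediate value is non-negative and below 2**63, and the int-typed
# terms stay below 2**31, so Python's unbounded ints agree with Java's int/long
# arithmetic here (no wrap-around to account for).

CONST = 0x67782aef


def access_ok(k: int, j1: int) -> bool:
    """The condition from AccessControl.java, written exactly as decompiled.

    In both Java and Python '-' binds tighter than '^', so
    'a ^ b - c' is 'a ^ (b - c)'.
    """
    j = CONST + 2
    return k == (j1 ^ (CONST ^ j1 ^ j - 1422) ^ j - 2)


def derive_key() -> int:
    """Simplify the condition instead of brute-forcing it.

    k == j1 ^ (CONST ^ j1 ^ (j - 1422)) ^ (j - 2)
    XOR is associative and commutative: j1 ^ j1 == 0, and since
    j - 2 == CONST, CONST ^ (j - 2) == 0.  Only j - 1422 survives.
    """
    j = CONST + 2
    return j - 1422


# Both candidate values of j1 that the decompiled code can assign.
J1_CANDIDATES = (
    12,
    3 * (16 + (CONST - 2)) - 0x57bac1da - 2,  # the long-typed alternative
)


def key_works_for_all_j1() -> bool:
    """True if the derived key satisfies the check for every j1 candidate."""
    key = derive_key()
    return all(access_ok(key, j1) for j1 in J1_CANDIDATES)


if __name__ == "__main__":
    key = derive_key()
    print(f"key = 0x{key:x} ({key})")
    for j1 in J1_CANDIDATES:
        verdict = "That's OK. Come in." if access_ok(key, j1) else "No, that is not OK!"
        print(f"j1 = {j1}: {verdict}")
```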


Result:
0x67782563
Screenshot:


Using the answer, we solved the Android CrackMe. :D

cheers
Elucidator
