10 November 2014

Droid App - 80

An Android application was released for the toaster bots, but it seems like this one is some sort of debug version. Can you discover the presence of any debug information being stored, so we can plug this?
You can download the apk here.
The only thing needed is an apk decompiler and some programming knowledge.

I used decompileandroid to decompile the .apk package (after downloading it).

When the decompiling was complete, I downloaded the full contents of the APK.


I opened up the folder after it was downloaded (it was named 'source'), and, quite primitively, I know, searched through each subfolder, opening each and every file within it. Needless to say, the flag was located within one of the .java files in the 'picoapp' folder.


Its path is: source → src → picoapp453 → picoctf → com → picoapp

When I opened ToasterActivity.java, the flag immediately popped out at me.


The String created out of a char array in the ToasterActivity() constructor had 'flag' as its first four chars.

Being the lazy person I am, rather than manually remove all the commas, spaces, and apostrophes, I quickly wrote a simple Java program to do that for me because, you know, #yolo


However, there is a simpler way of printing out the flag: println'ing (printing) the variable containing the flag. The program is here:

    public class printFlag {
        public static void main(String[] args) {
            // Char array copied from the ToasterActivity() constructor in the decompiled source
            String entireFlag = new String(new char[] {'f', 'l', 'a', 'g', ' ',
                    'i', 's', ':', ' ', 'w', 'h', 'a', 't',
                    '_', 'd', 'o', 'e', 's', '_', 't', 'h',
                    'e', '_', 'l', 'o', 'g', 'c', 'a', 't',
                    '_', 's', 'a', 'y'});
            // Prints the assembled string, "flag is: " prefix included
            System.out.println(entireFlag);
        }
    }

And, for your convenience, the Java program I'd initially written is also here:

    public class RemoveNonAlphaChars {
        public static void main(String[] args) {
            // The char-array initialiser pasted in as plain text, quotes and commas included
            String entireFlag = ""
                    + "'f', 'l', 'a', 'g', ' ', 'i', 's', ':', ' '"
                    + ", "
                    + "'w', "
                    + "'h', 'a', 't', '_', 'd', 'o', 'e', 's', '_', 't', "
                    + "'h', 'e',"
                    + "'_', 'l', 'o', 'g', 'c', 'a', 't', '_', "
                    + "'s', 'a', 'y'";
            // Strip the apostrophes, then the commas
            String noApos = entireFlag.replaceAll("'", "");
            String noCom = noApos.replaceAll(",", "");
            // Keep only what follows the colon, i.e. drop the "flag is:" prefix
            String flag = noCom.substring(noCom.indexOf(":") + 1, noCom.length());
            // Remove the remaining spaces, leaving just the flag
            String noSpace = flag.replaceAll(" ", "");
            System.out.println(noSpace);
        }
    }

Regardless of the method used, the flag is what_does_the_logcat_say
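As an added example (not part of the original write-up): instead of opening every decompiled file by hand and cleaning up the array manually, a short Python script can walk the decompiled tree and decode every `new char[] {...}` initialiser it finds, which is also a quick way to audit a build for strings left behind this way. The function names and the `SAMPLE` class are assumptions made for this example; the sample source is constructed, not taken from the APK.

```python
import re
import sys
from pathlib import Path

# A Java char-array initialiser: new char[] {'f', 'l', 'a', 'g'}.
# The body is matched literal by literal so that a '}' char does not end it early.
CHAR_ARRAY = re.compile(r"new\s+char\s*\[\s*\]\s*\{((?:[^'}]|'(?:\\.|[^'\\])[^']*')*)\}")
# One char literal: a \uXXXX escape, a simple escape (\n, \'), or a plain character.
CHAR_LITERAL = re.compile(r"'(\\u[0-9a-fA-F]{4}|\\.|[^'\\])'")
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "0": "\0", "b": "\b", "f": "\f"}


def decode_literal(lit):
    """Turn the text between the quotes of one Java char literal into a character."""
    if lit.startswith("\\u"):
        return chr(int(lit[2:], 16))
    if lit.startswith("\\"):
        return SIMPLE_ESCAPES.get(lit[1], lit[1])  # \' \" \\ stand for themselves
    return lit


def decode_char_arrays(java_source):
    """Return every char-array initialiser in the source, decoded to a string."""
    return ["".join(decode_literal(c) for c in CHAR_LITERAL.findall(body))
            for body in CHAR_ARRAY.findall(java_source)]


def scan_tree(root, min_len=4):
    """Yield (path, decoded string) for each char array in .java files under root."""
    for path in sorted(Path(root).rglob("*.java")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for decoded in decode_char_arrays(text):
            if len(decoded) >= min_len:  # skip very short arrays to cut noise
                yield path, decoded


# Constructed sample (hypothetical class, not the decompiled ToasterActivity.java)
SAMPLE = """
public class Example {
    String a = new String(new char[] {'d', 'e', 'b', 'u', 'g',
            ':', ' ', '\\u0041', '\\'', '_', 'x'});
    char[] b = new char[] {'o', 'k'};
}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. the decompiled 'source' folder
        for path, decoded in scan_tree(sys.argv[1]):
            print(f"{path}: {decoded!r}")
    else:
        print(decode_char_arrays(SAMPLE))
```

Run it with the path of the decompiled folder as the only argument; with no argument it decodes the built-in sample.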