0CTF 2015 Quals - Task VEZEL
I decompiled the provided APK with http://www.decompileandroid.com/ (an online service — fine for a public CTF binary, but don't upload APKs you are not allowed to share with a third party) and opened MainActivity.java under /com/ctf/vezel, which contained this:
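// Decompiled by Jad v1.5.8e. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.geocities.com/kpdus/jad.html
// Decompiler options: braces fieldsfirst space lnc
package com.ctf.vezel;

import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Bundle;
import android.support.v7.app.ActionBarActivity;
import android.view.Menu;
import android.view.MenuInflater;
import android.view.MenuItem;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/**
 * Flag checker for 0CTF 2015 "vezel" (decompiled with Jad, reformatted by hand).
 *
 * The expected flag is built from two self-integrity values of the running APK:
 * the hashCode of the first signing certificate (see {@link #getSig(String)}) and
 * the CRC-32 of classes.dex as recorded in the APK's zip directory (see
 * {@link #getCrc()}). Both are read from the package on disk, so repackaging or
 * re-signing the APK changes them -- but both are also reproducible offline from
 * the original APK, so this is an anti-tamper check, not a secret.
 */
public class MainActivity extends ActionBarActivity {
    Button bt;
    EditText et;

    public MainActivity() {
    }

    /**
     * Reads the CRC-32 of the {@code classes.dex} entry of this app's own APK.
     *
     * The value comes from the zip directory of the file returned by
     * {@code getPackageCodePath()}; it is not recomputed over the entry's bytes.
     *
     * @return the CRC as a decimal string (a {@code long}, so never negative), or
     *         {@code ""} if the APK cannot be opened or has no classes.dex entry
     */
    private String getCrc() {
        ZipFile apk = null;
        try {
            apk = new ZipFile(getApplicationContext().getPackageCodePath());
            ZipEntry dex = apk.getEntry("classes.dex");
            if (dex == null) {
                // The decompiled code dereferenced this unconditionally and relied
                // on the catch-all below to turn the NPE into ""; make it explicit.
                return "";
            }
            return String.valueOf(dex.getCrc());
        } catch (Exception e) {
            e.printStackTrace();
            return "";
        } finally {
            // The original never closed the ZipFile, leaking a file handle on
            // every button press.
            if (apk != null) {
                try {
                    apk.close();
                } catch (Exception ignored) {
                    // Nothing useful to do on close failure; the result is already decided.
                }
            }
        }
    }

    /**
     * Hashes the first signing certificate of the given package.
     *
     * {@code 64} is {@code PackageManager.GET_SIGNATURES} (the compiler inlined
     * the constant). The result is Java's {@code String.hashCode()} over
     * {@code Signature.toCharsString()} -- a 32-bit, non-cryptographic hash, so
     * anyone holding the APK can compute it; it is only a weak identity check.
     *
     * @param s package name to look up (the app passes its own)
     * @return the signed 32-bit hash, or {@code 0} if the package or its
     *         signatures cannot be read
     */
    private int getSig(String s) {
        PackageManager pm = getPackageManager();
        try {
            // Only the first signer is considered.
            return pm.getPackageInfo(s, 64).signatures[0].toCharsString().hashCode();
        } catch (Exception e) {
            e.printStackTrace();
            return 0;
        }
    }

    /**
     * onClick handler for the button: accepts the input iff it equals
     * {@code "0CTF{" + getSig(getPackageName()) + getCrc() + "}"}.
     *
     * The two numbers are concatenated in decimal with no separator, and the
     * hashCode may be negative, so the flag can contain a leading '-'.
     *
     * @param view the clicked view (unused)
     */
    public void confirm(View view) {
        String expected = "0CTF{" + getSig(getPackageName()) + getCrc() + "}";
        String entered = et.getText().toString();
        // 0 == Toast.LENGTH_SHORT (inlined by the compiler).
        String msg = expected.equals(entered) ? "Yes!" : "0ops!";
        Toast.makeText(this, msg, 0).show();
    }

    /**
     * Inflates the layout and binds the button and the flag input field.
     * The numeric IDs are R.layout / R.id constants inlined by the compiler.
     *
     * @param bundle saved state passed through to the superclass
     */
    protected void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView(0x7f040017);
        bt = (Button) findViewById(0x7f090041);
        et = (EditText) findViewById(0x7f090040);
    }

    /**
     * Inflates the options menu (R.menu constant inlined by the compiler).
     *
     * @param menu the menu to populate
     * @return {@code true} so the menu is shown
     */
    public boolean onCreateOptionsMenu(Menu menu) {
        getMenuInflater().inflate(0x7f0d0000, menu);
        return true;
    }

    /**
     * Consumes the single menu item (inlined R.id constant) and defers
     * everything else to the superclass.
     *
     * @param menuitem the selected item
     * @return {@code true} if the item was handled here
     */
    public boolean onOptionsItemSelected(MenuItem menuitem) {
        if (menuitem.getItemId() == 0x7f090042) {
            return true;
        }
        return super.onOptionsItemSelected(menuitem);
    }
}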
So this app will compare our input with the following string:
"0CTF{" + [Java String.hashCode() of this APK's Signature.toCharsString(), a signed 32-bit int] + [CRC-32 of classes.dex as stored in the APK's zip directory, a long] + "}" — note the code builds the prefix in uppercase, and both numbers are written in decimal with no separator between them.
As for the hashCode part, we can compute it without an Android device using the code from http://androidcracking.blogspot.com/2010/12/getting-apk-signature-outside-of.html, which reproduces Signature.toCharsString().hashCode() from the signing certificate inside the APK. The CRC is simply the CRC32 recorded for the classes.dex entry in the (unmodified) APK, so any tool that reads zip entry checksums will do; I used TeraCopy:
And don't forget that both values are printed in decimal: the signature part is a signed 32-bit int (hence the leading minus sign), and the CRC part is the long returned by ZipEntry.getCrc() written in decimal, not the hexadecimal most checksum tools display. I didn't notice this, so my first attempt at submitting the flag failed.
The flag is: 0ctf{-1839715371189242199} (the app itself builds and compares the string with an uppercase prefix, "0CTF{...}", so submit it in that form if the checker is case-sensitive).