
0CTF 2015 Quals - Task VEZEL

After decompiling the provided APK file with http://www.decompileandroid.com/ and opening MainActivity.java under /com/ctf/vezel, I found this:

// Decompiled by Jad v1.5.8e. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.geocities.com/kpdus/jad.html
// Decompiler options: braces fieldsfirst space lnc 

package com.ctf.vezel;

import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Bundle;
import android.support.v7.app.ActionBarActivity;
import android.view.Menu;
import android.view.MenuInflater;
import android.view.MenuItem;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import java.io.IOException;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

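public class MainActivity extends ActionBarActivity
{

    Button bt;
    EditText et;

    public MainActivity()
    {
    }

    /**
     * Returns the CRC-32 of the {@code classes.dex} entry of this app's own APK,
     * rendered as a decimal string, or {@code ""} if the APK cannot be read.
     * <p>
     * This value is not a secret: anyone holding the APK can compute it offline,
     * so it only makes the expected input harder to guess, not impossible to derive.
     */
    private String getCrc()
    {
        ZipFile apk = null;
        try
        {
            apk = new ZipFile(getApplicationContext().getPackageCodePath());
            ZipEntry dex = apk.getEntry("classes.dex");
            if (dex == null)
            {
                // A missing entry would otherwise surface as a NullPointerException
                // in the catch block below; make the failure explicit instead.
                return "";
            }
            // ZipEntry.getCrc() returns a long; String.valueOf renders it in decimal.
            return String.valueOf(dex.getCrc());
        }
        catch (Exception exception)
        {
            exception.printStackTrace();
            return "";
        }
        finally
        {
            // The ZipFile was never closed before; release the file handle.
            if (apk != null)
            {
                try
                {
                    apk.close();
                }
                catch (IOException ignored)
                {
                    // The CRC has already been read; a failed close changes nothing.
                }
            }
        }
    }

    /**
     * Returns {@code hashCode()} of the first signing certificate of package
     * {@code s}, or {@code 0} if the package info cannot be obtained.
     * <p>
     * Only {@code signatures[0]} is consulted, so an APK signed with several
     * certificates is identified by whichever one is listed first. Like the
     * CRC, this value is derivable from the APK itself without running the app.
     *
     * @param s the package name to look up (the app passes its own)
     */
    private int getSig(String s)
    {
        PackageManager packagemanager = getPackageManager();
        try
        {
            // 64 in the decompiled code is PackageManager.GET_SIGNATURES.
            PackageInfo info = packagemanager.getPackageInfo(s, PackageManager.GET_SIGNATURES);
            Signature[] signatures = info.signatures;
            if (signatures == null || signatures.length == 0)
            {
                // Previously an ArrayIndexOutOfBoundsException caught below; same result.
                return 0;
            }
            return signatures[0].toCharsString().hashCode();
        }
        catch (Exception exception)
        {
            exception.printStackTrace();
            return 0;
        }
    }

    /**
     * Click handler for {@link #bt}: accepts the text in {@link #et} iff it equals
     * {@code "0CTF{" + getSig(getPackageName()) + getCrc() + "}"} (case-sensitive).
     * <p>
     * Both components are recoverable from the APK, so this is an integrity /
     * obfuscation check rather than a comparison against a real secret.
     *
     * @param view the clicked view; unused
     */
    public void confirm(View view)
    {
        // The int from getSig is concatenated in decimal, as String.valueOf would do.
        String expected = "0CTF{" + getSig(getPackageName()) + getCrc() + "}";
        String entered = et.getText().toString();
        // 0 in the decompiled code is Toast.LENGTH_SHORT.
        if (expected.equals(entered))
        {
            Toast.makeText(this, "Yes!", Toast.LENGTH_SHORT).show();
        }
        else
        {
            Toast.makeText(this, "0ops!", Toast.LENGTH_SHORT).show();
        }
    }

    /**
     * Inflates the layout and looks up the button and the text field.
     * The hex constants are R.layout / R.id values whose names the decompiler dropped.
     */
    @Override
    protected void onCreate(Bundle bundle)
    {
        super.onCreate(bundle);
        setContentView(0x7f040017);
        bt = (Button)findViewById(0x7f090041);
        et = (EditText)findViewById(0x7f090040);
    }

    /** Inflates the options menu (R.menu constant, name lost in decompilation). */
    @Override
    public boolean onCreateOptionsMenu(Menu menu)
    {
        getMenuInflater().inflate(0x7f0d0000, menu);
        return true;
    }

    /**
     * Consumes the single menu item (R.id constant, name lost in decompilation)
     * without doing anything; every other item is delegated to the superclass.
     */
    @Override
    public boolean onOptionsItemSelected(MenuItem menuitem)
    {
        if (menuitem.getItemId() == 0x7f090042)
        {
            return true;
        }
        return super.onOptionsItemSelected(menuitem);
    }
}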

So this app will compare our input with the following string:

"0CTF{" + [hashCode() of this APK's signature.toCharsString()] + [CRC-32 of this APK's classes.dex] + "}"

As for the hashCode part, we can compute it without Android by using the code from http://androidcracking.blogspot.com/2010/12/getting-apk-signature-outside-of.html. For the CRC-32 checksum of classes.dex, any tool that computes CRC-32 will do; I used TeraCopy:

f:id:dakutenpura:20150331001820p:plain

And don't forget to convert this result to a decimal integer. Java's getCrc() returns the checksum as a number rather than a hex string, but I didn't notice this, so my first attempt to submit the flag failed.

The flag is: 0ctf{-1839715371189242199}