Last week I joined googleCTF, but I could solve only 2 challenges :-(. Here is a writeup of a challenge I solved.
This is an RE challenge, and to start with I am given an Android APK file, "food.apk".
First, I disassembled this file with an online service: http://ift.tt/1H4YAZ1.
This gave me the source files. After some investigation, I realized that the FoodActivity class in com/google/ctf/food executes System.loadLibrary("cook").
Then I checked libcook.so in lib/x86/ with IDA Pro.
In its JNI_OnLoad section, many values are moved onto the stack and a function I named dec_str is executed.
Then I tried to find out what this function does, and recognized it as below.
Then the area at 0x00001640+0x15a8 is written to the d.dex file.
Finally, the sub_710 function is called.
After analyzing this function, I realized that it replaces one part of the d.dex file with other data.
The inspected source of this function is as below.
The replacement data is at 0x000015A0+0x90 and is XORed with 0x5a.
So I replaced this data in d.dex manually with a binary editor, and decompiled d.dex again with the online service.
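The manual carve-and-patch step can also be scripted. This is an added example, not the author's code: it treats the addresses above as file offsets and start+length pairs in libcook.so, takes the destination offset inside d.dex as a hypothetical `dest_off` parameter because the post does not state it, and runs on a constructed stand-in library. It also refreshes the DEX header checksum and SHA-1 after patching, which goes beyond what the post describes.

```python
import hashlib
import struct
import zlib

# Values from the writeup; treated here as file offsets into libcook.so (assumption).
DEX_OFF, DEX_LEN = 0x1640, 0x15A8      # embedded d.dex
PATCH_OFF, PATCH_LEN = 0x15A0, 0x90    # XOR-encoded replacement bytes
XOR_KEY = 0x5A

def carve(blob: bytes, off: int, length: int) -> bytes:
    """Return blob[off:off+length], failing loudly if the file is too short."""
    if off + length > len(blob):
        raise ValueError(f"region {off:#x}+{length:#x} exceeds file size {len(blob):#x}")
    return blob[off:off + length]

def decode_patch(lib: bytes) -> bytes:
    """Single-byte XOR decode of the replacement data."""
    return bytes(b ^ XOR_KEY for b in carve(lib, PATCH_OFF, PATCH_LEN))

def rebuild_dex(lib: bytes, dest_off: int) -> bytes:
    """Carve d.dex, patch at dest_off (hypothetical; not given in the post), fix header."""
    dex = bytearray(carve(lib, DEX_OFF, DEX_LEN))
    if dex[:4] != b"dex\n":
        raise ValueError("carved region does not start with DEX magic")
    if not 0x70 <= dest_off <= len(dex) - PATCH_LEN:
        raise ValueError("patch destination outside DEX body")
    dex[dest_off:dest_off + PATCH_LEN] = decode_patch(lib)
    # DEX header: SHA-1 of bytes 32.. at offset 12, Adler-32 of bytes 12.. at offset 8.
    dex[12:32] = hashlib.sha1(dex[32:]).digest()
    dex[8:12] = struct.pack("<I", zlib.adler32(bytes(dex[12:])))
    return bytes(dex)

def make_sample_lib(dest_off: int, real: bytes) -> bytes:
    """Constructed stand-in for libcook.so: padding, encoded patch, then a fake DEX."""
    dex = bytearray(b"dex\n035\x00" + bytes(DEX_LEN - 8))
    dex[dest_off:dest_off + PATCH_LEN] = b"\xff" * PATCH_LEN   # decoy bytes
    enc = bytes(b ^ XOR_KEY for b in real)
    return bytes(PATCH_OFF) + enc + bytes(DEX_OFF - PATCH_OFF - PATCH_LEN) + bytes(dex)

if __name__ == "__main__":
    real = bytes(range(PATCH_LEN))
    out = rebuild_dex(make_sample_lib(0x200, real), dest_off=0x200)
    print(out[0x200:0x208].hex(), len(out))
```

If IDA shows virtual addresses that differ from file offsets for the section holding this data, translate them through the ELF program headers before carving.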
Then I could find 4 files in the com/google/ctf/food directory. The C0000F class contains the flag value and the cc() function.
In the cc() function, the C0004.m0() function performs a calculation on flag and this.f2k.
I can calculate this.f2k by XORing bArr with "\u0013\u0011\u0013\u0003\u0004\u0003\u0001\u0005", so I can find the flag by executing C0004.m0(flag, this.f2k).
I made a Java file of the m0 function and executed it. (The Java source is at the link below.)