Last week I joined Google CTF, but I could only solve 2 challenges :-(. Here is my writeup of a challenge I solved.


This is an RE challenge. At the start I am given an Android APK file, "food.apk".

First I disassembled this file with an online service: http://ift.tt/1H4YAZ1.

That gives me the source files. After some investigation, I realized that the FoodActivity class in com/google/ctf/food executes System.loadLibrary("cook").

Then I checked libcook.so in lib/x86/ with IDA Pro.


In this JNI_OnLoad section, many constant values are moved onto the stack and then a function I named dec_str is executed.
</gml_replace>
<gr_replace lines="16" cat="clarify" orig="Then I try">
Then I tried to find out what this function does, and recognized it as below.


Then I try to find out what this function do, and recoginize it as beolw.

# split a 32-bit int into its 4 bytes, most significant first
def parse_to_byte(val):
    byte = []
    byte.append((val >> 24) & 0xff)  # BYTE3
    byte.append((val >> 16) & 0xff)  # BYTE2
    byte.append((val >> 8) & 0xff)   # BYTE1
    byte.append(val & 0xff)          # BYTE0
    return byte

# the 21 dwords that JNI_OnLoad pushes onto the stack before calling dec_str
words = [0x1D650B6E, 0x1377416F, 0x16724D62, 0x5320096C, 0x5691D74, 0x86E5A75, 0x4420046B, 0x6F096F, 0x4D634620, 0x10640D6E, 0x4F614520, 0x0A660265, 0x0A650D62, 0x47204A64, 0x36E1A75, 0x0C6F5D72, 0x6675420, 0x4650C68, 0x5B744120, 0x10640564, 0x25410F20]

string = ""
# decrypt: each dword yields two characters, BYTE3 ^ BYTE2 and BYTE1 ^ BYTE0
# (the second expression is NOT(XNOR), i.e. just the XOR of the two low bytes)
for i in words:
    byte_array = parse_to_byte(i)
    string += chr(byte_array[0] ^ byte_array[1])
    string += chr(~((byte_array[2] | ~byte_array[3]) & (byte_array[3] | ~byte_array[2])))
# the characters come out back to front, so reverse the result
print(string[::-1])
# -> "/data/data/com.google.ctf.food/files/d.dex"


Then the area 0x00001640+0x15a8 of the library is written to a d.dex file.


And finally the sub_710 function is called.


After analyzing this function, I realized that it replaces one part of the d.dex file with other data.

The decompiled source of this function is as below.



The replacement data is at 0x000015A0+0x90 and is XOR-ed with 0x5a.

So I patched this data into d.dex manually with a binary editor, and decompiled d.dex again with the online service.
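The manual unpacking steps above (carve the embedded dex at 0x00001640+0x15a8, decode the 0x90 bytes at 0x000015A0 by XOR-ing with 0x5a, and write them back into d.dex) can also be scripted. The following is an added example, not code from the original writeup or from the challenge: it runs on a constructed in-memory stand-in for libcook.so built by make_sample_library(), and the offset inside d.dex at which the decoded bytes are written (patch_offset) is an assumption, since the writeup does not state it. The dex header check at the end is the kind of sanity test worth running before feeding the rebuilt file to a decompiler.

```python
import struct

# Offsets and sizes as given in the writeup for libcook.so (lib/x86/)
DEX_OFFSET = 0x1640    # start of the embedded d.dex inside libcook.so
DEX_SIZE = 0x15A8      # length of the embedded dex
PATCH_OFFSET = 0x15A0  # start of the 0x90 bytes that sub_710 decodes
PATCH_SIZE = 0x90
XOR_KEY = 0x5A

DEX_MAGIC = b"dex\n035\x00"


def carve_dex(so_bytes):
    """Return the raw (still-holed) dex blob embedded in the library."""
    return bytearray(so_bytes[DEX_OFFSET:DEX_OFFSET + DEX_SIZE])


def decode_patch(so_bytes):
    """Return the 0x90 patch bytes with the 0x5a XOR removed."""
    enc = so_bytes[PATCH_OFFSET:PATCH_OFFSET + PATCH_SIZE]
    return bytes(b ^ XOR_KEY for b in enc)


def rebuild_dex(so_bytes, patch_offset=0):
    """Carve the dex and overwrite part of it with the decoded patch.

    patch_offset is an assumption: the writeup does not say where in d.dex
    sub_710 writes the decoded bytes, so it is left as a parameter.
    """
    dex = carve_dex(so_bytes)
    patch = decode_patch(so_bytes)
    dex[patch_offset:patch_offset + PATCH_SIZE] = patch
    return bytes(dex)


def dex_header_ok(dex):
    """Cheap sanity check: magic string and self-declared file_size match."""
    if dex[:8] != DEX_MAGIC:
        return False
    # file_size is the little-endian uint32 at offset 0x20 of a dex header
    (file_size,) = struct.unpack_from("<I", dex, 0x20)
    return file_size == len(dex)


def make_sample_library():
    """Constructed stand-in for libcook.so (not the real binary).

    The embedded dex has its first 0x90 bytes blanked out; the real bytes
    sit at 0x15A0, XOR-ed with 0x5a, mirroring what the writeup describes.
    """
    header = bytearray(PATCH_SIZE)
    header[:8] = DEX_MAGIC
    struct.pack_into("<I", header, 0x20, DEX_SIZE)   # file_size field
    encoded = bytes(b ^ XOR_KEY for b in header)

    so = bytearray(DEX_OFFSET + DEX_SIZE)
    so[PATCH_OFFSET:PATCH_OFFSET + PATCH_SIZE] = encoded
    so[DEX_OFFSET:DEX_OFFSET + PATCH_SIZE] = b"\xff" * PATCH_SIZE  # the hole
    return bytes(so)


if __name__ == "__main__":
    lib = make_sample_library()
    before = carve_dex(lib)
    after = rebuild_dex(lib)
    print("magic before patch:", bytes(before[:8]))
    print("magic after patch: ", after[:8])
    print("header ok:", dex_header_ok(after))
    with open("d.dex", "wb") as f:
        f.write(after)
```

Against the real library you would replace make_sample_library() with open("libcook.so", "rb").read() and set patch_offset to the destination that sub_710 actually uses; dex_header_ok() then tells you immediately whether the carve and patch landed where they should.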


Then I found 4 files in the com/google/ctf/food directory. The C0000F class holds the flag value and a cc() function.

And in cc(), the C0004.m0() function is called with flag and this.f2k.

this.f2k can be calculated by XOR-ing bArr with "\u0013\u0011\u0013\u0003\u0004\u0003\u0001\u0005", so the flag can be found by executing C0004.m0(flag, this.f2k).

I made a Java file of the m0 function and executed it. (The Java source is at the link below.)



