DEV Community

Nucu Labs
Nucu Labs

Posted on

FlareOn6 - Challenge 3: Write-Up

Hello,

In this short article I will show you how I solved the third challenge of flareon6.

The challenge is to make the bear dance. You have a tamagotchi like app and you need to keep your bear pet alive and happy.

Since the challenge is Android oriented, I've used the following tools to solve it:

The first thing I've tried was to download JadX and look at the source code, I thought I could easily solve the challenge by patching it using Apktool, but that didn't work.

To patch the file, I used Apktool to decompiler, modified the smali code and rebuild the apk.

To decode the apk, I've ran the following command:

apktool d flarebear.apk
Enter fullscreen mode Exit fullscreen mode

And to rebuild the apk:

apktool b flarebear
Enter fullscreen mode Exit fullscreen mode

I don't know the ins and out of the smali language and when I've patched the files I studied the other smali source code and keep modification at a minimum. JadX helped me very much, since Java code is much easier to read and finding that block in smali is not that hard when you have Java code side by side.

Patching the apk didn't work because the program has an encrypted resource file and it uses some internal state stored in shared preferences in order to generate the password required to decrypt the resource file. I patched the app to jump directly to the win() function and that caused it to crash, as the generated password was not the correct one.

win function's source-code

After studying the source code a bit more with JadX, figured that the shared state can be modified by pressing the feed, play and clean buttons. Pressing the correct combination of those buttons will generate the correct password.

--

The following piece of source code gives us exactly what we need to press in order to solve the challenge and get the flag:

the right combination.jpg

Now, we can check the clean(), feed() and play() function to see how they affect the shared prefs of the app. Each function affects it in some way:

doFeed source code.jpg

This is the part where I got stuck, I knew this would yield an equation to solve but I have forgotten how to solve the equation. I stopped doing math since the first year of college and I got very rusty. I tried to solve the equation mathematically but I failed. Nothing that I've tried gave good results.

Nonetheless, I've asked Twitter for help and a brilliant twitter user told me to put the values in Excel and play with them, so that's what I did.

excell.jpg

After pressing the buttons I got the bear to dance and he gave me the flag which unlocked challenge 4.

Thanks for reading!

Top comments (0)