in loadme.apk
1) test.dex is downloaded from https://challs.reyammer.io/loadme/stage1.apk
2) Dynamically loading class com.mobisec.stage1.LoadImage and method load
On unloading test.dex and Opening LoadImage.smali
1) An image logo.png is read and saved as a dex file named logo.dex (image can be found in initial apk)
2) Dynamically Loading com.mobisec.stage2.Check class and calling method check
On unloading logo.dex and Opening Check.smali we get the flag
Flag: MOBISEC{dynamic_code_loading_can_make_everything_tricky_eh?}
Scripts used
for loadme.apk
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class s{
static byte[] initVector = {-34, -83, -66, -17, -34, -83, -66, -17, -34, -83, -66, -17, -34, -83, -66, -17};
public static void main(String[] args) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException {
System.out.println(gu());
String path = dc(gu()); //download test.dex
da(path);
System.out.println(gc());
System.out.println(gm());
}
private static String gu() throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException {
String url = ds("MAi9CEe4K9a+JzgsNqdYYh13dk7SQQ/yo5BN5HF39nYtgnOBmO4EV9Y2sQDthTG9");
return url;
}
private static String gm() throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException {
return ds("6RSjLOfRkvb/qXa34Y7cOQ==");
}
private static void da(String path) {
byte[] xorKey = "com.mobisec.dexclassloader".getBytes();
File file = new File(path);
int size = (int) file.length();
byte[] bytes = new byte[size];
byte[] decbytes = new byte[size];
try {
BufferedInputStream buf = new BufferedInputStream(new FileInputStream(file));
buf.read(bytes, 0, bytes.length);
buf.close();
for (int i = 0; i < size; i++) {
decbytes[i] = (byte) (bytes[i] ^ xorKey[i % xorKey.length]);
}
File outFile = new File(path);
FileOutputStream out = new FileOutputStream(outFile, false);
out.write(decbytes);
out.flush();
out.close();
} catch (Exception e) {
e.printStackTrace();
}
}
private static String dc(String url) {
try {
URL downloaded_url = new URL(url);
HttpURLConnection urlConnection = (HttpURLConnection) downloaded_url.openConnection();
urlConnection.connect();
File file = new File(gf());
FileOutputStream fileOutput = new FileOutputStream(file);
InputStream inputStream = urlConnection.getInputStream();
byte[] buffer = new byte[1024];
while (true) {
int bufferLength = inputStream.read(buffer);
if (bufferLength <= 0) {
fileOutput.close();
return file.getAbsolutePath();
}
fileOutput.write(buffer, 0, bufferLength);
}
} catch (Exception e) {
return null;
}
}
public static String ds(String enc) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException{
String key = "mobiseccomkey!!!";
IvParameterSpec iv = new IvParameterSpec(initVector);
SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(2, skeySpec, iv);
byte[] original = cipher.doFinal(Base64.getDecoder().decode(enc.getBytes()));
return new String(original);
}
public static String gf() throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException {
return ds("QLrdlqkhOkxIe5FEfpCLWw==");
}
public static String gc() throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, UnsupportedEncodingException {
return ds("ca9O9YbCZ/+vIYUvxPQUHA4SgyL/m3cwlvVZ4ArkBFQ=");
// return ds("6RSjLOfRkvb/qXa34Y7cOQ==");
}
}
test.dex
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class ss{
private static byte[] initVector = {-34, -83, -66, -17, -34, -83, -66, -17, -34, -83, -66, -17, -34, -83, -66, -17};
public static void main(String[] args){
System.out.println(getAssetsName());
System.out.println(getCodeName());
//load();
System.out.println(generateClass());
System.out.println(generateMethod());
}
private static String generateClass() {
return decryptString("4hJIFOEdvGy81kngg5W2mh4ZMYOQVmqX+FqCg8UmFmc=");
}
private static String generateMethod() {
return decryptString("zkKQzoRGUwBJurGdAYVuMw==");
}
private static String getAssetsName() {
return decryptString("VYsdn556h+cox7bnQV4UsA==");
}
private static String getCodeName() {
return decryptString("SXkAHK1O8Ssd6aCiqtpiAg==");
}
private static String decryptString(String enc) {
try {
String[] parts = "com.mobisec.stage1".split(Pattern.quote("."));
String key = "!!!" + parts[0] + parts[1] + "key";
IvParameterSpec iv = new IvParameterSpec(initVector);
SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(2, skeySpec, iv);
byte[] original = cipher.doFinal(Base64.getDecoder().decode(enc.getBytes()));
return new String(original);
} catch (Exception ex) {
ex.printStackTrace();
return null;
}
}
public static boolean load() {
byte[] xorKey = "weneedtogodeeper".getBytes();
try {
InputStream in = new FileInputStream(new File("logo.png"));
File outFile = new File(getCodeName());
OutputStream out = new FileOutputStream(outFile);
byte[] buffer = new byte[1024];
while (true) {
int read = in.read(buffer);
if (read != -1) {
out.write(buffer, 0, read);
} else {
in.close();
out.close();
decryptApk(outFile.getAbsolutePath(), xorKey);
// return loadClass(ctx, outFile.getAbsolutePath(), flag);
}
}
} catch (Exception e) {
return false;
}
}
private static void decryptApk(String path, byte[] xorKey) {
File file = new File(path);
int size = (int) file.length();
byte[] bytes = new byte[size];
byte[] decbytes = new byte[size];
try {
BufferedInputStream buf = new BufferedInputStream(new FileInputStream(file));
buf.read(bytes, 0, bytes.length);
buf.close();
for (int i = 0; i < size; i++) {
decbytes[i] = (byte) (bytes[i] ^ xorKey[i % xorKey.length]);
}
File outFile = new File(path);
FileOutputStream out = new FileOutputStream(outFile, false);
out.write(decbytes);
out.flush();
out.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
Top comments (0)