Reverse Android Memory Creation: BlockCTF - Protect Your API Key
First I reversed the APK. The MainActivity, as decompiled by JADX:
package com.some.better.practice.app;

import android.content.Context;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;
import com.some.better.practice.app.databinding.ActivityMainBinding; // generated by ViewBinding

public class MainActivity extends AppCompatActivity {
    private ActivityMainBinding binding;

    // Both entry points live in libapp.so. run() is handed a class name,
    // which is the first hint that the interesting code is not in classes.dex.
    public native void run(Context context, String str);
    public native String stringFromJNI();

    static {
        System.loadLibrary("app");
    }

    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    protected void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        ActivityMainBinding inflate = ActivityMainBinding.inflate(getLayoutInflater());
        this.binding = inflate;
        setContentView(inflate.getRoot());
        this.binding.sampleText.setText(stringFromJNI());
        // The native call runs on a background thread so the UI is not blocked.
        new Thread(new Runnable() { // from class: com.some.better.practice.app.MainActivity$$ExternalSyntheticLambda0
            @Override // java.lang.Runnable
            public final void run() {
                MainActivity.this.m125lambda$onCreate$0$comsomebetterpracticeappMainActivity();
            }
        }).start();
    }

    // Synthetic lambda body, renamed by JADX from lambda$onCreate$0.
    // The class named here does not exist anywhere in the APK's DEX files.
    /* synthetic */ void m125lambda$onCreate$0$comsomebetterpracticeappMainActivity() {
        run(this, "com.some.real.better.practice.myapplication.RideHailing");
    }
}
Two things caught my attention: the app loads a native library called app, and the class com.some.real.better.practice.myapplication.RideHailing that it passes to run() does not exist in the APK. I opened the library in IDA, and it turned out that the native code creates the RideHailing class in memory at runtime, i.e. the class only ever exists in a DEX that is loaded dynamically and is never stored on disk inside the APK.
I grabbed the resulting dump.dex with adb, converted it to a jar with dex2jar so that JADX could open it, and the source of the class was:
/* loaded from: dump-dex2jar.jar:com/some/real/better/practice/myapplication/RideHailing.class */
package com.some.real.better.practice.myapplication;

import android.util.Base64;
import android.util.Log;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Navigator and Entry are other classes from the same dump; only RideHailing is shown here.
public class RideHailing extends Thread {
    // The key is a hardcoded 32-byte ASCII string (AES-256) used directly as key material,
    // and the mode is ECB with no IV, so anyone who reads this class can decrypt the payload.
    public static String decryptMsg(byte[] bArr) throws Exception {
        SecretKeySpec secretKeySpec = new SecretKeySpec("er34rgr3443.,g,3-09gjs@[wpef9j3j".getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, secretKeySpec); // decompiler showed the raw constant 2
        return new String(cipher.doFinal(bArr), "UTF-8");
    }

    public static byte[] encryptMsg(String str) throws Exception {
        SecretKeySpec secretKeySpec = new SecretKeySpec("er34rgr3443.,g,3-09gjs@[wpef9j3j".getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec); // decompiler showed the raw constant 1
        return cipher.doFinal(str.getBytes("UTF-8"));
    }

    private void logLocation(Navigator navigator) {
        Log.v(Navigator.class.getName(), "Your location is " + navigator.locate());
    }

    @Override // java.lang.Thread
    public void start() {
        try {
            // The Base64 blob (flag 2 == Base64.NO_WRAP) decodes to 32 bytes, i.e. two AES blocks,
            // and the decrypted string is the API key handed to Entry.initialization().
            logLocation(new Entry().initialization(decryptMsg(Base64.decode("9Bmk+Nc8i7oz2+sRYI9Q1fZ/metvBlUzoMMdC2aLstA=", Base64.NO_WRAP))));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}
So I simply wrote a similar Java program that reuses the hardcoded key and the same AES/ECB/PKCS5Padding cipher to decrypt that Base64 string, and the decrypted key was the flag.
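The desktop equivalent of that decryption, as an added example (my own code, not the author's program or anything shipped with the challenge): it reuses the key and cipher parameters lifted from RideHailing.decryptMsg, swaps android.util.Base64 for java.util.Base64 so it runs on a plain JDK, checks that the ciphertext is block-aligned, and turns a BadPaddingException into an explicit "wrong key" error instead of a stack trace. The class name Solve is my own; the flag itself is not on this page, so the program just prints whatever the cipher returns.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class Solve {
    // Key and ciphertext exactly as found in the dumped RideHailing class.
    // 32 ASCII bytes are used directly as an AES-256 key (no KDF, no salt).
    static final String KEY = "er34rgr3443.,g,3-09gjs@[wpef9j3j";
    static final String CIPHERTEXT_B64 = "9Bmk+Nc8i7oz2+sRYI9Q1fZ/metvBlUzoMMdC2aLstA=";

    static String decrypt(String b64, String key) throws Exception {
        byte[] ct = Base64.getDecoder().decode(b64); // 32 bytes = two AES blocks
        if (ct.length % 16 != 0) {
            throw new IllegalArgumentException(
                "ciphertext is not a whole number of AES blocks: " + ct.length);
        }
        SecretKeySpec spec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding"); // same mode the app uses
        cipher.init(Cipher.DECRYPT_MODE, spec);
        try {
            return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
        } catch (BadPaddingException e) {
            // With a wrong key the PKCS5 padding almost never validates, so this
            // is the clearest signal that the key was copied incorrectly.
            throw new IllegalStateException("padding check failed; wrong key?", e);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("API key: " + decrypt(CIPHERTEXT_B64, KEY));
    }
}
```

Compile and run with `javac Solve.java && java Solve`; no Android SDK is needed because javax.crypto and java.util.Base64 are part of the JDK.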
I used this Frida script to dump the class from memory: