Reversing Android In-Memory Class Loading: BlockCTF - Protect Your API Key

First I decompiled the APK with jadx and looked at `MainActivity`:
/*
 * Decompiled (jadx) launcher activity of the CTF target.
 *
 * Everything interesting is delegated to native code: libapp.so ("app") is
 * loaded in the static initializer and provides run() and stringFromJNI().
 * Their bodies are not visible here; only the Java-side call sites are.
 */
public class MainActivity extends AppCompatActivity {
private ActivityMainBinding binding;
// Native entry point that receives the activity's Context plus a fully
// qualified class name. NOTE(review): that class is not in the APK's
// classes.dex (see write-up); the author attributes its creation to this
// native code -- confirm by reading run() in libapp.so.
public native void run(Context context, String str);
// Native; only used for the sample text shown in the UI.
public native String stringFromJNI();
static {
// Loads libapp.so from the APK's lib/<abi>/ directory.
System.loadLibrary("app");
}
/* JADX INFO: Access modifiers changed from: protected */
@Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
public void onCreate(Bundle bundle) {
super.onCreate(bundle);
ActivityMainBinding inflate = ActivityMainBinding.inflate(getLayoutInflater());
this.binding = inflate;
setContentView(inflate.getRoot());
this.binding.sampleText.setText(stringFromJNI());
// The native run() is invoked on a freshly created background thread,
// i.e. off the UI thread and immediately after the view is set up.
new Thread(new Runnable() { // from class: com.some.better.practice.app.MainActivity$$ExternalSyntheticLambda0
@Override // java.lang.Runnable
public final void run() {
MainActivity.this.m125lambda$onCreate$0$comsomebetterpracticeappMainActivity();
}
}).start();
}
/* JADX INFO: Access modifiers changed from: package-private */
/* renamed from: lambda$onCreate$0$com-some-better-practice-app-MainActivity, reason: not valid java name */
// Body of the lambda above: hands the activity and the name of the
// not-yet-existing class "...myapplication.RideHailing" to native code.
// The class name is a plain string, so it survives decompilation intact --
// this is the pivot that points at the hidden component.
public /* synthetic */ void m125lambda$onCreate$0$comsomebetterpracticeappMainActivity() {
run(this, "com.some.real.better.practice.myapplication.RideHailing");
}
}
What caught my attention was that the app loads a native library called `app` and passes the class name `com.some.real.better.practice.myapplication.RideHailing` to the native `run()` method, although no class with that name exists in the APK's `classes.dex`. I opened the native library in IDA, and it turned out that the native code creates this `RideHailing` class in memory at runtime rather than shipping it in the APK.
To recover the class I used this Frida script, https://codeshare.frida.re/@cryptax/inmemorydexclassloader-dump/, which dumps the DEX bytes handed to `InMemoryDexClassLoader` to a file on the device.

I pulled the resulting `dump.dex` with `adb`, converted it to a jar with dex2jar, and opened that in jadx. The recovered source of the class was:
/* loaded from: dump-dex2jar.jar:com/some/real/better/practice/myapplication/RideHailing.class */
/*
 * Class recovered from the in-memory DEX dump; it is not present in the APK
 * on disk, which is the only "protection" the challenge applies.
 *
 * Security notes (reviewer):
 *  - The AES key is a 32-character string literal (AES-256) embedded in the
 *    class. Anyone holding the DEX dump holds the key.
 *  - AES/ECB/PKCS5Padding: no IV, no integrity. Equal plaintext blocks give
 *    equal ciphertext blocks, and the padding is not authenticated.
 *  - The ciphertext is likewise a literal. Key + ciphertext + algorithm in one
 *    place means decryption can be replayed offline, as the write-up does.
 *  - Hiding the class in memory does not help: the process must hold both the
 *    key and the plaintext at runtime, so a memory dump or a runtime hook on
 *    decryptMsg() recovers the secret regardless.
 */
public class RideHailing extends Thread {
// Decrypts bArr with the hard-coded key in AES/ECB mode and returns the
// plaintext decoded as UTF-8. cipher.init(2, ...) is Cipher.DECRYPT_MODE.
// String.getBytes() without a charset uses the platform default; the key is
// pure ASCII, so the key bytes are the same on any ASCII-compatible charset.
public static String decryptMsg(byte[] bArr) throws Exception {
SecretKeySpec secretKeySpec = new SecretKeySpec("er34rgr3443.,g,3-09gjs@[wpef9j3j".getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(2, secretKeySpec);
return new String(cipher.doFinal(bArr), "UTF-8");
}
// Inverse of decryptMsg(): encrypts the UTF-8 bytes of str with the same
// key and mode. cipher.init(1, ...) is Cipher.ENCRYPT_MODE. Not called from
// anything visible in this class; presumably how the literal below was made.
public static byte[] encryptMsg(String str) throws Exception {
SecretKeySpec secretKeySpec = new SecretKeySpec("er34rgr3443.,g,3-09gjs@[wpef9j3j".getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(1, secretKeySpec);
return cipher.doFinal(str.getBytes("UTF-8"));
}
// Writes navigator.locate() to logcat at VERBOSE level. Whatever the
// decrypted value turns into ends up in the device log, which is readable
// by any debugging session -- another place to recover the secret from.
private void logLocation(Navigator navigator) {
Log.v(Navigator.class.getName(), "Your location is " + navigator.locate());
}
// NOTE(review): this overrides Thread.start(), not run(), and never calls
// super.start(). Whoever calls start() therefore executes this body
// synchronously on their own thread; no new thread is created.
// The Base64 literal decodes (flag 2 is presumably android.util.Base64.NO_WRAP)
// to 32 bytes = two AES blocks, which decryptMsg() turns into the secret
// that Entry.initialization() consumes.
@Override // java.lang.Thread
public void start() {
try {
logLocation(new Entry().initialization(decryptMsg(Base64.decode("9Bmk+Nc8i7oz2+sRYI9Q1fZ/metvBlUzoMMdC2aLstA=", 2))));
} catch (Exception e) {
// Any crypto/decoding failure is re-thrown unchecked with its cause kept.
throw new RuntimeException(e);
}
}
}
So I simply wrote a small standalone Java program that replays `decryptMsg()` with the hard-coded key on the Base64 ciphertext, and the decrypted value was the flag. The takeaway is that building the class in memory only defeats static analysis of the APK: the key and the ciphertext still have to live in the process at runtime, so a DEX dump, or even a Frida hook on `decryptMsg()` that logs its return value, recovers the "protected" secret anyway.
