Reverse Android Memory Creation: BlockCTF - Protect Your API Key

first i reversed the apk the MainActivity

public class MainActivity extends AppCompatActivity {
    private ActivityMainBinding binding;

    public native void run(Context context, String str);

    public native String stringFromJNI();

    static {
        System.loadLibrary("app");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        ActivityMainBinding inflate = ActivityMainBinding.inflate(getLayoutInflater());
        this.binding = inflate;
        setContentView(inflate.getRoot());
        this.binding.sampleText.setText(stringFromJNI());
        new Thread(new Runnable() { // from class: com.some.better.practice.app.MainActivity$$ExternalSyntheticLambda0
            @Override // java.lang.Runnable
            public final void run() {
                MainActivity.this.m125lambda$onCreate$0$comsomebetterpracticeappMainActivity();
            }
        }).start();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: lambda$onCreate$0$com-some-better-practice-app-MainActivity, reason: not valid java name */
    public /* synthetic */ void m125lambda$onCreate$0$comsomebetterpracticeappMainActivity() {
        run(this, "com.some.real.better.practice.myapplication.RideHailing");
    }
}

it caught my attention that it loads native lib called app, and that classcom.some.real.better.practice.myapplication.RideHailing does not exist i opned ida , then it turns out that it created this class RideHailing on memory !.

i used this frida script https://codeshare.frida.re/@cryptax/inmemorydexclassloader-dump/ to dump this class from memory

grapped this dump.dex using adb, then dex2jar to create jar to use jadx on it and the class src code was

/* loaded from: dump-dex2jar.jar:com/some/real/better/practice/myapplication/RideHailing.class */
public class RideHailing extends Thread {
    public static String decryptMsg(byte[] bArr) throws Exception {
        SecretKeySpec secretKeySpec = new SecretKeySpec("er34rgr3443.,g,3-09gjs@[wpef9j3j".getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(2, secretKeySpec);
        return new String(cipher.doFinal(bArr), "UTF-8");
    }

    public static byte[] encryptMsg(String str) throws Exception {
        SecretKeySpec secretKeySpec = new SecretKeySpec("er34rgr3443.,g,3-09gjs@[wpef9j3j".getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(1, secretKeySpec);
        return cipher.doFinal(str.getBytes("UTF-8"));
    }

    private void logLocation(Navigator navigator) {
        Log.v(Navigator.class.getName(), "Your location is " + navigator.locate());
    }

    @Override // java.lang.Thread
    public void start() {
        try {
            logLocation(new Entry().initialization(decryptMsg(Base64.decode("9Bmk+Nc8i7oz2+sRYI9Q1fZ/metvBlUzoMMdC2aLstA=", 2))));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}

so simply i created a simllar java app to get the encrypted key, and I got the flag

Last updated 1 year ago