Android Hacking

Introduction

Key Techniques:
- APK analysis and decompilation
- Smali and Java code review
- Reverse engineering and patching
- Using tools: adb, wget, apktool, jadx, keytool, jarsigner

Challenge 1: droids0

Task

Objective: Extract the flag from application logs.

Steps & Commands

Download APK:

wget https://jupiter.challenges.picoctf.org/static/02bcd73e630f50ef0b12bcdad9d84e0d/zero.apk

Install APK on Emulator/Device:
```
adb install -t zero.apk
```
Check Device Logs for Flag:
```
adb logcat | grep -E -o "picoCTF{.*}"
```

Challenge 2: droids1

Task

Objective: Discover the password and unlock the flag.

Steps & Commands

Download and Install APK:

wget https://jupiter.challenges.picoctf.org/static/b12c6d058c7f52eb1fd2015cfd291716/one.apk
adb install -t one.apk

Decompile the APK:
```
apktool d one.apk -o one_decompiled
```
Find Password in Smali Code:
```
grep -r "password" one_decompiled/
```
Check XML Files for Hardcoded Password:
```
grep -r "opossum" one_decompiled/res/
```

Challenge 3: droids2

Task

Objective: Uncover an obfuscated password by analyzing decompiled code.

Steps & Commands

Download and Install APK:

wget https://jupiter.challenges.picoctf.org/static/b7d30de6eaaf83e685aea7c10c5bdea8/two.apk
adb install -t two.apk

Decompile APK for Analysis:
```
apktool d two.apk -o two_decompiled
```
Decompile Java Code for Better Readability:
```
jadx-gui
```
Extract Password from Decompiled Java Code:
- Modify extracted Java class to print the password.

Challenge 4: droids3

Task

Objective: Patch the APK to redirect the flag method call.

Steps & Commands

Download and Install APK:

wget https://jupiter.challenges.picoctf.org/static/06318765139795831859f843dd56ce60/three.apk
adb install -t three.apk

Decompile APK for Smali Editing:
```
apktool d three.apk -o three_decompiled
```
Modify getFlag Method in Smali:
- Replace call to nope(input) with yep(input).

Recompile Modified APK:

apktool b three_decompiled -o three_patched.apk

Sign the Patched APK:

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore three_patched.apk alias_name

Install and Run the Patched APK:
```
adb install -t three_patched.apk
```

Challenge 5: droids4

Task

Objective: Reverse the password logic and patch the app to reveal the flag.

Steps & Commands

Download and Install APK:

wget https://jupiter.challenges.picoctf.org/static/926d4bfd7030b13dbc98ca26e608c740/four.apk

Decompile and Analyze Smali Code:
```
apktool d four.apk -o four_decompiled
```
Find Password Logic in Smali or Decompiled Java:
```
grep -r "password" four_decompiled/
```
Extract Password from Decompiled Java Code:
- Modify extracted Java class to print the password.

Recompile & Sign APK (Same as Challenge 4):

apktool b four_decompiled -o four_patched.apk
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore four_patched.apk alias_name

Install and Run the Patched APK:
```
adb install -t four_patched.apk
```

Thank You!

Credits to Learning to ‘Hack Android’ with picoCTF by Ed Holloway-George. You can reach out to me at LinkedIn and Twitter.

PreviousGitHub Actions NextWhy I chose not to use an ORM

Last updated 7 months ago