Android Hacking

Introduction

  • Key Techniques:

    • APK analysis and decompilation

    • Smali and Java code review

    • Reverse engineering and patching

    • Using tools: adb, wget, apktool, jadx, keytool, jarsigner


Challenge 1: droids0

Task

  • Objective: Extract the flag from application logs.

Steps & Commands

  • Download APK:

    wget https://jupiter.challenges.picoctf.org/static/02bcd73e630f50ef0b12bcdad9d84e0d/zero.apk
  • Install APK on Emulator/Device:

    adb install -t zero.apk
  • Check Device Logs for Flag:

    adb logcat | grep -E -o "picoCTF{.*}"

Challenge 2: droids1

Task

  • Objective: Discover the password and unlock the flag.

Steps & Commands

  • Download and Install APK:

    wget https://jupiter.challenges.picoctf.org/static/b12c6d058c7f52eb1fd2015cfd291716/one.apk
    adb install -t one.apk
  • Decompile the APK:

    apktool d one.apk -o one_decompiled
  • Find Password in Smali Code:

    grep -r "password" one_decompiled/
  • Check XML Files for Hardcoded Password:

    grep -r "opossum" one_decompiled/res/

Challenge 3: droids2

Task

  • Objective: Uncover an obfuscated password by analyzing decompiled code.

Steps & Commands

  • Download and Install APK:

    wget https://jupiter.challenges.picoctf.org/static/b7d30de6eaaf83e685aea7c10c5bdea8/two.apk
    adb install -t two.apk
  • Decompile APK for Analysis:

    apktool d two.apk -o two_decompiled
  • Decompile Java Code for Better Readability:

    jadx-gui two.apk
  • Extract Password from Decompiled Java Code:

    • Modify extracted Java class to print the password.


Challenge 4: droids3

Task

  • Objective: Patch the APK to redirect the flag method call.

Steps & Commands

  • Download and Install APK:

    wget https://jupiter.challenges.picoctf.org/static/06318765139795831859f843dd56ce60/three.apk
    adb install -t three.apk
  • Decompile APK for Smali Editing:

    apktool d three.apk -o three_decompiled
  • Modify getFlag Method in Smali:

    • Replace call to nope(input) with yep(input).

  • Recompile Modified APK:

    apktool b three_decompiled -o three_patched.apk
  • Sign the Patched APK (apktool output is unsigned, so Android refuses to install it until it is signed):

    keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore three_patched.apk alias_name

    Note: jarsigner produces only a v1 (JAR) signature, which is enough for the challenge emulator; apps targeting API 30 or later must carry a v2 signature, produced with apksigner from the Android build tools.
  • Install and Run the Patched APK:

    adb install -t three_patched.apk
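The smali edit in the getFlag step above (swapping the nope call for yep) is easy to get wrong by hand, because the call's type descriptor must stay identical to what the replacement method declares. The following Python helper is an added example, not part of the original write-up: it operates on a constructed smali fragment with hypothetical class and package names, redirects the invoke line, and refuses to patch a call whose descriptor differs from the one expected.

```python
import re

# Constructed smali fragment standing in for the decompiled getFlag method of
# droids3. Class and package names are hypothetical, not the challenge's own.
SAMPLE_SMALI = """\
.method public static getFlag(Ljava/lang/String;Landroid/content/Context;)Ljava/lang/String;
    .locals 1
    invoke-static {p0, p1}, Lcom/example/droids/FlagstaffHill;->nope(Ljava/lang/String;Landroid/content/Context;)Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method
"""

# One smali invoke line: kind, argument registers, owner class, method name, descriptor.
INVOKE_RE = re.compile(
    r"^\s*(?P<kind>invoke-(?:static|virtual|direct|super|interface))"
    r"\s+\{(?P<regs>[^}]*)\},\s*(?P<owner>L[^;]+;)->(?P<name>[^(]+)(?P<desc>\(.*\).+)$"
)


def find_invokes(smali, method):
    """Return (line_no, owner_class, descriptor) for every call to `method`."""
    hits = []
    for lineno, line in enumerate(smali.splitlines(), 1):
        m = INVOKE_RE.match(line)
        if m and m.group("name") == method:
            hits.append((lineno, m.group("owner"), m.group("desc")))
    return hits


def redirect_call(smali, old, new, expected_desc=None):
    """Rewrite every `owner->old(desc)` call to `owner->new(desc)`.

    The descriptor (parameter and return types) is left untouched on purpose:
    the new target must declare the same signature, or the rebuild / runtime
    verifier rejects the method. If expected_desc is given, any other
    descriptor aborts the patch. Returns (patched_text, number_of_calls).
    """
    out, patched = [], 0
    for line in smali.splitlines(keepends=True):
        m = INVOKE_RE.match(line.rstrip("\r\n"))
        if m and m.group("name") == old:
            if expected_desc is not None and m.group("desc") != expected_desc:
                raise ValueError(f"unexpected descriptor on {old}: {m.group('desc')}")
            line = line.replace(f"->{old}(", f"->{new}(", 1)
            patched += 1
        out.append(line)
    return "".join(out), patched
```

Run it over the real `FlagstaffHill.smali` from `three_decompiled/` (path assumed) and write the returned text back before `apktool b`.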

Challenge 5: droids4

Task

  • Objective: Reverse the password logic and patch the app to reveal the flag.

Steps & Commands

  • Download APK:

    wget https://jupiter.challenges.picoctf.org/static/926d4bfd7030b13dbc98ca26e608c740/four.apk
  • Decompile and Analyze Smali Code:

    apktool d four.apk -o four_decompiled
  • Find Password Logic in Smali or Decompiled Java:

    grep -r "password" four_decompiled/
  • Extract Password from Decompiled Java Code:

    • Modify extracted Java class to print the password.

  • Recompile & Sign APK (Same as Challenge 4):

    apktool b four_decompiled -o four_patched.apk
    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore four_patched.apk alias_name
  • Install and Run the Patched APK:

    adb install -t four_patched.apk

Thank You!

Credits to Learning to ‘Hack Android’ with picoCTF by Ed Holloway-George. You can reach out to me at LinkedIn and Twitter.