September 19, 2020 3 min to read

CyberTalents National CTF 2020 - RE Challenges Writeup

CyberTalents National CTF 2020 - RE Challenges Writeup

RE Challenge 1 - Isolation

• You can download the Challenge from this link

Description: Developer think That the real Hacker Does not need any buttons to get the flag.

• when running the app we see that it asks for a Username and a Password but as the description says there is no buttons to login.

so lets open bytecode viewer and see the decompiled version of the app to see the main activity.

• nothing is interesting here but we can see Secretbox looking interesting as calling the library and setting text view.

• so my initial thought was decompiling the app change the main activity to run the library and setting the text view as secretbox, but I couldn’t make it to work, after a while my friend Elshinbary pointed out to me that u can change the Main activity from the AndroidManifest.xml
  so let’s try that as also the name of the installed apk is otherside.
  so what you need to do is decompile the apk with apk easy tool and change the Main activity from the AndroidManifest.xml.
  

From

To

and compile it again so after running the new version we will see the flag.

Another Solution

my friend told me that we can run command from edb shell to call any activity like SecretBox which will give us the flag.

• We can start any activity using a simple command in adb shell.

• Launch your adb shell using normal steps

am start -n yourpackagename/.activityname

am start -n com.cybertalents.otherside/.SecretBox

RE Challenge 2 - Silver ASM

Description: the flag is the parameter of the function int he following format (“FLAG{0_%X_0}” % parmter)

• You can download the Challenge from this link

• This is a Assembly file so let’s break it down.

mov     DWORD PTR [rbp-4], edi
mov     edx, DWORD PTR [rbp-4]

moves edi to edx.

mov     eax, edx
add     eax, eax
add     eax, edx

moves edx to eax and do 2 add operations which is equal to eax=3*eax.

sal     eax, 2

which is left shifting eax by to bits or multiplying eax by 4, eax = 4*eax.

sub     eax, 3571200
cmp     eax, 0

• sub eax by 3571200 or eax = eax - 3571200, and compare it with zero.

• by doing some math we can tell that (3eax)x(4eax)-3571200=0.

• so eax = 297600, which is the same as edi.
  

fx:
        push    rbp
        mov     rbp, rsp
        mov     DWORD PTR [rbp-4], edi
        mov     edx, DWORD PTR [rbp-4]
        mov     eax, edx
        add     eax, eax
        add     eax, edx
        sal     eax, 2
        sub     eax, 3571200
        cmp     eax, 0
        setbe   al
        movzx   eax, al
        pop     rbp
        ret

• the flag is as specified in the description so we need to convert it to HEX.
  

• the flag: FLAG{0_48a80_0}

• h00l19an$

• cheers!