Android - Application Reversing

Source: Internet | Editor: 程序博客网 | Time: 2024/05/18 01:44

How to pwn cocon.apk ?

This is a CTF Android APK called cocon.apk, and we need to decrypt the hash value (the CTF flag). Prepare a smartphone and install the APK file. If the install succeeds, the Android home screen shows an icon called com.co.con.

[Figure: the com.co.con app icon]

Open the app. The main window looks as follows; it says “Hello World, cocon!” and “KEY: Key is disable”:

[Figure: cocon.apk main window]

To see the app's code structure, use jadx to decompile it. Reading the code, we need to change int key_val = 0; to int key_val = 1;

[Figure: Android Reversing]

Rebuild the APK project, sign the APK, and install it on the smartphone.
Pwned: we get the flag key.

[Figure: cocon.apk pwned]

How to decompile an APK file?

If jadx is not installed on your computer and your package source does not carry it, download jadx-0.6.1.zip and extract it.

root@sh:~/andriod_security# jadx -d /root/android_security/cocon_jadx/ /root/andriod_security/cocon.apk
22:19:36 INFO  - loading ...
22:19:36 INFO  - processing ...
22:19:37 INFO  - done

If you decompile the APK with jadx, you get Java source and may need [gradle] or [Android Studio] to rebuild the APK. Of course, apktool can also do it: it decodes the app to smali and rebuilds directly from that.

root@sh:~/andriod_security# apktool d cocon.apk -o cocon_apktool/
I: Using Apktool 2.2.1-dirty on cocon.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
root@sh:~/andriod_security# ls -l cocon_apktool/
total 20
-rw-r--r-- 1 root root  549 Dec 12 22:23 AndroidManifest.xml
-rw-r--r-- 1 root root  370 Dec 12 22:23 apktool.yml
drwxr-xr-x 3 root root 4096 Dec 12 22:23 original
drwxr-xr-x 7 root root 4096 Dec 12 22:23 res
drwxr-xr-x 3 root root 4096 Dec 12 22:23 smali

How to compile the sources into an APK file?

Rebuild the APK from the files extracted by apktool.

root@sh:~/andriod_security# apktool b cocon_apktool -o cocon_pwned.apk
I: Using Apktool 2.2.1
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...

How to sign an APK file?

If the APK is built successfully, we can try to install it on the smartphone.

root@sh:~/andriod_security# adb install cocon_pwned.apk
Failed to install cocon_pwned.apk: Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Failed to collect certificates from /data/app/vmdl1691373271.tmp/base.apk: Attempt to get length of null array]

Every Android .apk needs to be signed if it is going to be installed on a phone, even if you’re not installing through the Market.

root@sh:~/andriod_security# bash apksign.sh cocon_pwned.apk
[+] 1. Generate a new key for android apk sign
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Google
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  Google
What is the name of your City or Locality?
  [Unknown]:  FF
What is the name of your State or Province?
  [Unknown]:  FL
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Google, OU=IT, O=Google, L=FF, ST=FL, C=US correct?
  [no]:  yes
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 1,000 days
    for: CN=Google, OU=IT, O=Google, L=FF, ST=FL, C=US
Enter key password for <at>
    (RETURN if same as keystore password):
Re-enter new password:
[Storing google.key]
[+] 2. Sign android apk
Enter Passphrase for keystore:
   adding: META-INF/MANIFEST.MF
   adding: META-INF/AT.SF
   adding: META-INF/AT.RSA
  signing: AndroidManifest.xml
  signing: classes.dex
  signing: res/drawable-hdpi-v4/icon.png
  signing: res/drawable-ldpi-v4/icon.png
  signing: res/drawable-mdpi-v4/icon.png
  signing: res/layout/main.xml
  signing: resources.arsc
jar signed.

Warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2019-09-08) or after any future revocation date.
[+] 3. Verify sign results

         589 Mon Dec 12 22:13:38 CST 2016 META-INF/MANIFEST.MF
         710 Mon Dec 12 22:13:38 CST 2016 META-INF/AT.SF
        1302 Mon Dec 12 22:13:38 CST 2016 META-INF/AT.RSA
sm      1584 Wed Dec 31 18:00:00 CST 1980 AndroidManifest.xml
sm      3748 Wed Dec 31 18:00:00 CST 1980 classes.dex
sm      3941 Wed Dec 31 18:00:00 CST 1980 res/drawable-hdpi-v4/icon.png
sm      1537 Wed Dec 31 18:00:00 CST 1980 res/drawable-ldpi-v4/icon.png
sm      2200 Wed Dec 31 18:00:00 CST 1980 res/drawable-mdpi-v4/icon.png
sm       816 Wed Dec 31 18:00:00 CST 1980 res/layout/main.xml
sm      1584 Wed Dec 31 18:00:00 CST 1980 resources.arsc

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning:
This jar contains entries whose certificate chain is not validated.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2019-09-08) or after any future revocation date.

Re-run with the -verbose and -certs options for more details.
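What jarsigner is checking in step 3, and why the unsigned rebuild failed to install, is easier to see with a small in-memory model of the JAR (APK v1) signature layout. The following is an added example, not the page's script and not Android's installer code: it builds a constructed sample package with Python's zipfile, writes a MANIFEST.MF with per-entry digests (SHA-256 here, where the page's script uses SHA1), uses placeholder bytes for META-INF/AT.SF and AT.RSA, and reports each entry with jarsigner's s/m letters. It checks manifest digests only, not the PKCS#7 signature block itself.

```python
"""Added example (not from the page or the cocon project): a minimal,
in-memory model of the JAR (APK v1) signature layout that jarsigner -verify
reports on. Assumes SHA-256 entry digests and placeholder .SF/.RSA bytes,
so it verifies manifest digests only, not the PKCS#7 signature."""
import base64
import hashlib
import io
import zipfile

# Signature-block extensions whose presence gives the package "certificates";
# an APK with none of them fails with INSTALL_PARSE_FAILED_NO_CERTIFICATES.
SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")
MANIFEST = "META-INF/MANIFEST.MF"

# Constructed sample package contents (stand-ins for the real files).
SAMPLE = {
    "AndroidManifest.xml": b"<manifest package='com.co.con'/>",
    "classes.dex": b"dex\n035\x00 int key_val = 0;",
}


def digest_b64(data):
    """Base64 SHA-256 digest, the encoding manifests use for per-entry digests."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(entries):
    """MANIFEST.MF body: a main section, then one Name/SHA-256-Digest section per entry."""
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest_b64(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()


def parse_manifest(raw):
    """Parse manifest sections into {entry name: {header: value}}.
    Assumes no 72-byte continuation lines (true for the short names used here)."""
    sections, current = {}, {}
    for line in raw.decode().splitlines():
        if not line.strip():
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if "Name" in current:
        sections[current["Name"]] = current
    return sections


def make_apk(entries, signed=True):
    """Zip the entries; with signed=True add the v1 META-INF files (signature parts are placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if signed:
            zf.writestr(MANIFEST, build_manifest(entries))
            zf.writestr("META-INF/AT.SF", b"Signature-Version: 1.0\r\n")  # placeholder
            zf.writestr("META-INF/AT.RSA", b"<pkcs7 placeholder>")        # placeholder
    return buf.getvalue()


def tamper(apk_bytes, name, data):
    """Replace one entry without re-signing: what a rebuild or patch does to a signed APK."""
    src = zipfile.ZipFile(io.BytesIO(apk_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for info in src.infolist():
            zf.writestr(info.filename, data if info.filename == name else src.read(info.filename))
    return out.getvalue()


def check_apk(apk_bytes):
    """Return (has_certificates, {entry: flags}) using jarsigner's letters:
    's' = digest matches the manifest, 'm' = entry is listed in the manifest."""
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = zf.namelist()
    has_certs = any(n.startswith("META-INF/") and n.upper().endswith(SIG_BLOCK_EXT) for n in names)
    manifest = parse_manifest(zf.read(MANIFEST)) if MANIFEST in names else {}
    flags = {}
    for name in names:
        if name.startswith("META-INF/"):
            continue
        f = ""
        if name in manifest:
            if manifest[name].get("SHA-256-Digest") == digest_b64(zf.read(name)):
                f += "s"
            f += "m"
        flags[name] = f
    return has_certs, flags


if __name__ == "__main__":
    print("unsigned:", check_apk(make_apk(SAMPLE, signed=False)))  # (False, ...): no certificates
    signed = make_apk(SAMPLE)
    print("signed:  ", check_apk(signed))                            # every entry 'sm'
    patched = tamper(signed, "classes.dex", b"dex\n035\x00 int key_val = 1;")
    print("patched: ", check_apk(patched))                           # classes.dex drops to 'm': must re-sign
```

The unsigned build has no META-INF signature block, which is the "no certificates" state adb reported above; after a signed package has one entry rewritten, that entry still appears in the manifest (m) but its digest no longer matches (no s), which is why every rebuild must be followed by re-signing with the key you control.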

apksign.sh

#!/bin/bash
# If you want to test more times, please update the code
# (a second run would otherwise try to create an alias that already exists).
APKFILE=$1
KEYNAME="androidtesting"   # keystore file written by keytool
ALIASNAME="at"             # key alias; keytool and jarsigner must use the same one
[[ -z "$APKFILE" ]] && echo "[*] Usage: $0 <apkfile>" && exit 1
echo "[+] 1. Generate a new key for android apk sign"
keytool -genkey -v -keystore "$KEYNAME" -alias "$ALIASNAME" -keyalg RSA -keysize 2048 -validity 1000 || exit 1
echo "[+] 2. Sign android apk"
# MD5withRSA/SHA1 are the original choices; newer JDKs disable MD5 for JAR signing,
# so on a current toolchain use -sigalg SHA256withRSA -digestalg SHA-256 (or apksigner).
jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore "$KEYNAME" "$APKFILE" "$ALIASNAME" || exit 1
echo "[+] 3. Verify sign result"
jarsigner -verify -verbose "$APKFILE"

References

  1. https://github.com/skylot/jadx
  2. https://ibotpeaches.github.io/Apktool/
  3. https://gradle.org/
  4. https://blog.bramp.net/post/2015/08/01/decompile-and-recompile-android-apk/