Angler

The document outlines a challenge focused on discovering hidden content in native Android code, specifically through reverse engineering an APK file. It details the skills required, methods to trigger events, and the process of using tools like Ghidra and Frida to extract a flag from the application. The challenge emphasizes the importance of understanding native methods and manipulating application behavior through ADB commands and scripting.

Angler

29th October 2022 / Document No. D23.102.109

Prepared By : aris

Challenge Author(s) : Tomisec

Difficulty : Medium

Classification : Official

Synopsis
The main objective is to discover hidden contents in the native Android code.

Description
The skilled fisherman used his full strength and expertise to hook the fish. Can you beat him and
set the fish free?

Skills Required
Know how to decompile APK files.

Basic knowledge of how to trigger events and send extras to the application via adb.

Basic knowledge of Ghidra and decompiling shared libraries.

Basic knowledge of Frida scripting.

Skills Learned
Learn how to trigger BATTERY_LOW events.

Become more experienced in hooking function arguments with Frida.


Enumeration
In this challenge we are provided with a single APK file.

Running the application


Let's use Android Studio's built-in emulators, or any other emulator of our choice, to run the application.

Using JADX, we reverse engineer the APK. We soon discover that there is a broadcast receiver which
invokes a native method.

There are two ways to trigger the native method:

By using Frida
Broadcasting a battery low event with data

Triggering a BATTERY_LOW event


As you can see in the image below, there is a registered event "android.intent.action.BATTERY_LOW".

But to invoke the native method we have to broadcast the event along with data; the next image shows this.

We can get the method called by running this command in an adb shell.

vbox86p:/ # am broadcast -a "android.intent.action.BATTERY_LOW" --es "Is_on" "yes"

After we run the above command, we will see a different screen like the following.
That screenshot gives us a hint that there is something in the logcat, so let's use adb to view the logs.
We can do so by running the following command:

adb logcat | grep -i System.out

The hint says:

In the above hint, "there" means the native code. Then, by checking the source code, we see that the string
printed to System.out is the return value of the native method getInfo().

To figure out what's going on, we have to find the native library, since the method is loaded from a native
library.
Inside the APK file there is a file called libangler.so. We can find it by extracting all the files from
the APK, which can be done with the following command:

apktool d Angler.apk

Decompiling the shared library


We can disassemble this library file using a tool called Ghidra. When we disassemble it, we have to keep in
mind the architecture of the device the app is installed on. Then we discover where that
method is implemented. By decompiling the method getInfo(), we get the following output.

As you can see in the image, there are two methods called inside that function. Let's check the method
ne:

In the above code there is the string that we discovered before in the logcat, and there is another string
which says You found the flag. These two strings are returned after a strcmp. So we can use Frida to hook
that method and find the flag. The flag is passed as the second argument of strcmp.

Getting the Flag


To do so, we have to do the following:

1. Discover the memory address of the strcmp call by hovering over the method like this.
2. Finally, we need to write a Frida script to get the strcmp argument value. After this, we invoke the
native method and get the flag in hex.

The script for the above output is shown below.

// This script requires frida-server running on the Android device, with frida spawning the app process and loading this script

function main() {
    console.log("[*] Script to find the flag")
    console.log("[*] Setting the address")
    console.log("[*] Hook the strcmp")
    findFlag()
}

// Convert a hex string to an ASCII string
function hexToASCII(hex) {
    var str = '';
    for (var i = 0; i < hex.length; i += 2) {
        var v = parseInt(hex.substr(i, 2), 16);
        if (v) str += String.fromCharCode(v);
    }
    return str;
}

function findFlag() {
    var offset = 0x4515c // Offset of the strcmp call, taken from the reverse engineered binary in Ghidra

    // Address of the specific strcmp call that receives the flag
    var baseaddress = Module.getBaseAddress("libangler.so").add(offset)

    Interceptor.attach(baseaddress, {
        onEnter: function(args) {
            // The second argument of strcmp holds the hex encoded flag
            var flag = Memory.readUtf8String(args[1])
            console.log("The flag in hex " + flag)
            console.log("The flag " + hexToASCII(flag))
        },
        onLeave: function(ret) {
            console.log("Done");
        }
    });
}

main()
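As an added example (not the write-up's own script), the hook below resolves strcmp from libc's export table and filters on the caller's return address instead of relying on a hard-coded offset, which stops working as soon as the library is rebuilt or a different ABI is installed; the decoding and filtering logic is separated from the Frida API so it can be checked off-device. The library name libangler.so is taken from the write-up; the hex sample in the comments is constructed.

```javascript
// Added example, not the challenge write-up's own script. Hooks libc's strcmp
// export and reports only calls returning into libangler.so (name from the
// write-up); the hex sample "4854427b" -> "HTB{" is constructed for testing.

// Decode a hex string such as "4854427b" into text. Non-hex or odd-length
// input is returned unchanged so plain-text strcmp arguments stay readable.
function decodeArg(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length % 2 !== 0 ||
      !/^[0-9a-fA-F]+$/.test(s)) {
    return s;
  }
  let out = '';
  for (let i = 0; i < s.length; i += 2) {
    out += String.fromCharCode(parseInt(s.substr(i, 2), 16));
  }
  return out;
}

// Build the Interceptor onEnter callback. `reader` turns a pointer into a JS
// string, `inModule` says whether a return address is inside the target
// library and `sink` receives each record; all three are injected so the
// callback can be exercised without Frida. Frida sets this.returnAddress.
function makeOnEnter(reader, inModule, sink) {
  return function (args) {
    if (!inModule(this.returnAddress)) {
      return undefined;            // strcmp called from elsewhere: ignore
    }
    const record = { lhs: reader(args[0]), rhs: reader(args[1]) };
    record.decoded = decodeArg(record.rhs); // the flag was the 2nd argument
    sink(record);
    return record;
  };
}

// Install the hook on the device. Returns false when not running under Frida.
// Assumes libangler.so is already loaded by the app (System.loadLibrary).
function installHook(libName) {
  if (typeof Interceptor === 'undefined') return false;
  const lib = Process.getModuleByName(libName);
  const inLib = (addr) => addr.compare(lib.base) >= 0 &&
                          addr.compare(lib.base.add(lib.size)) < 0;
  const strcmp = Process.getModuleByName('libc.so').getExportByName('strcmp');
  Interceptor.attach(strcmp, {
    onEnter: makeOnEnter((p) => p.readUtf8String(), inLib,
                         (r) => console.log(JSON.stringify(r)))
  });
  return true;
}
installHook('libangler.so');
```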
