Angler
Prepared By : aris
Difficulty : Medium
Classification : Official
Synopsis
The main objective is to discover hidden content in the native Android code.
Description
The skilled fisherman used his full strength and expertise to hook the fish. Can you beat him and
set the fish free?
Skills Required
Know how to decompile APK files.
Basic knowledge of how to trigger events and send extras to the application via adb.
Skills Learned
Learn how to trigger BATTERY_LOW events.
Using JADX, we reverse engineer the APK. We soon discover that there is a broadcast
receiver which invokes a native method.
By using frida
Broadcasting a battery low event with data
To invoke the native method we have to broadcast the event together with extra data; the next image shows that.
We can cause the method to be called by running this command in an adb shell.
After we run the above command, we get a different image, like the following.
That picture gives a hint that there is something in logcat, so let's use adb to view the logs.
We can do so by running the following command:
In the above hint, "there" means the native code. By checking the source code, the string that
is printed via System.out is returned from the native method getInfo().
To figure out what's going on we have to find the native library, since that method is loaded from the native
library.
Inside the APK file there is a file called libangle.so. We can find that file by extracting all the files from
the APK. This can be done with the following command:
apktool d Angler.apk
As you can see in the image, two methods are called inside that function. Let's check the method
ne:
In the above code there is the string that was discovered earlier in logcat, and there is another string which
says You found the flag. These two strings are returned after a strcmp. We can therefore use Frida to hook
that call and find the flag. The flag is passed as the second argument of strcmp.
1. Discover the memory address of the strcmp call by hovering over the method, like this.
2. Finally we need to write a Frida script to get the value of the strcmp argument. After this, we invoke the
native method and get the flag in hex.
// Requires frida-server running on the Android device and the script attached to the
// app process (e.g. frida -U -n <package> -l script.js) once libangle.so is loaded.
function main() {
    findFlag();
}

// Read the NUL-terminated string at `ptr` (the flag is a plain C string).
function readArg(ptr) {
    var str = ptr.readCString();
    return str;
}

function findFlag() {
    var offset = 0x4515c; // Address of the strcmp call, taken from the reverse engineered binary
    var base = Module.findBaseAddress("libangle.so");
    if (base === null) { // library not loaded yet, try again shortly
        setTimeout(findFlag, 500);
        return;
    }
    Interceptor.attach(base.add(offset), {
        onEnter: function(args) {
            // The flag is passed as the second argument of strcmp
            console.log("flag: " + readArg(args[1]));
            console.log(hexdump(args[1], { length: 64 })); // same bytes in hex
        },
        onLeave: function(ret) {
            console.log("Done");
        }
    });
}

main();