num1r0’s crackme_0x01 walkthrough

This is another series on Android reverse engineering. In this series I will be going through num1r0's crackmes and giving detailed steps on how I solved these challenges. The first crackme is crackme_0x01. Though these crackmes are a bit older, they offer useful guidance on how to look at an Android APK and begin doing some basic reverse engineering on an application.

The APK can be pulled down from GitHub and examined using any APK decompiling tool. I prefer to use jadx-gui. After opening the APK I first examine the AndroidManifest.xml file for any useful hints as to what I might be looking for.

In the manifest above I can see that the application has a single activity, MainActivity, with an intent filter that supplies the action MAIN and the category LAUNCHER. Opening the MainActivity class we can see the main onCreate and onClick methods.

The onCreate method on lines 20 – 29 is what builds our main activity for submitting the user-defined password. The user can submit any string as the password, but it is only evaluated once the Button tied to the onClickListener is clicked on line 29. Once clicked, the editText string on line 27 submitted by the user is compared against the value returned by the getFlag method in the FlagGuard class.

Once the correct password is submitted, the if statement calls into the FlagGuard class, which decodes the hard-coded flag and sends a message dialog to the user containing the flag.

The FlagGuard class runs a series of if/else statements that decode the scrambled string, using each character's index in a-z to look up the corresponding entry in the charArray array. What is particularly interesting is that the private String unscramble method uses Log.e, logging each letter and the FLAG of the application, which can be obtained via adb's logcat functionality.

Furthermore, we can see that the public String getFlag method compares the str string passed in from the application's MainActivity class against the private String getData method of the Data class on lines 10 – 13. If the password is correct, the application jumps to the private String unscramble method and begins executing that code.

If we inspect the Data class we can see an interesting plaintext string stored in the application. 

This appears to be the application's password to obtain the flag. Let's type the password in the prompt and see if it gives us the flag.
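To make the FlagGuard and Data pattern described above concrete, here is an added model of it in Android Java, alongside a hardened variant. This is illustration code written for this walkthrough, not num1r0's code: the getFlag, getData and unscramble names come from the crackme, but the log tag, the package, the substitution table standing in for the if/else chain, and every string value are assumptions, and the hardened class uses placeholder nonce and ciphertext that must be produced at build time.

```java
// Added illustration, not code from num1r0's crackme: a model of the FlagGuard/Data
// pattern the walkthrough describes, next to a hardened variant. Names other than
// getFlag, getData and unscramble, the log tag and all string values are assumptions.
package example.crackme;  // hypothetical package

import android.util.Log;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Plaintext password in Data and the flag echoed to logcat: the pattern the crackme shows. */
final class WeakFlagGuard {
    private static final String TAG = "FlagGuard";            // assumed log tag
    private static final String SCRAMBLED = "uozt{vcznkov}";  // constructed sample input
    private static final String ALPHABET = "abcdefghijklmnopqrstuvwxyz";
    // Stand-in for the crackme's if/else chain: the index of a letter in ALPHABET
    // selects its replacement here (a reversed alphabet, chosen for the sample).
    private static final String TABLE = "zyxwvutsrqponmlkjihgfedcba";

    public String getFlag(String str) {
        if (str.equals(Data.getData())) {  // both operands are readable in jadx
            return unscramble(SCRAMBLED);
        }
        return "Wrong password";
    }

    private String unscramble(String scrambled) {
        char[] charArray = scrambled.toCharArray();
        StringBuilder flag = new StringBuilder();
        for (char c : charArray) {
            int idx = ALPHABET.indexOf(c);
            char letter = idx >= 0 ? TABLE.charAt(idx) : c;  // non-letters pass through
            Log.e(TAG, "letter: " + letter);  // every character ends up in `adb logcat`
            flag.append(letter);
        }
        Log.e(TAG, "FLAG: " + flag);  // and so does the whole flag: "flag{example}"
        return flag.toString();
    }
}

final class Data {
    // Plaintext password, readable in the decompiled Data class.
    static String getData() { return "hypothetical-password"; }
}

/** Hardened variant: the flag is only recoverable with the password, and nothing is logged. */
final class HardenedFlagGuard {
    private static final byte[] SALT = "constructed-salt".getBytes(StandardCharsets.UTF_8);
    private static final int ITERATIONS = 100_000;
    // Placeholders: generate these at build time by encrypting the flag under the
    // password-derived key with AES-256-GCM and a 12-byte nonce. Not valid ciphertext.
    private static final byte[] NONCE = Base64.getDecoder().decode("AAAAAAAAAAAAAAAA");
    private static final byte[] CIPHERTEXT =
            Base64.getDecoder().decode("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");

    public String getFlag(String str) {
        try {
            // Derive the key from the submitted password, so no password or flag
            // constant exists in the APK for a decompiler to read.
            KeySpec spec = new PBEKeySpec(str.toCharArray(), SALT, ITERATIONS, 256);
            byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                    new GCMParameterSpec(128, NONCE));
            // GCM's authentication tag fails for a wrong password, so no separate
            // string compare is needed, and the flag is never written to Log.
            return new String(cipher.doFinal(CIPHERTEXT), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            return "Wrong password";
        }
    }
}
```

The weak class reproduces the two findings from the walkthrough: the comparison operand is a plaintext constant recoverable with jadx, and unscramble hands every flag character to logcat, so the flag can be read without even reversing the substitution. The hardened class removes both: nothing sensitive is logged, and because the key is derived from the submitted password, static analysis of the APK alone yields only salt, nonce and ciphertext.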

Alright, this looks like the solution. I hope you enjoyed the first crackme from num1r0. Look out for my next blog post in the series on cracking the second one.
