CTFtime.org

pinlock

by youben / Sudo_root

Tags: engineering rever reverse android 

Rating: 3.5


|Challenge |
|------------|
|It's the developer's first mobile application.hey are trying their hand at storing secrets securely. Could one of them be the flag? (150 pts)|

|file|
|-------------|
|[pinstore.apk](https://github.com/youben11/BSides-San-Francisco-CTF-2017/blob/master/pinstore.apk)|

We start by : unzip pinstore.apk
then convert the classes.dex file to jar by using : d2j-dex2jar classes.dex
we have now to extract the jar file and decompile all class file using javadecompiler

we can start by reading MainActivity.java : we have to enter a pin which will be compared to the pin provided by
DatabaseUtilities.fetchpin(), so we read the DatabaseUtilities.java and find this interesting line :

Cusror cursor = db.rawQuery("SELECT pin FROM pinDB" , null);

we search for a database file and find assets/pinlock.db

[youben@youben assets]$ sqlite3 pinlock.db

SQLite version 3.14.2 2016-09-12 18:50:49

Enter ".help" for usage hints.

sqlite> SELECT pin FROM pinDB;

d8531a519b3d4dfebece0259f90b466a23efc57b

we can easily find the pin by searching on google 7498

we can also read assets/README:

v1.0:
- Pin database with hashed pins

v1.1:
- Added AES support for secret

v1.2:
- Derive key from pin
[To-do: switch to the new database]

So now we know that we have to switch to the new db

after reading SecretDisplay.java and CryptoUtilities.java we know that the app is reading a secret from the databases and
using an algorithm to decrypt it, but we have two secret and two algorithm and all what we need to do is switching to
the second secret and algorithm.

we convert the classes.dex to a smali to patches it

[youben@youben pinstore]$ baksmali classes.dex

we modify SecretDisplay.smali :

const-string v7, "v1" --> const-string v7, "v2" // (line 74) to switch to the second algorithm

and modify the DatabaseUtilities.smali :

const-string v1, "SELECT entry FROM secretsDBv1" --> const-string v1, "SELECT entry FROM secretsDBv2" //(line 315) to switch to the second table and get the second secret

we can now rebuild the app :

[youben@youben pinstore]$ smali out/ -o classes.dex

[youben@youben patches]$ ls

AndroidManifest.xml assets classes.dex res resources.arsc // (the new classes.dex)

[youben@youben patches]$ jar -cvf myapp.apk *
//(use you keystore to sign the jar)

[youben@youben patches]$ adb install myapp.apk

[100%] /data/local/tmp/myapp.apk

pkg: /data/local/tmp/myapp.apk

Success

run the app, enter the pin ... you can see the flag.

Original writeup (https://github.com/youben11/BSides-San-Francisco-CTF-2017/blob/master/pinlock-reverse-mobile.md).

Comments

sudoFeb. 14, 2017, 4:09 p.m.

good ^^

sudoFeb. 14, 2017, 4:09 p.m.

good