OWASP Android Crackme Level 1

The goal is to get the password to this app. APK Download


Running the app

First, install the APK on an emulator or device with adb install UnCrackable-Level1.apk.

Running it unpatched on an emulator

Running it unpatched on an emulator

The app yells at us about the emulator being rooted, so we’ll have to patch that out. In the background we can see that there is a text box prompting for a password.


Decompiling

Convert the APK to a JAR with dex2jar by running d2j-dex2jar -o app.jar UnCrackable-Level1.apk. Then make a new directory to store the source code, I’m calling it java. I will use fernflower to decompile the JAR into sources java -jar fernflower.jar app.jar -o java. This generates a jar file inside the directory, and the sources can be obtained by unzipping it.

In the onCreate() method we can see that it uses the c class in a to check for root. Main Activity

Examining the c class shows that it has several methods to do root checking. Root Checker

There are several ways that we can make all of them return true, I’m going to be using the patching method. However we have to decompile the APK into another format called smali which is like assembler but for dex. This is easily accomplished with apktool d UnCrackable-Level1.apk.

The smali disassembly of the root checker class looks like this. Smali of c class


Patching

Take a look at this part of the disassembly.

const-string v6, "su"

invoke-direct {v5, v4, v6}, Ljava/io/File;-><init>(Ljava/lang/String;Ljava/lang/String;)V

invoke-virtual {v5}, Ljava/io/File;->exists()Z

move-result v4

if-eqz v4, :cond_0

const/4 v0, 0x1

return v0

:cond_0
add-int/lit8 v3, v3, 0x1

v0, v1, v2, v3… those are registers. The method returns the v0 register when root is detected, so to bypass the check we can change the line before the return to.

const/4 v0, 0x0

This causes the method to return false instead of true, and we just have to do the same to the other methods.


Building and running

With the same tool, the APK can be built with apktool b UnCrackable-Level1 -o patched-unsigned.apk. To install it, signing is required, for that refer to here. Then remove the app and install the patched version with:

$ adb uninstall owasp.mstg.uncrackable && adb install patched-signed.apk

Launching the app should now show no prompt.

Patched app

Patched app


Static analysis for secret

Decompiled uncrackable1.a class

Back to the Java sources, the input seem to be checked with uncrackable1.a.a, and the source for that shows a base64 string and what seems like a key. I say key because it is hex and 32 characters long, usually that is an AES-128 key in CTFs, this is reinforced with “AES error: “ being logged on failure.

Decompiled a.a class

The other a class tells us that it is decrypted with AES in ECB mode and PKCS7 padding. Since it is in ECB mode, we already have everything we need to decrypt the base64 string. Just decrypt the string with openssl

$ echo 5UJiFctbmgbDoLXmpL12mkno8HT4Lv8dlat8FxR2GOc= | openssl enc -aes-128-ecb -base64 -d -nopad -K 8d127684cbc37c17616d806cf50473cc
I want to believe
Typing that into the app solves this crack me.

Typing that into the app solves this crack me.