APKey
Mobile challenge
This app contains some unique keys. Can you get one?
Source code review
This code its ofuscated , on mainActivity we saw the code to reverse that could be the one who shows the flag.
1
2
3
4
5
6
7
8
9
10
public b e = new b();
public g f = new g();
if (str.equals("a2a3d412e92d896134d9c9126d756f")) {
Context applicationContext = MainActivity.this.getApplicationContext();
MainActivity mainActivity2 = MainActivity.this;
b bVar2 = mainActivity2.e;
g gVar = mainActivity2.f;
makeText = Toast.makeText(applicationContext, b.a(g.a()), 1);
makeText.show();
}
This code its used to show a message to the user when the hash of the string match a2a3d412e92d896134d9c9126d756f The code for b.a() , as we saw b is instance of class b(), so a is one of this method
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
public class b {
public static String a(String str) {
char charAt = h.a().charAt(0);
char charAt2 = a.a().charAt(8);
char charAt3 = e.a().charAt(5);
char charAt4 = i.a().charAt(4);
char charAt5 = h.a().charAt(1);
char charAt6 = h.a().charAt(4);
char charAt7 = h.a().charAt(3);
char charAt8 = h.a().charAt(3);
char charAt9 = h.a().charAt(0);
char charAt10 = a.a().charAt(8);
char charAt11 = a.a().charAt(8);
char charAt12 = i.a().charAt(0);
char charAt13 = c.a().charAt(3);
char charAt14 = f.a().charAt(3);
char charAt15 = f.a().charAt(0);
char charAt16 = c.a().charAt(0);
SecretKeySpec secretKeySpec = new SecretKeySpec((String.valueOf(charAt) + String.valueOf(charAt2) + String.valueOf(charAt3) + String.valueOf(charAt4) + String.valueOf(charAt5).toLowerCase() + String.valueOf(charAt6) + String.valueOf(charAt7).toLowerCase() + String.valueOf(charAt8) + String.valueOf(charAt9) + String.valueOf(charAt10).toLowerCase() + String.valueOf(charAt11).toLowerCase() + String.valueOf(charAt12) + String.valueOf(charAt13).toLowerCase() + String.valueOf(charAt14) + String.valueOf(charAt15) + String.valueOf(charAt16)).getBytes(), g.b());
Cipher cipher = Cipher.getInstance(g.b());
cipher.init(2, secretKeySpec);
return new String(cipher.doFinal(Base64.decode(str, 0)), "utf-8");
}
}
The method, therefore, performs the following steps in its operation:
- Concatenates specific characters obtained from various sources.
- Uses the concatenation as a key to decrypt a text that is expected to be in Base64 and encrypted with the same algorithm and key.
- Returns the decrypted text as a UTF-8 character string.
So what characters are charAt, charAt2, etc..
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
public class h {
public static String a() {
ArrayList arrayList = new ArrayList();
arrayList.add("8GGfdt");
arrayList.add("7654rF");
arrayList.add("09Hy24");
arrayList.add("56Gth6");
arrayList.add("hdgKj8");
arrayList.add("kdIdu8");
arrayList.add("kHtZuV");
arrayList.add("jHurf6");
arrayList.add("5tgfYt");
arrayList.add("kd9Iuy");
return (String) arrayList.get(6);
}
}
The a() method of the h class creates an ArrayList, adds several strings to this ArrayList, and then returns the string at position 6 of the ArrayList (remembering that positions in an ArrayList start from 0).The ArrayList contains these strings in order, and position 6 corresponds to the string “kHtZuV”. We continue this process with all strings from charAt to charAt16. 
1
2
3
4
SecretKeySpec secretKeySpec = new SecretKeySpec(("kV9qHuZZkVVrGW6F").getBytes(), g.b());
Cipher cipher = Cipher.getInstance(g.b());
cipher.init(2, secretKeySpec);
return new String(cipher.doFinal(Base64.decode(str, 0)), "utf-8");
from g.b() result the algoritm used in the cifer.
1
2
3
4
5
6
public static String b() {
char charAt = d.a().charAt(1);
char charAt2 = i.a().charAt(2);
char charAt3 = i.a().charAt(1);
return String.valueOf(charAt) + String.valueOf(charAt2) + String.valueOf(charAt3);
}
- Base64.decode(str, 0) decodes the Base64 encoded string str. The second argument (0) specifies that the default decoding mode should be used.
- cipher.doFinal(…) decrypts the previously Base64 decoded data, resulting in a byte array that represents the original information in its decrypted form.
- new String(…, “utf-8”) converts the decrypted byte array into a text string, using UTF-8 as the character encoding.
str -> g.a()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
public static String a() {
StringBuilder sb = new StringBuilder();
ArrayList arrayList = new ArrayList();
arrayList.add("722gFc");
arrayList.add("n778Hk");
arrayList.add("jvC5bH");
arrayList.add("lSu6G6");
arrayList.add("HG36Hj");
arrayList.add("97y43E");
arrayList.add("kjHf5d");
arrayList.add("85tR5d");
arrayList.add("1UlBm2");
arrayList.add("kI94fD");
sb.append(arrayList.get(8));
sb.append(h.a());
sb.append(i.a());
sb.append(f.a());
sb.append(e.a());
ArrayList arrayList2 = new ArrayList();
arrayList2.add("ue7888");
arrayList2.add("6HxWkw");
arrayList2.add("gGhy77");
arrayList2.add("837gtG");
arrayList2.add("HyTg67");
arrayList2.add("GHR673");
arrayList2.add("ftr56r");
arrayList2.add("kikoi9");
arrayList2.add("kdoO0o");
arrayList2.add("2DabnR");
sb.append(arrayList2.get(9));
sb.append(c.a());
ArrayList arrayList3 = new ArrayList();
arrayList3.add("jH67k8");
arrayList3.add("8Huk89");
arrayList3.add("fr5GtE");
arrayList3.add("Hg5f6Y");
arrayList3.add("o0J8G5");
arrayList3.add("Wod2bk");
arrayList3.add("Yuu7Y5");
arrayList3.add("kI9ko0");
arrayList3.add("dS4Er5");
arrayList3.add("h93Fr5");
sb.append(arrayList3.get(5));
sb.append(d.a());
sb.append(a.a());
return sb.toString();
}
Adding this to our code we find the value for str 
But when i try to reply
1
2
3
4
5
6
7
8
9
10
try {
String str = "1UlBm2kHtZuVrSE6qY6HxWkwHyeaX92DabnRFlEGyLWod2bkwAxcoc85S94kFpV1";
SecretKeySpec secretKeySpec = new SecretKeySpec(result.getBytes(), algo);
Cipher cipher = Cipher.getInstance(algo);
cipher.init(Cipher.DECRYPT_MODE, secretKeySpec);
String flag = new String(cipher.doFinal(Base64.getDecoder().decode(str)), "UTF-8");
System.out.println(flag);
} catch (Exception e) {
e.printStackTrace();
}
It doesn’t work ! , and offcourse i was missing .toLowerCase() on some values for the key
Proof of Concept
Compile with java 18
1
2
javac Main.java
java Main
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
import java.util.ArrayList;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.util.Base64;
public class Main {
public static void main(String[] args) {
char charAt = h.a().charAt(0);
char charAt2 = a.a().charAt(8);
char charAt3 = e.a().charAt(5);
char charAt4 = i.a().charAt(4);
char charAt5 = h.a().charAt(1);
char charAt6 = h.a().charAt(4);
char charAt7 = h.a().charAt(3);
char charAt8 = h.a().charAt(3);
char charAt9 = h.a().charAt(0);
char charAt10 = a.a().charAt(8);
char charAt11 = a.a().charAt(8);
char charAt12 = i.a().charAt(0);
char charAt13 = c.a().charAt(3);
char charAt14 = f.a().charAt(3);
char charAt15 = f.a().charAt(0);
char charAt16 = c.a().charAt(0);
String result = String.valueOf(charAt) + String.valueOf(charAt2) + String.valueOf(charAt3)
+ String.valueOf(charAt4) + String.valueOf(charAt5).toLowerCase() + String.valueOf(charAt6)
+ String.valueOf(charAt7).toLowerCase() + String.valueOf(charAt8) + String.valueOf(charAt9)
+ String.valueOf(charAt10).toLowerCase() + String.valueOf(charAt11).toLowerCase()
+ String.valueOf(charAt12) + String.valueO(charAt13).toLowerCase() + String.valueOf(charAt14)
+ String.valueOf(charAt15) + String.valueOf(charAt16);
System.out.println("charAt to charAt16 is: '" + result + "'");
char keyAt = d.a().charAt(1);
char keyAt2 = i.a().charAt(2);
char keyAt3 = i.a().charAt(1);
String algo = String.valueOf(keyAt) + String.valueOf(keyAt2) + String.valueOf(keyAt3);
System.out.println("Algo is: '" + algo + "'");
System.out.println(a());
try {
SecretKeySpec secretKeySpec = new SecretKeySpec(result.getBytes(), algo);
Cipher cipher = Cipher.getInstance(algo);
cipher.init(2, secretKeySpec);
String flag = new String(cipher.doFinal(Base64.getDecoder().decode(a())), "UTF-8");
System.out.println(flag);
} catch (Exception e) {
e.printStackTrace();
}
}
public static String a() {
StringBuilder sb = new StringBuilder();
ArrayList arrayList = new ArrayList();
arrayList.add("722gFc");
arrayList.add("n778Hk");
arrayList.add("jvC5bH");
arrayList.add("lSu6G6");
arrayList.add("HG36Hj");
arrayList.add("97y43E");
arrayList.add("kjHf5d");
arrayList.add("85tR5d");
arrayList.add("1UlBm2");
arrayList.add("kI94fD");
sb.append(arrayList.get(8));
sb.append(h.a());
sb.append(i.a());
sb.append(f.a());
sb.append(e.a());
ArrayList arrayList2 = new ArrayList();
arrayList2.add("ue7888");
arrayList2.add("6HxWkw");
arrayList2.add("gGhy77");
arrayList2.add("837gtG");
arrayList2.add("HyTg67");
arrayList2.add("GHR673");
arrayList2.add("ftr56r");
arrayList2.add("kikoi9");
arrayList2.add("kdoO0o");
arrayList2.add("2DabnR");
sb.append(arrayList2.get(9));
sb.append(c.a());
ArrayList arrayList3 = new ArrayList();
arrayList3.add("jH67k8");
arrayList3.add("8Huk89");
arrayList3.add("fr5GtE");
arrayList3.add("Hg5f6Y");
arrayList3.add("o0J8G5");
arrayList3.add("Wod2bk");
arrayList3.add("Yuu7Y5");
arrayList3.add("kI9ko0");
arrayList3.add("dS4Er5");
arrayList3.add("h93Fr5");
sb.append(arrayList3.get(5));
sb.append(d.a());
sb.append(a.a());
return sb.toString();
}
}
class h {
public static String a() {
ArrayList<String> arrayList = new ArrayList<String>();
arrayList.add("8GGfdt");
arrayList.add("7654rF");
arrayList.add("09Hy24");
arrayList.add("56Gth6");
arrayList.add("hdgKj8");
arrayList.add("kdIdu8");
arrayList.add("kHtZuV");
arrayList.add("jHurf6");
arrayList.add("5tgfYt");
arrayList.add("kd9Iuy");
return arrayList.get(6);
}
}
class a {
public static String a() {
ArrayList arrayList = new ArrayList();
arrayList.add("LmBf5G6h9j");
arrayList.add("3De3f4HbnK");
arrayList.add("hdKD7b87yb");
arrayList.add("85S94kFpV1");
arrayList.add("dCV4f5G90h");
arrayList.add("34Jnf8ku4F");
arrayList.add("ld7HV5F4d2");
arrayList.add("el0oY7gF54");
arrayList.add("lsKJt69jo8");
arrayList.add("Kju87F5dhk");
return (String) arrayList.get(3);
}
}
class e {
public static String a() {
ArrayList arrayList = new ArrayList();
arrayList.add("TG7ygj");
arrayList.add("U8uu8i");
arrayList.add("gGtT56");
arrayList.add("84hYDG");
arrayList.add("ejhHy6");
arrayList.add("7ytr4E");
arrayList.add("j5jU87");
arrayList.add("HyeaX9");
arrayList.add("jd9Idu");
arrayList.add("kd546G");
return (String) arrayList.get(7);
}
}
class i {
public static String a() {
ArrayList arrayList = new ArrayList();
arrayList.add("9GDFt6");
arrayList.add("83h736");
arrayList.add("kdiJ78");
arrayList.add("vcbGT6");
arrayList.add("rSE6qY");
arrayList.add("kFgde4");
arrayList.add("5drDr4");
arrayList.add("Y6ttr5");
arrayList.add("444w45");
arrayList.add("hjKd56");
return (String) arrayList.get(4);
}
}
class c {
public static String a() {
ArrayList arrayList = new ArrayList();
arrayList.add("5d5d6Y");
arrayList.add("g7Fr3d");
arrayList.add("44r5T5");
arrayList.add("Hg6t89");
arrayList.add("FlEGyL");
arrayList.add("8iIi89");
arrayList.add("uiu445g");
arrayList.add("JJgF55");
arrayList.add("lhjko0");
arrayList.add("t53rfs");
return (String) arrayList.get(4);
}
}
class f {
public static String a() {
ArrayList arrayList = new ArrayList();
arrayList.add("JuFtt5");
arrayList.add("6HxWkw");
arrayList.add("ojG4es");
arrayList.add("yhngR4");
arrayList.add("fFdsEe");
arrayList.add("8878yu");
arrayList.add("h6h6y7");
arrayList.add("juJ8i9");
arrayList.add("sfrt46");
arrayList.add("ksid80");
return (String) arrayList.get(1);
}
}
class d {
public static String a() {
ArrayList arrayList = new ArrayList();
arrayList.add("wAxcoc");
arrayList.add("j48duH");
arrayList.add("kJDH78");
arrayList.add("748HDj");
arrayList.add("jDKDO9");
arrayList.add("UJuiu8");
arrayList.add("637g73");
arrayList.add("kd0o0d");
arrayList.add("l3K39I");
arrayList.add("lSPgt6");
return (String) arrayList.get(0);
}
}
This post is licensed under CC BY 4.0 by the author.