How to pwn cocon.apk?
cocon.apk is a CTF Android app, and the task is to decrypt the hash value it hides (the CTF flag). Prepare a smartphone and install the apk. If the install succeeds, the Android launcher shows an icon named com.co.con.
Open the app. The main window looks as follows: it says “Hello World, cocon!” and “KEY: Key is disable”:
To understand the app's code structure, reverse it with jadx. In the decompiled code, change int key_val = 0; to int key_val = 1;
Rebuild the apk project, sign the apk, and install it on the smartphone.
Pwned, we get the flag key.
How to decompile an APK file?
If jadx is not available on your local computer or from a remote source, download jadx-0.6.1.zip and extract it.
root@sh:~/andriod_security# jadx -d /root/android_security/cocon_jadx/ /root/andriod_security/cocon.apk
22:19:36 INFO - loading ...
22:19:36 INFO - processing ...
22:19:37 INFO - done
If you decompile the apk with jadx, you will need Gradle or Android Studio to rebuild the apk from the recovered sources. Of course, apktool can also do it.
root@sh:~/andriod_security# apktool d cocon.apk -o cocon_apktool/
I: Using Apktool 2.2.1-dirty on cocon.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
root@sh:~/andriod_security# ls -l cocon_apktool/
total 20
-rw-r--r-- 1 root root 549 Dec 12 22:23 AndroidManifest.xml
-rw-r--r-- 1 root root 370 Dec 12 22:23 apktool.yml
drwxr-xr-x 3 root root 4096 Dec 12 22:23 original
drwxr-xr-x 7 root root 4096 Dec 12 22:23 res
drwxr-xr-x 3 root root 4096 Dec 12 22:23 smali
How to compile src into an APK file?
Rebuild the apk from the files apktool extracted.
root@sh:~/andriod_security# apktool b cocon_apktool -o cocon_pwned.apk
I: Using Apktool 2.2.1
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...
How to sign an APK file?
If the apk is built successfully, we can try to install it on the smartphone.
root@sh:~/andriod_security# adb install cocon_pwned.apk
Failed to install cocon_pwned.apk: Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Failed to collect certificates from /data/app/vmdl1691373271.tmp/base.apk: Attempt to get length of null array]
Every Android .apk needs to be signed if it is going to be installed on a phone, even if you’re not installing through the Market.
root@sh:~/andriod_security# bash apksign.sh cocon_pwned.apk
[+] 1. Generate a new key for android apk sign
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Google
What is the name of your organizational unit?
[Unknown]: IT
What is the name of your organization?
[Unknown]: Google
What is the name of your City or Locality?
[Unknown]: FF
What is the name of your State or Province?
[Unknown]: FL
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Google, OU=IT, O=Google, L=FF, ST=FL, C=US correct?
[no]: yes
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 1,000 days
for: CN=Google, OU=IT, O=Google, L=FF, ST=FL, C=US
Enter key password for <at>
(RETURN if same as keystore password):
Re-enter new password:
[Storing google.key]
[+] 2. Sign android apk
Enter Passphrase for keystore:
adding: META-INF/MANIFEST.MF
adding: META-INF/AT.SF
adding: META-INF/AT.RSA
signing: AndroidManifest.xml
signing: classes.dex
signing: res/drawable-hdpi-v4/icon.png
signing: res/drawable-ldpi-v4/icon.png
signing: res/drawable-mdpi-v4/icon.png
signing: res/layout/main.xml
signing: resources.arsc
jar signed.
Warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2019-09-08) or after any future revocation date.
[+] 3. Verify sign result
s 589 Mon Dec 12 22:13:38 CST 2016 META-INF/MANIFEST.MF
710 Mon Dec 12 22:13:38 CST 2016 META-INF/AT.SF
1302 Mon Dec 12 22:13:38 CST 2016 META-INF/AT.RSA
sm 1584 Wed Dec 31 18:00:00 CST 1980 AndroidManifest.xml
sm 3748 Wed Dec 31 18:00:00 CST 1980 classes.dex
sm 3941 Wed Dec 31 18:00:00 CST 1980 res/drawable-hdpi-v4/icon.png
sm 1537 Wed Dec 31 18:00:00 CST 1980 res/drawable-ldpi-v4/icon.png
sm 2200 Wed Dec 31 18:00:00 CST 1980 res/drawable-mdpi-v4/icon.png
sm 816 Wed Dec 31 18:00:00 CST 1980 res/layout/main.xml
sm 1584 Wed Dec 31 18:00:00 CST 1980 resources.arsc
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
Warning:
This jar contains entries whose certificate chain is not validated.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2019-09-08) or after any future revocation date.
Re-run with the -verbose and -certs options for more details.
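The failed adb install above and the flag legend printed by jarsigner -verify both concern the v1 (JAR) signature scheme: META-INF/MANIFEST.MF carries a digest for every entry, the .SF file carries digests of the manifest, and the .RSA block holds the signature over the .SF file. The following Python is an added example, not code from the original write-up. It inspects an APK the way a pre-install sanity check would: are the signature files present at all (the INSTALL_PARSE_FAILED_NO_CERTIFICATES case), and does each entry's SHA1-Digest in MANIFEST.MF still match the entry's content (jarsigner's 'm' flag)? It does not verify the PKCS#7 block itself (the 's' flag), which jarsigner does. The sample APK contents, the AT.SF/AT.RSA placeholders and all file names are constructed for the example.

```python
# Added example (not part of the original write-up): a minimal check of an APK's
# v1 (JAR) signature metadata, the scheme jarsigner applies and that Android
# looks for when it reports INSTALL_PARSE_FAILED_NO_CERTIFICATES.
import base64
import hashlib
import io
import zipfile

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")   # signature block files jarsigner writes


def parse_manifest(raw: bytes) -> dict:
    """Return {entry_name: {header: value}} for the per-entry sections of MANIFEST.MF."""
    text = raw.decode("utf-8").replace("\r\n", "\n")
    text = text.replace("\n ", "")          # unfold 72-byte continuation lines
    sections = {}
    for block in text.split("\n\n"):
        headers = {}
        for line in block.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                headers[key] = value
        if "Name" in headers:
            sections[headers["Name"]] = headers
    return sections


def sha1_b64(data: bytes) -> str:
    """Digest encoding used by the SHA1-Digest manifest header."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def check_apk_v1_signature(apk_bytes: bytes) -> dict:
    """Report whether the APK carries v1 signature files and, per entry, whether its
    SHA1-Digest in MANIFEST.MF matches the entry's content ('m' like jarsigner, else '-').
    The 's' flag (signature over the .SF file) needs CMS verification and is not done here."""
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = zf.namelist()
    has_sf = any(n.startswith("META-INF/") and n.endswith(".SF") for n in names)
    has_block = any(n.startswith("META-INF/") and n.upper().endswith(SIG_BLOCK_EXTS) for n in names)
    manifest = {}
    if "META-INF/MANIFEST.MF" in names:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
    entries = {}
    for name in names:
        if name.startswith("META-INF/") or name.endswith("/"):
            continue
        expected = manifest.get(name, {}).get("SHA1-Digest")
        entries[name] = "m" if expected == sha1_b64(zf.read(name)) else "-"
    return {"signed": has_sf and has_block, "entries": entries}


# --- constructed sample inputs (toy contents, not the real cocon.apk) ---
SAMPLE_FILES = {
    "AndroidManifest.xml": b"<manifest package='com.co.con'/>",
    "classes.dex": b"dex\n035\x00toy-dex-bytes",
    "res/layout/main.xml": b"<LinearLayout/>",
}


def build_manifest(files: dict) -> bytes:
    """Write a MANIFEST.MF in the layout jarsigner produces (one section per entry)."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in files.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()


def make_apk(files: dict, signed: bool) -> bytes:
    """Zip the files; with signed=True add the META-INF trio (placeholder signature block)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", build_manifest(files))
            zf.writestr("META-INF/AT.SF", b"Signature-Version: 1.0\r\n")   # placeholder
            zf.writestr("META-INF/AT.RSA", b"placeholder-pkcs7-block")      # placeholder, not a real signature
    return buf.getvalue()


def tamper(apk_bytes: bytes, name: str, new_data: bytes) -> bytes:
    """Replace one entry after signing, the way an edit without re-signing would."""
    src = zipfile.ZipFile(io.BytesIO(apk_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info.filename))
    return buf.getvalue()


if __name__ == "__main__":
    print("apktool b output (unsigned):", check_apk_v1_signature(make_apk(SAMPLE_FILES, signed=False)))
    print("after jarsigner:", check_apk_v1_signature(make_apk(SAMPLE_FILES, signed=True)))
    edited = tamper(make_apk(SAMPLE_FILES, signed=True), "classes.dex", b"patched")
    print("edited after signing:", check_apk_v1_signature(edited))
```

Run it and the unsigned build (what apktool b leaves you with) reports no signature files and '-' for every entry; the signed build reports 'm' throughout; editing classes.dex after signing flips that one entry back to '-' while the signature files are still present, which is why any smali change must be followed by re-signing before install.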
apksign.sh
#!/bin/bash
# apksign.sh: generate a throwaway signing key and sign an apk with it.
# keytool creates the keystore on every run; to sign again, delete it or change KEYNAME.
APKFILE=$1
KEYNAME="google.key"   # keystore file written by keytool (the "[Storing google.key]" line above)
ALIASNAME="at"         # key alias; keytool and jarsigner must use the same one
[[ -z "$APKFILE" ]] && echo "[*] Usage: $0 <apkfile>" && exit 1
echo "[+] 1. Generate a new key for android apk sign"
keytool -genkey -v -keystore "$KEYNAME" -alias "$ALIASNAME" -keyalg RSA -keysize 2048 -validity 1000
echo "[+] 2. Sign android apk"
# MD5withRSA and SHA1 are weak; prefer -sigalg SHA256withRSA -digestalg SHA-256 where the target Android version supports them.
jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore "$KEYNAME" "$APKFILE" "$ALIASNAME"
echo "[+] 3. Verify sign result"
jarsigner -verify -verbose "$APKFILE"