~$ Dissecting the KnightCTF Reverse Engineering challenges!
Posted on Jan. 30th, 2022. | Est. reading time: 5 minutes
Write-ups
Baby Shark (50 points)
During my holiday in Bahamas, I met a baby shark. The shark wanted to sing me something but couldn’t. Can you sing that for me?
Flag Format: KCTF{SomE_T3xT_h3r3}
Once the JAR is downloaded, go to javadecompilers.com, and upload it there.
We obtain a ZIP which we then unpack, revealing the following file structure:
We can see a few interesting Java files, which we’ll get into quickly.
The first is Flag.java, it is not very interesting:
In Strings.java we can see what resembles strings that are Base64 encoded:
If we throw these in a Base64 decoder, the last gives us the flag: KCTF{7H15_W@5_345Y_R16H7?}
Droid Flag (100 points)
One needs to decompile the provided APK, and understand what the decompiled code does, to retrieve the flag.
Once the ZIP is downloaded, extract the APK contained within, then go to javadecompilers.com, and upload it there.
We obtain a ZIP which we then unpack, revealing the following file structure:
We can see a few interesting Java files, which we’ll get into quickly.
The first is MainActivity.java, it contains a few interesting lines:
We can see that this code calls a number of functions in the StringHandler class from the StringHandler.java file, in the following order:
$(S1){$(S3)_$(S2)_$(S4)}
S1gets a value defined in classC074SRwhere the identifier isf112s5S2gets a value defined in classC074SRwhere the identifier isf113s6S3gets a value defined in classC074SRwhere the identifier isf114s7S4gets a value defined in classC074SRwhere the identifier isf115s8
Those values are:
We look for any identifier with those numbers (grep is useful), and find some in public.xml:
We then look for the names provided in strings.xml:
In StringHandler.java we see that the values for S2, S3 and S4 are then reversed, which makes the final flag:$(S1){$(S3)_$(S2)_$(S4)} -> KCTF{aNdR01D_s1MpL3_r3V3rS3}
