Mobile - Red Light Green Light

Medium | 464 points | 86 solves

Description

You are stuck in a game of red light green light, to win you need to press the button when the light is green. Wait all you want, the light has never changed to green for me :(

Solution

Decompile the .apk using an online decompiler.

Decompile .apk

Head over to sources -> com -> nahamcon2023 -> redlightgreenlight and open up the MainActivity.java file to find out what the app is doing.

Decompiled .java file from .dex format

The main logic of the app is in the checkLight() function.

checkLight()

It is also worth looking at the decrypt() function in the Decrypt.java file.

decrypt()

In summary, this is what the app is doing:

  1. Get the decryption key using the Java native function getKey()

  2. Check if the light is red

  3. If the light is red, the app will show that "You cannot move right now..."

  4. If the light is not red, the app will decrypt the AES-encrypted image with the key from step 1 and display the decrypted image

The first thing I attempted was to look into the native getKey() function, which lives in the following shared library file: resources\lib\x86_64\libredlightgreenlight.so

The native function as seen in IDA

The decompiled function is only a few lines long, but we quickly see that the return value passes through a __fastcall helper before being returned, so the key cannot simply be read off the decompilation.

__fastcall at line 46

At this point I tried to use Frida to call this native function and to see the return value dynamically but unfortunately, I couldn't get Frida to attach to the app without crashing it.

Instead, I worked on modifying the .apk. Firstly, we need Apktool; the instructions on how to install it can be found here. Let's take another look at the checkLight() function.

checkLight()

Our goal is to modify line 33 and flip the predicate from if (!this.red) to if (this.red).

The steps:

  1. Using Apktool, we can decompile the .apk once again and get the smali files.

     $ apktool d red_light_green_light.apk

     Decompile using Apktool

  2. Inside the decompiled folder, open up the AndroidManifest.xml file and change the android:extractNativeLibs="false" property to true. I am not sure why, but if you skip this step you will have issues installing the apk later.

     Inside AndroidManifest.xml

  3. Next, navigate to: red_light_green_light\smali\com\nahamcon2023\redlightgreenlight

     smali files

  4. Open up MainActivity.smali; what we are looking for is at line 115.

     if (!this.red) in smali

  5. Modify the predicate to if-eqz and rebuild the apk using Apktool.

     $ apktool b <folder_name> -o <output_apk_name>

     Rebuild .apk

  6. Generate a keystore for signing the .apk.

     $ keytool -genkey -v -keystore my.keystore -alias redlightks -sigalg MD5withRSA -keyalg RSA -keysize 2048 -validity 7300

     Keystore generation

  7. Zipalign the APK.

     $ zipalign.exe -v 4 <input_apk> <output_apk>

     zipalignment

  8. Sign the APK.

     $ apksigner.bat sign --ks <keystore_name> <apk_to_sign>

     Sign APK
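The patch-and-repackage steps above, scripted for a POSIX shell as an added example (not from the writeup). It assumes apktool, zipalign and apksigner are on PATH, that the keystore from step 6 already exists, and that the `if (!this.red)` check compiles to an iget-boolean of the `red` field followed by an if-nez branch; the script name patch_redlight.sh is made up.

```sh
#!/bin/sh
# Added example, not part of the writeup: scripts the patch-and-repackage steps.
# Assumes apktool, zipalign and apksigner are on PATH and the keystore exists.
set -eu

# Step 2: allow the native library to be extracted on install.
set_extract_native_libs() {
    manifest="$1"
    sed -i.bak 's/android:extractNativeLibs="false"/android:extractNativeLibs="true"/' "$manifest"
    rm -f "$manifest.bak"
}

# Steps 4-5: `if (!this.red)` compiles to an iget-boolean of the red field
# followed by an if-nez branch; rewriting that branch to if-eqz inverts the
# predicate. Only the first if-nez after the red field load is rewritten, so
# unrelated branches elsewhere in the file are left alone.
flip_red_predicate() {
    smali="$1"
    awk '
        /iget-boolean .*->red:Z/ { armed = 1 }
        armed && /^[ \t]*if-nez / { sub(/if-nez/, "if-eqz"); armed = 0 }
        { print }
    ' "$smali" > "$smali.patched"
    mv "$smali.patched" "$smali"
}

# Steps 5, 7, 8: rebuild, align and sign. apksigner's --out writes a separate
# file, so a failed signing does not leave a half-written APK behind.
rebuild_and_sign() {
    srcdir="$1"; keystore="$2"; out="$3"
    apktool b "$srcdir" -o "$out.unaligned.apk"
    zipalign -v 4 "$out.unaligned.apk" "$out.aligned.apk"
    apksigner sign --ks "$keystore" --out "$out" "$out.aligned.apk"
    rm -f "$out.unaligned.apk" "$out.aligned.apk"
}

# Usage: sh patch_redlight.sh red_light_green_light.apk my.keystore patched.apk
if [ "$#" -eq 3 ]; then
    srcdir="${1%.apk}"
    apktool d "$1" -o "$srcdir"
    set_extract_native_libs "$srcdir/AndroidManifest.xml"
    flip_red_predicate "$srcdir/smali/com/nahamcon2023/redlightgreenlight/MainActivity.smali"
    rebuild_and_sign "$srcdir" "$2" "$3"
fi
```

After running it, `adb install patched.apk` is the install step described below; check the smali diff first, since a second if-nez following the field load would be the one patched if the compiler ordered the instructions differently.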

Now that we have a modified .apk, launch an emulator from Android Studio and use adb to install it (alternatively, we can drag-and-drop the apk onto the device, but we won't be able to see any installation errors that way).

Install apk using adb
redlightgreenlight apk installed
flag

Flag: flag{29b9edf8fd1e28ea8cd4faa37a6dbf25}