# Mobile - Red Light Green Light

## Description

You are stuck in a game of red light green light, to win you need to press the button when the light is green. Wait all you want, the light has never changed to green for me :(

## Downloads

{% file src="/files/94aYq7gNrzmNZtbPFvUU" %}

## Solution

Decompile the .apk using an [online decompiler](http://www.javadecompilers.com/apk).

<figure><img src="/files/r5Cb7hQfZ93xU8kgxEHK" alt=""><figcaption><p>Decompile .apk</p></figcaption></figure>

Head over to `sources -> com -> nahamcon2023 -> redlightgreenlight` and open up the `MainActivity.java` file to find out what the app is doing.

<figure><img src="/files/1aLFeigStZMM8FLebQfT" alt=""><figcaption><p>Decompiled .java file from .dex format</p></figcaption></figure>

The main logic of the app is in the `checkLight()` function.

<figure><img src="/files/Lw7EJhk60qaANNIOOe7l" alt=""><figcaption><p><code>checkLight()</code></p></figcaption></figure>

It is also worth looking at the `decrypt()` function in the `Decrypt.java` file.

<figure><img src="/files/M8AEow6kFIPXgMpDurKu" alt=""><figcaption><p><code>decrypt()</code></p></figcaption></figure>

In summary, this is what the app does:

1. Fetch the decryption key from `getKey()`, a JNI method implemented in a native shared library bundled with the app rather than in the Java code
2. Check whether the light is red
3. If the light is red, show the message "You cannot move right now..."
4. If the light is not red, decrypt the AES-encrypted image with the key from step 1 and display the result

The first thing I attempted was to look into the native `getKey()` function. It lives in the following shared library file: **resources\lib\x86_64\libredlightgreenlight.so**

<figure><img src="/files/7RuLhzISvXEM3SnEuzVM" alt=""><figcaption><p>The native function as seen in IDA</p></figcaption></figure>

The decompiled function is only a few lines long, but the value it returns is not a plain string literal: it is produced by a call to another function (IDA shows it with the `__fastcall` convention) just before the return, so the key cannot simply be read off the binary as a string constant.

<figure><img src="/files/XZDq1bakOG2qkjRhkinm" alt=""><figcaption><p><code>__fastcall</code> at line 46</p></figcaption></figure>

At this point I tried to use Frida to call this native function and see the return value dynamically, but unfortunately I couldn't get Frida to attach to the app without crashing it.

Instead, I worked on modifying the .apk. First, we need **Apktool**; installation instructions can be found [here](https://ibotpeaches.github.io/Apktool/install/). Let's take another look at the `checkLight()` function.

<figure><img src="/files/L5Q3Y0oGruIv7icaBzow" alt=""><figcaption><p><code>checkLight()</code></p></figcaption></figure>

Our goal is to modify line 33 and flip the predicate from `if (!this.red)` to `if (this.red)`, so that the decrypt-and-display branch runs when the light is red, which is the only state the app ever shows.

The steps:

1. Using **Apktool**, decode the .apk to get the smali files.

```
$ apktool d red_light_green_light.apk
```

<figure><img src="/files/YF6Jun1UiBq4RrcQQfrg" alt=""><figcaption><p>Decompile using Apktool</p></figcaption></figure>

2. Inside the decompiled folder, open up the **AndroidManifest.xml** file and change the `android:extractNativeLibs="false"` property to `true`. I am not sure why but if you skip this step, you will have issues installing the apk later.

<figure><img src="/files/RplaKnzCOJnqATFed5gA" alt=""><figcaption><p>Inside AndroidManifest.xml</p></figcaption></figure>

3. Next, navigate to **red\_light\_green\_light\smali\com\nahamcon2023\redlightgreenlight** and open up `MainActivity.smali`. What we are looking for is at line 115.

<figure><img src="/files/3p9UeMVMZLTidHO8qUBM" alt=""><figcaption><p>smali files</p></figcaption></figure>

<figure><img src="/files/D8NJ0bV74WKgMjU3K5Hf" alt=""><figcaption><p><code>if (!this.red)</code> in smali</p></figcaption></figure>

4. Change the branch opcode on that line to `if-eqz`, which inverts the condition (the branch to the "cannot move" path is now taken only when `red` is false), and rebuild the apk using **Apktool**

```
$ apktool b <folder_name> -o <output_apk_name>
```

<figure><img src="/files/HcoC1Sqd5sHdw35LPHyt" alt=""><figcaption><p>Rebuild .apk</p></figcaption></figure>

5. Generate a keystore for signing the .apk

```
keytool -genkey -v -keystore my.keystore -alias redlightks -sigalg MD5withRSA -keyalg RSA -keysize 2048 -validity 7300
```

`MD5withRSA` is obsolete and recent JDKs flag it as a security risk when generating the certificate; `SHA256withRSA` works identically for this purpose. The keystore and key passwords you enter here are needed again in the signing step.

<figure><img src="/files/HQCBPLAjnLwIqLD70wme" alt=""><figcaption><p>Keystore generation</p></figcaption></figure>

6. Zipalign the APK. Alignment must happen before signing: the v2 signature scheme covers the archive bytes, so re-aligning a signed APK invalidates its signature.

```
zipalign.exe -v 4 <input_apk> <output_apk>
```
```

<figure><img src="/files/dLBDIn87VJQLpllbqm83" alt=""><figcaption><p>zipalignment</p></figcaption></figure>

7. Sign the APK. Without `--out`, apksigner signs the file in place and prompts for the keystore password.

```
apksigner.bat sign --ks <keystore_name> <apk_to_sign>
```
```

<figure><img src="/files/JKEwuf7U0F1TbFA0iSuF" alt=""><figcaption><p>Sign APK</p></figcaption></figure>

Now that we have a modified and signed .apk, launch a device in Android Studio and install it with **adb** (alternatively we can drag-and-drop the apk into the device, but we won't see the install errors that way). If the original app is still installed, uninstall it first: it is signed with the challenge author's key, and a package signed with a different key cannot update it.

<figure><img src="/files/q57RCqsKBk771I7UAjza" alt=""><figcaption><p>Install apk using adb</p></figcaption></figure>
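The whole repack pipeline from steps 1 to 7 plus the install, as an added example in POSIX shell (this is not the original write-up's code). It assumes Linux/macOS tool names (`apktool`, `zipalign`, `apksigner`, `keytool`, `adb` on PATH; the write-up used the `.exe`/`.bat` variants on Windows), that the guarding boolean field is called `red` (inferred from `if (!this.red)` in the decompile), and that the application ID equals the `com.nahamcon2023.redlightgreenlight` package seen in the decompiled sources. Instead of editing a fixed line number, `flip_red_branch` locates the `iget-boolean ... ->red:Z` load and rewrites the `if-nez` that follows it, and refuses to patch unless it finds exactly one such site.

```shell
#!/bin/sh
# Added example (not from the original write-up): repack the challenge APK with
# the checkLight() branch inverted, then align, sign and install it.
# Assumptions: apktool, zipalign, apksigner, keytool and adb are on PATH; the
# guarding field is `red` (from `if (!this.red)` in the decompile); the
# application ID equals the package name com.nahamcon2023.redlightgreenlight.
set -eu

APK=${APK:-red_light_green_light.apk}
WORK=${WORK:-red_light_green_light}      # apktool's default output directory
OUT=${OUT:-rlgl_patched.apk}
KS=${KS:-my.keystore}
ALIAS=redlightks
KSPASS=${KSPASS:-changeit}               # throwaway signing key for a CTF repack
PKG=com.nahamcon2023.redlightgreenlight  # assumed to match the applicationId

# `if (!this.red) { decrypt } else { refuse }` compiles to an iget-boolean of
# ->red:Z followed by `if-nez vN, :label` (branch to the refusal when red is
# true). Rewriting that opcode to `if-eqz` inverts the check. The site is found
# by pattern, not line number, and the patch is only applied when exactly one
# such site exists, so an unexpected second match fails loudly instead of
# silently mangling the method.
flip_red_branch() {
    smali=$1
    awk '
        /iget-boolean .*->red:Z/        { armed = 1; print; next }   # load of this.red
        armed && /^[[:space:]]*$/       { print; next }              # baksmali blank line between instructions
        armed && /^[[:space:]]*if-nez / { sub(/if-nez/, "if-eqz"); n++ }
                                        { armed = 0; print }
        END { if (n != 1) {
                  print ("expected exactly one red-check branch, found " n+0) > "/dev/stderr"
                  exit 1 } }
    ' "$smali" > "$smali.tmp" && mv "$smali.tmp" "$smali" || { rm -f "$smali.tmp"; return 1; }
}

repack() {
    apktool d -f "$APK" -o "$WORK"
    flip_red_branch "$WORK/smali/com/nahamcon2023/redlightgreenlight/MainActivity.smali"
    # Same manifest change as step 2 of the write-up.
    sed 's/android:extractNativeLibs="false"/android:extractNativeLibs="true"/' \
        "$WORK/AndroidManifest.xml" > "$WORK/AndroidManifest.xml.tmp"
    mv "$WORK/AndroidManifest.xml.tmp" "$WORK/AndroidManifest.xml"
    apktool b "$WORK" -o "$WORK.unaligned.apk"
    # Non-interactive keystore; SHA256withRSA instead of the obsolete MD5withRSA.
    [ -f "$KS" ] || keytool -genkeypair -keystore "$KS" -alias "$ALIAS" \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 7300 \
        -storepass "$KSPASS" -keypass "$KSPASS" -dname "CN=rlgl-repack"
    # Align before signing: the v2 signature covers the archive bytes, so
    # aligning afterwards would break it. -p page-aligns uncompressed .so files,
    # which is what extractNativeLibs="false" would have required anyway.
    zipalign -p -f 4 "$WORK.unaligned.apk" "$OUT"
    apksigner sign --ks "$KS" --ks-key-alias "$ALIAS" --ks-pass "pass:$KSPASS" "$OUT"
    apksigner verify --print-certs "$OUT"
}

install_patched() {
    # The stock app carries the challenge author's signature; a package signed
    # with another key cannot update it (INSTALL_FAILED_UPDATE_INCOMPATIBLE).
    adb uninstall "$PKG" >/dev/null 2>&1 || true
    adb install "$OUT"
}

case "${1:-}" in
    repack)  repack ;;
    install) install_patched ;;
    all)     repack; install_patched ;;
    "")      ;;   # no verb: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 {repack|install|all}" >&2; exit 2 ;;
esac
```

Run it as `sh repack.sh all`, or `repack` and `install` separately; with no argument it only defines the functions. Two orderings matter: zipalign before apksigner, because the v2 scheme signs the archive bytes, and uninstall before install, because a package signed by a different key cannot update the original.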

<figure><img src="/files/9GdQqACvJh9TEfkZuLx5" alt="" width="563"><figcaption><p>redlightgreenlight apk installed</p></figcaption></figure>

<figure><img src="/files/AocAn6cGRtPPVmBDfHGn" alt="" width="246"><figcaption><p>flag</p></figcaption></figure>

Flag: `flag{29b9edf8fd1e28ea8cd4faa37a6dbf25}`

