Click Button! Attack Virus!
Points: 200 Category: Offensive
Description: VirusClicker
MD5: 1a0462c2bc27bdd3a5045036c36c3e31
Solution
After downloading the APK and installing it on my BlueStacks Emulator, you see this screen that requires us to press on the button for 10’000’000 times…
We first use apktool to decompile the apk into the respective smali code.
The part of the code that we’re interested in is the onTouchEvent that is called on every press.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
.method public onTouchEvent(Landroid/view/MotionEvent;)Z
.locals 4
const/4 v3, 0x1
invoke-virtual {p1}, Landroid/view/MotionEvent;->getAction()I
move-result v0
packed-switch v0, :pswitch_data_0
:cond_0
:goto_0
return v3
:pswitch_0
iput-boolean v3, p0, Lcom/tm/ctf/clicker/activity/c;->h:Z
goto :goto_0
:pswitch_1
const/4 v0, 0x0
iput-boolean v0, p0, Lcom/tm/ctf/clicker/activity/c;->h:Z
iget v0, p0, Lcom/tm/ctf/clicker/activity/c;->g:I
add-int/lit8 v0, v0, 0x1
iput v0, p0, Lcom/tm/ctf/clicker/activity/c;->g:I
invoke-static {}, Lcom/tm/ctf/clicker/a/a;->b()V
const/16 v0, 0xeb9
iget v1, p0, Lcom/tm/ctf/clicker/activity/c;->g:I
if-eq v0, v1, :cond_1
const/16 v0, 0x2717
iget v1, p0, Lcom/tm/ctf/clicker/activity/c;->g:I
if-eq v0, v1, :cond_1
const v0, 0xe767
iget v1, p0, Lcom/tm/ctf/clicker/activity/c;->g:I
if-eq v0, v1, :cond_1
const v0, 0x186a3
iget v1, p0, Lcom/tm/ctf/clicker/activity/c;->g:I
if-eq v0, v1, :cond_1
const v0, 0x78e75
iget v1, p0, Lcom/tm/ctf/clicker/activity/c;->g:I
if-eq v0, v1, :cond_1
const v0, 0xf4243
iget v1, p0, Lcom/tm/ctf/clicker/activity/c;->g:I
if-eq v0, v1, :cond_1
const v0, 0x98967f
iget v1, p0, Lcom/tm/ctf/clicker/activity/c;->g:I
if-ne v0, v1, :cond_2
:cond_1
new-instance v0, Landroid/content/Intent;
const-string v1, "com.tm.ctf.clicker.SCORE"
invoke-direct {v0, v1}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
const-string v1, "SCORE"
iget v2, p0, Lcom/tm/ctf/clicker/activity/c;->g:I
invoke-virtual {v0, v1, v2}, Landroid/content/Intent;->putExtra(Ljava/lang/String;I)Landroid/content/Intent;
iget-object v1, p0, Lcom/tm/ctf/clicker/activity/c;->a:Landroid/content/Context;
invoke-virtual {v1, v0}, Landroid/content/Context;->sendBroadcast(Landroid/content/Intent;)V
:cond_2
const v0, 0x989680
iget v1, p0, Lcom/tm/ctf/clicker/activity/c;->g:I
if-gt v0, v1, :cond_0
invoke-static {}, Landroid/os/Message;->obtain()Landroid/os/Message;
move-result-object v0
new-instance v1, Ljava/lang/StringBuilder;
iget-object v2, p0, Lcom/tm/ctf/clicker/activity/c;->q:Ljava/lang/String;
invoke-static {v2}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
move-result-object v2
invoke-direct {v1, v2}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
const-string v2, "Jh"
invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v1
invoke-virtual {v1}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v1
iput-object v1, v0, Landroid/os/Message;->obj:Ljava/lang/Object;
iget-object v1, p0, Lcom/tm/ctf/clicker/activity/c;->b:Landroid/os/Handler;
invoke-virtual {v1, v0}, Landroid/os/Handler;->sendMessage(Landroid/os/Message;)Z
goto :goto_0
:pswitch_data_0
.packed-switch 0x0
:pswitch_0
:pswitch_1
.end packed-switch
.end method
From the code, we can see that something will happen after we hit 0x989680 (10’000’000) clicks. Also, it seems that there are “mini-checkpoints” that you’re suppose to hit at 0xeb9, 0x2717, 0xe767, 0x186a3, 0x78e75, 0xf4243, 0x98967f. What I am going to do is to patch the APK such that upon the first touch event, I am going to invoke all the necessary instructions to show me the flag.
1
2
3
const v0, 0x989680
const v1, 0x989680
if-gt v0, v1, :cond_0
The same for all the “mini-checkpoints”. We then use apktool to recompile the smali code back to .apk and then use jarsigner to sign it with a key we generated. We then install the “patched” apk onto the BlueStacks emulator and tada! We got the flag!
TMCTF{Congrats_10MClicks}