Sunday, September 28, 2014

SU CTF 2014 - Commercial Application! write-up

Download

The APK is not protected, so we used www.decompileandroid.com to recover the source.
The SQLite database is located at assets/db.db and contains the IV and key. Because both ship inside the package, anyone who unpacks the APK can read them:

a5efdbd57b84ca36
37eaae0141f1a3adf8a1dee655853714

We changed src/edu/sharif/ctf/security/KeyVerifier.java so that it decrypts the VALID_LICENCE value:



import java.util.*;
import java.lang.*;
import java.io.*;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.spec.IvParameterSpec;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

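/**
 * Standalone harness from the write-up: AES/CBC-decrypts a hex-encoded ciphertext (presumably the
 * app's VALID_LICENCE value) using the key and IV stored in the APK's bundled database.
 *
 * <p>Security note for app authors: this works because the symmetric key and a fixed IV ship
 * inside the package, where static analysis recovers them. A licence check that depends on a
 * client-side secret cannot be trusted; validate on a server or verify an asymmetric signature
 * against an embedded public key instead. CBC here is also unauthenticated and reuses one IV.
 */
class Ideone {
  /** IV from the app's database; its 16 characters are used as raw bytes, not hex-decoded. */
  static String IV = "a5efdbd57b84ca36";

  /** AES key as 32 hex characters, decoded to 16 bytes (AES-128) before use. */
  static String encryptionKey = "37eaae0141f1a3adf8a1dee655853714";

  /** Cipher transformation shared by {@link #encrypt} and {@link #decrypt}. */
  private static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";

  /**
   * Prints the ciphertext as signed decimal bytes, then the decrypted text.
   *
   * @param args unused
   */
  public static void main(String[] args) {
    try {
      byte[] cipher = hexStringToBytes("29a002d9340fc4bd54492f327269f3e051619b889dc8da723e135ce486965d84");
      System.out.println("cipher:  ");
      // String concatenation prints each byte as a signed decimal, same as the boxed Integer did.
      for (byte b : cipher) {
        System.out.print(b + " ");
      }
      String decrypted = decrypt(cipher, encryptionKey);
      System.out.println("");
      System.out.println("decrypt: " + decrypted);
    } catch (Exception e) {
      System.out.println(e.getMessage());
      e.printStackTrace();
    }
  }

  /**
   * Encrypts {@code plainText} (UTF-8) with AES/CBC/PKCS5Padding under the class-level IV.
   *
   * @param plainText text to encrypt
   * @param encryptionKey AES key as a hex string
   * @return the ciphertext bytes
   * @throws Exception if the key is not valid hex or the cipher cannot be initialised or run
   */
  public static byte[] encrypt(String plainText, String encryptionKey) throws Exception {
    return newCipher(Cipher.ENCRYPT_MODE, encryptionKey).doFinal(plainText.getBytes("UTF-8"));
  }

  /**
   * Decrypts {@code cipherText} with AES/CBC/PKCS5Padding under the class-level IV.
   *
   * @param cipherText ciphertext bytes
   * @param encryptionKey AES key as a hex string
   * @return the plaintext decoded as UTF-8
   * @throws Exception if the key is not valid hex, or the padding or cipher operation fails
   */
  public static String decrypt(byte[] cipherText, String encryptionKey) throws Exception {
    return new String(newCipher(Cipher.DECRYPT_MODE, encryptionKey).doFinal(cipherText), "UTF-8");
  }

  /** Builds an initialised cipher for the given mode from the hex key and the class-level IV. */
  private static Cipher newCipher(int mode, String hexKey) throws Exception {
    Cipher cipher = Cipher.getInstance(TRANSFORMATION);
    SecretKeySpec key = new SecretKeySpec(hexStringToBytes(hexKey), "AES");
    // Explicit charset: the no-argument getBytes() depends on the platform default encoding.
    cipher.init(mode, key, new IvParameterSpec(IV.getBytes("UTF-8")));
    return cipher;
  }

  /**
   * Decodes a hex string into bytes.
   *
   * @param s hex digits, two per byte
   * @return the decoded bytes (empty for an empty string)
   * @throws IllegalArgumentException if the length is odd or a character is not a hex digit
   */
  public static byte[] hexStringToBytes(String s) {
    int length = s.length();
    if (length % 2 != 0) {
      throw new IllegalArgumentException("hex string must have an even length, got " + length);
    }
    byte[] decoded = new byte[length / 2];
    for (int i = 0; i < length; i += 2) {
      int high = Character.digit(s.charAt(i), 16);
      int low = Character.digit(s.charAt(i + 1), 16);
      // Character.digit returns -1 for a non-hex character; reject it rather than fold it into
      // the byte, which would silently yield a wrong key or ciphertext.
      if (high < 0 || low < 0) {
        throw new IllegalArgumentException("invalid hex digit at index " + (high < 0 ? i : i + 1));
      }
      decoded[i / 2] = (byte) ((high << 4) + low);
    }
    return decoded;
  }

  /**
   * Encodes bytes as a lowercase hex string, two digits per byte.
   *
   * @param bytes bytes to encode
   * @return the hex representation (empty for an empty array)
   */
  public static String bytesToHexString(byte[] bytes) {
    StringBuilder hex = new StringBuilder(bytes.length * 2);
    for (byte b : bytes) {
      // Mask to 0..255 so negative bytes are not sign-extended into eight hex digits.
      hex.append(String.format("%02x", b & 0xff));
    }
    return hex.toString();
  }
}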

result:
cipher:  
41 -96 2 -39 52 15 -60 -67 84 73 47 50 114 105 -13 -32 81 97 -101 -120 -99 -56 -38 114 62 19 92 -28 -122 -106 93 -124 
decrypt: fl-ag-IS-se-ri-al-NU-MB-ER
