In this challenge we are presented with an Android APK, so let’s start with the usual tools:

  • unzip the APK and get the classes.dex file
  • convert classes.dex to a jar with dex2jar
  • Get the decompiled code with Luyten or similar tools

We will obtain something similar to this plus some other interfaces and debugging classes. In particular we can notice the following things:

  • The app gets a PIN code of maximum 7 digits
  • It applies the method OneWayFunction to the PIN
  • The isOk() method checks that the “hash” of the PIN is “be790d865f2cea9645b3f79c0342df7e”, if so prints the flag

Further reversing is left as an exercise to the reader.

Of course the first idea is to get the source code working on our laptop and bruteforce the PIN until we reach the correct result. After some polishing of the decompiled code I had it working. After a first try however I was not able to find the correct PIN even by passing all the possible 7 digits codes. I decided to use the debugging capabilities offered by the app which where unfortunately turned off :( In fact here is the decompiled DebugTools class. So let’s patch the APK! If you are not familiar with this process look for some docs on the intertubes, here’s a brief description of the required steps:

  • Disassemble the APK with apktool (or equivalent) with: $ apktool d -r numdroid.apk
  • Modify the smali code (kinda like ASM for Dalvik) to set the DebugTools.DBG variable to true. This means modifying line 23 to load 1 in register v0 instead of 0.
  • Rebuild the APK $ apktool b numdroid
  • Sign the APK and install it in the emulator
  • Run it and check debug logs with logcat

Here my doubts were confirmed, my code and the actual app were computing different hashes. After some debugging I noticed an evil detail: the OneWayFunction method computes different hashes of the input (MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512) and combines the results. However if one algorithm is not available it just skips it! I tried removing MD2 as it was probably not available on Android and everything worked fine.

Here’s the final cracker code, the correct PIN was 3130110.