Flare-On 6 CTF WriteUp (Part 3)

. 5 min read

This is the third part of the Flare-On 6 CTF WriteUp series.

3 - Flarebear

The challenge reads

We at Flare have created our own Tamagotchi pet, the flarebear. He is very fussy. Keep him alive and happy and he will give you the flag.

Different from previous, this is an Android challenge. We are provided with an APK - flarebear.apk. Let's install and run this in an Android Emulator. I prefer Genymotion but you can use any other emulator or even a real physical device.

Figure 1 - Flarebear running in Genymotion
Figure 1 - Flarebear running in Genymotion

The game prompts us to create a "New Flare Bear". Let's create one and give it a name.

Figure 2 - The bear is happy!
Figure 2 - The bear is happy!

At the bottom, we have three buttons - Feed, Play & Clean. Keeping the bear inactive makes it unhappy and it starts to cry.

Figure 3 - The bear is not happy!
Figure 3 - The bear is not happy!

Our objective is thus to keep the bear happy by feeding, playing and cleaning at regular intervals. However we have no idea the order in which we do this. To understand the core logic of the game we need to study its code. We can use JADX to decompile the APK to its Java source.

The FlareBearActivity class implements the game logic and resides in the com.fireeye.flarebear package. The presence of import kotlin.text.StringsKt; suggests that the game was most likely developed in Kotlin as opposed to Java.

Figure 4: The game was developed in Kotlin
Figure 4: The game was developed in Kotlin

Corresponding to the three actions - feed, play and clean we have three methods.

Figure 5: The methods handling feed, play and clean
Figure 5: The methods handling feed, play and clean

Each of the methods in turn call other methods to change some internal state variables. The changeMass, changeHappy and changeClean changes the mass, happiness and cleanliness by a given amount respectiviely.

  • Feeding increases mass and happiness by 10 and 2 units respectively while reducing cleanliness by 1 unit.
  • Playing decreases the mass and cleanliness by 2 and 1 unit respectively while increasing happiness by 4 units.
  • Cleaning increases cleanliness by 6 units while decreasing happiness by 1 unit. It doesn't change mass.

Internally, these methods make the changes and store the updated value using the setState method.

Figure 6: The changeXXX methods make the change to state variables
Figure 6: The changeXXX methods make the change to state variables

The setState method uses Android PreferenceManager to store the state values as a key-value pair.

Figure 7: Implementation of the setState method
Figure 7: Implementation of the setState method

In each of the feed, play and clean methods there was a saveActivity call with character f, p, and c passed as argument respectively. Lets look at its code.

Figure 8: The saveActivity method
Figure 8: The saveActivity method

All saveActivity does is to fetch a state variable named activity and append the character to it.

We have also seen a call to setMood from the clean method. The decompiled code looks interesting.

Figure 9: The setMood method
Figure 9: The setMood method

If both isHappy and isEcstatic return true it calls danceWithFlag. This is what we want. Let's have a look at both of the methods.

Figure 10: isEcstatic and isHappy methods
Figure 10: isEcstatic and isHappy methods

isEcstatic returns true only if the mass, happiness and cleanliness state variables are 72, 30 and 0 respectively.

isHappy returns true if result of getStat('f') / getStat('p') lies in the range 2.0 to 2.5. The getStat method counts the occurrences of the character in the state variable named activity. We have seen before that the saveActivity method appends a character to this state variable.

Figure 11: The getStat method
Figure 11: The getStat method

In other words, isHappy will return true if the number of times we feed divided by the number of times we play lies in the aforementioned range.

Armed with the above information, we can form some equations. Let us denote the number of times to feed, play and clean be f, p, and c respectively. Initially, mass, happiness and cleanliness are all zero.

Final Mass = 10f - 2p
Final Happiness = 2f + 4p - c
Final Cleanliness = -f -p +6c

Thus we have these system of equations,

Putting these system of equations in Wolfram Alpha, we get,

Figure 12: Solving the system of equations
Figure 12: Solving the system of equations

Thus, we need to clean 2 times, feed 8 times and play 4 times in order to make it happy and ecstatic which should gives us the flag. Let's try it out. There is no specific order in which we should feed, play and clean, but we should make sure that the number of times we execute each action equals the equation results.

Figure 13: We got the flag!
Figure 13: We got the flag!

Executing the required actions, make the bear happy and it gives us the flag.

Flag: th4t_was_be4rly_a_chall3nge@flare-on.com

Finally, its worth mentioning what if we patch isHappy and isEcstatic to return true instead of finding correct the number of times to execute each action. Will that gives us the flag too?

Unfortunately, this approach won't work. The number of times is used to derive a password which is used as a key to decrypt an encrypted resource using the AES crypto algorithm. Without the correct key we will not be able to decrypt the resource.

Figure 14: The password is derived from the state variables
Figure 14: The password is derived from the state variables
Figure 15: The decryption routine
Figure 15: The decryption routine


Barun

Reverse Engineer with an interest in low level stuff and anything about security.

Get IoT Security Training

IoT Pentesting Exploitation Training

Tags

analog modulation Android android application security android hands on security and exploitation training android security Apktool application auditing application security auditing appsec usa appwatch arduino nano arm ARM binaries ARM course ARM exploitation book ARM exploitation video training ARM gadgets ARM Training attify attify badge attify training best security practices biggest iot attacks of all time binwalk blackberry pentesting blackhat ble BLE attacks BLE dangers BLE hacking and exploitation BLE security issues BLE sniffing BLE vulnerabilities bleah bluetooth technology box brut Exception BtleJuice capture radio traffic career in cybersecurity CCTV cameras challenges in iot retail chroot cloud based mobile application security scanner consulting CTF cyber attacks cybersecurity Damn Vulnerable iOS App dangers of iot DDoS attacks devops digital modulation dumping memory embedded hacking expert Exploit ARM devices exploitation exploiting ble exploiting smart devices firmadyne firmware analysis toolkit firmware emulation Firmware hacking firmware reverse engineering Flare-on frida getting started with firmware hacking GSMA guide to ARM exploitation hacked security IP cameras hacked smart devices hackers hackfest hacking smart devices healthcare business protection against iot threats healthcare cyber security how can healthcare fight iot threats How Mirai botnet infects your device How Mirai works how retail can prevent cyber attacks how to exploit ble how to hack radio waves how to protect iot devices how to secure iot device IDA internet of things Internet of Things Security internet security ios application security ios security iot iot attacks iot bots, malwares iot device IoT Devices IoT Exploitation iot hacking iot hacks IoT hacks on ARM devices iot penetration testing iot pentest iot pentesting iot security IoT security guidelines iot security training iot threats iot threats to healthcare industry iotsecurity IP cameras jtag jtag debugging latest iot attacks learn ARM exploitation measures to prevent cyber attacks on healthcare organisations Mirai Botnet mirai history mobile app mobile application security mobile application security testing mobile security monitor iot devices Mozilla network security in retail ninja recon technique NIST offensive iot exploitation ola cabs owasp owasp appsec penetration testers penetration testing pentesting pentesting mobile apps phishing attacks powerofcommunity PrinterSecurity privacy protection profession professional qemu quizup radio communication protocol radio coomunication radio waves hacking recent ARM attacks recent cyber attacks recent iot attacks recent security camera attacks retail iot Reversing safety measures to protect privacy sdr secure coding guidelines security security cameras security challenges in retail IoT security in healthcare iot security issue security issues faced by e-retailers security services security training security vulnerability setup smart devices smart user security social networking spi steps to prevent iot attacks on healthcare surveillance cameras hijacked threat modeling tools to exploit ble training uart Understanding Mirai Botnet virus vulnerabilities discovered in popular IoT IP cameras vulnerabilities in internet connected cameras vulnerability vulnerable ARM devices What is mirai botnet? why choose career in cybersecurity writeups xposed hooking zigbee zigbee exploitation zigbee security zwave

Instagram