Source of topic: https://github.com/tlamb96/kgb_messenger
topic introduction
You are working for the International Secret Intelligence Service as a reverse engineer. This morning your team lead assigned you to inspect an Android application found on the phone of a misbehaving agent. It’s rumored that the misbehaving agent, Sterling Archer, has been in contact with some KGB spies. Your job is to reverse engineer the application to verify the rumor.
The challenges should be solved sequentially. The flag format is FLAG{insert_flag_here}. Good luck!
Alerts (Medium)
The app keeps giving us these pesky alerts when we start the app. We should investigate.
Login (Easy)
This is a recon challenge. All characters in the password are lowercase.
Social Engineering (Hard)
It looks like someone is bad at keeping secrets. They're probably susceptible to social engineering... what should I say?
You are a reverse engineer for the International Secret Intelligence Service. This morning, your team lead assigned you to examine an Android application found on a misbehaving agent's phone. Misbehaving agent Sterling Archer was rumored to have had contact with some KGB spies. Your job is to reverse engineer the app to verify the rumors.
These challenges should be addressed in turn. The format of flag is FLAG{insert_flag_here}. Good luck!
Alerts (Medium)
The app kept giving us annoying alerts when we launched it. We should investigate.
Log in (easy)
This is the scouting challenge. All characters in the password are lowercase.
Social Engineering (Difficult)
It seems like someone is bad at keeping secrets. They may be vulnerable to social engineering. . . what should i say
Analysis process
According to the usual practice, load the .apk into the mobile phone, and first look at the basic logic of the APP
Then use jadx-gui to decompile the .apk. It is preliminarily determined that the .apk is not packed, and the application package name is com.tlamb96.spetsnazmessenger
Here, using the objection automation tool to inject memory for further analysis, we can see that there are 3 Activity components defined in the .apk, and their functions can be roughly determined based on their names (additionally, through the android intent launch_activity com.tlamb96.kgbmessenger.LoginActivity, the Activity component jump can be directly realized, thereby cracking the Dialog of the first level. Of course, this is not the original intention of the question).
The general analysis is over, and the problem-solving process begins.
The first level
jadx-gui global search keywords Russian devices, successfully located android intent launch_activity com.tlamb96.kgbmessenger.LoginActivity->onCreate function analysis 
shows that want to bypass branch a("Integrity Error", "This app can only run on Russian devices."); then property.equals("Russ ia") the return value must be true, and the property variable is taken from String property = System.getProperty("user.home");. Then the current problem-solving idea is to hook the getProperty function of the System class, so that it will always return "Russia" of the String type. The key code is given below
function hook_java_System_getProperty(){
Java.perform(function(){
Java.use("java.lang.System").getProperty.overload("java.lang.String").implementation=function(arg0){
var result = this.getProperty(arg0);
console.log("arg0="+arg0+"--"+"result="+result);
return Java.use("java.lang.String").$new("Russia");
}
});
}Start frida based on the spawn method, the command is: frida -U -f com.tlamb96.spetsnazmessenger -l kgb_messenger.js --no-pause, you can see the successful hook and go to the next link.
Further analysis shows that at this time the program has transferred to the second branch a("Integrity Error", "Must be on the user whitelist."); if we want to bypass it, we need to let str.equals(getResources().getString(R.string.User)) return true.
Directly locate the resource file resources.arsc/res/values/Strings.xml, you can get the corresponding resource content RkxBR3s1N0VSTDFOR180UkNIM1J9Cg==
Continue to hook the getEnv function of the System class, so that it will always return "RkxBR3s1N0VSTDFOR180UkNIM1J9Cg==". Below is the key code.
function hook_java_System_getenv(){
Java.perform(function(){
Java.use("java.lang.System").getenv.overload("java.lang.String").implementation=function(arg0){
var result = this.getenv(arg0);
console.log("arg0="+arg0+"--"+"result="+result);
return Java.use("java.lang.String").$new("RkxBR3s1N0VSTDFOR180UkNIM1J9Cg==");
}
});
}Start frida based on the spawn method, the command is: frida -U -f com.tlamb96.spetsnazmessenger -l kgb_messenger.js --no-pause, the execution effect of the frida script is as follows. It can be seen that the first level of this question has been successfully solved, and now it is transferred to the second level. 
Input casually, click LOGIN, you can see that the displayed Toast component 
is based on this clue, search the keyword "User not recognized" globally in jadx-gui, and successfully locate com.tlamb96.kgbmessenger.LoginActivity->onLogin function
Analysis of the function logic shows that the two key attributes of the LoginActivity class, f2617n of String type and f2618o of String type, should meet two conditions to jump to the logic startActivity(new Intent(this, MessengerActivity.class)); first look at the first condition: this.f2617n.equals(getResources().getString(R.string.username)), obviously, directly locate the resource file resources. arsc/res/values/Strings.xml, you can get the corresponding resource content "codenameduchess" Username is successfully obtained, let's look at the second condition! m532j(), that is, m532j() must return true, click
to see
.
, the corresponding non-standard MD5 value is 84e343a0486ff05530df6c705c8bb4, and the corresponding standard MD5 value is 084e0343a0486ff05530df6c705c8bb4.
Enter Username as codenameduchess and Password as guest, successfully crack the second level. Of course, it can also be bypassed through frida hook, but this method is not the original intention of the title, so I won’t repeat it here.
Now turn to the analysis of level 3. Input
casually, if there is no response 
, then analyze the decompiled source code, directly locate com.tlamb96.kgbmessenger.MessengerActivity, start analysis from the function onSendMessage, this function is triggered after each click on SEND, you can see that the final FLAG is generated in this function and continue to trace back, you can get this analysis conclusion: the input String instance obj, as String instance q, must be equal to String instance p after being processed by function a, and as String instance s After the function b is processed, it must be equal to the String instance r. Only when these two conditions are satisfied at the same time, can q and s be used as the input of the function i to generate FLAG 
.
package com.siritobla.kgbmessenger;
public class Test {
public static String reversep(){
String p = "V@]EAASB\u0012WZF\u0012e,a$7(&am2(3.\u0003";
String result = a(p);
return result;
}
public static String a(String str) {
char[] charArray = str.toCharArray();
for (int i = 0; i < charArray.length / 2; i++) {
char c = charArray[i];
charArray[i] = (char) (charArray[(charArray.length - i) - 1] ^ 'A');
charArray[(charArray.length - i) - 1] = (char) (c ^ '2');
}
return new String(charArray);
}
}The following is the frida calling code
function invoke_dex_Test_reversep(){
Java.perform(function(){
Java.openClassFile("/data/local/tmp/classes.dex").load();
var Test =Java.use("com.siritobla.kgbmessenger.Test");
var result = Test.reversep();
console.log(result);
});
}Execute the inverse algorithm to get the reverse result and 
enter Boris, give me the password to see how the effect is. 
Next, analyze the b algorithm. First, traverse the char array. The i-th character is cyclically shifted to the right by 0/1/2/3/4/5/6/7 bits, and then performs bitwise XOR with the i-th character. Traversing again and performing reverse order processing shows that each character in the plaintext can be violently enumerated. The code implementation of the inverse algorithm is given below 
.
public static String search() {
String characterset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r";
char [] charactersetArray = characterset.toCharArray();
String ciphertext = "\000dslp}oQ\000 dks$|M\000h +AYQg\000P*!M$gQ\000";
char [] charArray = ciphertext.toCharArray();
for (int i2 = 0; i2 < charArray.length / 2; i2++) {
char c = charArray[i2];
charArray[i2] = charArray[(charArray.length - i2) - 1];
charArray[(charArray.length - i2) - 1] = c;
}
String plaintext="";
for(int i = 0 ; i < charArray.length; i++)
{
for(int j = 0; j < charactersetArray.length ; j++ ){
char c = charactersetArray[j];
char result = (char)(char)((c >> (i % 8) )^ c);
if(result == charArray[i]){
plaintext+=charactersetArray[j];
break;
}
}
}
//Log.i("ceshi", "plaintext="+plaintext);
return plaintext;
}Same as above, frida calls this method to get the reverse result and 
input aay I *PaEASE* have the aassworda to get the final flag
final summary
The topic mainly examines the basic operation of frida implementing hooks in the Java layer, as well as the idea of reverse analysis of simple algorithms.
Generally speaking, the topics are relatively basic and relatively simple.