[📓] Writeup - Backdoor 2023 Android

Published on 20 December 2023

Written by: AnYujin

Backdoor 2023 Writeup - Android


SlayDroid

This is one of the reverse engineering problems, specifically Android reverse engineering. As usual we downloaded the APK named sl4ydroid.apk and loaded it directly into jadx-gui by dragging the APK onto the jadx-gui window.

jadx-gui interface

After that we can find the main package by looking at the Android manifest, which should be located at Resources/AndroidManifest.xml.

android manifest

As we can see from the line

<activity android:name="com.backdoor.sl4ydroid.MainActivity" android:exported="true">

the MainActivity class should be located under com/backdoor.sl4ydroid, so we go and investigate the MainActivity file there.

MainActivity

From the source code of the MainActivity file we now know that this application uses a native library; the lines that indicate this are:

public native void damn(String str);

public native void k2(String str);

public native void kim(String str);

public native void nim(String str);

static {
    System.loadLibrary("sl4ydroid");
}

We know that the native library implements the methods damn, k2, kim, and nim, each of which takes a string, and the strongest indicator is the static block that loads the library named sl4ydroid. We can also find this library in the folder /Resources/lib, under any of the architecture subfolders.
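The inventory step above (find the lib/<abi>/ folders, match the System.loadLibrary name to a lib<name>.so) can be done without opening the APK in jadx at all. The following Python script is an added example and is not part of the original writeup or the challenge: it lists the native libraries in an APK per ABI, pulls the loadLibrary names out of decompiled source text, and reports libraries that are missing for some ABIs. The APK contents, the file bytes and the extra library named "helper" are constructed sample data so the script runs offline; the only name taken from the writeup is sl4ydroid. It does not parse the binary AndroidManifest.xml.

```python
import io
import re
import zipfile
from collections import defaultdict
from typing import Dict, Set

# Constructed sample data: a minimal zip laid out like an APK. Only the
# library name "sl4ydroid" comes from the writeup; "helper" and the file
# contents are made up so the script runs offline.
def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder bytes
        zf.writestr("classes.dex", b"dex\n035\x00")
        for abi in ("arm64-v8a", "armeabi-v7a", "x86", "x86_64"):
            zf.writestr(f"lib/{abi}/libsl4ydroid.so", b"\x7fELF" + abi.encode())
        # a second library shipped for one ABI only, to exercise the gap check
        zf.writestr("lib/arm64-v8a/libhelper.so", b"\x7fELF")
    return buf.getvalue()

# Constructed stand-in for jadx output; the static block is the one quoted above.
SAMPLE_JAVA_SOURCE = """
public native void damn(String str);
static {
    System.loadLibrary("sl4ydroid");
}
"""

LIB_PATH_RE = re.compile(r"^lib/([^/]+)/lib([^/]+)\.so$")
LOAD_LIBRARY_RE = re.compile(r'System\.loadLibrary\(\s*"([^"]+)"\s*\)')


def native_libraries(apk_bytes: bytes) -> Dict[str, Set[str]]:
    """Map each native library's loadLibrary() name to the ABIs shipping it.

    Android stores JNI libraries as lib/<abi>/lib<name>.so, and
    System.loadLibrary("name") resolves to lib<name>.so for the device ABI.
    """
    libs: Dict[str, Set[str]] = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for entry in zf.namelist():
            m = LIB_PATH_RE.match(entry)
            if m:
                abi, name = m.groups()
                libs[name].add(abi)
    return dict(libs)


def load_library_names(java_source: str) -> Set[str]:
    """Collect the names passed to System.loadLibrary in decompiled source."""
    return set(LOAD_LIBRARY_RE.findall(java_source))


def unresolved_loads(java_source: str, libs: Dict[str, Set[str]]) -> Set[str]:
    """loadLibrary() names with no matching lib/<abi>/lib<name>.so in the APK.

    Such a name would fail on-device unless the library arrives from somewhere
    else at runtime, which is worth a closer look during review.
    """
    return {name for name in load_library_names(java_source) if name not in libs}


def abi_gaps(libs: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Libraries not shipped for every ABI the APK supports.

    A gap means an UnsatisfiedLinkError on the missing ABIs; it is a common
    packaging mistake and a quick sanity check when triaging an APK.
    """
    all_abis: Set[str] = set().union(*libs.values()) if libs else set()
    return {name: all_abis - abis for name, abis in libs.items() if abis != all_abis}


if __name__ == "__main__":
    apk = build_sample_apk()
    libs = native_libraries(apk)
    for name, abis in sorted(libs.items()):
        print(f"lib{name}.so: {', '.join(sorted(abis))}")
    print("loadLibrary names:", sorted(load_library_names(SAMPLE_JAVA_SOURCE)))
    print("unresolved loads:", sorted(unresolved_loads(SAMPLE_JAVA_SOURCE, libs)))
    print("ABI gaps:", abi_gaps(libs))
```

To run it against a real file, replace build_sample_apk() with the bytes of the APK and SAMPLE_JAVA_SOURCE with the text of the jadx-exported MainActivity.java; the regexes do not depend on the sample data.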

We could load the native library into Ghidra/IDA, but because there are interesting functions named sh4dy, sl4y3r, it4chi, and n4ut1lus which print a message using console.log, I took an interest in those functions instead. I had forgotten how to view the value of these log messages, so I decided to use Frida to intercept them and see what is in them. The Frida hook code can be generated easily by right-clicking the function we want to hook in jadx-gui and selecting the "Copy as frida snippet" option.

frida snippet

After that we can copy it into a script file. Here is the final script that I used:


Java.perform(() => {
    let MainActivity = Java.use("com.backdoor.sl4ydroid.MainActivity");
    // accumulates the message argument of every hooked method, in call order
    let final_msg = "";

    MainActivity["sh4dy"].implementation = function (message) {
        final_msg += message;
        console.log(`MainActivity.sh4dy is called: message=${message}`);
        this["sh4dy"](message); // call the original so the app keeps working
    };

    MainActivity["sl4y3r"].implementation = function (message) {
        final_msg += message;
        console.log(`MainActivity.sl4y3r is called: message=${message}`);
        this["sl4y3r"](message);
    };

    MainActivity["it4chi"].implementation = function (message) {
        final_msg += message;
        console.log(`MainActivity.it4chi is called: message=${message}`);
        this["it4chi"](message);
    };

    MainActivity["n4ut1lus"].implementation = function (message) {
        final_msg += message;
        console.log(`MainActivity.n4ut1lus is called: message=${message}`);
        this["n4ut1lus"](message);
        // print the concatenated messages once the final hooked method has run
        console.log(final_msg);
    };
});


I named the file script.js and ran it by going into the folder where the script is located and then using this command in my terminal:


frida -U -l script.js -f com.backdoor.sl4ydroid

After that the flag is printed to the terminal.

flag printed

Made with ♥️ by CCUG Core Team.