# Mobile

<table><thead><tr><th width="347">Challenge</th><th>Link</th></tr></thead><tbody><tr><td>Quiz (100 pts)</td><td>Here</td></tr><tr><td>Where's my APK? (499 pts) 🥉</td><td><a href="#wheres-my-apk-499-pts">Here</a></td></tr></tbody></table>

## Where's my APK? (499 pts)

### Description

Can you achieve a leet download speed?

* Note 1: Flag is not in the usual format.
* Note 2: Only non-password-protected files can be opened with the app.

### Solution

We are given an .aab file; through googling I found a way to convert it to a single (universal) APK:

* <https://stackoverflow.com/a/68752831>

```bash
brew install bundletool
bundletool build-apks --mode universal --bundle ./app-release.aab --output ./app.apks
mv app.apks app.zip
unzip app.zip
```

Decompiling the APK with apktool shows that it is built with Flutter.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2F7GFbObMkv7gNBW0n0403%2Fimage.png?alt=media&#x26;token=441d8876-8583-4605-96b1-58bfcb7cedd2" alt=""><figcaption></figcaption></figure>

So the Dart source code will not be in the .dex files; it should be in libapp.so. I had previously read some articles on Flutter reverse engineering and found the following tool very useful:

* <https://github.com/worawit/blutter>

So let's run blutter against our target.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FwxnMLK6DhDUeYe9jkV86%2Fimage.png?alt=media&#x26;token=61f2b4c0-0e37-4f4f-8fa4-1aea1749d0c8" alt=""><figcaption></figcaption></figure>

Now we have some information about the target. In this case I used the generated IDA script to recover the function names and the object pool. A small modification is needed to make the script work fully:

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FcNPQteIlsg51mWk5ExG6%2Fimage.png?alt=media&#x26;token=c0d64806-649b-4911-94d9-a347b547de01" alt=""><figcaption></figcaption></figure>

* change `#` to any other value (for example `_`)

After loading the script, almost all functions are renamed. Let's filter the function names by `cybersharing`.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2Fr6T0H8fZFeBa3NquR2Hv%2Fimage.png?alt=media&#x26;token=8a1bc4c0-41c7-413a-8ceb-73d3de4179cb" alt=""><figcaption></figcaption></figure>

Back in the application, we need to find a string to use as a reference.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2F424NgAZMuVVB2M88f4QE%2Fimage.png?alt=media&#x26;token=b9b05f00-1072-4909-aaf4-40e799d64a18" alt=""><figcaption></figcaption></figure>

There is a string; let's search for it in the object pool.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FdJBWbWSPi6DSV8C3KSo9%2Fimage.png?alt=media&#x26;token=57897206-5645-4589-816a-45d914fb509a" alt=""><figcaption></figcaption></figure>

Next, go to Structures, press Ctrl+G and enter 0x7970 as the address.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FJy6x7bYcHrgp0q0ruxCK%2Fimage.png?alt=media&#x26;token=2b6b0505-eb6f-48d9-a6fd-51c5383bfca6" alt=""><figcaption></figcaption></figure>

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FsEqoAySbqlPW1l38fs57%2Fimage.png?alt=media&#x26;token=eaa1f4ac-73ea-41f5-a5ad-cb04ad334dc2" alt=""><figcaption></figcaption></figure>

We can see that there is an XREF; clicking it takes us to the code that uses the value.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2F4epzWO9UvHoWtom4WfDz%2Fimage.png?alt=media&#x26;token=ed7d7a40-9d94-4c3d-8f37-866558dd5c5b" alt=""><figcaption></figcaption></figure>

Now the problem is that I cannot open any cybersharing.net/s/ URL with the application, so I decided to take a look at the AndroidManifest.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FWlFvQzZ4T8tvI7q9ZBct%2Fimage.png?alt=media&#x26;token=1dce735d-9439-4308-872b-2873051fd4c4" alt=""><figcaption></figcaption></figure>

From the AndroidManifest I built a command to launch the Activity with the data it expects:

```bash
adb shell am start -W \
    -c android.intent.category.BROWSABLE \
    -n com.et3rnos.cybersharing/.MainActivity \
    -d "https://cybersharing.net/s/630ca91826267dee"
```

Now I can continue to the next Activity.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FDR0bKEN7Nq6fdLjZ4xam%2Fimage.png?alt=media&#x26;token=0676f3c7-f459-4bae-b2b5-7c451accede8" alt=""><figcaption></figcaption></figure>

We see some new information in the current activity. Let's try to find out which function renders this screen.

* cybersharing\_files\_\_FilesPageState::build\_1d3f30

We can confirm it by looking at the objects used in the function, as below.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FRfQFEytDGdOYE3yLSHDb%2Fimage.png?alt=media&#x26;token=ed801b25-10a6-4d78-a05f-8bc7b2444a64" alt=""><figcaption></figcaption></figure>

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FhYIvKzD0ieZteBjidS7D%2Fimage.png?alt=media&#x26;token=ffc4218f-06d3-4786-a965-7fb9435277fd" alt=""><figcaption></figcaption></figure>

Looking at the code, I found something suspicious.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2Fnnz9ChjaqfRfBKWAcKDg%2Fimage.png?alt=media&#x26;token=429ae1ca-33e3-46e1-8a6f-279557057b00" alt=""><figcaption></figcaption></figure>

We can see the value 13371337 used in a comparison, which is unusual. From the analysis I reconstructed the logic below:

* if value == 13371337
  * Show string @Obj\_0x3d60 -> WLGOOQNAWWPLSEA
* else
  * Show string \<speed> + MiB/s

Back to the challenge description, I noticed that "leet" is mentioned. So let's look for other occurrences of the value 13371337, using IDA's search for immediate values.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FmiRNktwrkoaXJCpPXQAK%2Fimage.png?alt=media&#x26;token=e9eebcfb-89bd-4eb5-8051-f18dbca20909" alt=""><figcaption></figcaption></figure>

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FU8NHZcTBd516E0JUzBOM%2Fimage.png?alt=media&#x26;token=c3caa657-d607-46ff-a909-9f70e5951fc6" alt=""><figcaption></figcaption></figure>

There are 3 instructions that load the value 13371337. Let's check each instruction:

* <figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2Fsov9oewl7QGWfrm0ozAI%2Fimage.png?alt=media&#x26;token=95c2ebc3-5b85-48de-be44-3fd053db8a04" alt=""><figcaption></figcaption></figure>
* <figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FBiRSLVCUbTecgwBWccS3%2Fimage.png?alt=media&#x26;token=845eb88a-ba2b-4f59-805f-cc25b76a6159" alt=""><figcaption></figcaption></figure>
* <figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FGFWlryX90cP6wjvP1SQs%2Fimage.png?alt=media&#x26;token=344dbfd7-6ae1-48da-86bf-182afe6aa02e" alt=""><figcaption></figcaption></figure>

After looking at each instruction, I had an idea: patch the library so that it behaves as if the value were 13371337. The easiest way to do that is to change each B.NE to B.EQ. The problem is that this is not x64, so editing the assembly is not as straightforward, but shell-storm comes to the rescue.

* <https://shell-storm.org/online/Online-Assembler-and-Disassembler/>

Copy the bytes of each `B.NE <jump_location>` into shell-storm and disassemble them.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FmY8Nqqjei6hLjrIaAVvp%2Fimage.png?alt=media&#x26;token=de9bdca9-96fc-4540-996e-6dcf5d621cb8" alt=""><figcaption></figcaption></figure>

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FzRymH9hOBeUtjqMswbj7%2Fimage.png?alt=media&#x26;token=36b766ec-e0a2-4093-b110-372b8e8060b3" alt=""><figcaption></figcaption></figure>

Then copy the assembly and change `b.ne` to `b.eq`.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2F22GTC3JIu13ElhuxfdkS%2Fimage.png?alt=media&#x26;token=0f49f50d-6299-4f5e-9a87-7d22c7fd1ea7" alt=""><figcaption></figcaption></figure>

Now we have the pattern: to change B.NE to B.EQ, decrement the first byte by 1. Do the same for all the remaining instructions.

* <figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FDLHYHw9QmbTjPMxuyKgO%2Fimage.png?alt=media&#x26;token=ecd49bf2-1381-42ac-b9d6-f69f20ed68e5" alt=""><figcaption></figcaption></figure>
* <figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FJliIpDcB73fOcxvxYu0H%2Fimage.png?alt=media&#x26;token=77e57aaf-6a9a-4957-9be2-61e3960c4447" alt=""><figcaption></figcaption></figure>
* <figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2F9GNE4dM9vNYuqz9Omtym%2Fimage.png?alt=media&#x26;token=d0fdb5c8-0902-490f-9172-80eaf4a1fdef" alt=""><figcaption></figcaption></figure>
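As an added example (not code from the original writeup), the following Python shows why the patch is a one-byte decrement: in the A64 encoding of B.cond the condition code sits in the low nibble of a little-endian 32-bit word, so NE (0b0001) becomes EQ (0b0000) by subtracting 1 from the first byte. The sample bytes and file offsets are constructed; in practice the offsets come from IDA, and each one is verified to hold a B.NE before it is touched.

```python
import struct

# Condition codes held in bits[3:0] of an A64 B.cond instruction.
COND_NAMES = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
              "hi", "ls", "ge", "lt", "gt", "le", "al", "nv"]


def decode_bcond(word: bytes):
    """Decode a 4-byte little-endian A64 word. Returns (cond, byte_offset)
    for a B.cond instruction, or None if the word is something else.
    Encoding: bits[31:24]=0x54, bits[23:5]=imm19 (signed, in words),
    bit4=0, bits[3:0]=cond."""
    (insn,) = struct.unpack("<I", word)
    if (insn >> 24) != 0x54 or (insn >> 4) & 1:
        return None
    imm19 = (insn >> 5) & 0x7FFFF
    if imm19 & (1 << 18):          # sign-extend the 19-bit word offset
        imm19 -= 1 << 19
    return COND_NAMES[insn & 0xF], imm19 * 4


def flip_ne_to_eq(word: bytes) -> bytes:
    """Turn a B.NE into a B.EQ with the same target: cond 0b0001 -> 0b0000.
    Because cond lives in bits[3:0] and the word is little-endian, this is
    exactly 'decrement the first byte by 1', the pattern seen in the writeup."""
    decoded = decode_bcond(word)
    if decoded is None or decoded[0] != "ne":
        raise ValueError(f"not a B.NE: {word.hex()}")
    (insn,) = struct.unpack("<I", word)
    return struct.pack("<I", insn & ~0xF)


def patch_bne_to_beq(blob: bytes, offsets) -> bytes:
    """Return a copy of blob with the B.NE at each file offset replaced by
    B.EQ. Every offset is checked first, so a stale or mistyped address
    cannot silently corrupt some other instruction."""
    out = bytearray(blob)
    for off in offsets:
        out[off:off + 4] = flip_ne_to_eq(bytes(out[off:off + 4]))
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: B.NE +0x40 encodes as 0x54000201 -> bytes 01 02 00 54.
    bne = bytes.fromhex("01020054")
    print(decode_bcond(bne))                 # ('ne', 64)
    print(flip_ne_to_eq(bne).hex())          # 00020054
    # Constructed 16-byte "library" with one B.NE at offset 4 (offsets would come from IDA).
    lib = b"\x00" * 4 + bne + b"\xff" * 8
    print(patch_bne_to_beq(lib, [4]).hex())
```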

The last step is to rebuild the APK and sign it.

```bash
apktool b universal
cd universal/dist
uber-apk-signer --allowResign -a universal.apk
# install universal-aligned-debugSigned.apk
```

After that, install the new APK and trigger the activity again.

```bash
adb shell am start -W \
    -c android.intent.category.BROWSABLE \
    -n com.et3rnos.cybersharing/.MainActivity \
    -d "https://cybersharing.net/s/630ca91826267dee"
```

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2Fhai67dZG452uoNGrWR6g%2Fimage.png?alt=media&#x26;token=cad48235-ba86-49fb-8cd0-e29d2a0b3c46" alt=""><figcaption></figcaption></figure>

Now the flag is shown in the top bar.

Flag: WCLHGQOWOEQBNZALWSWDPSLQSLELA
