{"id":76,"date":"2013-03-27T10:44:49","date_gmt":"2013-03-27T18:44:49","guid":{"rendered":"http:\/\/www.android-decompiler.com\/blog\/?p=76"},"modified":"2018-12-19T13:42:23","modified_gmt":"2018-12-19T21:42:23","slug":"help-for-the-bluebox-challenge","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/help-for-the-bluebox-challenge\/","title":{"rendered":"Help for the Bluebox challenge"},"content":{"rendered":"<p>The Bluebox fellows posted an interesting Android <a href=\"http:\/\/blog.bluebox.com\/2013\/03\/25\/android-security-analysis-challenge-tampering-dalvik-bytecode-during-runtime\/\">crackme<\/a>\u00a0a few days ago.<\/p>\n<p>The APK presents several oddities, including:<\/p>\n<ul>\n<li><span style=\"line-height: 14px;\">APK entries marked as password-protected.<\/span><\/li>\n<li>Reuse of java.lang.String to confuse tools and analysts.<\/li>\n<li>Some basic cryptography in the APK.<\/li>\n<li>The most interesting part: a native library that replaces the bytecode for the custom String.add() upon loading the main activity class.<\/li>\n<\/ul>\n<p>As Jurriaan Bremer <a href=\"http:\/\/jbremer.org\/cross-referencing-stand-alone-dalvik-bytecode\/\">pointed out<\/a>, the replacement bytecode in question can be found at offset 4004h of libnet.so, and is E0h bytes long. The original String.add() is only A6h bytes long, and references exception handlers. 
Replacing the bytecode is not trivial, but annoying.<\/p>\n<p><a href=\"http:\/\/www.android-decompiler.com\/blog\/wp-content\/uploads\/2013\/03\/addbc.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-77\" alt=\"addbc\" src=\"http:\/\/www.android-decompiler.com\/blog\/wp-content\/uploads\/2013\/03\/addbc.png\" width=\"628\" height=\"216\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2013\/03\/addbc.png 628w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2013\/03\/addbc-300x103.png 300w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2013\/03\/addbc-624x214.png 624w\" sizes=\"auto, (max-width: 628px) 100vw, 628px\" \/><\/a><\/p>\n<p>After reassembly, JEB decompiles the real String.add() to clean code (marked up in the screenshot below):<\/p>\n<p><a href=\"http:\/\/www.android-decompiler.com\/blog\/wp-content\/uploads\/2013\/03\/addfixed.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-78\" alt=\"addfixed\" src=\"http:\/\/www.android-decompiler.com\/blog\/wp-content\/uploads\/2013\/03\/addfixed.png\" width=\"576\" height=\"445\" srcset=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2013\/03\/addfixed.png 576w, https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2013\/03\/addfixed-300x231.png 300w\" sizes=\"auto, (max-width: 576px) 100vw, 576px\" \/><\/a><\/p>\n<p>I&#8217;m providing the sources for both <a href=\"http:\/\/www.android-decompiler.com\/blog\/wp-content\/uploads\/2013\/03\/bluebox_Action.txt\">com.bluebox.lab.poc.Action<\/a> and the fixed\u00a0<a href=\"http:\/\/www.android-decompiler.com\/blog\/wp-content\/uploads\/2013\/03\/bluebox_String.txt\">java.lang.String<\/a> if you want to complete the challenge.<\/p>\n<p>Enjoy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Bluebox fellows posted an interesting Android crackme\u00a0a few days ago. 
The APK presents several oddities, including: APK entries marked as password-protected. Reuse of java.lang.String to confuse tools and analysts. Some basic cryptography in the APK. The most interesting part: a native library that replaces the bytecode for the custom String.add() upon loading the &hellip; <a href=\"https:\/\/www.pnfsoftware.com\/blog\/help-for-the-bluebox-challenge\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Help for the Bluebox challenge<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,3],"tags":[],"class_list":["post-76","post","type-post","status-publish","format-standard","hentry","category-android","category-decompilation"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/76","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=76"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/76\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=76"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=76"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=76"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}