NahamCon CTF 2022 Write-up: Click Me! Android challenge

Jaimin Gohel
Published in InfoSec Write-ups
May 1, 2022

NahamSec, John Hammond and a few other folks hosted a CTF this weekend. I solved the Android challenges, which were really fun. I decided to write up this one.

The Challenge

Let’s download and run click_me.apk.

We are greeted with this screen; let’s click the GET FLAG button to see what happens.

The toast says “You do not have enough cookies to get the flag”. Now the question is how to get enough cookies?

To answer this question, we need to look at the code.

Let’s open the app in Jadx-GUI and navigate to com.example.clickme.MainActivity.

MainActivity has two functions that are of interest to us.

Interesting Function #1: getFlagButtonClick()

According to this function, we need to click the button 99999999 times to get the flag; otherwise we see the message “You do not have enough cookies to get the flag”.

Interesting Function #2: cookieViewClick()

This function counts the number of clicks on the GET FLAG button. But look at the if condition: it will not let the click count surpass 13371337. As soon as we click more than 13371337 times, it resets back to 13371337.

So it is a never-ending condition, even if someone decides to sit and click the button for hours!

Certainly, we are not going to do that. What is the easy way out?

Now, there could be multiple ways to solve this challenge: using Frida scripts, or modifying the smali code.

This time I chose to play with the smali code.

If we look at the smali representation of MainActivity, it looks something like this.

Our target remains the getFlagButtonClick() method in this code.

Going back to the Java representation of the getFlagButtonClick() method.

The if condition says the click count must equal 99999999 to print the flag; otherwise the “You do not have enough cookies….” message is displayed.

Now technically, the getFlag() method can be called from anywhere inside the above code. What if we put a getFlag() call in place of the “You do not…” message? As long as both are strings, it should not be a problem.

Like this:

Now the flag will be printed every time, without any condition being checked.

But we can’t do this in Java, so we’ll need to make the exact change in the smali code. To modify the smali code, we’ll have to decompile the application using apktool.

Let’s open MainActivity.smali and understand the following lines.

`const-string p1, "You do not have enough cookies to get the flag"`

This line loads the string “You do not have…” into the p1 register.

`invoke-static {p0, p1, v0}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;`

The line above shows a Toast with whatever value is stored in the p1 register.

Our goal is to replace the value of the p1 register with the result of the getFlag() method.

We add the following line to call the getFlag() method.

`invoke-virtual {p0}, Lcom/example/clickme/MainActivity;->getFlag()Ljava/lang/String;`

Then let’s store the output of the getFlag() method in the p1 register.

`move-result-object p1`

Lastly, we need to comment out the line that loads the pre-defined message into the p1 register.

`# const-string p1, "You do not have enough cookies to get the flag"`

The modified code will look like this:
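The same three-line edit done as a script, as an added example that is not part of the original write-up. The sample method body is constructed in the shape apktool emits: only the const-string and makeText lines come from the write-up, while the `.locals` count and the `show()` call are assumptions. The check at the end catches the mistake a hand edit most easily makes, namely moving getFlag()'s result into a register other than the one makeText reads.

```python
import re

# Constructed fragment of getFlagButtonClick()'s else-branch in the shape
# apktool emits; only the const-string and Toast lines come from the write-up,
# the rest (.locals count, show() call) is an assumption.
SAMPLE_SMALI = """\
.method public getFlagButtonClick(Landroid/view/View;)V
    .locals 1
    const/4 v0, 0x0
    const-string p1, "You do not have enough cookies to get the flag"
    invoke-static {p0, p1, v0}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
    move-result-object p1
    invoke-virtual {p1}, Landroid/widget/Toast;->show()V
    return-void
.end method
"""
TOAST_MSG = "You do not have enough cookies to get the flag"
GETFLAG_CALL = "invoke-virtual {p0}, Lcom/example/clickme/MainActivity;->getFlag()Ljava/lang/String;"
CONST_RE = re.compile(r'^(\s*)const-string ([pv]\d+), "' + re.escape(TOAST_MSG) + r'"\s*$')

def patch_smali(text: str) -> str:
    """Apply the write-up's edit: comment out the const-string, call getFlag()
    on `this` (p0) and move its String result into the register the Toast reads."""
    out, hits = [], 0
    for line in text.splitlines():
        m = CONST_RE.match(line)
        if not m:
            out.append(line)
            continue
        indent, reg = m.groups()
        out += [f"{indent}# {line.strip()}",           # keep the original for reference
                f"{indent}{GETFLAG_CALL}",
                f"{indent}move-result-object {reg}"]   # flag lands where the message was
        hits += 1
    if hits != 1:   # zero or several matches means the method is not what we expect
        raise ValueError(f"expected one toast const-string, found {hits}")
    return "\n".join(out) + "\n"

def flag_reaches_toast(patched: str) -> bool:
    """Sanity check before `apktool b`: the register getFlag()'s result is moved
    into must be the CharSequence argument of the very next makeText call."""
    ops = [l.strip() for l in patched.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    i = ops.index(GETFLAG_CALL) if GETFLAG_CALL in ops else -1
    if i < 0 or i + 2 >= len(ops):
        return False
    mv = re.fullmatch(r"move-result-object ([pv]\d+)", ops[i + 1])
    mk = re.match(r"invoke-static \{\w+, (\w+), \w+\}, Landroid/widget/Toast;->makeText", ops[i + 2])
    return bool(mv and mk and mv.group(1) == mk.group(1))
```

Run `patch_smali` over the real MainActivity.smali and write the result back before rebuilding; `flag_reaches_toast` returns False on the unpatched file and True once the edit is in place.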

The changes are done; let’s rebuild the apk.

The application needs to be re-signed before we can install it.

Installing and running the modified app.

`adb install c.apk`

As soon as we click the GET FLAG button, our flag is displayed instead of the message.

Challenge solved!

I enjoyed writing this article and I hope that you enjoyed reading it too.

Stay safe, Happy hacking :-)

Twitter: @jaimin_gohel
LinkedIn: @jaimin-gohel-440a4a52
