#off-topic
2020-03-26
bravilogy 12:03:22

Hi everyone. I’m working on a CTF (Capture The Flag) challenge which is about APK reverse engineering and I’ve got some Java code for Android here that I’m trying to analyse. Unfortunately my knowledge of Java is not that good and I’m stuck with one specific function. I was wondering if anyone who knows Java could help me out a bit?

manutter51 12:03:18

Maybe post a link to a gist or something so as not to take up too much room here? I’d take a look.

bravilogy 12:03:05

sure, thank you! that’d be a great help

bravilogy 12:03:27

so I’m including this one specific function plus the strings.xml that I managed to extract. Basically I’m trying to find out where the requests are going to

bravilogy 12:03:34

with my little knowledge, I think one of the addresses is

(which comes from strings.xml)

hindol.adhya 12:03:33

You want to understand this line?

HttpPost httpPost = new HttpPost("http://" + this.context.getResources().getStringArray(2131099648)[i] + this.context.getString(2131034123));

hindol.adhya 13:03:05

Is it possible to run the APK and use a network sniffer?

manutter51 13:03:30

What class does the check_domain_200 method appear in?

manutter51 13:03:11

It looks like it has its own Context object, and that context has a getResources() method that returns an instance of a class that has a getStringArray method. If you can track down which class that is, you should get a better understanding of where the data is being stored.

bravilogy 13:03:51

I wasn’t able to track down getResources unfortunately. So I assumed that it was coming from that strings.xml file

bravilogy 13:03:00

now that I think about it, I might be wrong

manutter51 13:03:11

It’s possible that the locations aren’t coded, and that the app is getting the data from either a remote source or from some kind of local storage, since the 2131099648 is such a high value.

manutter51 13:03:54

First step is to find the definition for the class that check_domain_200 appears in, and look at its constructor, to see what it’s setting this.context to.

manutter51 13:03:28

It’s a bit confusing because it also defines Context context at the top of the method, but context and this.context are different variables.

bravilogy 13:03:09

oh, ok I got that part now

manutter51 13:03:38

Actually, let’s thread this so we don’t consume too much space in #off-topic .

bravilogy 13:03:34

So the class is:

public class webServiceRobot {
   Context context;

   // and the method goes here
}

manutter51 13:03:36

The constructor will give you the class that’s being stored in this.context. It’ll either be instantiated directly, or passed in as a constructor arg.

manutter51 13:03:24

Ok, you’ve got the class, can you see where this.context is being set to a value? Or is it just a setContext method?

bravilogy 13:03:29

there is a setContext method which just sets it

public void setContext(Context paramContext) {
  this.context = paramContext;
}

so I guess it is being set from outside of this class

bravilogy 13:03:39

so I need to find that now

manutter51 13:03:27

Yeah, you’re probably not going to find a list of IPs anywhere in the source code, I’m guessing. 2131099648 as a string index is too big to be the array index of a list of strings in a config file somewhere, so that’s most likely going to be a db ID into some kind of local storage, which suggests the data is coming in from some remote server somewhere.

manutter51 13:03:32

Although it could be a generated ID from a compiled XML file like @ suggested outside the thread.

hindol.adhya 13:03:59

All the strings in strings.xml (and there can be multiple strings.xml) are compiled into a huge String array in Android.

hindol.adhya 13:03:22

Don't remember the internals too much.

bravilogy 13:03:42

thank you both. I’ll try to see if I can find another useful XML file

jings.bill 14:03:29

android developer here

jings.bill 14:03:22

in source, this.context.getResources().getStringArray(2131099648) would look something like this: this.context.getResources().getStringArray(R.array.my_array)

jings.bill 14:03:16

R.array.my_array is generated from the strings.xml file as it’s being packaged into the apk

jings.bill 14:03:51

so in XML that would look something like:

strings.xml:
<resources>
    <string-array name="my_array">
        <item>Mercury</item>
        <item>Venus</item>
        <item>Earth</item>
        <item>Mars</item>
    </string-array>
</resources>

jings.bill 14:03:39

re: strings.xml, resources have a “configuration” system which allows for switching between different resources under different situations… for strings, this is often used for locale/language

jings.bill 14:03:44

so in source you might have res/values/strings.xml and then a second res/values-es/strings.xml for translation

jings.bill 14:03:17

I think that may be relevant in your case because this strings.xml doesn’t have any string arrays in it. It appears to be a translation.

jings.bill 14:03:23

this string array is storing endpoints, so it’s almost certainly using the default strings.xml, not a localization

jings.bill 14:03:26

(the default is res/values/strings.xml)

jings.bill 14:03:59

I don’t know how to find the R.java map that translates the integer into a string… if you have access to a runtime system, that can be done with an instance of the Resources object

bravilogy 16:07:43

hey @, 4 months later, I just saw this, sorry. thanks for taking time explaining this to me! :)

hindol.adhya 13:03:11

getResources() et al. are coming from strings.xml in a way. The strings.xml is actually compiled into a class, as far as I remember. I did some Android almost 6 years back.