Flare-On 7 2020 Challenge #5: TKApp

We received a packed TPK file that we can just unpack with 7zip. Inside the “bin” folder we had number of interesting DLLs, the one that was the most interesting was the “TKApp.dll”, so we analyzed it with dnSpy.

We need to find the four variables: Password, Note, Step, and Desc.

The password is being checked in the function OnLoginButtonClicked with the function IsPasswordCorrect:

The TKData.Password contains the encoded bytes:

public static byte[] Password = new byte[]

It is being decoded by the function Decode:

Using it on the encoded bytes and we will get the password: “mullethat”

The Note variable is being calculated in the StepList function:

Run it in C# and we will get: “keep steaks for dinner”

To find it, we see in the code that it takes it from the metadata file of the application, in our case: tizen-manifest.xml, and takes the value of the key “its”:

Inside tizen-manifest.xml we will find the value:

The value of Step is “magic”.

In the code there is a place where it sets the value of the ImageDescription in Desc:

Using exiftool we can see this value:

The value for Desc is “water”.

flag: n3ver_go1ng_to_recov3r@flare-on.com



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Eviatar Gerzi

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)