Flare-On 7 2020 Challenge #5: TKApp

Eviatar Gerzi
Oct 29, 2020

We received a packed TPK file that we can just unpack with 7zip. Inside the “bin” folder we had number of interesting DLLs, the one that was the most interesting was the “TKApp.dll”, so we analyzed it with dnSpy.

We need to find the four variables: Password, Note, Step, and Desc.

Password

The password is being checked in the function OnLoginButtonClicked with the function IsPasswordCorrect:

The TKData.Password contains the encoded bytes:

public static byte[] Password = new byte[]
{
62,
38,
63,
63,
54,
39,
59,
50,
39
};

It is being decoded by the function Decode:

Using it on the encoded bytes and we will get the password: “mullethat”

Note

The Note variable is being calculated in the StepList function:

Run it in C# and we will get: “keep steaks for dinner”

Step

To find it, we see in the code that it takes it from the metadata file of the application, in our case: tizen-manifest.xml, and takes the value of the key “its”:

Inside tizen-manifest.xml we will find the value:

The value of Step is “magic”.

Desc

In the code there is a place where it sets the value of the ImageDescription in Desc:

Using exiftool we can see this value:

The value for Desc is “water”.

flag: n3ver_go1ng_to_recov3r@flare-on.com

--

--

Eviatar Gerzi

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)