Flare-On 7 2020 Challenge #5: TKApp

Image for post
Image for post

We received a packed TPK file that we can just unpack with 7zip. Inside the “bin” folder we had number of interesting DLLs, the one that was the most interesting was the “TKApp.dll”, so we analyzed it with dnSpy.

Image for post
Image for post

We need to find the four variables: Password, Note, Step, and Desc.

The password is being checked in the function OnLoginButtonClicked with the function IsPasswordCorrect:

Image for post
Image for post

The TKData.Password contains the encoded bytes:

public static byte[] Password = new byte[]
{
62,
38,
63,
63,
54,
39,
59,
50,
39
};

It is being decoded by the function Decode:

Image for post
Image for post

Using it on the encoded bytes and we will get the password: “mullethat”

The Note variable is being calculated in the StepList function:

Image for post
Image for post

Run it in C# and we will get: “keep steaks for dinner”

To find it, we see in the code that it takes it from the metadata file of the application, in our case: tizen-manifest.xml, and takes the value of the key “its”:

Image for post
Image for post

Inside tizen-manifest.xml we will find the value:

Image for post
Image for post

The value of Step is “magic”.

In the code there is a place where it sets the value of the ImageDescription in Desc:

Image for post
Image for post

Using exiftool we can see this value:

Image for post
Image for post

The value for Desc is “water”.

Image for post
Image for post
flag: n3ver_go1ng_to_recov3r@flare-on.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store