Flare-On 7 2020 Challenge #5: TKApp

We received a packed TPK file that can simply be unpacked with 7zip. Inside the “bin” folder there were a number of interesting DLLs; the most interesting one was “TKApp.dll”, so we analyzed it with dnSpy.

We need to find the four variables: Password, Note, Step, and Desc.

Password

The password is checked in the function OnLoginButtonClicked by the function IsPasswordCorrect:

TKData.Password contains the encoded bytes:

public static byte[] Password = new byte[]
{
    62, 38, 63, 63, 54, 39, 59, 50, 39
};

It is decoded by the function Decode:

Applying it to the encoded bytes gives the password: “mullethat”
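The body of Decode is not reproduced on this page, so the following added example (not the author's or the challenge's code) assumes it is a single-byte XOR, which is consistent with the bytes and the password shown above. It brute-forces the key with a lowercase-only filter, then pins it down with the known password; all function names are hypothetical.

```python
from typing import Dict, Optional

# TKData.Password exactly as listed on the page.
ENCODED = bytes([62, 38, 63, 63, 54, 39, 59, 50, 39])


def xor_decode(data: bytes, key: int) -> bytes:
    """Assumed Decode behaviour: XOR every byte with the same one-byte key."""
    return bytes(b ^ key for b in data)


def candidate_keys(data: bytes) -> Dict[int, str]:
    """Try all 256 keys; keep those whose output is only lowercase ASCII letters."""
    hits = {}
    for key in range(256):
        plain = xor_decode(data, key)
        if all(0x61 <= b <= 0x7A for b in plain):
            hits[key] = plain.decode("ascii")
    return hits


def key_from_known_plaintext(data: bytes, plaintext: str) -> Optional[int]:
    """Derive the key from a known pair; None if the pair is not a single-byte XOR."""
    plain = plaintext.encode("ascii")
    if len(plain) != len(data):
        return None
    keys = {c ^ p for c, p in zip(data, plain)}
    return keys.pop() if len(keys) == 1 else None


if __name__ == "__main__":
    # The charset filter alone leaves several candidates to eyeball.
    for key, text in sorted(candidate_keys(ENCODED).items()):
        print(f"key=0x{key:02x} -> {text}")
    # The password from the page confirms which key is the right one.
    print("key:", key_from_known_plaintext(ENCODED, "mullethat"))
```

The charset filter narrows 256 keys to a handful of candidates, only one of which is readable; the known-plaintext check returns None for any pair that a single-byte XOR cannot explain.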

Note

The Note variable is calculated in the StepList function:

Running it in C# gives: “keep steaks for dinner”

Step

The code shows that Step is read from the application's metadata file, in our case tizen-manifest.xml, as the value of the key “its”:

Inside tizen-manifest.xml we will find the value:

The value of Step is “magic”.

Desc

In one place the code stores the value of ImageDescription in Desc:

Using exiftool we can see this value:

The value for Desc is “water”.

flag: n3ver_go1ng_to_recov3r@flare-on.com

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)
Eviatar Gerzi