Dylan's Blog

2019 Flare-on Challenge Writeups: Challenge 3

Category: CTF

Challenge 3

flarebear.apk

Description

We at Flare have created our own Tamagotchi pet, the flarebear. He is very fussy. Keep him alive and happy and he will give you the flag.

Walkthrough

In this challenge, we are given the file, flarebear.apk. I run the following command to convert the apk to a jar.

d2j-dex2jar.exe .\flarebear.apk

Next, I open up jd-gui in order to decompile the jar file. Once open, I explore the different folders, the most interesting one being com.fireeye.flarebear, which contains the source code for the flarebear app.

JDGui

I expand the FlareBearActivity class and look for any interesting methods.

FlareBearActivity

The method that sticks out the most is danceWithFlag(), so I look to see where it's called. I find that it gets called in the setMood() method, which also calls the isHappy() and isEcstatic() methods.

setMoodFunction

The danceWithFlag() method only gets called if isEcstatic() returns True, so I explore that first.

isEcstaticFunction

Great, so it looks like this returns True if the three stats (Mass, Happy, Clean) have the following values.

The next step is to figure out how these values are set, but before I continue analyzing the code, I decide to run the app to get a feel for it. Upon starting up the app, you’re greeted with a basic start screen and the option to name your bear. The main screen has three buttons you can click, one for each of the three actions you can take: “Feed”, “Play”, and “Clean”. At this point, I go back to the code.

FlareBearMain

I find the three methods that correspond with the three actions, feed(), play(), and clean().

feedFunction

playFunction

cleanFunction

Each action you take affects the three stats, so we have a system of three equations with three unknowns: the number of times each action must be taken to reach the Ecstatic state. I’ve summarized the changes each action has on the stats below.

Feed

Play

Clean

This gives us the following three equations.

\[Mass = 10 * feed - 2 * play + 0 * clean\]
\[Happy = 2 * feed + 4 * play - 1 * clean\]
\[Clean = - 1 * feed - 1 * play + 6 * clean\]

Plugging in the desired final stats and solving.

\[72 = 10 * feed - 2 * play + 0 * clean\]
\[30 = 2 * feed + 4 * play - 1 * clean\]
\[0 = - 1 * feed - 1 * play + 6 * clean\]

\[Feed = 8\]
\[Play = 4\]
\[Clean = 2\]
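The system above can be solved exactly and then replayed as button presses to confirm the result. This is an added example, not code from the original post or the app: the per-action deltas are read off the equation coefficients, and it assumes a fresh bear starts with all three stats at 0 and that stats change linearly with no clamping.

```python
from fractions import Fraction

# Per-press stat deltas (mass, happy, clean), read off the columns of the
# equations in this writeup; TARGET is the right-hand side used there.
DELTAS = {
    "feed":  (10, 2, -1),
    "play":  (-2, 4, -1),
    "clean": (0, -1, 6),
}
TARGET = (72, 30, 0)
ACTIONS = ("feed", "play", "clean")


def solve_counts(deltas=DELTAS, target=TARGET):
    """Solve the 3x3 system exactly (Gauss-Jordan over Fractions).

    Row i is stat i, column j is the effect of action j, last column is the target.
    """
    n = len(ACTIONS)
    m = [[Fraction(deltas[a][i]) for a in ACTIONS] + [Fraction(target[i])]
         for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] != 0), None)
        if pivot is None:
            raise ValueError("singular system: no unique solution")
        m[col], m[pivot] = m[pivot], m[col]
        m[col] = [v / m[col][col] for v in m[col]]
        for r in range(n):
            if r != col:
                factor = m[r][col]
                m[r] = [v - factor * p for v, p in zip(m[r], m[col])]
    counts = {}
    for action, row in zip(ACTIONS, m):
        x = row[-1]
        # Button presses must be whole and non-negative to be playable.
        if x.denominator != 1 or x < 0:
            raise ValueError(f"{action} = {x} is not a valid press count")
        counts[action] = int(x)
    return counts


def simulate(counts, deltas=DELTAS):
    """Replay the presses from an all-zero bear (assumed) and return final stats."""
    stats = (0, 0, 0)
    for action, presses in counts.items():
        for _ in range(presses):
            stats = tuple(s + d for s, d in zip(stats, deltas[action]))
    return stats
```

Exact rational arithmetic avoids floating-point rounding when checking that each count is a whole number, which matters because a fractional or negative answer would mean the target stats cannot be reached by pressing buttons.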

Jumping back to our emulator, making a new bear, and hitting each action the required number of times leads us to an ecstatic bear and the flag.

win

Flag for Challenge 3: th4t_was_be4rly_a_chall3nge@flare-on.com