Kony Mobile Frameworks Reverse Engineering | Write Up Wreck IT 2022 CTF Quals

Maulvi Alfansuri
5 min read · Oct 20, 2022


Here is an analysis of the Kony framework, based on the reversing challenge from the Wreck IT 2022 quals.

Challenge

One APK file is provided, with package name id.seclab.ctf.wreckit. The APK can be downloaded here.

The APK was compiled with the Kony framework, which uses a packer. To get the flag, we need to retrieve the decrypted code.

TLDR

Hook the native LZF function with Frida to retrieve the zipped source files; the flag is found in the source code. Below is the solver code.

Frida script solver

Solution

When run on the device, the program only shows a blank page with the text WreckIT to catch a flag!

Application launch with no information

There is no information or button we can interact with, so the analysis continued with static analysis of the APK file. Open the APK in Jadx-GUI to view the decompiled Java code.

From the Java code, we know that the application imports the Kony library. Kony is a mobile application framework that packs the source code into encrypted files and loads them at runtime.

kony imported on the main java code

The Kony packer packs the JavaScript source code into encrypted files, which are processed by a native library named libkonyjsvm.so. In the application resources we find the encrypted JavaScript files (with the .kfm extension, plus startup.js) and libkonyjsvm.so.

encrypted js files and kony library exist on the resources

Analysis and breakdown of Kony on mobile applications has already been explained well here and here. The blog post also provides a tool to decrypt the source code, named konyutils. However, the tool cannot be used on this application.

The Kony plugin version used by the application is 8.4.28, which differs from the version in the tutorial, so neither the decryption method described in the blog post nor the tool worked.

kony version used on the challenge

Next, we continued the analysis of libkonyjsvm.so in Ghidra. Based on the earlier blog post, our analysis started with the function kony_loadFilesToVM in the library, which is the native function the Java code invokes.

native function loadFilesToVM called by java code

In general, the Kony packer works according to this schema:

kony schema

When the APK is compiled, Kony compresses all JavaScript files into a zip archive, and the zip file is then encrypted. This follows from konyutils, which saves the decrypted data as a zip file.

konyutils decrypt code

When the application launches, it decrypts the files back to a zip archive, extracts the JavaScript files, and executes them in the JavaScript runtime inside Kony.

In the article referenced here, the decryption method hooks a function named simpleSHA256 in libkonyjsvm.so to steal the key. However, in the version used by this challenge, simpleSHA256 is not called or referenced from any address.

Ghidra reference to simpleSHA256

We tried another approach, getting the key via strcat, but the key could not be used to decrypt with the konyutils tool. Our assumption was that the decryption method differs from the version in the article.

After trying a few approaches, we went back to the diagram of how Kony works: the application must unpack the zip archive after the files are decrypted, so somewhere there must be a function that produces and processes the decompressed zip data.

After analyzing libkonyjsvm.so, we found this code:

Extracted code on kony_loadFilesToVM

In the code highlighted in blue, a function named lzf is called. LZF is a fast compression algorithm (liblzf) used to compress and decompress data. It is not the compression used inside zip itself (zip uses DEFLATE), but a decompressor is exactly what we expected at this point, so our hypothesis was that the program uses this function to unpack the decrypted files.

The third parameter of lzf is the pointer to the memory that holds the decompressed zip data, and the fourth parameter is its length in bytes.

Knowing this, we hooked the native function lzf with Frida's native hooks. Below is the Frida code.

In general, this code hooks the fourth parameter to obtain the length of the decrypted zip data, then reads the memory at the pointer in the third parameter to retrieve the zip, and writes it to /data/data/id.seclab.ctf.wreckit/A.zip, where A is an incrementing counter.
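Since the solver script itself is not reproduced on this page, here is an added example of such a Frida hook (my own code, not the author's script). It assumes the routine is exported as lzf_decompress with the liblzf signature lzf_decompress(in, in_len, out, out_len), so that args[2] is the output buffer, args[3] its capacity and the return value the number of bytes actually produced; the symbol name and signature are assumptions, not confirmed by the write-up. The hook reads the buffer in onLeave, after the call has filled it, sizes the dump by the return value rather than the buffer capacity, and keeps only buffers that begin with the zip local-file-header magic.

```javascript
// Added example (not the author's solver): Frida script that hooks the LZF
// decompressor in libkonyjsvm.so and dumps each decompressed buffer to disk.
// Assumptions (not confirmed by the write-up): the export is named
// "lzf_decompress" with the liblzf signature
//   unsigned int lzf_decompress(const void *in, unsigned int in_len,
//                               void *out, unsigned int out_len);
// so args[2] is the output buffer, args[3] its capacity, and the return
// value is the number of bytes actually written.
'use strict';

const LIB = 'libkonyjsvm.so';
const DUMP_DIR = '/data/data/id.seclab.ctf.wreckit';
const ZIP_MAGIC = [0x50, 0x4b, 0x03, 0x04]; // "PK\x03\x04", zip local file header

// True when a buffer starts with the zip magic, so only archives are kept
// and other LZF payloads passing through the same routine are ignored.
function looksLikeZip(bytes) {
  if (bytes.length < ZIP_MAGIC.length) return false;
  return ZIP_MAGIC.every((b, i) => bytes[i] === b);
}

// Incremental output path as described in the write-up: <dir>/<n>.zip
function dumpPath(dir, n) {
  return dir + '/' + n + '.zip';
}

// Locate the decompressor: try the assumed export name first, then any
// export whose name mentions lzf and decompress.
function findLzfDecompress(mod) {
  const direct = mod.findExportByName('lzf_decompress');
  if (direct !== null) return direct;
  const hit = mod.enumerateExports().find(e => /lzf.*decompress/i.test(e.name));
  return hit ? hit.address : null;
}

function installHook() {
  const mod = Process.findModuleByName(LIB);
  if (mod === null) {
    // Library not loaded yet (typical when spawning with frida -f); retry.
    setTimeout(installHook, 200);
    return;
  }
  const target = findLzfDecompress(mod);
  if (target === null) {
    console.error('[-] no LZF decompress export found in ' + LIB);
    return;
  }
  let counter = 0;
  Interceptor.attach(target, {
    onEnter(args) {
      this.out = args[2];             // destination buffer
      this.cap = args[3].toUInt32();  // capacity, not the produced length
    },
    onLeave(retval) {
      // Read only after the call has filled the buffer, and only as many
      // bytes as the routine reports having written.
      const produced = retval.toUInt32();
      if (produced === 0) return;
      const raw = this.out.readByteArray(produced);
      if (!looksLikeZip(new Uint8Array(raw))) return;
      const path = dumpPath(DUMP_DIR, counter++);
      const f = new File(path, 'wb');
      f.write(raw);
      f.flush();
      f.close();
      console.log('[+] wrote ' + produced + ' bytes (capacity ' + this.cap + ') to ' + path);
    }
  });
  console.log('[*] hooked LZF decompress at ' + target);
}

// Only arm the hook inside Frida; under plain Node the helpers stay usable.
if (typeof Interceptor !== 'undefined') {
  installHook();
}
```

Load it with frida -U -f id.seclab.ctf.wreckit -l dump_lzf.js; the script retries until libkonyjsvm.so is mapped, so it also works when the process is spawned rather than attached to. If the dumps come out truncated or empty, the assumed argument order is wrong for this build and the signature must be read off the call site in Ghidra.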

Loading the script with Frida spawns the application.

Check the directory and move the files to the local machine.

Now extract the files; we have acquired the program's source code.

Find the flag with grep, and we get the flag.

Conclusion

In this challenge I learned a lot about hooking native functions with Frida, debugging packers and how packers work. Good game to the problem setter for creating a challenge with a real-world hacking problem. Cheers.
