Draw APK - THCon 2021 14 solves 249 points First steps As the challenge creator tells me this app is “based on a Trojan Horse” and it is “not recommended to install it on a real smartphone”, even if there is actually “no malicious payload”, I am very reluctant at first to test the app, even in an emulator. So, I start off with my favorite static analysis combination: DroidLysis and JEB.

Good old friend The challenge provides an Android APK. Reversing the APK The main activity of this APK is party.thcon.y2021.level1.MainActivity. Its onCreate() method does the following: Anti-debug. If the app is being debugged, display an alert dialog saying “Find another way” and quit. 1 2 3 if((this.getApplicationInfo().flags & 2) != 0) { this.findanotherway("App is debuggable"); } Anti-root. Search for su in the PATH of the system. If it is not found, search for rooting apps or binaries such as Superuser.

The overall intent for Shakti CTF is for beginners, learn what is a CTF and get women interested in the topic. Therefore, the “easy” 50 points challenges are really very very easy, and 100-point challenges are still *really easy (far easier than baby challenges at Hack.Lu CTF ;-). Everybody has to start one day ;P so I’m okay with this rating as long as it remains consistent. Globally, this was the case, with the exception of a few challenges under/over rated.