BlueBox Android Challenge

Some weeks ago (I don’t even remember the exact time frame) a friend made me aware of this challenge. Basically it is about injecting Dalvik code through native code. I found some minutes this morning to look into it and, while I’m sure somebody else has already solved it, it’s a nice way to show a bit of how to reverse engineer Android applications with the Profiler.

The first problem we encounter is that the APK (which is a Zip archive) has been tampered with: the Profiler incorrectly asks for a decryption key because the GeneralPurposeBit field of every file header has been modified so that the entries look encrypted, e.g.:

A few lines of code to fix this field for all file entries in the Zip archive:
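As an added example that is not the post’s own Profiler script (it uses only the Python standard library and no Profiler SDK), here is the same repair done directly on the Zip structures: walk the central directory and clear the encryption bit (bit 0 of the general purpose bit flag) in every central directory header and the local file header it points to. Only that bit is cleared, so entries that legitimately use a data descriptor (bit 3) keep working. The two-entry archive built by make_tampered_sample() is constructed here to stand in for the challenge APK.

```python
import io
import struct
import zipfile

# Zip signatures and the flag bit of interest (PKWARE APPNOTE, section 4.4.4).
LFH_SIG = b"PK\x03\x04"   # local file header
CDH_SIG = b"PK\x01\x02"   # central directory file header
EOCD_SIG = b"PK\x05\x06"  # end of central directory record
ENCRYPTED_FLAG = 0x0001   # bit 0 of the general purpose bit flag


def clear_encryption_flags(data):
    """Return (repaired_bytes, entries_fixed).

    Walks the central directory and, for every entry, clears bit 0 of the
    general purpose bit flag in both the central directory header and the
    local file header. Only that bit is touched: bit 3 (data descriptor
    present) and the others still describe the entry and must survive.
    """
    buf = bytearray(data)
    eocd = buf.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    # EOCD: sig(4) disk(2) cd_disk(2) entries_on_disk(2) entries(2) cd_size(4) cd_offset(4)
    entries, _cd_size, cd_offset = struct.unpack_from("<HII", buf, eocd + 10)
    pos = cd_offset
    fixed = 0
    for _ in range(entries):
        if buf[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory entry at offset %#x" % pos)
        flags = struct.unpack_from("<H", buf, pos + 8)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        local_off = struct.unpack_from("<I", buf, pos + 42)[0]
        if buf[local_off:local_off + 4] != LFH_SIG:
            raise ValueError("bad local file header at offset %#x" % local_off)
        lflags = struct.unpack_from("<H", buf, local_off + 6)[0]
        if (flags | lflags) & ENCRYPTED_FLAG:
            struct.pack_into("<H", buf, pos + 8, flags & ~ENCRYPTED_FLAG)
            struct.pack_into("<H", buf, local_off + 6, lflags & ~ENCRYPTED_FLAG)
            fixed += 1
        pos += 46 + name_len + extra_len + comment_len
    return bytes(buf), fixed


def readable_members(data):
    """Names of members that zipfile can actually read. An entry whose flag
    says 'encrypted' makes zipfile raise RuntimeError asking for a password."""
    names = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            try:
                z.read(info)
            except RuntimeError:
                continue
            names.append(info.filename)
    return names


def make_tampered_sample():
    """Constructed input: a two-entry archive whose headers carry the
    encryption bit even though nothing is encrypted, like the challenge APK."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
    buf = bytearray(out.getvalue())
    for sig, flag_off in ((LFH_SIG, 6), (CDH_SIG, 8)):
        pos = buf.find(sig)
        while pos >= 0:
            flags = struct.unpack_from("<H", buf, pos + flag_off)[0]
            struct.pack_into("<H", buf, pos + flag_off, flags | ENCRYPTED_FLAG)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


if __name__ == "__main__":
    tampered = make_tampered_sample()
    repaired, n = clear_encryption_flags(tampered)
    print("readable before:", readable_members(tampered))
    print("readable after: ", readable_members(repaired), "(%d entries fixed)" % n)
```

Running the script prints an empty list for the tampered archive and both member names for the repaired one. The walk starts from the end-of-central-directory record rather than scanning for signatures, so stored data that happens to contain a ‘PK’ marker is never mistaken for a header.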

Now we can explore the contents of the APK with the Profiler. We have the usual ‘classes.dex’ file plus the native library in ‘lib/armeabi/’. Let’s open the library with IDA. It doesn’t contain many functions, and just by looking through them we stumble upon this one:

It’s clear that at some point during the execution of the Dalvik code this function is triggered and writes the array ‘inject’ into the memory space of the DEX module. We can verify that the bytes are indeed Dalvik opcodes with the appropriate filter: select the bytes representing the array in the hex view and then open the filter view:

Dalvik filter

The functions called before the actual injection locate the exact position of the code, and they help us as well: back in the Profiler, let’s find the method “Ljava/lang/String;”:”add”:


From here we get the class index and name. Just by looking at the disassembled class we’ll notice a method filled with nops:

Method with nops

The code size of the method matches the payload size (111 * 2 = 0xDE):


Let’s write back the instructions to the DEX module:

Write payload

We could do this with a filter just as well by the way:
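The write-back itself, as an added stand-alone example that is not the post’s Profiler script or filter: it overwrites the nop-filled method’s code area with the injected bytes and then recomputes the two DEX header fields that cover the file, the Adler-32 checksum (over everything from offset 12) and the SHA-1 signature (over everything from offset 32), so that the patched classes.dex is accepted as a consistent DEX by whatever tool you analyze it with next. The size check mirrors the one in the post (111 code units * 2 = 0xDE bytes). The sample DEX, its code offset and the payload bytes are constructed for the example; only the header layout and hash coverage come from the DEX format.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70
NOP = b"\x00\x00"  # Dalvik nop: opcode 0x00, a single 16-bit code unit


def dex_checksum(data):
    """Adler-32 over everything after the checksum field (offset 12 to EOF)."""
    return zlib.adler32(bytes(data[12:])) & 0xFFFFFFFF


def dex_signature(data):
    """SHA-1 over everything after the signature field (offset 32 to EOF)."""
    return hashlib.sha1(bytes(data[32:])).digest()


def verify_dex(data):
    """True when magic, checksum and signature are all consistent."""
    data = bytes(data)
    if len(data) < HEADER_SIZE or data[:8] != DEX_MAGIC:
        return False
    checksum = struct.unpack_from("<I", data, 8)[0]
    return checksum == dex_checksum(data) and data[12:32] == dex_signature(data)


def fix_header(buf):
    """Recompute the signature first (the checksum covers it), then the checksum."""
    buf[12:32] = dex_signature(buf)
    struct.pack_into("<I", buf, 8, dex_checksum(buf))
    return buf


def is_nop_region(data, offset, size):
    """True when the `size` bytes at `offset` are exactly size // 2 Dalvik nops."""
    region = bytes(data[offset:offset + size])
    return size % 2 == 0 and len(region) == size and region == NOP * (size // 2)


def inject_payload(data, code_offset, code_size, payload):
    """Write `payload` over the nop-filled insns of the method at `code_offset`.

    The payload must fill the method's code area exactly, so the injected
    instructions stay inside the code_item the DEX already describes.
    """
    data = bytes(data)
    if code_offset < HEADER_SIZE or code_offset + code_size > len(data):
        raise ValueError("code region lies outside the DEX body")
    if len(payload) != code_size:
        raise ValueError("payload size %#x != method code size %#x" % (len(payload), code_size))
    if not is_nop_region(data, code_offset, code_size):
        raise ValueError("target method is not a nop-filled region of that size")
    buf = bytearray(data)
    buf[code_offset:code_offset + code_size] = payload
    return bytes(fix_header(buf))


# Constructed payload: const/4 v0, #0 ; return v0 ; then nops up to 111 code units.
SAMPLE_PAYLOAD = b"\x12\x00\x0f\x00" + NOP * 109
CODE_SIZE = 111 * 2  # 0xDE, the size seen in the post


def make_sample_dex():
    """Constructed stand-in for classes.dex: a valid header followed by a body
    holding one nop-filled method of 0xDE bytes. Returns (data, code_offset)."""
    body = b"\xaa" * 16 + NOP * (CODE_SIZE // 2) + b"\xbb" * 16
    header = bytearray(HEADER_SIZE)
    header[:8] = DEX_MAGIC
    # file_size, header_size, endian_tag
    struct.pack_into("<III", header, 32, HEADER_SIZE + len(body), HEADER_SIZE, 0x12345678)
    buf = fix_header(header + body)
    return bytes(buf), HEADER_SIZE + 16


if __name__ == "__main__":
    dex, off = make_sample_dex()
    patched = inject_payload(dex, off, CODE_SIZE, SAMPLE_PAYLOAD)
    print("header valid after patch:", verify_dex(patched))
    print("first code units:", patched[off:off + 4].hex())
```

The nop check is what keeps this from silently clobbering a real method if the offset is off by a few bytes; the header refresh matters because a DEX whose checksum or signature no longer matches is rejected by most tooling before you get to look at the code.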

And now we can analyze the injected code:

And that’s it. It took much more time to write this post than to do the actual work (about 10 minutes, if that). Reverse engineering the crackme to find the correct key is beyond the scope of the post, although I’m sure it’s fun as well.

Thanks to BlueBox for the crackme!

4 thoughts on “BlueBox Android Challenge”

  1. Hello, thanks for this nice tuto!
    Just one question: how did you edit/create repaired.apk file starting from the original one?
    I mean, can’t Cerbero directly edit GeneralPurposeBit?!?


    1. Hello x0r3d,
      I used the following code as shown in the article:

      from Pro.UI import *

      # the Zip object of the file currently open in the Profiler
      obj = proContext().currentScanProvider().getObject()
      n = obj.GetEntryCount()
      for i in range(n):
          # zero the general purpose bit flag of every file entry
          obj.GetEntry(i).Set("GeneralBitFlag", 0)
      # this last line is cut off in the comment as posted
      s = obj.GetStream() + "_fixed")

      You can run the code by pressing Ctrl+Alt+R. It would also be possible to use the hex editor to edit the field or use the hex view and then “Copy into new file”.

      Hope this helps!


      1. Hello Erik,
        one million thanks for your answer!
        Cerbero is simply great and the perfect swiss knife multi-purpose, but even the best can keep getting better! Hommage! 😉

        1. Hey x0red,
          thank you! You’re right! 🙂 We’re working hard to make Cerbero even better, stay tuned!
          Kind regards
