Pedometer - Hack The Box
Let's start analyzing the APK using JADX-GUI.
We have one activity, MainActivity.
```java
package com.rloura.pedometer;
```
Things to note from this activity:
- It uses the `SensorManager` to register a listener for the accelerometer sensor (sensor type 1).
- It checks for the `ACTIVITY_RECOGNITION` permission and requests it if not granted.
- Its registered listener is an instance of `C0974a`, which is where our challenge resides.
- Also, an instance of `C0976c` is created, which reads an asset file named `a`, stores its `InputStream`, and also initializes a `Stack` object.
Here is the content of the asset file `a` in hex:
```text
❯ xxd a
```
Let's take a look at the `C0974a` class. (Only the important code is shown, as some parts were not decompiled properly.)
```java
InputStream inputStream = c0976c.f4097b;
```
- Basically, it reads one byte from the asset file `a`, XORs it with `f4099d` (which is initialized to 0), and then compares the result with the enum `EnumC0975b`.
Here is the structure of the enum:
```text
0 -> 0x0 => STOP
```
- This looks like a custom stack-based virtual machine with 20 opcodes.
- To solve this challenge, we need to implement this virtual machine and execute the bytecode from the asset file `a` to get the flag.
- The important part is to understand how each opcode works and how the stack and the value of `f4099d` are manipulated during execution.
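To make the decode loop and the emulation approach concrete, here is an added example of a small stack-based VM in Python. It is not the write-up's solver and not the challenge's real opcode table: only `STOP = 0` is taken from the enum shown above; every other opcode, the rule that immediates are stored raw, and the sample bytecode are constructed for illustration. The `key` attribute plays the role of `f4099d`, and the assembler tracks key changes so the bytecode it emits decodes correctly, which is exactly the bookkeeping a solver has to get right.

```python
from enum import IntEnum


class Op(IntEnum):
    """Hypothetical opcode table: only STOP = 0 is taken from the write-up."""
    STOP = 0
    PUSH = 1    # PUSH imm8: push the next byte
    POP = 2
    ADD = 3
    SUB = 4
    XOR = 5
    DUP = 6
    SETKEY = 7  # SETKEY imm8: the next byte becomes the opcode-decode key
    EMIT = 8    # pop a value and append it to the output
    JNZ = 9     # JNZ imm8: pop a value; jump to the absolute offset if non-zero


def assemble(program):
    """Two-pass assembler. Entries are label strings or (op, *operands) tuples.

    Opcode bytes are stored XORed with the key that will be active when the VM
    reaches them (the counterpart of f4099d); immediates are stored raw, which
    is an assumption of this example.
    """
    labels, offset = {}, 0
    for entry in program:                       # pass 1: resolve label offsets
        if isinstance(entry, str):
            labels[entry] = offset
        else:
            offset += len(entry)
    out, key = bytearray(), 0
    for entry in program:                       # pass 2: encode, tracking the key
        if isinstance(entry, str):
            continue
        op, *operands = entry
        out.append(int(op) ^ key)
        for v in operands:
            out.append(labels[v] if isinstance(v, str) else v & 0xFF)
        if op is Op.SETKEY:
            key = operands[0] & 0xFF
    return bytes(out)


class VM:
    def __init__(self, code):
        self.code = bytes(code)
        self.pc = 0
        self.stack = []
        self.key = 0            # counterpart of f4099d: starts at 0, XORed with every opcode byte
        self.out = bytearray()
        self.trace = []         # (pc, mnemonic, stack) per instruction; useful when debugging a solver

    def fetch(self):
        if self.pc >= len(self.code):
            raise IndexError(f"pc {self.pc:#06x} is past the end of the bytecode")
        b = self.code[self.pc]
        self.pc += 1
        return b

    def run(self, max_steps=10_000):
        for _ in range(max_steps):
            at = self.pc
            raw = self.fetch() ^ self.key       # the decode step the write-up describes
            try:
                op = Op(raw)
            except ValueError:                  # usually means the key was tracked wrongly
                raise ValueError(f"unknown opcode {raw:#04x} at {at:#06x} (key={self.key:#04x})")
            self.trace.append((at, op.name, tuple(self.stack)))
            if op is Op.STOP:
                return bytes(self.out)
            self.step(op)
        raise RuntimeError("step limit exceeded: runaway loop?")

    def step(self, op):
        s = self.stack
        if op is Op.PUSH:
            s.append(self.fetch())
        elif op is Op.POP:
            s.pop()
        elif op in (Op.ADD, Op.SUB, Op.XOR):
            b, a = s.pop(), s.pop()
            s.append({Op.ADD: (a + b) & 0xFF, Op.SUB: (a - b) & 0xFF, Op.XOR: a ^ b}[op])
        elif op is Op.DUP:
            s.append(s[-1])
        elif op is Op.SETKEY:
            self.key = self.fetch()
        elif op is Op.EMIT:
            self.out.append(s.pop())
        elif op is Op.JNZ:
            target = self.fetch()
            if s.pop():
                self.pc = target


def demo_program(msg=b"HTB{example}", key=0x5A, mask=0x33):
    """Constructed sample bytecode (not the challenge's asset file): decode
    `msg` byte by byte, then emit '!' three times in a counted loop."""
    prog = [(Op.SETKEY, key)]       # every opcode after this is stored XORed with `key`
    for c in msg:
        prog += [(Op.PUSH, c ^ mask), (Op.PUSH, mask), (Op.XOR,), (Op.EMIT,)]
    prog += [
        (Op.PUSH, 3), "loop",       # counter on the stack; loop head
        (Op.PUSH, ord("!")), (Op.EMIT,),
        (Op.PUSH, 1), (Op.SUB,),    # counter -= 1
        (Op.DUP,), (Op.JNZ, "loop"),
        (Op.POP,), (Op.STOP,),
    ]
    return prog


def run_demo():
    """Assemble the sample program and run it; returns the emitted bytes."""
    return VM(assemble(demo_program())).run()


if __name__ == "__main__":
    print(run_demo().decode())      # HTB{example}!!!
```

The `trace` list is the part worth keeping when writing a real solver: if the emulator hits an "unknown opcode" error, the last few trace entries show where the key or the stack went wrong, which is far quicker than staring at the hex dump.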
Here is the solver script in Python:
```python
data_bytes = [
```
Here is the output:
```text
... (truncated)
```
Everything is working as expected and we got the flag.
Ending Thoughts
This was my first time solving a VM-based challenge and it took me a while to understand the opcodes and how the stack works.
Hope you find it useful :)