Reverse Engineering on Android consists of disassembling an application (APK) to study its logic, extract secrets, or modify its behavior (Patching). In this guide, we will cover patching vulnerabilities in InsecureBankv2 and bypassing checks in the famous KGB Messenger CTF.
Java/Kotlin code is compiled into a bytecode format called DEX. We have two paths:
- JADX or dex2jar rebuild the Java code. It's great for reading, but the result cannot be recompiled back into an APK.
- Apktool converts DEX to Smali (the Android VM assembly language). Smali is hard to read, but it can be altered and recompiled.

```bash
# 1. Disassemble the APK:
apktool d InsecureBankv2.apk -o Source
# 2. Patch AndroidManifest.xml (change android:exported to "false").
# 3. Rebuild the APK:
apktool b Source -o Patched.apk
# 4. Sign the new APK (Android requires signatures):
apksigner sign --ks my-release-key.keystore Patched.apk
```
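Step 2 above edits android:exported by hand. As an added example (not part of the original guide), the Python helper below reads the decoded AndroidManifest.xml that apktool writes, lists the components other apps can reach, and sets android:exported="false" on those that have neither an intent-filter nor a guarding permission. The sample manifest and its component names are constructed, not taken from InsecureBankv2.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output
COMPONENTS = ("activity", "service", "receiver", "provider")

def attr(name):  # Clark-notation name of an android: attribute
    return "{%s}%s" % (ANDROID_NS, name)

def components(manifest_xml):  # -> (root element, list of component elements)
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    comps = [c for c in app if c.tag in COMPONENTS] if app is not None else []
    return root, comps

def exposed_components(manifest_xml):
    """Components other apps can reach: exported="true", or unset with an <intent-filter>."""
    found = []
    for comp in components(manifest_xml)[1]:
        exported = comp.get(attr("exported"))
        has_filter = comp.find("intent-filter") is not None
        if exported == "true" or (exported is None and has_filter):
            found.append({"tag": comp.tag, "name": comp.get(attr("name")),
                          "protected": comp.get(attr("permission")) is not None})
    return found

def harden_manifest(manifest_xml):
    """Set exported="false" where nothing needs the component from outside: no <intent-filter>,
    no guarding permission. Returns (new_xml, names_changed)."""
    root, comps = components(manifest_xml)
    changed = []
    for comp in comps:
        if (comp.get(attr("exported")) == "true" and comp.find("intent-filter") is None
                and comp.get(attr("permission")) is None):
            comp.set(attr("exported"), "false")
            changed.append(comp.get(attr("name")))
    return ET.tostring(root, encoding="unicode"), changed

# Constructed sample manifest; component names are made up, not InsecureBankv2's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank"><application>
  <activity android:name=".LoginActivity" android:exported="true">
    <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
  </activity>
  <activity android:name=".TransferActivity" android:exported="true"/>
  <receiver android:name=".SyncReceiver"><intent-filter>
    <action android:name="com.example.bank.SYNC"/></intent-filter></receiver>
  <provider android:name=".AccountsProvider" android:exported="true"
    android:permission="com.example.bank.READ_ACCOUNTS"/>
</application></manifest>"""
```

Run it against Source/AndroidManifest.xml before step 3 to see which components are still reachable after the patch; the launcher activity keeps its intent-filter and stays exported on purpose.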
The app checks whether the device's locale is "Russia" (the string "RU" in the code). If not, it exits. We need to patch the binary.

```java
if (!locale.equals("RU")) { System.exit(0); }
```
We find the conditional branch in MainActivity.smali:
```smali
invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v0
if-eqz v0, :cond_0   # "If Equal to Zero": v0 is 0 when equals() returned false, so jump to the exit path
```
The patch: change if-eqz to if-nez ("If Not Equal to Zero"). The logic inverts: the app will now only exit if the device IS set to Russian. Rebuild, sign, and install.
You have infiltrated the assembly code (Smali) of a banking malware sample. The app performs a security check: it verifies whether the device is rooted. Show your reversing skills by indicating how to manipulate the instructions to bypass this defense.
Smali opcode reference for the challenge:

if-eqz v0, :cond - If Equal Zero (if v0 is false, jump)
if-nez v0, :cond - If Not Equal Zero (if v0 is true, jump)
move-result v0 - Save the result of the last method call to v0