# Patching and Signing APKs for CTF

## Challenge: BsidesSF22-arboretum-android

### Challenge description

Access flag.png.

### Primary analysis

I opened the APK in Bytecode-Viewer-2.11.2 and found the function that creates a link to retrieve images. The app itself then converts this link into a Firebase dynamic link and uses it to access the image.

In **`MainActivity$1.`**

![](https://i.imgur.com/OeNMS6Z.png)

This function retrieves random tree photos by creating a link and turning it into a Firebase dynamic link.

### Solution approach

In this particular challenge, we need to change `/tree` to `/flag` and remove `String.valueOf(var2+1)`, so that this function retrieves flag.png. We can get the flag by patching the APK and signing it.

### Solution

### 1. Disassemble apk

```bash
apktool d -f -r arboretum.apk
```

### 2. Analysis of disassembly

#### i. Changing `/tree` to `/flag`

In the directory `\arboretum\smali_classes4\com\bsidessf\arboretum`, in the `MainActivity$1.smali` file, change `/tree` to `/flag` at .line 50.

![](https://i.imgur.com/JUYJYBN.png)

In the same smali file, the result of the random call is moved into `v4`.

![](https://i.imgur.com/CuZFfmw.png)

Remove the string builder call that uses `v4`.

![](https://i.imgur.com/m2QqNZE.png)

### 3. Building the apk

```bash
apktool b arboretum
```

The APK will be saved in the directory `\arboretum\dist`.

### 4. Analysing the patched apk

![](https://i.imgur.com/GPuTL9L.png)

### 5. Signing and running the apk

The APK needs to be signed using both of the tools below.

#### i. Using one-click-apk-signer

[one-click-apk-signer](https://forum.xda-developers.com/t/one-click-apk-signer-easiest-apk-signing-ever.822388/)

#### ii. Using haibison-apk-signer

[haibison-apk-signer](https://play.google.com/store/apps/details?id=com.haibison.apksigner)

<img src="https://i.imgur.com/6InIzE8.png" alt="drawing" width="250"/>

#### iii. Installing and running

<img src="https://i.imgur.com/QWTXUhf.png" alt="drawing" width="250"/>

### Flag

**Flag: CTF{L3afM3Al0n3}**
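
To check what the rebuild in step 3 and the signing in step 5 actually produced, the following added example (not part of the original write-up) reports which signature schemes an APK file carries: v1 JAR signing entries under `META-INF/` and the v2/v3 APK Signing Block in front of the ZIP central directory. The names `signature_schemes` and `build_sample` are hypothetical, the sample APKs are constructed dummies, and the check covers presence only, not cryptographic validity.

```python
import io
import struct
import zipfile

APK_SIG_MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # block IDs of APK signature scheme v2 / v3

def signature_schemes(apk: bytes) -> set:
    """Report which signature schemes an APK carries (presence only, no crypto check)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        meta = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    # v1 (JAR signing): a .SF file plus a signature block file under META-INF/
    if any(n.endswith(".SF") for n in meta) and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta):
        found.add("v1")
    # v2/v3: the APK Signing Block sits directly before the ZIP central directory
    eocd = apk.rfind(b"PK\x05\x06")
    cd_off = struct.unpack_from("<I", apk, eocd + 16)[0]
    if cd_off >= 32 and apk[cd_off - 16:cd_off] == APK_SIG_MAGIC:
        size = struct.unpack_from("<Q", apk, cd_off - 24)[0]
        pos, end = cd_off - size, cd_off - 24  # span of the ID-value pairs
        while 0 <= pos and pos + 12 <= end:
            length, scheme_id = struct.unpack_from("<QI", apk, pos)
            if scheme_id in SCHEME_IDS:
                found.add(SCHEME_IDS[scheme_id])
            pos += 8 + length  # 8-byte length prefix + (ID + value)
    return found

def build_sample(v1: bool, v2: bool) -> bytes:
    """Constructed test input: a tiny ZIP shaped like an APK, with dummy signature data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dummy")
        if v1:
            for name in ("MANIFEST.MF", "CERT.SF", "CERT.RSA"):
                zf.writestr("META-INF/" + name, b"dummy")
    apk = buf.getvalue()
    if v2:
        eocd = apk.rfind(b"PK\x05\x06")
        cd_off = struct.unpack_from("<I", apk, eocd + 16)[0]
        pair = struct.pack("<QI", 4 + 8, 0x7109871A) + b"\0" * 8  # dummy v2 entry
        size = struct.pack("<Q", len(pair) + 24)
        block = size + pair + size + APK_SIG_MAGIC
        eocd_new = apk[eocd:eocd + 16] + struct.pack("<I", cd_off + len(block)) + apk[eocd + 20:]
        apk = apk[:cd_off] + block + apk[cd_off:eocd] + eocd_new
    return apk

if __name__ == "__main__":
    print(sorted(signature_schemes(build_sample(v1=True, v2=True))))
```

An empty result means the file is unsigned, which is the state of the APK in `dist` straight after `apktool b`; Android refuses to install an APK in that state.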