[SECCON 2018 QUALS] shooter – RE 434

shooter
Enjoy the game!
Download

As in every challenge, we first use the app to get an overview of it, so install the APK and open it to see what it does.

Shoot game?

End, input name to be ranked!

Uh…oh… why are there so many strange names? We can guess the app connects to a server and sends/receives the records.

Turn on Burp Suite to do dynamic analysis. Quickly found:

Now I can be on top by modifying the score which is sent to the server, but it's useless :(. After an hour of fuzzing, I realized that this is in the reverse category (=.=), so I decided to decompile the APK and read the source code instead.

The very first file to look at is AndroidManifest.xml, where we find Unity (a cross-platform game engine).

The second place to look is the lib folder.

libil2cpp.so? First time I've heard about this, so Google is your friend~

What is IL2CPP?
– An ahead-of-time (AOT) compiler
– A runtime library to support the virtual machine
– Some of the uses for IL2CPP include increasing the performance, security, and platform compatibility of your Unity projects.
=> All the strings used in your original source code will be stored separately in another file called global-metadata.dat, so you will not find any strings when you load the game binary into IDA.

The game is compiled to native assembly, and all the symbols like class names or function names are removed from the binary. This makes static analysis of these games significantly more difficult, and they are usually considered to be un-hackable.

Without experience with this stuff, I decided to find a tool to help me, and here it is:

https://github.com/nevermoe/unity_metadata_loader

How to use it?

Just clone the repository, copy unity_decoder.exe from the Release folder to the same folder as global-metadata.dat, then run it:

Now you have two new files:
– method_name.txt
– string_literal.txt
which are the functions and symbols.

Let's take a look; some strange domains appear:

There is nothing to do here, so I used dirsearch on each domain to see if there are any folders located there.

Well, we found the admin panel!
http://staging.shooter.pwn.seccon.jp/admin/sessions/new

try with tsu:tsu (redirect back to login page)

try with tsu:' (error)

So we can guess it is vulnerable to SQL injection. After some fuzzing, we found the correct payload:

try with tsu:'))) or 1-- -
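
Why a lone quote gives an error while the payload above logs in, as an added example that is not the challenge server's code. The query shape (input pasted inside three nested parentheses), the table and the account are assumptions constructed for the demo, run on an in-memory SQLite database, with the parameterized form beside the concatenated one:

```python
import sqlite3

PAYLOAD = "'))) or 1-- -"   # password value quoted in the write-up

def make_db():
    """Constructed in-memory admin table; schema and account are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; store a salted hash in real code.
    db.execute("INSERT INTO admins (login, password) VALUES ('admin', 'constructed-secret')")
    return db

def build_vulnerable_sql(login, password):
    """Hypothetical query shape: user input is concatenated into the SQL text."""
    return ("SELECT id FROM admins WHERE login = '" + login + "' "
            "AND (((password = '" + password + "')))")

def login_vulnerable(db, login, password):
    """Returns 'ok', 'denied' or 'error', the three behaviours seen in the write-up."""
    try:
        row = db.execute(build_vulnerable_sql(login, password)).fetchone()
    except sqlite3.Error:
        return "error"      # the unbalanced quote reached the SQL parser
    return "ok" if row else "denied"

def login_hardened(db, login, password):
    """Bound parameters: input is passed as data and never parsed as SQL."""
    row = db.execute(
        "SELECT id FROM admins WHERE login = ? AND (((password = ?)))",
        (login, password),
    ).fetchone()
    return "ok" if row else "denied"

if __name__ == "__main__":
    db = make_db()
    for user, pw in (("tsu", "tsu"), ("tsu", "'"), ("tsu", PAYLOAD),
                     ("admin", "constructed-secret")):
        print(repr(pw), login_vulnerable(db, user, pw), login_hardened(db, user, pw))
```

In the concatenated form the payload closes the string and the three parentheses, appends an always-true `or 1`, and comments out the rest of the statement; with bound parameters the same bytes are just a wrong password.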

So the last thing to do is write the script to extract the database!

Table: flags
Column: | id | value | created_at | updated_at |
Query: Select value from flags
=> SECCON{1NV4L1D_4DM1N_P4G3_4U+H3NT1C4T10N}
