APKey - HackTheBox

Description

Android reverse engineering challenge involving an APK file with obfuscated code protecting a flag. The application implements a login screen with hardcoded credentials, and upon successful authentication, decrypts and displays the flag.

Analysis

Initial Reconnaissance

1. Extracted APK (password: hackthebox)

   • Standard Android application package
   • Contains obfuscated Java code

2. Decompiled with jadx to obtain Java source:

   • Main logic in com.example.apkey.MainActivity
   • Obfuscated helper classes in c.b.a.* package (single-letter class names)

Authentication Flow

The MainActivity implements a simple authentication check:

• Username must equal "admin"
• Password MD5 hash must equal a2a3d412e92d896134d9c9126d756f
• On success, calls c.b.a.g.a() to get encrypted data and c.b.a.b.a() to decrypt

Obfuscation Pattern

The obfuscation uses multiple helper classes, each returning a string from an array at a specific index:

Class	Method	Returns	Array Index
h	a()	"kHtZuV"	6
i	a()	"rSE6qY"	4
f	a()	"6HxWkw"	1
e	a()	"HyeaX9"	7
c	a()	"FlEGyL"	4
d	a()	"wAxcoc"	0
a	a()	"85S94kFpV1"	3

Key Functions

• g.a() - Builds Base64-encoded encrypted string by concatenating values from multiple arrays
• g.b() - Returns "AES" (cipher algorithm) built from d.a()[1] + i.a()[2] + i.a()[1]
• b.a() - Decrypts using AES-ECB with key built from character positions across helper functions

Reconstructed Values

Encrypted string (Base64):

1UlBm2kHtZuVrSE6qY6HxWkwHyeaX92DabnRFlEGyLWod2bkwAxcoc85S94kFpV1

AES Key (16 bytes):

kV9qhuzZkvvrgW6F

Key construction uses specific character positions from helper functions with some lowercase transformations.

Solution

...