Juicy Bar CTF - Static Code Analysis
In this post, we’ll walk through the solutions for all four static analysis challenges.
Code Obfuscation
1 - Description
2 - Obtaining 1st Flag
Since this was a static code analysis level, I used JADX to reverse engineer the APK file. After decompiling the code, I focused on the “Code Obfuscation” level. This section contained many functions, but one function named g() stood out as it appeared to contain a suspicious secret. I extracted the secret and used it for validation, which successfully worked and revealed the first flag.
3 - Obtaining 2nd Flag
The second flag was found using a similar approach. Inside the JuicyDataClass class, I noticed a suspicious string that stood out from the rest of the code. I used this string for validation, and it successfully revealed the second flag.
Hardcoded Secrets
1 - Description
2 - Obtaining 1st Flag
In the “Hardcoded Secrets” level, the first flag was obtained by simply decoding a Base64-encoded string found inside a function, which revealed the secret.
3 - Obtaining 2nd Flag
The second secret was found in the strings.xml file, where a hardcoded API key was stored.
4 - Obtaining 3rd Flag
The third secret was a PEM file located inside the app’s resources.
Reverse Engineering
1 - Description
2 - Obtaining 1st Flag
In the “Reverse Engineering” challenge, there were four flags hidden across four functions named like flagOneValid(), flagTwoValid(), and so on. The first flag was straightforward—it was simply a Base64-encoded string that, once decoded, revealed the flag.
3 - Obtaining 2nd Flag
The second secret resembled Morse code, containing patterns like ..– and …-. Each group of four characters represented a single lowercase alphabet letter. To decode it, I wrote a Python script that mapped each 4-character pattern to its corresponding letter. Running the script successfully revealed the second secret.
4 - Obtaining 3rd Flag
The function containing the third flag was working with a string that resembled a Bash script at first glance. However, it applied a transformation that stripped all characters except whitespace, tabs (\t), and newlines (\n). It then replaced \n with n, \t with t, and spaces with s. After some research, I realized this was likely Whitespace programming language code. I used a Python script to extract the Whitespace characters into a file, then ran it through an online Whitespace interpreter. This successfully compiled the code and revealed the third flag.
5 - Obtaining 4th Flag
The fourth flag in this challenge was the most difficult. It involved a file named dexterity, which was AES-encrypted. After analyzing the related function in the app, I extracted the encrypted file and wrote a Python script to decrypt it. The output turned out to be a DEX file. I then opened the DEX file in JADX and located a relevant function. To retrieve the secret, I wrote another Python script to generate a valid input for that function, which ultimately returned the fourth flag.
Bad Hash
1 - Description
2 - Obtaining 1st Flag
The “Bad Hash” challenge was the easiest for me. I used CrackStation to reverse the first hashed secret. The result included a 123 suffix that was concatenated to the original value. After removing 123, I obtained the actual secret.
3 - Obtaining 2nd Flag
The second flag used a CRC32 hash of a 4-character string. To solve it, I wrote a Python script to brute-force all possible 4-character combinations and compare their CRC32 values with the target hash. This approach successfully revealed the correct string and the second flag.