Part 2

3. What is the username and password embedded in the APK?

After unzipping the file, we are left with an APK. There are two routes we can take to analyze it: disassemble the dex bytecode to Smali, or decompile it to Java source.

Since we are just looking for passwords, decompiling is the way to go. Both APK and JAR files use zip to bundle their contents, so both can be unpacked with unzip.

  1. Unzip the SantaGram APK file to get a copy of the dex file: unzip SantaGram_4.2.apk
  2. Use dex2jar to convert classes.dex to a jar file: dex2jar classes.dex
  3. Unzip the newly created jar file: unzip classes_dex2jar.jar
  4. Go into the directory created by the unzip and decompile all class files with jad: find . -name '*.class' | xargs jad (quote the glob so the shell does not expand it before find sees it)
  5. Use grep to find hardcoded passwords: grep -r password . This command should reveal the account guest:busyreindeer78.

This method doesn't preserve the directory structure, and there are certainly better ways to go about it. But it's quick, easy and achieves our goal of searching for sensitive hardcoded data.

Below is an example of the Smali code and the JAD-decompiled code that define the password. Notice how little information is on each line in Smali: the key and its value sit on separate lines, which makes the value difficult to find via grep.

Smali Disassemble:

    const-string v1, "username"
    const-string v2, "guest"
    const-string v1, "password"
    const-string v2, "busyreindeer78"

JAD Decompile:

    jsonobject.put("username", "guest");
    jsonobject.put("password", "busyreindeer78");
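As an added example (not part of the original write-up), a small Python scanner that shows why the grep step works on JAD output but not on Smali: in Smali the key and value are on separate const-string lines, so the scanner pairs them by register instead. The sample inputs are constructed to mirror the snippets above, not copied from the APK.

```python
import re

# Constructed samples modelled on the Smali and JAD snippets above; they are
# not copied from the APK itself.
SMALI_SAMPLE = """\
.method private buildLogin()Lorg/json/JSONObject;
    const-string v1, "username"
    const-string v2, "guest"
    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
    const-string v1, "password"
    const-string v2, "busyreindeer78"
    invoke-virtual {v0, v1, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
.end method
"""

JAVA_SAMPLE = """\
jsonobject.put("username", "guest");
jsonobject.put("password", "busyreindeer78");
"""

# Key names that usually sit next to a hardcoded credential.
KEY_RE = re.compile(r"^(user(name)?|pass(word|wd)?|secret|token|api_?key)$", re.I)
CONST_STR_RE = re.compile(r'const-string\s+(v\d+),\s*"((?:[^"\\]|\\.)*)"')
PUT_RE = re.compile(r'\.put\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')


def grep_lines(text, needle):
    """What a plain `grep needle` prints: only the lines containing the needle."""
    return [line for line in text.splitlines() if needle in line]


def find_java_secrets(text):
    """Decompiled Java keeps key and value on one line, so one regex suffices."""
    return [(k, v) for k, v in PUT_RE.findall(text) if KEY_RE.match(k)]


def find_smali_secrets(text):
    """Smali splits key and value over separate const-string lines: remember a
    credential-looking key until the next literal loaded into another register."""
    found, pending = [], None  # pending = (register, key)
    for line in text.splitlines():
        m = CONST_STR_RE.search(line)
        if not m:
            continue
        reg, literal = m.groups()
        if pending and reg != pending[0]:
            found.append((pending[1], literal))
            pending = None
        else:  # a key overwritten in the same register resets the pairing
            pending = (reg, literal) if KEY_RE.match(literal) else None
    return found
```

Running grep_lines(SMALI_SAMPLE, "password") returns only the key line, while find_smali_secrets recovers the (key, value) pair; on the JAD output a plain grep already shows both.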

Note: You can skip the dex -> jar conversion by using jadx. However, that program isn't in the Kali repo, and I avoid running programs directly from GitHub when I can, as they tend to be untested and harder to troubleshoot.

4. What is the name of the audible component (audio file) in the SantaGram APK file?

This one is easy: go to the directory where you unzipped the APK file and run find . | grep mp3. It should return ./res/raw/discombobulatedaudio1.mp3