# HTB | Supermarket **Machine** - **File** - Supermarket.apk **Description** - My supermarket list is too big and I only have $50. Can you help me get the Discount code? **Skill Learned** * Android Reverse Engineering. * Reading decompiled Java code. ## Enumeration ### Running the application

### Analyzing the Source code We have found a class `textWatcher` which have an `onTextChanged` the function which is responsible for decrypting and checking the discount code: * `String obj = MainActivity.this.f2075q.getText().toString();` - Retrieves the text input from a UI element (likely an `EditText`). * `stringFromJNI()` seems to return a Base64-encoded encrypted string. * A secret key is constructed from `stringFromJNI2()` and cipher type from `stringFromJNI3()`. * The cipher is initialized in decrypt mode (mode `2`). * `if (!obj.equals(new String(cipher.doFinal(Base64.decode(stringFromJNI, 0)), "utf-8")))` * Decrypts the encrypted string and compares it to the user input. * If it **doesn't match**, a list is filled from `this.f2085c`, and a variable `f2076r` is set to `5.0d`. * If it **matches**, the list is filled from `this.f2084b`, and `f2076r` is set to `2.5d`. * So if we get the encrypted string, we can get the discount code (maybe ?)

There is another onCreate which is responsible for all the calculations we see on the UI/ front end

### Decompiling and analyzing a native library We can see that the `libsupermarket.so` is being loaded ```jsx static { System.loadLibrary("supermarket"); } ``` We can also see the methods `stringFromJNI()`, `stringFromJNI2()`, and `stringFromJNI3()`, which are **native method calls** defined in Java, typically using JNI (Java Native Interface), and implemented in native code — usually C or C++ ```jsx String stringFromJNI = mainActivity.stringFromJNI(); // Encrypted base64 string SecretKeySpec secretKeySpec = new SecretKeySpec(mainActivity.stringFromJNI2().getBytes(), mainActivity.stringFromJNI3()); Cipher cipher = Cipher.getInstance(mainActivity.stringFromJNI3()); ``` | Method | Purpose | | ------------------ | ------------------------------------------------------------------------------------------------------------------- | | `stringFromJNI()` | Returns a Base64-encoded string — probably encrypted data (maybe the *correct* discount code). | | `stringFromJNI2()` | Returns the encryption key (used to create `SecretKeySpec`). | | `stringFromJNI3()` | Returns the cipher algorithm string, e.g., `"AES"` or `"AES/CBC/PKCS5Padding"` — used in `Cipher.getInstance(...)`. | Now we need to reverse the `libsupermarket.so` and find all three functions. For this purpose, we will load the `libsupermarket.so` in the Ghidra tool #### Analyzing the libsupermarket.so We can see the three functions

**stringFromJNI()** We can see that it is doing some logic and returning the value (probably encrypted discount code)

**stringFromJNI2()** Same as **stringFromJNI()** it is also doing some logic and math and returning the variable (probably encryption key)

**stringFromJNI3()** Same as **stringFromJNI()** it is also doing some logic and math and returning the variable (probably Cipher encryption algorithm)

## Exploiting the APK ### Frida We can use Frida to hook the functions and get what is being returned ```jsx Java.perform(function () { var myActivity = Java.use("com.example.supermarket.MainActivity"); Java.choose("com.example.supermarket.MainActivity", { onMatch: function (instance) { let JNI = instance.stringFromJNI(); let JNI2 = instance.stringFromJNI2(); let JNI3 = instance.stringFromJNI3(); console.log("JNI: " + JNI); console.log("JNI2: " + JNI2); console.log("JNI3: " + JNI3); }, onComplete: function () { console.log("Search complete."); }, }); }); ``` We found encrypted text(discount code ?), key and cipher algorithm

Now, to crack this, we will use online [AES decryption](https://www.devglan.com/online-tools/aes-encryption-decryption), and we got the flag