Missing Homework
Write-up of the challenge “Missing Homework”
This challenge is part of the “Reversing” category and earns 187 points.
Goal of the challenge
The objective of the challenge is to find the Base64-encoded flag in the Android file (.apk).
Program structure
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="36" android:compileSdkVersionCodename="16" package="com.example.helloworld" platformBuildVersionCode="36" platformBuildVersionName="16">
    <permission android:name="com.example.helloworld.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION" android:protectionLevel="signature"/>
    <uses-permission android:name="com.example.helloworld.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION"/>
    <application android:allowBackup="true" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:dataExtractionRules="@xml/data_extraction_rules" android:debuggable="true" android:extractNativeLibs="false" android:fullBackupContent="@xml/backup_rules" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:theme="@style/Theme.Helloworld">
        <activity android:exported="true" android:name="com.example.helloworld.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <meta-data android:name="flag" android:value="hidden"/>
        <provider android:authorities="com.example.helloworld.androidx-startup" android:exported="false" android:name="androidx.startup.InitializationProvider">
            <meta-data android:name="androidx.emoji2.text.EmojiCompatInitializer" android:value="androidx.startup"/>
            <meta-data android:name="androidx.lifecycle.ProcessLifecycleInitializer" android:value="androidx.startup"/>
            <meta-data android:name="androidx.profileinstaller.ProfileInstallerInitializer" android:value="androidx.startup"/>
        </provider>
        <receiver android:directBootAware="false" android:enabled="true" android:exported="true" android:name="androidx.profileinstaller.ProfileInstallReceiver" android:permission="android.permission.DUMP">
            <intent-filter>
                <action android:name="androidx.profileinstaller.action.INSTALL_PROFILE"/>
            </intent-filter>
            <intent-filter>
                <action android:name="androidx.profileinstaller.action.SKIP_FILE"/>
            </intent-filter>
            <intent-filter>
                <action android:name="androidx.profileinstaller.action.SAVE_PROFILE"/>
            </intent-filter>
            <intent-filter>
                <action android:name="androidx.profileinstaller.action.BENCHMARK_OPERATION"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>

import struct
import zipfile
import os
import sys
from base64 import b64encode

FLAG = ''
APK_File = "hiddenfile.apk"

def inject_into_androidmanifest(apk_file, string_to_inject):
    # Sequentially put the base64 encoded string character by character into the AndroidManifest file
    # https://android.googlesource.com/platform/frameworks/base/+/56a2301/include/androidfw/ResourceTypes.h
    characters = list(string_to_inject)
    output_file = "hiddenfile.apk"

    # TODO: YOUR CODE HERE
    pass

apk_file = sys.argv[1]
string_to_inject = b64encode(FLAG.encode()).decode()
print(string_to_inject)

if not os.path.exists(apk_file):
    print(f"[!] Error: File not found: {apk_file}")
    sys.exit(1)

try:
    inject_into_androidmanifest(apk_file, string_to_inject)
except Exception as e:
    print(f"\n[!] Error: {e}")
    import traceback
    traceback.print_exc()
    sys.exit(1)

Problem
The first problem was: how could I decompile Android files? It came to my mind to use jadx to look at it, but I took a different approach and used apktool.
Security breach
The security breach was the comment they wrote; because of it, we now know that the flag is Base64-encoded:
# Sequentially put the base64 encoded string character by character into the AndroidManifest file
# https://android.googlesource.com/platform/frameworks/base/+/56a2301/include/androidfw/ResourceTypes.h

Solution
So what I did first was decompile it using apktool:
apktool d hiddenfile.apk

Then I searched through strings in the AndroidManifest.xml:
strings -e l -n 1 AndroidManifest.xml | grep -E ""
and later I put it in CyberChef:
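As an added example (not part of the original write-up or the challenge's code), the parser below reads the string pool of a binary AndroidManifest.xml directly, following the layout in the ResourceTypes.h header linked above, and rejoins the one-character entries that `strings -e l -n 1` surfaces. It assumes the injected characters are stored as one-character pool entries in order; the function names are hypothetical, and `build_sample`, `SAMPLE` and `SAMPLE_FLAG` are constructed test input, not data from the challenge.

```python
import base64
import struct

RES_XML_TYPE, RES_STRING_POOL_TYPE, UTF8_FLAG = 0x0003, 0x0001, 1 << 8
B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def _length(buf, p, width):  # width: 1 for UTF-8 pools, 2 for UTF-16 pools
    fmt, high = ("<B", 0x80) if width == 1 else ("<H", 0x8000)
    n = struct.unpack_from(fmt, buf, p)[0]
    if n & high:  # high bit set: the length continues in the next unit
        n = ((n & (high - 1)) << (8 * width)) | struct.unpack_from(fmt, buf, p + width)[0]
        p += width
    return n, p + width

def read_string_pool(axml: bytes) -> list:
    """Return the string pool entries of a binary AndroidManifest.xml, in pool order."""
    if struct.unpack_from("<H", axml, 0)[0] != RES_XML_TYPE:
        raise ValueError("not binary XML (a manifest decoded by apktool is plain text)")
    base = 8  # the string pool chunk follows the 8-byte ResXMLTree_header
    ptype, hsize, _, count, _, flags, strings_start, _ = struct.unpack_from("<HHIIIIII", axml, base)
    if ptype != RES_STRING_POOL_TYPE:
        raise ValueError("string pool chunk not found after the XML header")
    out = []
    for off in struct.unpack_from(f"<{count}I", axml, base + hsize):
        p = base + strings_start + off
        if flags & UTF8_FLAG:
            _, p = _length(axml, p, 1)   # length in characters, not needed
            n, p = _length(axml, p, 1)   # length in bytes
            out.append(axml[p:p + n].decode("utf-8", "replace"))
        else:
            n, p = _length(axml, p, 2)   # length in UTF-16 code units
            out.append(axml[p:p + 2 * n].decode("utf-16-le", "replace"))
    return out

def recover_hidden(strings):
    """Assumption: the payload is the one-character pool entries, in pool order."""
    joined = "".join(s for s in strings if s in B64_CHARS)
    return base64.b64decode(joined + "=" * (-len(joined) % 4), validate=True).decode()

def build_sample(strings):  # constructed input: XML header + UTF-16 string pool only
    blobs = [struct.pack("<H", len(s)) + s.encode("utf-16-le") + b"\0\0" for s in strings]
    offsets = [sum(map(len, blobs[:i])) for i in range(len(blobs))]
    start, data = 28 + 4 * len(blobs), b"".join(blobs)
    pool = struct.pack(f"<HHIIIIII{len(blobs)}I", RES_STRING_POOL_TYPE, 28,
                       start + len(data), len(blobs), 0, 0, start, 0, *offsets) + data
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(pool)) + pool

SAMPLE_FLAG = "FLAG{constructed-example}"  # constructed, not the challenge flag
SAMPLE = build_sample(["flag", "hidden", *base64.b64encode(SAMPLE_FLAG.encode()).decode()])
```

On a real package, pass `zipfile.ZipFile(path).read("AndroidManifest.xml")` to `read_string_pool`; the manifest that `apktool d` writes out is already decoded to text and is rejected by the type check.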
