ICMTC CTF — DFIR Challenge Writeup “Mega Mind”

First, this was my first time analyzing an APK file.
When I searched for how to analyze it, I found that I could use apktool, jadx, or Frida (for hooking the app). I will go with the jadx GUI.
These are the challenge files:

Challenge Description:
`While analyzing one of the phones of an arrested cybercriminal group, I found an interesting app called "MEGA". Unfortunately, the suspects locked the app with a pattern, and I believe they used it to spread malicious files.
Anyway, I pulled the application and its database files, in case you can help to find the name of the file the suspect uploaded.`
We have the database files and the APK.
Let's start with the database. I will use an SQLite browser to show what it contains.
After some searching, I found that megapreferences has a table named `completedtransfers`. Let's show it:

We have Base64-encoded text. Let's try to decode it:

We got nothing readable: the decoded bytes are not plaintext. Let's search for what that is, or for how MEGA stores tokens and data in megapreferences.
I found a good article at this link:
https://askclees.com/2022/05/10/decrypting-megas-megaprefences-sqlite-database/
Now I know what to search for in the APK file: the encryption and decryption functions. Let's go to jadx:

I will search for an AES key, because the article shows that the encryption uses AES in ECB mode:

The key is:

And I found that it is more than 32 bytes long.
Let's write a Python script for decryption:

```python
from Cryptodome.Cipher import AES
from Cryptodome.Util.Padding import unpad
import base64


def decrypt_aes_ecb(ciphertext, key):
    cipher = AES.new(key, AES.MODE_ECB)
    plaintext = cipher.decrypt(ciphertext)
    # The last block may carry PKCS#7 padding; strip it if it is present,
    # otherwise keep the raw bytes.
    try:
        plaintext = unpad(plaintext, AES.block_size)
    except ValueError:
        pass
    return plaintext.decode()


# Base64-encoded ciphertext taken from the completedtransfers table
encoded_ciphertext = 'bDYn7kAniulcMw5N9PyQ3XQ5kjZpkrKdOD6ID+S2Mdo='
# Key string found in the APK (49 bytes, longer than an AES-256 key)
key = b'4ndr0!d_3gc3rt8 w4y*(Nc$G*(G($*GG*(#)*huio13337$G'
# Decode the Base64 ciphertext
decoded_ciphertext = base64.b64decode(encoded_ciphertext)
# Decrypt using AES-ECB with the first 32 bytes (256 bits) of the key
decrypted_text = decrypt_aes_ecb(decoded_ciphertext, key[0:32])
print("Decrypted Text:")
print(decrypted_text)
```
I am slicing the key to its first 32 bytes (the AES-256 key length) to decrypt the text, and the result is:
The flag is:
EGCERT{W3ll_D0n3_M3g4_M!nd}
Lessons learned:
Trying to understand how things work, together with some searching, can help you achieve almost anything.