PlaidCTF 2011 – 08 – The App Store! – 250 pts

This is my writeup for the eighth challenge in the PlaidCTF 2011 competition. The information for the challenge was:

“We found the mobile phone that’s left in one of the office.
Out of all applications, The Color Game App seemed suspicious.

We believe the solution to this game is the password of the user for the computer next to it.
Solve it! and get the password!

Key is the color sequence of the buttons in all lower case with no spaces [e.g. redyellowbluegreenred]

These are the screenshot of the game:

This challenge consisted of an iPhone application, compiled for x86 so it can be used with the iPhone Simulator included with the iOS SDK. To analyze the code I used IDA Pro and for dynamically analyzing in runtime I used GDB, attaching to it after I’ve started it with the iPhone Simulator.

With IDA Pro I started with analyzing the viewDidLoad() method for the reverseMeViewController object. Scattered throughout the function are calls to the addObject() method of the NSMutableArray object named holyHandGrenadeOfAntioch. The objects added to the array are of type CFConstantStringClassReference and the strings that are added are, in order:
Blue, Green, Yellow, Blue, Red, Red, Red, Blue, Purple, Yellow, Green, Orange, Blue, Blue

By listing the cross references to the holyHandGrenadeOfAntioch object I find the reverseMeViewController.sheepFucker() method, which compares the contents of holyHandGrenadeofAntioch array with the contents of another array named donkeyFucker, and by listing the cross references to the donkeyFucker object I find that it is referenced in the following methods:

  • allDayHomeBoy
  • myLifeBeLike
  • weAreTheKnightsWhoSayNi
  • blameGalgara
  • bitch
  • brooooooooo

These are the handlers that are called when the addRed/addYellow/etc buttons are pressed in the applications, and by analyzing them in IDA I can see that they add the following strings to the donkeyFucker object:

  • allDayHomeBoy – Blue
  • myLifeBeLike – Green
  • weAreTheKnightsWhoSayNi – Yellow
  • blameGalgara – Purple
  • bitch – Red
  • brooooooooo – Orange

Now, a hasty assumption would be that the strings added to the array equals the actual colors that are seen in the GUI. In this case our key would be:

Of course, this is not the case. We have a little bit of work to do still, and I chose to take the easy route of simply using GDB and setting a breakpoint on each of the button press handlers.

First, we start the application in the iPhone Simulator:

Second, we attach to the process in GDB and set our breakpoints:

I now simply press each button in order (red, yellow, green, purple, blue, orange) and see which handler is called for which color:

This gives me the following mapping between handler and color:

  • allDayHomeBoy – Red
  • myLifeBeLike – Yellow
  • weAreTheKnightsWhoSayNi – Green
  • blameGalgara – Purple
  • bitch – Blue
  • brooooooooo – Orange

Combined with the knowledge of which string is added to the donkeyFucker array in each of these handlers, I can now map a string in the array to the actual color in the GUI:

  • Blue -> Red
  • Green -> Yellow
  • Yellow -> Green
  • Purple -> Purple
  • Red -> Blue
  • Orange -> Orange

Applying this to the list of strings in the holyHandGrenadeOfAntioch array we get:
Blue, Green, Yellow, Blue, Red, Red, Red, Blue, Purple, Yellow, Green, Orange, Blue, Blue
Red, Yellow, Green, Red, Blue, Blue, Blue, Red, Purple, Green, Yellow, Orange, Red, Red

Trying this in the emulator, we get a picture of a happy face. :)

Thus, our key is: