When running the application in an emulator and executing ``` adb shell am broadcast \ -a com.example.oxidized_intentions.TICKET \ -n com.example.oxidized_intentions/.TicketReceiver \ --es seed "testseed123" ``` Following logs are written: ``` 08-30 16:28:14.359 6201 6201 D OXI : Got broadcast, seed=testseed123 08-30 16:28:15.550 6201 6201 D OXI : Required seed is: fe2o3rust 08-30 16:28:15.562 6201 6201 D OXI : Computing flag for seed='testseed123' ... 08-30 16:28:15.563 6201 6201 D OXI : Seed 'testseed123' is not expected; required seed is 'fe2o3rust' 08-30 16:28:15.585 6201 6201 D OXI : FLAG=FAKE{wrong_seed} ``` When using `fe2o3rust` as the seed output looks like this: ``` 08-30 16:34:30.981 7429 7429 D OXI : Got broadcast, seed=fe2o3rust 08-30 16:34:30.991 7429 7429 D OXI : Computing flag for seed='fe2o3rust' ... 08-30 16:34:32.021 7429 7429 D OXI : anti_hook_check elapsed=1007ms ``` Next idea: Just increase the anti_hook_check limit and see what happens Patching the binary: https://book.jorianwoltjer.com/mobile/patching-apks Patched Bytes: `00000000000047AD 0x1 68 6D` This is a marker to test if the right patched library is loaded (just change a letter in a log entry) `0000000000011D2A 0x1 07 3F` anti_hook_check now tests if execution took >4000ms and not only 500ms Current progress: ``` ❯ adb logcat | rg OXI 08-30 19:02:05.234 9868 9868 D OXI : Got broadcast, seed=fe2o3rust 08-30 19:02:05.397 9868 9868 D OXI : Required seed is: fe2o3rust 08-30 19:02:05.400 9868 9868 D OXI : Computing flag for seed='fe2o3rust' ... 08-30 19:02:06.403 9868 9868 D OXI : anti_mook_check elapsed=1000ms 08-30 19:02:06.437 9868 9868 D OXI : FLAG=FAKE{0000000358f228d7} ``` From where does the FAKE flag come from? The program checks if a magic number is set. Just invert the branch condition `0000000000011DE0 0x1 E1 E0` Changes B.NE to B.EQ