Guess – Reversing
Task
I was rummaging around some old files and found this badly made app (not mine by the way). Do you think you can uncover any hidden information hiding in when running it? You can download it here (guess.apk).
Solution
We get a guess.apk file:
szczygielka@hacks$ file guess.apk
guess.apk: Android package (APK), with APK Signing BlockWe can decompile it using this online tool. Within the directory sources/com/example/guess we can locate a MainActivity.java file. Inside this file, there is a class named flag which contains a function named end:
public static String end() {
return whatTheFunction("cmpkdjNjYzE6MzUuU1R8aHY0dHR6YGd2b2R1MnBvfi46MTI0M3M6amcz");
}The end function calls another function called whatTheFunction, which code is as follows:
private static String whatTheFunction(String evilString) {
String fornameN = null;
if (Build.VERSION.SDK_INT >= 26) {
fornameN = new String(Base64.getDecoder().decode(evilString));
}
StringBuilder recursiveCharArray = new StringBuilder();
String undecryptedencryptedString = "SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==";
char[] finalrray = undecryptedencryptedString.toCharArray();
int kentucky = 0;
for (int xortrad = finalrray.length - 1; kentucky < xortrad; xortrad--) {
char glaf = finalrray[kentucky];
finalrray[kentucky] = finalrray[xortrad];
finalrray[xortrad] = glaf;
kentucky++;
}
for (int everyOther = 0; everyOther < fornameN.length(); everyOther++) {
recursiveCharArray.append((char) (fornameN.charAt(everyOther) - 1));
}
for (char c : finalrray) {
if (Build.VERSION.SDK_INT >= 26) {
undecryptedencryptedString = new String(Base64.getEncoder().encode("SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==".getBytes())) + c;
}
}
return "SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==" + recursiveCharArray + undecryptedencryptedString;
}BecausewhatTheFunction manipulates a Base64 strings, I assumed that this function may store the flag. So I decided to check how this function works. To compile Java code I used this website.
After a few modifications, we can call the end function and whatTheFunction function:
import java.util.Base64;
class Flag {
public static String end() {
return whatTheFunction("cmpkdjNjYzE6MzUuU1R8aHY0dHR6YGd2b2R1MnBvfi46MTI0M3M6amcz");
}
private static String whatTheFunction(String evilString) {
String fornameN = null;
fornameN = new String(Base64.getDecoder().decode(evilString));
StringBuilder recursiveCharArray = new StringBuilder();
String undecryptedencryptedString = "SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==";
char[] finalrray = undecryptedencryptedString.toCharArray();
int kentucky = 0;
for (int xortrad = finalrray.length - 1; kentucky < xortrad; xortrad--) {
char glaf = finalrray[kentucky];
finalrray[kentucky] = finalrray[xortrad];
finalrray[xortrad] = glaf;
kentucky++;
}
for (int everyOther = 0; everyOther < fornameN.length(); everyOther++) {
recursiveCharArray.append((char) (fornameN.charAt(everyOther) - 1));
}
for (char c : finalrray) {
undecryptedencryptedString = new String(Base64.getEncoder().encode("SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==".getBytes())) + c;
}
return "SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==" + recursiveCharArray + undecryptedencryptedString;
}
public static void main(String[] args){
System.out.println(end());
}
}
As expected, after executing the function we get a flag in the output string:
SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==qicu2bb0924-RS{gu3ssy_funct1on}-90132r9if2U0dGMlpTQjViM1VnWlhabGNpQjFjMlZrSUVaeWFXUmhQdz09SAs expected, there is a flag in this string.
Flag:
Guess: RS{gu3ssy_funct1on}Last updated