# Guess – Reversing ## Task I was rummaging around some old files and found this badly made app (not mine by the way). Do you think you can uncover any hidden information hiding in when running it? You can download it here (guess.apk). ## Solution We get a `guess.apk` file: ``` szczygielka@hacks$ file guess.apk guess.apk: Android package (APK), with APK Signing Block ``` We can decompile it using [this](https://www.decompiler.com/) online tool. Within the directory `sources/com/example/guess` we can locate a `MainActivity.java` file. Inside this file, there is a class named `flag` which contains a function named `end`:

public static String end() {
    return whatTheFunction("cmpkdjNjYzE6MzUuU1R8aHY0dHR6YGd2b2R1MnBvfi46MTI0M3M6amcz");
}

The `end` function calls another function called `whatTheFunction`, which code is as follows:

private static String whatTheFunction(String evilString) {
    String fornameN = null;
    if (Build.VERSION.SDK_INT >= 26) {
        fornameN = new String(Base64.getDecoder().decode(evilString));
    }
    StringBuilder recursiveCharArray = new StringBuilder();
    String undecryptedencryptedString = "SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==";
    char[] finalrray = undecryptedencryptedString.toCharArray();
    int kentucky = 0;
    for (int xortrad = finalrray.length - 1; kentucky < xortrad; xortrad--) {
        char glaf = finalrray[kentucky];
        finalrray[kentucky] = finalrray[xortrad];
        finalrray[xortrad] = glaf;
        kentucky++;
    }
    for (int everyOther = 0; everyOther < fornameN.length(); everyOther++) {
        recursiveCharArray.append((char) (fornameN.charAt(everyOther) - 1));
    }
    for (char c : finalrray) {
        if (Build.VERSION.SDK_INT >= 26) {
            undecryptedencryptedString = new String(Base64.getEncoder().encode("SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==".getBytes())) + c;
        }
    }
    return "SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==" + recursiveCharArray + undecryptedencryptedString;
}

Because`whatTheFunction` manipulates a Base64 strings, I assumed that this function may store the flag. So I decided to check how this function works. To compile Java code I used [this](https://www.programiz.com/java-programming/online-compiler/) website. After a few modifications, we can call the `end` function and `whatTheFunction` function: ``` import java.util.Base64; class Flag { public static String end() { return whatTheFunction("cmpkdjNjYzE6MzUuU1R8aHY0dHR6YGd2b2R1MnBvfi46MTI0M3M6amcz"); } private static String whatTheFunction(String evilString) { String fornameN = null; fornameN = new String(Base64.getDecoder().decode(evilString)); StringBuilder recursiveCharArray = new StringBuilder(); String undecryptedencryptedString = "SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw=="; char[] finalrray = undecryptedencryptedString.toCharArray(); int kentucky = 0; for (int xortrad = finalrray.length - 1; kentucky < xortrad; xortrad--) { char glaf = finalrray[kentucky]; finalrray[kentucky] = finalrray[xortrad]; finalrray[xortrad] = glaf; kentucky++; } for (int everyOther = 0; everyOther < fornameN.length(); everyOther++) { recursiveCharArray.append((char) (fornameN.charAt(everyOther) - 1)); } for (char c : finalrray) { undecryptedencryptedString = new String(Base64.getEncoder().encode("SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==".getBytes())) + c; } return "SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==" + recursiveCharArray + undecryptedencryptedString; } public static void main(String[] args){ System.out.println(end()); } } ```

As expected, after executing the function we get a flag in the output string: ``` SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==qicu2bb0924-RS{gu3ssy_funct1on}-90132r9if2U0dGMlpTQjViM1VnWlhabGNpQjFjMlZrSUVaeWFXUmhQdz09S ``` As expected, there is a flag in this string. Flag: ``` Guess: RS{gu3ssy_funct1on} ```