Guess – Reversing

Task

I was rummaging around some old files and found this badly made app (not mine by the way). Do you think you can uncover any hidden information hiding in when running it? You can download it here (guess.apk).

Solution

We get a guess.apk file:

szczygielka@hacks$ file guess.apk 
guess.apk: Android package (APK), with APK Signing Block

We can decompile it using this online tool. Within the directory sources/com/example/guess we can locate a MainActivity.java file. Inside this file, there is a class named flag which contains a function named end:

public static String end() {
    return whatTheFunction("cmpkdjNjYzE6MzUuU1R8aHY0dHR6YGd2b2R1MnBvfi46MTI0M3M6amcz");
}

The end function calls another function called whatTheFunction, which code is as follows:

private static String whatTheFunction(String evilString) {
    String fornameN = null;
    if (Build.VERSION.SDK_INT >= 26) {
        fornameN = new String(Base64.getDecoder().decode(evilString));
    }
    StringBuilder recursiveCharArray = new StringBuilder();
    String undecryptedencryptedString = "SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==";
    char[] finalrray = undecryptedencryptedString.toCharArray();
    int kentucky = 0;
    for (int xortrad = finalrray.length - 1; kentucky < xortrad; xortrad--) {
        char glaf = finalrray[kentucky];
        finalrray[kentucky] = finalrray[xortrad];
        finalrray[xortrad] = glaf;
        kentucky++;
    }
    for (int everyOther = 0; everyOther < fornameN.length(); everyOther++) {
        recursiveCharArray.append((char) (fornameN.charAt(everyOther) - 1));
    }
    for (char c : finalrray) {
        if (Build.VERSION.SDK_INT >= 26) {
            undecryptedencryptedString = new String(Base64.getEncoder().encode("SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==".getBytes())) + c;
        }
    }
    return "SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==" + recursiveCharArray + undecryptedencryptedString;
}

BecausewhatTheFunction manipulates a Base64 strings, I assumed that this function may store the flag. So I decided to check how this function works. To compile Java code I used this website.

After a few modifications, we can call the end function and whatTheFunction function:

import java.util.Base64;

class Flag {
    public static String end() {
        return whatTheFunction("cmpkdjNjYzE6MzUuU1R8aHY0dHR6YGd2b2R1MnBvfi46MTI0M3M6amcz");
    }
    private static String whatTheFunction(String evilString) {
        String fornameN = null;
        
        fornameN = new String(Base64.getDecoder().decode(evilString));
    
        StringBuilder recursiveCharArray = new StringBuilder();
        String undecryptedencryptedString = "SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==";
        char[] finalrray = undecryptedencryptedString.toCharArray();
        int kentucky = 0;
        for (int xortrad = finalrray.length - 1; kentucky < xortrad; xortrad--) {
            char glaf = finalrray[kentucky];
            finalrray[kentucky] = finalrray[xortrad];
            finalrray[xortrad] = glaf;
            kentucky++;
        }
        for (int everyOther = 0; everyOther < fornameN.length(); everyOther++) {
            recursiveCharArray.append((char) (fornameN.charAt(everyOther) - 1));
        }
        for (char c : finalrray) {
            
                undecryptedencryptedString = new String(Base64.getEncoder().encode("SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==".getBytes())) + c;
            
        }
        return "SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==" + recursiveCharArray + undecryptedencryptedString;
    }
    public static void main(String[] args){
        System.out.println(end()); 
    }
}

As expected, after executing the function we get a flag in the output string:

SGF2ZSB5b3UgZXZlciB1c2VkIEZyaWRhPw==qicu2bb0924-RS{gu3ssy_funct1on}-90132r9if2U0dGMlpTQjViM1VnWlhabGNpQjFjMlZrSUVaeWFXUmhQdz09S

As expected, there is a flag in this string.

Flag:

Guess: RS{gu3ssy_funct1on}