[Write Up] HackCon 2016 – You Can’t See Me

We are given an apk which is a simple activity with no buttons or menus when installed and run on a device.

avdhackcon

Since the name of the challenge was  “You Can’t See Me ” ( which was not really  relevant ), I thought it might be something related to the logcat.

So I tried

adb logcat | grep oracle

logcathackcon

Nothing useful. It just showed that the MainActivity was launched.

Next I thought I’ll go check the apk.  Inspecting the apk using an archive manager, I understood it did not carry any native libraries because there was no lib directory. By now I was pretty much sure it was something to do with the source.

So, I quickly extracted the jar file from the apk using dex2jar :

d2j

On opening the extracted jar using JD-GUI ( any Java decompiler would do ), I understood that there were two functions namely :

genLoginForm1()    and  genLoginForm2()

which add up few numbers and alphabets and concatinate them into a string :

formhackcon

These functions were not being called and were hidden from the MainActivity ( maybe that’s why they decided to call it “You Can’t See Me” ).

So, now all I had to do was write a java program that would print the two strings for me :


class HackCon
 {
 public static String genLoginForm1()
 {
 Integer localInteger = Integer.valueOf(656);
 return Integer.valueOf(686964656).toString() + "c" + Integer.valueOf(696).toString() + "b" + Integer.valueOf(656163).toString() + Integer.valueOf(68616).toString() + "d" + localInteger.toString() + "c" + localInteger.toString() + "f6e";
 }

public static String genLoginForm2()
 {
 Integer localInteger = Integer.valueOf(696);
 return Integer.valueOf(6265).toString() + Integer.valueOf(66696).toString() + Integer.valueOf(57263656).toString() + "c" + localInteger.toString() + "b" + Integer.valueOf(65616).toString() + "c" + localInteger.toString() + "f6e";

}
 public static void main(String args[])
 {
 String x = genLoginForm1();
 String y = genLoginForm2();

 System.out.println("x : " +x);         //First string
 System.out.println("y : " +y);         //Second string
 System.out.println("x+y : " + (x+y));  //Concatination of both the strings 
}
 }

 

Running this code generates a hexadecimal string :

flaghex

Converting this hex :

 686964656c696b65616368616d656c656f6e62656669657263656c696b65616c696f6e

To string gives us the flag :

hidelikeachameleonbefiercelikealion

Advertisement

3 thoughts on “[Write Up] HackCon 2016 – You Can’t See Me

Add yours

      1. That is also very grateful to your reply,
        I am a novice and want to reproduce your experiment

        Like

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: