[Write Up] HackCon 2016 – You Can’t See Me

We are given an apk which is a simple activity with no buttons or menus when installed and run on a device.


Since the name of the challenge was  “You Can’t See Me ” ( which was not really  relevant ), I thought it might be something related to the logcat.

So I tried

adb logcat | grep oracle


Nothing useful. It just showed that the MainActivity was launched.

Next I thought I’ll go check the apk.  Inspecting the apk using an archive manager, I understood it did not carry any native libraries because there was no lib directory. By now I was pretty much sure it was something to do with the source.

So, I quickly extracted the jar file from the apk using dex2jar :


On opening the extracted jar using JD-GUI ( any Java decompiler would do ), I understood that there were two functions namely :

genLoginForm1()    and  genLoginForm2()

which add up few numbers and alphabets and concatinate them into a string :


These functions were not being called and were hidden from the MainActivity ( maybe that’s why they decided to call it “You Can’t See Me” ).

So, now all I had to do was write a java program that would print the two strings for me :

class HackCon
 public static String genLoginForm1()
 Integer localInteger = Integer.valueOf(656);
 return Integer.valueOf(686964656).toString() + "c" + Integer.valueOf(696).toString() + "b" + Integer.valueOf(656163).toString() + Integer.valueOf(68616).toString() + "d" + localInteger.toString() + "c" + localInteger.toString() + "f6e";

public static String genLoginForm2()
 Integer localInteger = Integer.valueOf(696);
 return Integer.valueOf(6265).toString() + Integer.valueOf(66696).toString() + Integer.valueOf(57263656).toString() + "c" + localInteger.toString() + "b" + Integer.valueOf(65616).toString() + "c" + localInteger.toString() + "f6e";

 public static void main(String args[])
 String x = genLoginForm1();
 String y = genLoginForm2();

 System.out.println("x : " +x);         //First string
 System.out.println("y : " +y);         //Second string
 System.out.println("x+y : " + (x+y));  //Concatination of both the strings 


Running this code generates a hexadecimal string :


Converting this hex :


To string gives us the flag :



3 thoughts on “[Write Up] HackCon 2016 – You Can’t See Me

Add yours

      1. That is also very grateful to your reply,
        I am a novice and want to reproduce your experiment


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: