Tags: mobile apktools mobile_reverse 

Rating:

<h1> Description </h1>

Who's That Pokemon? Enter the Pokemon's name to find the flag!

---

We have an APK file, the package format Android uses to distribute apps. To run it we need an Android emulator, and to read it we need a decompiler. [Android Studio][android studio] is probably the best tool for Android app development; it comes with a built-in emulator and gives you easy access to all the code. After playing around with it for a bit, I couldn't get my emulator working, so I had to try a different route.

I moved over to the [BlueStacks][bluestacks] emulator, which has a quick process for loading local APK files, although it took a few tries to realize it only runs with administrator privileges.

Right when I launch the game, there is a screen that takes one input: the guess at the Pokemon's name. Entering a random answer does nothing beyond playing a sound. There doesn't seem to be any other information here, so it is time to decompile the APK with apktool, get the individual files, and dig further.

The syntax to decompile this file after installing apktool is:

{% highlight bash %}
apktool d apk_file.apk -o output_folder_name
{% endhighlight %}

From there I just searched through all the files to see what I could find. After a while, I came across the *strings.smali* file, which looked promising (smali_classes2/com/example/whosthatpokemon/R$strings.smali).

It contained a list of the different strings' variable names along with their memory addresses in hex. We see that there's a **pokemon** string with a corresponding value of ***0x7f100096***. I assumed that if we could find a reference to this hex value, or to the string name itself, we would find the answer. While researching basic reverse engineering of Android applications, I saw mention that these values can be found within the res/values folder.

So the next step is either to grep this entire folder for 'pokemon' and/or the hex value, or to narrow the search by seeing what kind of data each file holds. I let grep run in the background and looked around the files myself while I waited. Starting easy, I assumed that things such as the integers, drawables, bools, and colors wouldn't be of much help. The only files in which I found anything interesting were public.xml and strings.xml. The public.xml gave me the information I already had, so it would have been a good place to start instead of where I did.

{% highlight bash %}
grep "pokemon" public.xml
<public type="drawable" name="whos_that_pokemon" id="0x7f0700df" />
<public type="raw" name="whosthatpokemon" id="0x7f0f0003" />
<public type="string" name="pokemon" id="0x7f100096" />
<public type="style" name="Theme.Whosthatpokemon" id="0x7f110262" />
{% endhighlight %}

Repeating the above step with strings.xml shows not only the string names but also their values. Grepping for the pokemon string gives us the name of the Pokemon, *Terrapulseonic*.

{% highlight bash %}
grep "pokemon" strings.xml
<string name="app_name">whos_that_pokemon</string>
<string name="pokemon">Terrapulseonic</string>
{% endhighlight %}

Heading back over to the game, we enter the name and get a new screen with the flag **UMDCTF{Andr01d_$triNgs_@re_n0T_secUr3}**.
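The lookup done by hand above, automated as an added example that is not part of the original writeup: it builds the resource id to name map from public.xml, joins it with the values in strings.xml, and resolves any `const` loads of string resource ids it finds in smali back to their plaintext. The XML inputs are constructed samples mirroring the grep output; the smali method `checkGuess` is hypothetical, not taken from the real APK.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the grep output in the writeup (not the real files).
PUBLIC_XML = """<resources>
<public type="drawable" name="whos_that_pokemon" id="0x7f0700df" />
<public type="raw" name="whosthatpokemon" id="0x7f0f0003" />
<public type="string" name="pokemon" id="0x7f100096" />
<public type="style" name="Theme.Whosthatpokemon" id="0x7f110262" />
</resources>"""
STRINGS_XML = """<resources>
<string name="app_name">whos_that_pokemon</string>
<string name="pokemon">Terrapulseonic</string>
</resources>"""
# Hypothetical smali fragment showing a const load of a string resource id,
# which is what compiled code looks like when it calls getString(R.string.pokemon).
SMALI = """.method private checkGuess(Ljava/lang/String;)Z
    const v0, 0x7f100096
    invoke-virtual {p0, v0}, Lcom/example/whosthatpokemon/MainActivity;->getString(I)Ljava/lang/String;
    move-result-object v0
.end method"""

def load_resource_map(public_xml, strings_xml):
    """Map resource id -> (type, name, value); value is None for non-strings."""
    ids = {int(el.get("id"), 16): (el.get("type"), el.get("name"))
           for el in ET.fromstring(public_xml).iter("public")}
    values = {el.get("name"): (el.text or "")
              for el in ET.fromstring(strings_xml).iter("string")}
    return {rid: (rtype, name, values.get(name) if rtype == "string" else None)
            for rid, (rtype, name) in ids.items()}

# Matches const / const/4 / const/16 / const/high16 loads of a hex literal.
CONST_RE = re.compile(r"\bconst(?:/(?:4|16|high16))?\s+[vp]\d+,\s*(0x[0-9a-fA-F]+)")

def find_string_refs(smali_text, resmap):
    """Return [(id, name, value)] for const loads that resolve to string resources."""
    hits = []
    for m in CONST_RE.finditer(smali_text):
        entry = resmap.get(int(m.group(1), 16))
        if entry and entry[0] == "string":
            hits.append((int(m.group(1), 16), entry[1], entry[2]))
    return hits

if __name__ == "__main__":
    resmap = load_resource_map(PUBLIC_XML, STRINGS_XML)
    for rid, name, value in find_string_refs(SMALI, resmap):
        print(f"{rid:#010x} R.string.{name} = {value!r}")
```

Point it at the real res/values/public.xml, res/values/strings.xml and a concatenation of the smali files from the apktool output folder to list every hardcoded string the app actually loads.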

[android studio]: https://developer.android.com/studio
[bluestacks]: https://www.bluestacks.com/
[reference writeup]: https://infosecwriteups.com/android-ctf-kgb-messenger-d9069f4cedf8