Tags: rev java android
# Open sesame
We were given [this](https://gr007.tech/writeups/2023/backdoor/rev/open_sesame/open_sesame.apk) app to reverse engineer. Once installed, the app asks for a username and password. We will look into its source code using [jadx](https://github.com/skylot/jadx), which also comes with a GUI.
```sh
backdoor/rev/open_sesame on master [?]
❯ jadx open_sesame.apk
INFO - loading ...
INFO - processing ...
ERROR - finished with errors, count: 30
```
The important part is the following inside the `MainActivity.java` file:
```java
private static final int[] valid_password = {52, AppCompatDelegate.FEATURE_SUPPORT_ACTION_BAR, 49, 98, 97, 98, 97};
private static final String valid_user = "Jack Ma";
private Button buttonLogin;
private EditText editTextPassword;
private EditText editTextUsername;

/* JADX INFO: Access modifiers changed from: protected */
@Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
public void onCreate(Bundle bundle) {
    super.onCreate(bundle);
    setContentView(R.layout.activity_main);
    this.editTextUsername = (EditText) findViewById(R.id.editTextUsername);
    this.editTextPassword = (EditText) findViewById(R.id.editTextPassword);
    Button button = (Button) findViewById(R.id.buttonLogin);
    this.buttonLogin = button;
    button.setOnClickListener(new View.OnClickListener() { // from class: com.example.open_sesame.MainActivity.1
        @Override // android.view.View.OnClickListener
        public void onClick(View view) {
            MainActivity.this.validateCredentials();
        }
    });
}

/* JADX INFO: Access modifiers changed from: private */
public void validateCredentials() {
    String trim = this.editTextUsername.getText().toString().trim();
    String trim2 = this.editTextPassword.getText().toString().trim();
    if (trim.equals(valid_user) && n4ut1lus(trim2)) {
        String str = "flag{" + flag(Integer.toString(sl4y3r(sh4dy(trim2))), "U|]rURuoU^PoR_FDMo@X]uBUg") + "}";
        return;
    }
    showToast("Invalid credentials. Please try again.");
}
```
We see that `valid_password` is already declared inside it. jadx has substituted a constant's name for one of the array's integer literals; a quick Google search tells us that `AppCompatDelegate.FEATURE_SUPPORT_ACTION_BAR` is a constant in the `AppCompatDelegate` class with the value `108`.
[appcompatdelegate](https://gr007.tech/writeups/2023/backdoor/rev/open_sesame/AppCompatDelegate.png)
The app only shows a toast when the username and password combination is wrong, and it only calculates the flag when the correct credentials are entered. We can just take the whole code and write our own [solution](https://gr007.tech/writeups/2023/backdoor/rev/open_sesame/Sol.java) that will print the flag.
```sh
backdoor/rev/open_sesame on master [?] via ☕ v21
❯ javac Sol.java
backdoor/rev/open_sesame on master [?] via ☕ v21
❯ java Sol
flag{aLiBabA_and_forty_thiEveS}
```
flag: `flag{aLiBabA_and_forty_thiEveS}`
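The following is an added example, not the writeup's `Sol.java` and not code from the app. It shows how much the strings embedded in the APK give away on their own: it decodes `valid_password` back into text and relates the ciphertext literal to the printed flag by XOR. The class and method names are hypothetical, and the bodies of `n4ut1lus`, `sh4dy`, `sl4y3r` and `flag` are not shown on this page, so the XOR relationship is an observation about the two strings, not a statement of how `flag()` is implemented.

```java
import java.nio.charset.StandardCharsets;

public class OpenSesameCheck {
    // Values copied from the decompiled MainActivity shown above.
    static final int FEATURE_SUPPORT_ACTION_BAR = 108; // AppCompatDelegate constant
    static final int[] VALID_PASSWORD = {52, FEATURE_SUPPORT_ACTION_BAR, 49, 98, 97, 98, 97};
    static final String CIPHERTEXT = "U|]rURuoU^PoR_FDMo@X]uBUg";
    // Flag body as printed by the `java Sol` run above.
    static final String KNOWN_PLAINTEXT = "aLiBabA_and_forty_thiEveS";

    // Turn the int array back into the characters it encodes.
    static String decodePassword(int[] codes) {
        StringBuilder sb = new StringBuilder();
        for (int c : codes) sb.append((char) c);
        return sb.toString();
    }

    // XOR two equal-length byte arrays position by position.
    static byte[] xor(byte[] a, byte[] b) {
        if (a.length != b.length) throw new IllegalArgumentException("length mismatch");
        byte[] out = new byte[a.length];
        for (int i = 0; i < a.length; i++) out[i] = (byte) (a[i] ^ b[i]);
        return out;
    }

    // Shortest prefix that, repeated, reproduces the whole stream.
    static String shortestPeriod(byte[] stream) {
        for (int p = 1; p <= stream.length; p++) {
            boolean ok = true;
            for (int i = p; i < stream.length && ok; i++) ok = stream[i] == stream[i % p];
            if (ok) return new String(stream, 0, p, StandardCharsets.US_ASCII);
        }
        return "";
    }

    public static void main(String[] args) {
        byte[] ct = CIPHERTEXT.getBytes(StandardCharsets.US_ASCII);
        byte[] pt = KNOWN_PLAINTEXT.getBytes(StandardCharsets.US_ASCII);
        // The password is stored as plain character codes.
        System.out.println("password  : " + decodePassword(VALID_PASSWORD));
        // A short repeating period means the literal is only lightly obfuscated.
        System.out.println("xor period: " + shortestPeriod(xor(ct, pt)));
    }
}
```

Both the credential check and the flag derivation ship inside the APK, so anything they protect is recoverable offline; a secret that has to stay secret needs to be checked on a server instead.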