Challenge: With all the work that has to be done before Christmas, Santa forgot the password to his phone. If he can’t make calls, he won’t be able to order all the gifts. Help him retrieve his password. It should be stored in this app.
Ah yes, Android. Thats more my field.
We’ll just throw this into http://www.javadecompilers.com/apk and see what we get. Last year we had a few interesting ones.
It’s an obfuscated android app, but the code is still readable a bit. It looks like you enter a text, that text is transformed and then compared to a predefined, already transformed text.
I couldn’t find a “de-obfuscation” tool fast enough, so I simply went and traced the code myself. Ends up its a simple table replacement.
Script: dec.php
Flag: xmas{r0ck1ng_a11_th3_way}
What did I learn: …
