# Google CTF 2018 - Shall We Play a Game?
🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
Download the APK here: I am going to upload the APK to [https://appetize.io/](https://appetize.io) (free account) to see how the apk is behaving: ![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(46\).png) Looks like you need to win 1000000 times to get the flag. Following the steps from [pentesting Android](/dashboard/mobile-pentesting/android-app-pentesting.md) you can decompile the application to get the smali code and read the Java code using jadx. Reading the java code: ![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(47\).png) It looks like the function that is going print the flag is **m().** ## **Smali changes** ### **Call m() the first time** Lets make the application call m() if the variable *this.o != 1000000* to do so, just cange the condition: ``` if-ne v0, v9, :cond_2 ``` to: ``` if-eq v0, v9, :cond_2 ``` ![Before](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(48\).png) ![After](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(49\).png) Follow the steps of [pentest Android](/dashboard/mobile-pentesting/android-app-pentesting.md) to recompile and sign the APK. Then, upload it to [https://appetize.io/](https://appetize.io) and lets see what happens: ![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(50\).png) Looks like the flag is written without being completely decrypted. Probably the m() function should be called 1000000 times. **Other way** to do this is to not change the instrucction but change the compared instructions: ![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(55\).png) **Another way** is instead of comparing with 1000000, set the value to 1 so this.o is compared with 1: ![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(57\).png) A forth way is to add an instruction to move to value of v9(1000000) to v0 *(this.o)*: ![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(58\).png) ![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(52\).png) ## Solution Make the application run the loop 100000 times when you win the first time. To do so, you only need to create the **:goto\_6** loop and make the application **junp there if \_this.o**\_\*\* does not value 100000\*\*: ![](https://github.com/nirugima/hacktricks/blob/main/.gitbook/assets/image%20\(59\).png) You need to do this inside a physical device as (I don't know why) this doesn't work in an emulated device.
🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://breached.gitbook.io/dashboard/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.