# Mobile CTF Challenges "Strings"

> Hello CTF Fighters 👋
>
> I’m Adam (0x0dooom), and today I’d like to share a challenge solution from a mobile hacking lab.

Decompile the `apk` using `jadx-gui`.

Navigate to AndroidManifest.xml and investigate.

<figure><img src="/files/Tm8T9USyey6KJ1AOfZk2" alt=""><figcaption></figcaption></figure>

From the manifest we can already guess which component is likely the vulnerable part.

We will start with the basic exploitation level, launching the activity directly from the shell with `adb shell am start PACKAGE/.ACTIVITY`:

```bash
doom@0x0DOoOM:~$ adb -s emulator-5556 shell am start com.mobilehackinglab.challenge/.Activity2 -a "android.intent.action.VIEW" -c "android.intent.category.DEFAULT"
```

```bash
Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.mobilehackinglab.challenge/.Activity2 }
```

```bash
doom@0x0DOoOM:~$ adb -s emulator-5556 shell am start com.mobilehackinglab.challenge/.Activity2 -a "android.intent.action.VIEW" -c "android.intent.category.BROWSABLE"
```

```bash
Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.mobilehackinglab.challenge/.Activity2 }
```

`-a` sets the intent action and `-c` adds an intent category.

Both commands open the activity, but it closes immediately. Note what the output actually says: `act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER]`, not the VIEW action we passed. `am start` only parses `-a`/`-c` options that appear before the component argument; anything after `com.mobilehackinglab.challenge/.Activity2` is ignored, so the activity was launched as a plain MAIN/LAUNCHER intent with no data URI. To deliver a real deep link, put the options first (or name the component with `-n`) and pass the URI with `-d`.

Let's move forward 🙂

Next we open MainActivity to analyze it.

<figure><img src="/files/fG0CivpfeZmgDzp4cG0E" alt=""><figcaption></figcaption></figure>

A quick search gives us the picture.

<figure><img src="/files/LLVHj1gLOB5aoT0c4XTN" alt=""><figcaption></figcaption></figure>

The **System.loadLibrary** method loads the native library named **libchallenge.so** into memory.

<figure><img src="/files/UaMcwDhRzLaLt8gdjqgA" alt=""><figcaption></figcaption></figure>

We also found a method that opens a SharedPreferences file called DAD4; the mode argument 0 (MODE_PRIVATE) means the file is private to the application.

Very little information so far!

Let's dig into Activity2.

<figure><img src="/files/L7lVdnuldRyHFEfVaqDV" alt=""><figcaption></figcaption></figure>

Now we have a clear relation between the SharedPreferences file and the vulnerable activity, and we know the algorithm used for decryption.

There is one more important thing:

```java
// Activity2: the intent's data URI must look like mhl://labs/<Base64>
Uri uri = getIntent().getData();
if (uri != null && Intrinsics.areEqual(uri.getScheme(), "mhl") && Intrinsics.areEqual(uri.getHost(), "labs")) {
    String base64Value = uri.getLastPathSegment();
    byte[] decodedValue = Base64.decode(base64Value, 0); // 0 == Base64.DEFAULT
}
```

**uri.getScheme()** checks the scheme of the URI, expecting it to be **mhl**.

**uri.getHost()** checks the host of the URI, which should be **labs**.

**uri.getLastPathSegment()** retrieves the last segment of the URI, which is expected to be Base64-encoded data (`Base64.decode(..., 0)` uses `Base64.DEFAULT`).

```java
String ds = new String(decodedValue, Charsets.UTF_8);
// hard-coded 32-byte key => AES-256
byte[] bytes = "your_secret_key_1234567890123456".getBytes(Charsets.UTF_8);
String str = decrypt("AES/CBC/PKCS5Padding", "bqGrDKdQ8zo26HflRsGvVA==", new SecretKeySpec(bytes, "AES"));
if (str.equals(ds)) {
    // only when the decoded path segment matches the decrypted secret
    // is libflag.so loaded and the native getflag() called
    System.loadLibrary("flag");
    String s = getflag();
    Toast.makeText(getApplicationContext(), s, 1).show(); // 1 == Toast.LENGTH_LONG
    return;
}
```

It calls `decrypt` with AES/CBC/PKCS5Padding on the hard-coded ciphertext and compares the result with the Base64-decoded path segment from the URI. Only if the two match does the activity load `libflag.so` and show the flag, so the whole challenge reduces to recovering that plaintext.

Decryption time: stay with me!

We now have a Base64 value that we want to see in clear, we know it is encrypted with AES, and we have both the key and the IV.

Navigate to <https://gchq.github.io/CyberChef/>

<figure><img src="/files/sq7nRQiNA7ucRSjPZABe" alt=""><figcaption></figcaption></figure>

Key → `your_secret_key_1234567890123456`

IV → `1234567890123456`

<figure><img src="/files/cv8FrZbINsMCll6OLNM7" alt=""><figcaption></figcaption></figure>

The secret is `mhl_secret_1337`.

***

Let's also solve it using Frida!

Let's try it this way.

```javascript
Java.perform(function () {
    // SharedPreferencesImpl is the concrete class behind getSharedPreferences();
    // hooking the android.content.SharedPreferences interface would not catch the call.
    var sharedPreferencesClass = Java.use("android.app.SharedPreferencesImpl");

    sharedPreferencesClass.getString.overload('java.lang.String', 'java.lang.String').implementation = function (key, defValue) {
        // call the original, then log the value the app reads for the UUU0133 key
        var value = this.getString(key, defValue);
        if (key === "UUU0133") {
            console.log("UUU0133 value: " + value);
        }
        return value;
    };
});
```

List the running applications on the USB-connected device with `frida-ps -Ua` to confirm the package name:

<figure><img src="/files/krnVHHdRUmAlRepsuSlI" alt=""><figcaption></figcaption></figure>

Spawn the app with the hook loaded: `frida -U -f "com.mobilehackinglab.challenge" -l frida.js`

<figure><img src="/files/j8KqvmACRwe6SCYz54o9" alt=""><figcaption></figcaption></figure>

Now the hook prints the value the app reads from the preferences: `UUU0133 value: 29/09/2025`.

This is because of the following:

<figure><img src="/files/Fbef1kPu63xyRHfERJNZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/HPDoqYOG0qLkFsknuNe3" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/q3e0D7rlRR8c6W4TY3yN" alt=""><figcaption></figcaption></figure>

done 👹

Scripts like the ones collected at <https://codeshare.frida.re/browse?page=6> scan process memory directly. Two caveats: `libflag.so` is only loaded by `System.loadLibrary("flag")` after the secret check passes, so run this script after that point or `Process.getModuleByName` will throw because the module is not loaded yet; and scanning the whole span from `lib.base` to `lib.base + lib.size` can fault on unmapped gaps between the module's segments, in which case scan only the module's readable ranges.

```javascript
Java.perform(function() {
    // throws if libflag.so has not been loaded yet (see the caveat above)
    var lib = Process.getModuleByName("libflag.so");
    console.log("libflag.so =>", JSON.stringify(lib));

    // "MHL{" = 4D 48 4C 7B (hex); the flag format gives us a cheap byte pattern
    var pattern = "4D 48 4C 7B";

    Memory.scan(lib.base, lib.size, pattern, {
        onMatch: function(address, size) {
            console.log(" Match found at address:", address, "size:", size);

            // dump the surrounding bytes so a false positive is obvious
            console.log(hexdump(address, { length: 64 }));

            // read the NUL-terminated string starting at the match
            var flagString = address.readCString();
            console.log("Flag:", flagString);
        },
        onComplete: function() {
            console.log("Memory scan complete");
        }
    });
});
```

`MHL{IN_THE_MEMORY}`
