Strings

Hello everyone. In this blog post, I will explain my solution steps for the Strings challenge from the Mobile Hacking Lab platform. I hope it will be useful for you.

  1. Let's install the app and open it. The message "Hello from c++" appears on the home page. Let's analyze the app using the Jadx tool.

  2. While analyzing the AndroidManifest.xml file, we find 2 important activities:

  3. The first activity is com.mobilehackinglab.challenge.MainActivity. Let's analyze its code:

    1. It has a native library, challenge.

    2. KLOW() function: this code saves the current date in a SharedPreferences file named DAD4 using the key UUU0133.

  4. The second activity is com.mobilehackinglab.challenge.Activity2, which is exported and contains a scheme. Let's analyze its code, which does several things:

    1. First, the app reads the value stored in SharedPreferences under the key UUU0133.

    2. Second, it compares the stored value (u_1) with the value returned by the method m144cd().

    3. Then it checks whether the URI in the intent uses the mhl scheme and the labs host. The app extracts a base64-encoded value, decodes it, and attempts to decrypt it using AES. If the decrypted value matches the secret key, the app loads the "flag" library, calls getflag(), and displays the flag via a toast.

  5. In this step we decrypt the secret we have:

    • String: bqGrDKdQ8zo26HflRsGvVA==

    • Key: your_secret_key_1234567890123456

    • IV: 1234567890123456, retrieved from Activity2K

  6. I used this Python script to decrypt the secret, and the result is mhl_secret_1337:

    from base64 import b64decode
    from Cryptodome.Cipher import AES
    from Cryptodome.Util.Padding import unpad
    
    # Inputs
    secret = "bqGrDKdQ8zo26HflRsGvVA=="  # Encrypted string (Base64 encoded)
    key = b"your_secret_key_1234567890123456"  # 32-byte key
    iv = b"1234567890123456"  # 16-byte IV
    
    # Decode the Base64 encoded secret
    cipher_text = b64decode(secret)
    
    # Decrypt using AES CBC mode
    cipher = AES.new(key, AES.MODE_CBC, iv)
    decrypted = unpad(cipher.decrypt(cipher_text), AES.block_size)
    
    # Print the result
    print("Decrypted Text:", decrypted.decode('utf-8'))

  7. Then let's create a Frida script that does the following:

    1. Call KLOW() from MainActivity ⇒ to save the secret.

    2. Call m144cd from Activity2 ⇒ to return today's date as a string in dd/mm/yyyy format.

    3. Run the Frida script with this command: frida -U -f com.mobilehackinglab.challenge -l frida.js

      Java.perform(function () {
      
        setTimeout(function () {
      
          Java.choose("com.mobilehackinglab.challenge.MainActivity" , {
            onMatch : function(instance){ 
              console.log("Found instance: "+instance);
              console.log("call KLOW func: " + instance.KLOW());
            },
            onComplete:function(){}
          
          });
        }, 1000);
      
        setTimeout(function () {
          Java.choose("com.mobilehackinglab.challenge.Activity2" , {
              onMatch : function(instance){ 
                console.log("Found instance: "+instance);
                console.log("cd func: " + instance.cd());
                console.log("native func: " + instance.getflag());
              },
              onComplete:function(){}
            
            });
          }, 10000);
        
      });

  8. Launch Activity2, passing android.intent.action.VIEW as the action and mhl://labs/secret-encoded-value as the data.

  9. We get a Success message in the application, but the flag is not returned!

  10. Let's search for the flag in memory.

  11. We have a lot of files, so let's extract all strings from all of them and filter for those that start with MHL: MHL{IN_THE_MEMORY}
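The string search from the last step, as an added example (not the script used in the original post): it scans a directory of dumped memory files for `MHL{...}` in both ASCII and UTF-16LE, reading in overlapping chunks so a flag split across a read boundary is still found. The file names and flag values in `demo()` are constructed, and the one-directory-of-dump-files layout is an assumption.

```python
import re
import tempfile
from pathlib import Path

# Printable ASCII except braces, so a match always ends at the first "}".
BODY = rb"[^\x00-\x1f{}\x7f-\xff]"
ASCII_FLAG = re.compile(rb"MHL\{" + BODY + rb"{1,64}\}")
# Java/Kotlin strings usually sit in memory as UTF-16LE: each char + 0x00.
UTF16_FLAG = re.compile(rb"M\x00H\x00L\x00\{\x00(?:" + BODY + rb"\x00){1,64}\}\x00")


def scan_file(path, chunk_size=1 << 20, overlap=256):
    """Return the set of flag-shaped strings found in one dump file."""
    hits, tail = set(), b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            buf = tail + chunk
            hits.update(m.group().decode("ascii") for m in ASCII_FLAG.finditer(buf))
            hits.update(m.group().decode("utf-16-le") for m in UTF16_FLAG.finditer(buf))
            # Keep more than the longest possible match (138 bytes) so a
            # flag split across two reads is seen whole in the next buffer.
            tail = buf[-overlap:]
    return hits


def scan_dumps(dump_dir):
    """Map file name -> sorted hits for every file under dump_dir."""
    results = {}
    for path in sorted(Path(dump_dir).rglob("*")):
        if path.is_file() and (hits := scan_file(path)):
            results[path.name] = sorted(hits)
    return results


def demo():
    """Run the scan over three constructed region files (not real dumps)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "region_a.data").write_bytes(b"\x00\x13junk MHL{CONSTRUCTED_ASCII}\xff")
        Path(d, "region_b.data").write_bytes(
            b"\x7fELF" + "MHL{CONSTRUCTED_UTF16}".encode("utf-16-le") + b"\x00\x00")
        Path(d, "region_c.data").write_bytes(b"MHL{ unterminated, no closing brace")
        return scan_dumps(d)


if __name__ == "__main__":
    for name, flags in demo().items():
        print(name, flags)
```

The same scan shows why a secret that only ever lives in process memory is still recoverable by anyone who can dump the process.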
