# Strings

1. Install the app and open it. The message "Hello from c++" appears on the home page. Let's analyze the app with Jadx.
2. While analyzing the AndroidManifest.xml file, we found two important activities:

   ![image.png](https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2Fekpi63jX8zc0K3iUFg8D%2Fimage.png?alt=media)
3. The first activity is `com.mobilehackinglab.challenge.MainActivity`. Let's analyze its code:
   1. It has a native library, `challenge`.
   2. `KLOW()` function: this code saves the current date in a **SharedPreferences** file named `DAD4` using the key `UUU0133`.

      <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FWB6AGJPqZXnU3sQJBnKC%2Fimage.png?alt=media&#x26;token=35812807-d8ac-4477-a2cf-a4786bb29615" alt="" width="563"><figcaption></figcaption></figure>
4. The second activity is `com.mobilehackinglab.challenge.Activity2`, which is exported and declares a scheme. Let's analyze its code, which does several things:

   1. First, the app reads the value associated with the key **`UUU0133`** stored in **SharedPreferences**.
   2. Second, it compares the stored value (**`u_1`**) with the value returned by the method **`m144cd()`**.
   3. Then it checks whether the **URI** in the intent uses the **`mhl` scheme** and the **`labs` host**. The app extracts a base64-encoded value, decodes it, and attempts to decrypt it using AES. If the decrypted value matches the secret key, the app loads the "flag" library, calls `getflag()`, and displays the flag via a toast.

   <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2F0ONSmRlPeNZfBKHqhec9%2Fimage.png?alt=media&#x26;token=a491f33d-54da-42bd-9d12-3b82e75182a6" alt="" width="563"><figcaption></figcaption></figure>
5. In this step we decrypt the secret. We have:
   * String: `bqGrDKdQ8zo26HflRsGvVA==`
   * Key: `your_secret_key_1234567890123456`
   * IV: `1234567890123456`, retrieved from `Activity2K`
6. I used this Python script to decrypt the secret; the result is `mhl_secret_1337`:

   ```python
   from base64 import b64decode
   from Cryptodome.Cipher import AES
   from Cryptodome.Util.Padding import unpad

   # Inputs
   secret = "bqGrDKdQ8zo26HflRsGvVA=="  # Encrypted string (Base64 encoded)
   key = b"your_secret_key_1234567890123456"  # 32-byte key
   iv = b"1234567890123456"  # 16-byte IV

   # Decode the Base64 encoded secret
   cipher_text = b64decode(secret)

   # Decrypt using AES CBC mode
   cipher = AES.new(key, AES.MODE_CBC, iv)
   decrypted = unpad(cipher.decrypt(cipher_text), AES.block_size)

   # Print the result
   print("Decrypted Text:", decrypted.decode('utf-8'))
   ```
7. Next, let's create a Frida script that does the following:
   1. Call `KLOW()` from the main activity ⇒ to save the secret.
   2. Call `m144cd` from `Activity2` (invoked as `cd()` in the script) ⇒ to return today's date as a string in dd/mm/yyyy format.
   3. Run the Frida script with this command: `frida -U -f com.mobilehackinglab.challenge -l frida.js`

      ```javascript
      Java.perform(function () {
        // After 1 s, find the live MainActivity instance on the heap and call KLOW().
        setTimeout(function () {
          Java.choose("com.mobilehackinglab.challenge.MainActivity", {
            onMatch: function (instance) {
              console.log("Found instance: " + instance);
              console.log("call KLOW func: " + instance.KLOW());
            },
            onComplete: function () {}
          });
        }, 1000);

        // After 10 s, find the live Activity2 instance and call cd() and the native getflag().
        setTimeout(function () {
          Java.choose("com.mobilehackinglab.challenge.Activity2", {
            onMatch: function (instance) {
              console.log("Found instance: " + instance);
              console.log("cd func: " + instance.cd());
              console.log("native func: " + instance.getflag());
            },
            onComplete: function () {}
          });
        }, 10000);
      });
      ```

<figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FUAkK5Ca1gpPdleyYA962%2Fimage.png?alt=media&#x26;token=515f3d46-9e7b-4d45-b439-a8b6c58a142b" alt="" width="563"><figcaption></figcaption></figure>

8. Launch `Activity2`, passing `android.intent.action.VIEW` as the action and `mhl://labs/secret-encoded-value` as the data.
9. We get a Success message in the application, but the flag isn't returned!

   <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2F3oCF0SH2wQ1zK3tpf2dc%2Fimage.png?alt=media&#x26;token=c3d0a33e-ebe4-436f-b3d4-d67048ba905b" alt="" width="253"><figcaption></figcaption></figure>
10. Let's search for our flag in memory.

    <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FDFEU5I9fcymffzsHoeMC%2Fimage.png?alt=media&#x26;token=2213f3c7-14ee-4b91-95b2-ff41d68bb69b" alt=""><figcaption></figcaption></figure>
11. We have a lot of files, so let's read all the strings from all of them and filter for those that start with MHL: `MHL{IN_THE_MEMORY}`

    <figure><img src="https://2140186435-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpoPpsF6DyQtOrXy70rxC%2Fuploads%2FRPPTtnI34F7MXMIZIm7s%2Fimage.png?alt=media&#x26;token=41416f00-1d6e-4d9b-8711-70fcd7385713" alt="" width="536"><figcaption></figcaption></figure>
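
The string search from steps 10 and 11, as an added example that is not part of the original writeup: a Python scanner that extracts printable runs from dumped memory files and keeps those matching the flag format. The function names, the exact `MHL{...}` pattern and the sample bytes are assumptions constructed for illustration; it also checks UTF-16LE runs, which a plain ASCII `strings` pass would miss.

```python
import re
from pathlib import Path

# Assumed flag format, based on the MHL{...} result shown in step 11.
FLAG_RE = re.compile(r"MHL\{[^}\s]{1,64}\}")
MIN_LEN = 4  # minimum run length, the same default strings(1) uses

# Printable ASCII runs, and the same characters stored as UTF-16LE
# (char + NUL), which is how Java strings may be laid out in memory.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(blob: bytes):
    """Yield (offset, encoding, text) for every printable run in blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_flags(blob: bytes):
    """Return sorted, de-duplicated (offset, encoding, flag) hits."""
    hits = set()
    for offset, enc, text in extract_strings(blob):
        width = 2 if enc == "utf-16le" else 1  # bytes per character
        for m in FLAG_RE.finditer(text):
            hits.add((offset + m.start() * width, enc, m.group()))
    return sorted(hits)


def scan_dump_dir(directory: str):
    """Scan every regular file under directory; return {path: hits}."""
    results = {}
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file():
            hits = find_flags(path.read_bytes())
            if hits:
                results[str(path)] = hits
    return results


# Constructed dump fragment: noise around one ASCII and one UTF-16LE hit.
SAMPLE = (b"\x00\x01\xffELF\x02junk" + b"MHL{CONSTRUCTED_ASCII}" + b"\x00\x90\x90"
          + "MHL{CONSTRUCTED_WIDE}".encode("utf-16le") + b"\x00\x00\x07")

if __name__ == "__main__":
    for offset, enc, flag in find_flags(SAMPLE):
        print(f"0x{offset:08x} {enc:9s} {flag}")
```

Point `scan_dump_dir()` at the directory holding the dumped files; each hit carries its byte offset so it can be located in the dump afterwards.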


