Strings
I will be using my own machine, which I have set up with Android Studio and has Frida enabled. Launching the application displays a message:

After unzipping the APK, I use jadx-gui to decompile the source code. The first thing to look for is the AndroidManifest.xml file, since it tells us how the app interacts with other system components:

We can see an intent-filter tag with the VIEW action and the BROWSABLE category.
In Android, Intents are messaging objects that facilitate communication between different app components (activities, services, broadcast receivers and so on).
This setup allows the activity to be launched via a deep link with the declared scheme and host:
We can try to launch Activity2 directly through the exported deep link using adb:
Running this command starts the Intent:

But it closes the app:

Looking at the source code of MainActivity, we can see two noticeable parts:

The first part attempts to load the library libchallenge.so.
In the second part, we can observe that the KLOW() method retrieves a SharedPreferences file named DAD4, sets up the date format, retrieves the current date and formats it as a string.
A SharedPreferences object points to a file containing key-value pairs and provides simple methods to read and write them.
In this line, it stores the date string in the SharedPreferences file DAD4 under the key UUUO133:
Next, we will take a look at Activity2, in the getflag() function:

In the upper part of this huge block, the isActionView and isU1Matching checks make sure the u_1 variable, which holds our UUU0133 string, matches the output of the cd() method.
Now, let's inspect the cd() method:

Basically, it just retrieves the date formatted as a string and stores it in the shared variable cu_d.

It hardcodes the secret key for the AES encryption:
It also hardcodes the string we want to decrypt:
In the series of if blocks, it first checks the scheme and the host against those declared in the manifest file earlier, then reads the last path segment of the URI and base64-decodes it. It compares the result with the str variable and, if that check passes, loads the native library lib.flag.so and stores the flag in the s variable.
To produce the correct base64 string that passes the checks, we first need to know the IV (Initialization Vector). We can inspect the decrypt() method below:

We can see it retrieves the IV value from Activity2Kt.fixedIV:

Great, we now have the hardcoded IV value. To get the correct base64 string that validates the URI, we can use CyberChef to:
Decode the hardcoded base64 string
AES-decrypt the result with the hardcoded key and IV

And we get the string mhl_secret_1337. Encoded in base64, it becomes:
Now we can send the Intent as before, but with -d to pass the data string containing the correct URI via adb:
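The whole chain described above (the if-chain in getflag() that validates scheme, host and the base64-decoded last path segment, and the CyberChef steps that recover the secret from the hardcoded ciphertext) can be reproduced offline. The following Go program is an added example written for this writeup, not code from the challenge APK: the key, IV, scheme, host and ciphertext are placeholders (the ciphertext is constructed here from the known plaintext, since the real one lives in the APK), and AES-CBC with PKCS#7 padding is assumed because a fixed IV alongside a hardcoded key is the usual AES/CBC/PKCS5Padding pattern. Swap in the values pulled from jadx and the program prints the URI to hand to adb.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Placeholders: the real key and IV are hardcoded in Activity2 and
// Activity2Kt.fixedIV and must be copied out of the jadx output.
var (
	hardcodedKey = []byte("0123456789abcdef") // ASSUMPTION: 16-byte AES-128 key
	fixedIV      = []byte("fedcba9876543210") // ASSUMPTION: 16-byte CBC IV
)

// Placeholder scheme and host; take the real ones from the intent-filter.
const (
	deepLinkScheme = "mhl"
	deepLinkHost   = "labs"
)

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// decryptSecret follows the decrypt() path: base64-decode the hardcoded
// ciphertext, AES-CBC decrypt with the key and fixedIV, strip the padding.
func decryptSecret(ciphertextB64 string, key, iv []byte) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(ciphertextB64)
	if err != nil {
		return "", err
	}
	if len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	out, err := pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// encryptSecret exists only to construct a sample ciphertext for this example.
func encryptSecret(plaintext string, key, iv []byte) string {
	block, _ := aes.NewCipher(key)
	pt := pkcs7Pad([]byte(plaintext))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct)
}

// buildDeepLink puts the base64-encoded secret in the last path segment; the
// result is what `adb shell am start -a android.intent.action.VIEW -d <uri>` sends.
func buildDeepLink(secret string) string {
	return fmt.Sprintf("%s://%s/%s", deepLinkScheme, deepLinkHost,
		base64.StdEncoding.EncodeToString([]byte(secret)))
}

// passesGetflagChecks reproduces the if-chain in getflag(): scheme and host must
// match the manifest, and the base64-decoded last path segment must equal the secret.
func passesGetflagChecks(uri, expectedSecret string) bool {
	u, err := url.Parse(uri)
	if err != nil || u.Scheme != deepLinkScheme || u.Host != deepLinkHost {
		return false
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	dec, err := base64.StdEncoding.DecodeString(segs[len(segs)-1])
	return err == nil && string(dec) == expectedSecret
}

func main() {
	sample := encryptSecret("mhl_secret_1337", hardcodedKey, fixedIV) // stands in for the APK's ciphertext
	secret, err := decryptSecret(sample, hardcodedKey, fixedIV)
	if err != nil {
		panic(err)
	}
	link := buildDeepLink(secret)
	fmt.Println("secret:", secret, "deep link:", link, "passes:", passesGetflagChecks(link, secret))
}
```

The padding check in pkcs7Unpad is deliberately strict: a wrong key or IV will usually surface as a padding error here rather than as garbage silently passed on to the base64 step, which is the failure a practitioner hits first when a copied key has a stray character.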

Let's check the Android emulator:

We bypassed the checks, and it displays a new message. But the flag was nowhere to be found. Looking back at the description of the challenge, it guides us to scan the memory for the flag:

I used the fridump tool from this repo:
It's the same as a memory scanner, but it dumps the output. It takes relatively simple arguments; only the running app name is needed. We can find this by running frida:

And that is our app name. Now I used the fridump tool with the -U option to specify it and -O to output the dump files:


And that's done. Let's check the dump files:

Yep, that's a lot. Following the hint, we can just grep out the flag:
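Grepping a directory of raw memory dumps works, but it helps to know which region the flag came from and to dedupe the hits. The Go program below is an added example for this writeup, not part of fridump or the challenge: it walks a dump directory, runs the flag pattern over each file as bytes (the dumps are binary, so a text-mode grep would need -a), and reports each distinct match with the files it appeared in. The sample dump files and their names are constructed here and are not fridump's real output naming; the allowed flag body characters are an assumption.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// Flag format from the challenge; the allowed body characters are an assumption
// (anything printable except a closing brace, capped so junk matches stay short).
var flagPattern = regexp.MustCompile(`MHL\{[^}\x00-\x1f\x7f]{1,64}\}`)

// findFlags walks a dump directory and returns each distinct flag-shaped
// string together with the dump files it appeared in.
func findFlags(dumpDir string) (map[string][]string, error) {
	hits := map[string][]string{}
	err := filepath.WalkDir(dumpDir, func(path string, d os.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := os.ReadFile(path) // raw binary; regexp matches on []byte directly
		if err != nil {
			return err
		}
		seen := map[string]bool{}
		for _, m := range flagPattern.FindAll(data, -1) {
			if s := string(m); !seen[s] {
				seen[s] = true
				hits[s] = append(hits[s], filepath.Base(path))
			}
		}
		return nil
	})
	return hits, err
}

// writeSampleDump creates constructed dump files (names are made up, not
// fridump's naming): one region with the flag buried in binary noise, one without.
func writeSampleDump(dir string) error {
	noise := []byte{0x00, 0xff, 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x00, 0x7d, 0x4d, 0x48}
	withFlag := append(append(append([]byte{}, noise...), "MHL{IN_THE_MEMORY}"...), noise...)
	if err := os.WriteFile(filepath.Join(dir, "region_0.data"), withFlag, 0o600); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "region_1.data"), noise, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "fridump")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := writeSampleDump(dir); err != nil {
		panic(err)
	}
	hits, err := findFlags(dir)
	if err != nil {
		panic(err)
	}
	for flag, files := range hits {
		fmt.Printf("%s  found in %v\n", flag, files)
	}
}
```

Point it at the real fridump output directory instead of the temp directory and the loop prints the flag plus the region file it sits in, which is the detail a plain grep over the whole directory loses.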

Nice challenge. LETSGOOO
flag: MHL{IN_THE_MEMORY}