strings

manifest analyzing

we have two activity to analyze:

• the main activity

• Activity2 that expects a deep link

---

1) Main activity code analysis

📌java code

only the the ui updates the text view using a string from the native function

and we have this weird function

KLOW is supposed to store the current date in SharedPreferences under the key "UUU0133" in an xml file called DAD4.xml .

it is weird because it is never called i made sure using androguard call graph

it only calls one function and it is never called,so i think we have keep this note for now.

📌Native code

it creates a text view loaded using a native function

1. loading

       static {
           System.loadLibrary("challenge");
       }

   the shared object file name is libchallenge.so

2. definition

   public final native String stringFromJNI();

   takes no args and returns a string

3. calling

the string returned from the native function is then displayed on the activity text view like this

take a look at jni trace and we have the return value

Native lib reverse engineering

anyways i don’t think this function is interesting, but let’s use ghidra to reverse it

apktool d com.mobilehackinglab.strings.apk

now we get the libchallenge.so from the path lib/<abi> and import it in ghidra and view stringFromJNI() function

manually returning the code closer to the original form

#include <jni.h>
#include <string>

extern "C" JNIEXPORT jstring JNICALL
Java_com_mobilehackinglab_challenge_MainActivity_stringFromJNI(JNIEnv* env, jobject /* this */) {
    std::string hello = "Hello from C++";
    return env->NewStringUTF(hello.c_str());
}

looking at the native method we will realize it just returns a static string value “Hello from C++”

---

2)Activity2 code analysis

📌java code

in the oncreate method we have 4 if statement we should satisfy to get the flag:

1- checks if the intent action is android.intent.action.VIEW and

📌native lib reverse engineering

it is obufuscated

---

📌exploitation

my strategy for now is :

1- pass all the if conditions to make the native function get called

2- search the memory for the flag that starts with MHL

Bypassing if statements

frida script to run the klow function

Java.perform(function () {

    Java.choose("com.mobilehackinglab.challenge.MainActivity", {
        onMatch: function (instance) {
            console.log("Found instance: " + instance);
            try{
                instance.KLOW();
            }catch(e){
                console.log(e);
            }
            
        },
        onComplete: function () {
            console.log("Completed searching for instances of MainActivity");
        }
    });
});

now if we send an intent with a view action we will pass the first if statement

2- if we send a data uri with the write scheme and host we will pass the second check

adb shell am start -a android.intent.action.VIEW -d "mhl://labs" -n com.mobilehackinglab.challenge/.Activity2

3- the last segment of the uri has to be in b64 and has to be not null

4- the decoded b64 value has to equal the following string value

str = decrypt("AES/CBC/PKCS5Padding", "bqGrDKdQ8zo26HflRsGvVA==", new SecretKeySpec(bytes, "AES"));

to decrypt we need this info

1- cipher text bqGrDKdQ8zo26HflRsGvVA==

2- IV is retrieved from Activity2Kt.fixedIV ⇒ 1234567890123456

3- secret key your_secret_key_1234567890123456

our secret is mhl_secret_1337

now lets send it in base 64 bWhsX3NlY3JldF8xMzM3 as the last path in the data uri with the intent

adb shell am start -a android.intent.action.VIEW -d "mhl://labs/bWhsX3NlY3JldF8xMzM3" -n com.mobilehackinglab.challenge/.Activity2

we get success now we know we passed all the if statements and the native function been called

now we want to search the memory for the flag

setTimeout(() => {
    const module = Process.findModuleByName("libflag.so");
    if (!module) {
        console.log("libflag.so not found!");
        return;
    }

    const hexPattern = "4D 48 4C";

    Memory.scan(module.base, module.size, hexPattern, {
        onMatch: (address) => {
            console.log(`Found match at: ${address}`);

            const memoryBuffer = Memory.readByteArray(ptr(address), 25);
            
            if (memoryBuffer) {
                console.log(`Memory contents read: ${memoryBuffer}`);
                console.log(hexdump(memoryBuffer, {
                    offset: 0,
                    length: 25,
                    header: true,
                    ansi: true,
                }));
            } else {
                console.log("Failed to read memory.");
            }
        },
        onError: (error) => {
            console.log(`Memory scan failed: ${error}`);
        },
    });
}, 0);