Mob psycho picoCTF 2024 Solution

Published: April 3, 2024

Description

Can you handle APKs? Download the Android APK here.

APK unpacking

Download mobpsycho.apk and unzip it in a separate directory (APK unzip dumps lots of files).

Use strings/grep to hunt for "flag" within res/.

bash
wget https://artifacts.picoctf.net/c_titan/53/mobpsycho.apk && \
mkdir mobpsycho_dir && cd mobpsycho_dir && \
unzip ../mobpsycho.apk

The Hex Dumps for CTF guide covers the xxd -r -p reverse-hex pattern at the heart of this solve, plus the recognition cues for hex-encoded strings hidden inside other formats.
  1. Step 1: Find the flag file
    Recursively scan the extracted files with find and strings, scoped to res/ for speed. The flag lives at res/color/flag.txt.
    bash
    find res -type f -exec strings {} + | grep flag
    bash
    find . -type f -name 'flag*'

    An APK (Android Package Kit) is simply a ZIP archive containing everything an Android app needs: compiled Dalvik bytecode (classes.dex), resources, assets, a manifest, and native libraries. Because it is a standard ZIP, any tool that can unzip an archive can explore its contents without needing a real Android device.

    find ... -exec strings {} + applies strings to every regular file under the path and pipes the union into grep. It's the safer alternative to a top-level strings *: that glob skips dotfiles, expands at most one level, and chokes on directories. Scoping to res/ avoids dumping classes.dex through strings just to look for a filename you already suspect lives in resources.

    • The res/ directory holds Android XML resources, drawables, and raw files, a common hiding spot for CTF secrets.
    • The assets/ directory is another frequent location for embedded files that are not compiled into the DEX.
    • For deeper analysis, tools like jadx or apktool decompile DEX bytecode back to readable Java/Smali.
  2. Step 2: Decode the hex
    flag.txt contains hex; pipe it through xxd -r -p (or CyberChef's From Hex) to recover the ASCII flag.
    bash
    xxd -r -p res/color/flag.txt

    Hiding data as hexadecimal is a simple obfuscation technique: each byte of the original string is represented as two hex digits (e.g., the letter 'p' becomes 70). The value is human-unreadable at a glance but trivially reversible.

    xxd -r -p reverses a plain hex dump back to binary. The -r flag means "reverse" (hex to binary) and -p means the input is in plain/continuous hex format without address offsets. This combination is the standard Linux one-liner for hex decoding.

    CyberChef's From Hex recipe performs the same operation visually, making it useful when you want to see intermediate steps or chain multiple decodings (e.g., hex then base64 then ROT13). Real malware samples often layer encodings precisely to slow down analysts.

    The decoded output is pure ASCII printable text from p through }: that's the entire flag, copy it as-is. If you see \0 or other null bytes inside the output, that's a sign the input hex had odd-length bytes, stray spaces, or trailing whitespace that xxd -r -p mishandled, not part of the flag itself.
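    The two steps above, scripted end to end as an added example (not part of the original writeup): it builds a constructed stand-in for mobpsycho.apk in memory, scans only res/ entries whose name mentions "flag", and hex-decodes them the way xxd -r -p does, but refuses odd-length input instead of emitting a mangled last byte. The flag value, file layout and helper names are assumptions.

```python
import io
import re
import zipfile
from typing import Optional

FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def decode_plain_hex(text: str) -> bytes:
    """Mimic `xxd -r -p`: ignore whitespace (including the trailing newline),
    decode byte pairs, and reject an odd digit count rather than mangle it."""
    hexdigits = "".join(text.split())
    if len(hexdigits) % 2:
        raise ValueError(f"odd hex length {len(hexdigits)}: truncated or stray nibble")
    return bytes.fromhex(hexdigits)


def find_flag_in_apk(apk_bytes: bytes) -> Optional[str]:
    """Walk the APK (a plain ZIP), hex-decode res/ entries named like 'flag',
    and return the first picoCTF{...} string found, or None."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("res/") or "flag" not in name.lower():
                continue
            raw = zf.read(name).decode("ascii", errors="replace")
            try:
                decoded = decode_plain_hex(raw).decode("ascii", errors="replace")
            except ValueError:
                continue  # not a clean hex blob, skip it
            match = FLAG_RE.search(decoded)
            if match:
                return match.group(0)
    return None


def build_sample_apk(flag: str) -> bytes:
    """Constructed stand-in for mobpsycho.apk (assumption): same layout,
    with res/color/flag.txt holding the flag as plain hex plus a newline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16)
        zf.writestr("res/color/flag.txt", flag.encode().hex() + "\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_flag_in_apk(build_sample_apk("picoCTF{constructed_example}")))
```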

Flag

picoCTF{ax8mC0RU6ve_NX85l4ax8mCl_a3e...}

The decoded hex string inside res/color/flag.txt is the flag.
