Mob psycho

Published: April 3, 2024

Description

Can you handle APKs? Download the android apk here.

APK unpacking

Download mobpsycho.apk and unzip it in a separate directory (APK unzip dumps lots of files).

Use strings/grep to hunt for "flag" within res/.

wget https://artifacts.picoctf.net/c_titan/53/mobpsycho.apk && \
mkdir mobpsycho && cd mobpsycho && \
unzip ../mobpsycho.apk

Solution

  1. Step 1: Find the flag file
    Search the unpacked tree for anything named "flag". strings * | grep flag matches the path recorded in the top-level resource table (strings does not descend into subdirectories, so the hit comes from resources.arsc, which lists the path of every file-based resource); ls -R | grep -B 20 flag or find . -iname '*flag*' locates the file directly. Either way the answer is res/color/flag.txt.
    strings * | grep flag
    find . -iname '*flag*'

    An APK (Android Package Kit) is simply a ZIP archive containing everything an Android app needs: compiled Dalvik bytecode (classes.dex), resources, assets, a manifest, and native libraries. Because it is a standard ZIP, any tool that can unzip an archive can explore its contents without needing a real Android device.

    strings extracts printable character sequences (by default runs of four or more) from binary files. Piping its output through grep flag quickly surfaces any path, string, or filename containing "flag", even when that text is buried inside a compiled binary or resource blob. This is a foundational reconnaissance technique in mobile CTFs.

    • The res/ directory holds compiled Android resources: binary XML, drawables, colors, and raw files under res/raw/ - a common hiding spot for CTF secrets.
    • The assets/ directory is another frequent location for embedded files that are not compiled into the DEX; they are stored verbatim.
    • For deeper analysis, jadx decompiles DEX bytecode back to readable Java, and apktool disassembles it to Smali while also decoding the binary XML resources.
  2. Step 2: Decode the hex
    flag.txt contains the flag as a run of hex digits; pipe it through xxd -r -p (or CyberChef's From Hex) to recover the ASCII flag. The decoded output has no trailing newline, so follow it with echo to keep the prompt off the flag line.
    xxd -r -p res/color/flag.txt; echo

    Hiding data as hexadecimal is a simple obfuscation technique: each byte of the original string is represented as two hex digits (e.g., the letter 'p' becomes 70). The value is human-unreadable at a glance but trivially reversible.

    xxd -r -p reverses a plain hex dump back to binary. The -r flag means "reverse" (hex to binary) and -p means the input is in plain/continuous hex format without address offsets; whitespace and line breaks in the input are ignored, so a line-wrapped dump decodes just as well. This combination is the standard Linux one-liner for hex decoding.

    CyberChef's From Hex recipe performs the same operation visually, making it useful when you want to see intermediate steps or chain multiple decodings (e.g., hex then base64 then ROT13). Real malware samples often layer encodings precisely to slow down analysts.
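The two steps above carried out in one place, as an added example that is not part of the original writeup: since an APK is a ZIP archive, Python's standard zipfile module can list and read its entries without unpacking anything to disk, and bytes.fromhex does what xxd -r -p does. The APK used here is constructed in memory (a few stand-in entries plus a placeholder flag under res/color/flag.txt) so the script runs offline; nothing in it is the real mobpsycho.apk or the real flag.

```python
import io
import re
import zipfile


# Constructed sample APK: NOT the real mobpsycho.apk, just enough ZIP
# structure to demonstrate the search. The flag value is a placeholder.
def build_sample_apk() -> bytes:
    hidden = "picoCTF{example_placeholder_flag}"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")        # stand-in
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)   # stand-in header
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
        # Hex-encoded flag, wrapped over two lines like a hand-typed xxd -p dump
        hexdump = hidden.encode().hex()
        z.writestr("res/color/flag.txt", hexdump[:40] + "\n" + hexdump[40:] + "\n")
        z.writestr("assets/notes.txt", b"nothing to see here")
    return buf.getvalue()


def find_entries(apk: bytes, needle: str = "flag") -> list[str]:
    """Step 1: archive entries whose path contains needle (case-insensitive).
    Same idea as `ls -R | grep -i flag`, but without unpacking to disk."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return sorted(n for n in z.namelist() if needle.lower() in n.lower())


_HEX_RE = re.compile(r"^[0-9a-fA-F]*$")


def decode_plain_hex(text: str) -> bytes:
    """Step 2: a strict version of `xxd -r -p`. Whitespace and newlines are
    ignored; anything else, or an odd digit count, is an error rather than
    silently producing a truncated or shifted result."""
    compact = "".join(text.split())
    if not _HEX_RE.match(compact):
        raise ValueError("input contains non-hex characters")
    if len(compact) % 2:
        raise ValueError("odd number of hex digits; a byte is two digits")
    return bytes.fromhex(compact)


def extract_flag(apk: bytes) -> str:
    """Both steps end to end: locate the suspicious entry, read it, hex-decode it."""
    hits = find_entries(apk)
    if not hits:
        raise LookupError("no entry with 'flag' in its path")
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        raw = z.read(hits[0]).decode("ascii")
    return decode_plain_hex(raw).decode("utf-8")


if __name__ == "__main__":
    sample = build_sample_apk()
    print("candidate entries:", find_entries(sample))
    print("decoded:", extract_flag(sample))
```

To use it on a real file, replace build_sample_apk() with open("mobpsycho.apk", "rb").read(); find_entries only looks at entry names, so a flag hidden inside a file body (the resources.arsc case) still needs strings or grep -r on the unpacked tree.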

Flag

picoCTF{ax8mC0RU6ve_NX85l4ax8mCl_a3e...}

The decoded hex string inside res/color/flag.txt is the flag.
