Fork me on GitHub

Hi everyone. I’m working on a CTF (Capture The Flag) challenge which is about apk reverse engineering and I’ve got some Java code for Android here, that I’m trying to analyse. Unfortunately my knowledge in Java is not that good and I’m stuck with one specific function. I was wondering if anyone who knows java could help me out a bit?


Maybe post a link to a gist or something so as not to take up too much room here? I’d take a look.


sure, thank you! that’d be a great help


so I’m including this one specific function and + strings.xml that I managed to extract. so I’m trying to find out where are the requests going to basically


with my little knowledge, I think one of the addresses is

(which comes from strings.xml)


You want to understand this line?

HttpPost httpPost = new HttpPost("http://" + this.context.getResources().getStringArray(2131099648)[i] + this.context.getString(2131034123));


Is it possible to run the APK and use a network sniffer?


What class does the check_domain_200 method appear in?


It looks like it has its own Context object, and that context has a getResources() method that returns an instance of a class that has a getStringArray method. If you can track down which class that is, you should get a better understanding of where the data is being stored.


I wasn’t able to track down getResources unfortunately. So I assumed that it was coming from that strings.xml file


now that I think about it, I might be wrong


It’s possible that the locations aren’t coded, and that the app is getting the data from either a remote source or from some kind of local storage, since the 2131099648 is such a high value.


First step is to find the definition for the class that check_domain_200 appears in, and look at its constructor, to see what it’s setting this.context to.


It’s a bit confusing because it also defines Context context at the top of the method, but context and this.context are different variables.


oh, ok I got that part now


Actually, let’s thread this so we don’t consume too much space in #off-topic .


So the class is:

public class webServiceRobot {
   Context context;

   // and the method goes here


The constructor will give you the class that’s being stored in this.context. It’ll either be instantiated directly, or passed in as a constructor arg.


Ok, you’ve got the class, can you see where this.context is being set to a value? Or is it just a setContext method?


there is a setContext method which just sets it

public void setContext(Context paramContext) {
  this.context = paramContext;
so I guess it is being set from outside of this class


so I need to find that now


Yeah, you’re probably not going to find a list of IPs anywhere in the source code, I’m guessing. 2131099648 as a string index is too big to be the array index of a list of strings in a config file somewhere, so that’s most likely going to be a db ID into some kind of local storage, which suggests the data is coming in from some remote server somewhere.


Although it could be a generated ID from a compiled XML file like @UJRDALZA5 suggested outside the the thread.


All the strings in strings.xml (and there can be multiple strings.xml) are compiled into a huge String array in Android.


Don't remember the internals too much.


thank you both. I’ll try to see if I can find another useful xml file

Bill Phillips14:03:29

android developer here

Bill Phillips14:03:22

in source, this.context.getResources().getStringArray(2131099648) would look something like this: this.context.getResources().getStringArray(R.array.my_array)

Bill Phillips14:03:16

R.array.my_array is generated from the strings.xml file as it’s being packaged into the apk

Bill Phillips14:03:51

so in xml that would look something like:

    <string-array name="my_array">

Bill Phillips14:03:39

re: strings.xml, resources have a “configuration” system which allow for switching between different resources under different situations… for strings, this is often used for locale/language

Bill Phillips14:03:44

so in source you might have res/values/strings.xml and then a second res/values-es/strings.xml for translation

Bill Phillips14:03:17

i think that may be relevant in your case because this strings.xml doesn’t have any string arrays in it. it appears to be a translation.

Bill Phillips14:03:23

this string array is storing endpoints, so it’s almost certainly using the default strings.xml, not a localization

Bill Phillips14:03:26

(the default is res/values/strings.xml)

Bill Phillips14:03:59

i don’t know how to find the map that translates the integer into a string… if you have access to a runtime system, that can be done with an instance of the Resources object


hey @U010GL90FN0, 4 months later, I just saw this, sorry. thanks for taking time explaining this to me! :)


getResources() et. al. are coming from strings.xml in a way. The strings.xml is actually compiled into a class. As far as I remember. I did some Android almost 6 years back.