# Reverse Android Memory Creation: BlockCTF - Protect Your API Key

<figure><img src="/files/WxtSh86FbPaRKyGb9R66" alt=""><figcaption></figcaption></figure>

First I reversed the APK; this is the MainActivity:

```java
public class MainActivity extends AppCompatActivity {
    private ActivityMainBinding binding;

    public native void run(Context context, String str);

    public native String stringFromJNI();

    static {
        System.loadLibrary("app");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        ActivityMainBinding inflate = ActivityMainBinding.inflate(getLayoutInflater());
        this.binding = inflate;
        setContentView(inflate.getRoot());
        this.binding.sampleText.setText(stringFromJNI());
        new Thread(new Runnable() { // from class: com.some.better.practice.app.MainActivity$$ExternalSyntheticLambda0
            @Override // java.lang.Runnable
            public final void run() {
                MainActivity.this.m125lambda$onCreate$0$comsomebetterpracticeappMainActivity();
            }
        }).start();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: lambda$onCreate$0$com-some-better-practice-app-MainActivity, reason: not valid java name */
    public /* synthetic */ void m125lambda$onCreate$0$comsomebetterpracticeappMainActivity() {
        run(this, "com.some.real.better.practice.myapplication.RideHailing");
    }
}
```

It caught my attention that it loads a native lib called `app`, and that the class `com.some.real.better.practice.myapplication.RideHailing` does not exist. I opened IDA, and it turns out that it creates this class `RideHailing` in memory!

I used this Frida script <https://codeshare.frida.re/@cryptax/inmemorydexclassloader-dump/> to dump this class from memory.

<figure><img src="/files/ohKcA5RWD9ECdTKPIUBk" alt=""><figcaption></figcaption></figure>

I grabbed this dump.dex using adb, then used dex2jar to create a jar to use jadx on it, and the class source code was:

```java
/* loaded from: dump-dex2jar.jar:com/some/real/better/practice/myapplication/RideHailing.class */
public class RideHailing extends Thread {
    public static String decryptMsg(byte[] bArr) throws Exception {
        SecretKeySpec secretKeySpec = new SecretKeySpec("er34rgr3443.,g,3-09gjs@[wpef9j3j".getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(2, secretKeySpec);
        return new String(cipher.doFinal(bArr), "UTF-8");
    }

    public static byte[] encryptMsg(String str) throws Exception {
        SecretKeySpec secretKeySpec = new SecretKeySpec("er34rgr3443.,g,3-09gjs@[wpef9j3j".getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(1, secretKeySpec);
        return cipher.doFinal(str.getBytes("UTF-8"));
    }

    private void logLocation(Navigator navigator) {
        Log.v(Navigator.class.getName(), "Your location is " + navigator.locate());
    }

    @Override // java.lang.Thread
    public void start() {
        try {
            logLocation(new Entry().initialization(decryptMsg(Base64.decode("9Bmk+Nc8i7oz2+sRYI9Q1fZ/metvBlUzoMMdC2aLstA=", 2))));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}
```

So I simply created a similar Java app to get the encrypted key, and I got the flag.

<figure><img src="/files/6vos2DRqynlNHWO8pDVY" alt=""><figcaption></figcaption></figure>
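A desktop-JVM version of the decryption step described above, as an added example that is not the author's own app. It reuses the key and ciphertext from the dumped `RideHailing` class; the class name `DecryptDump` is hypothetical, and `java.util.Base64` stands in for Android's `Base64.decode(..., 2)` (flag 2 is `NO_WRAP`). The last check shows the ECB weakness that sits alongside the hard-coded key: equal plaintext blocks give equal ciphertext blocks.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example; the class name DecryptDump is hypothetical.
public class DecryptDump {
    // Key and ciphertext copied from the dumped RideHailing class above.
    // The key is 32 bytes long, so the cipher is AES-256.
    private static final byte[] KEY =
            "er34rgr3443.,g,3-09gjs@[wpef9j3j".getBytes(StandardCharsets.UTF_8);
    private static final String BLOB = "9Bmk+Nc8i7oz2+sRYI9Q1fZ/metvBlUzoMMdC2aLstA=";

    static byte[] aesEcb(int mode, byte[] input) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(mode, new SecretKeySpec(KEY, "AES"));
        return cipher.doFinal(input);
    }

    public static void main(String[] args) throws Exception {
        // The decompiled cipher.init(2, ...) is Cipher.DECRYPT_MODE;
        // cipher.init(1, ...) is Cipher.ENCRYPT_MODE.
        byte[] ct = Base64.getDecoder().decode(BLOB);
        String plain = new String(aesEcb(Cipher.DECRYPT_MODE, ct), StandardCharsets.UTF_8);
        System.out.println("decrypted: " + plain);

        // Sanity check: re-encrypting the plaintext must reproduce the blob.
        byte[] again = aesEcb(Cipher.ENCRYPT_MODE, plain.getBytes(StandardCharsets.UTF_8));
        System.out.println("round-trip matches: " + Arrays.equals(ct, again));

        // ECB caveat, on a constructed sample of two identical 16-byte blocks.
        byte[] sample = new byte[32];
        Arrays.fill(sample, (byte) 'A');
        byte[] enc = aesEcb(Cipher.ENCRYPT_MODE, sample);
        boolean sameBlocks = Arrays.equals(
                Arrays.copyOfRange(enc, 0, 16), Arrays.copyOfRange(enc, 16, 32));
        System.out.println("identical plaintext blocks -> identical ciphertext blocks: " + sameBlocks);
    }
}
```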

