Task: an Android clicker game hides its reward flow behind Java and JNI checks, while shipping several obvious fake native flags. Solution: decompile the APK, notice that the Java layer insists on the UMASS{...} format, then recover the real body from a cross-architecture XOR-obfuscated native string and rebuild the intended flag.

Tags / techniques:

  • apk_decompilation
  • jni_reversing
  • decoy_flag_elimination
  • xor_string_recovery
  • cross_architecture_validation

Lego Clicker — umasscybersec

Description

Hackers have taken over and corrupted your beloved Lego Clicker game; can you reclaim the top of the leaderboard? Note: there are fake flags throughout the challenge, which should be obvious to tell based on contents.

English summary: the challenge provides an Android APK for a fake clicker game. Reaching the top of the leaderboard triggers reward logic, but the real solution requires separating deliberate fake flags from the actual flag reconstruction path.

Challenge Summary

This was a mobile reversing challenge with a strong native component. The APK decompiles cleanly enough to expose the app structure, but the interesting flag logic sits behind JNI calls in liblegocore.so.

The key to the solve is not trusting the first flag-looking strings you see. The APK contains multiple decoys, and the Java layer gives the decisive constraint: the final accepted answer must look like UMASS{...}.
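The two constraints above (the Java layer only accepts UMASS{...}, and the real body is an XOR-obfuscated native string that must agree across architectures) are enough to automate the decoy elimination. The script below is an added example and not code from the writeup; it assumes a short repeating-key XOR (the writeup says "XOR-obfuscated" but not the key shape) and that the same string is shipped in each ABI's build of liblegocore.so. The byte blobs, the key values and the flag text are constructed for the demonstration and are not the challenge's real data; in practice the blobs would be carved from each lib/<abi>/liblegocore.so.

```python
import re
from itertools import cycle
from typing import Optional

# Format the Java layer (defpackage/n0.java) insists on; anything else is a decoy.
FLAG_RE = re.compile(rb"^UMASS\{[\x20-\x7e]+\}$")
KNOWN_PREFIX = b"UMASS{"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (same call obfuscates and deobfuscates)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def derive_keys(blob: bytes, max_key_len: int = 8) -> list:
    """Known-plaintext attack: the flag must start with UMASS{, so any repeating key
    no longer than that prefix is fully determined by the first bytes of the blob.
    Keep only the candidate keys that reproduce the whole prefix."""
    keys = []
    for klen in range(1, min(max_key_len, len(KNOWN_PREFIX)) + 1):
        key = bytes(b ^ p for b, p in zip(blob[:klen], KNOWN_PREFIX))
        if xor_bytes(blob[: len(KNOWN_PREFIX)], key) == KNOWN_PREFIX:
            keys.append(key)
    return keys


def recover_from_blob(blob: bytes) -> dict:
    """Return {plaintext: shortest key} for every decode that passes the format check."""
    found = {}
    for key in derive_keys(blob):
        plaintext = xor_bytes(blob, key)
        if FLAG_RE.match(plaintext):
            found.setdefault(plaintext, key)  # keys of length 2k repeat the length-k decode
    return found


def cross_arch_flags(blobs_by_abi: dict) -> set:
    """Keep only flags that decode from every ABI's library; a string that shows up
    in a single build is treated as a decoy."""
    per_abi = []
    for blobs in blobs_by_abi.values():
        flags = set()
        for blob in blobs:
            flags.update(recover_from_blob(blob))
        per_abi.append(flags)
    return set.intersection(*per_abi) if per_abi else set()


# Constructed sample data: stands in for bytes carved from each ABI's liblegocore.so.
REAL_FLAG = b"UMASS{constructed_example_flag}"  # constructed, not the challenge flag
BLOBS_BY_ABI = {
    "arm64-v8a": [
        xor_bytes(REAL_FLAG, b"\x5a\xa5"),                 # real flag, 2-byte key (constructed)
        xor_bytes(b"UMASS{fake_only_in_arm64}", b"\x01"),  # well-formed decoy, one ABI only
        b"flag{this_is_obviously_fake}",                   # plaintext decoy, wrong format
    ],
    "armeabi-v7a": [
        xor_bytes(REAL_FLAG, b"\x13\x37\x42"),             # same flag, 3-byte key (constructed)
        b"flag{this_is_obviously_fake}",
    ],
}


def solve(blobs_by_abi: dict = BLOBS_BY_ABI) -> Optional[bytes]:
    """The single candidate surviving both filters, or None if the ABIs disagree."""
    survivors = cross_arch_flags(blobs_by_abi)
    return next(iter(survivors)) if len(survivors) == 1 else None


if __name__ == "__main__":
    for abi, blobs in BLOBS_BY_ABI.items():
        for blob in blobs:
            print(abi, recover_from_blob(blob))
    print("agreed across ABIs:", solve())
```

The known-plaintext step is what makes this cheap: instead of brute-forcing 256^n keys, the UMASS{ prefix fixes every key byte, and the only remaining checks are that the decode stays printable and ends with a closing brace. The cross-ABI intersection then drops a well-formed string that exists in only one build.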

Recon and Decompilation

After unpacking the APK with apktool and jadx, the app structure immediately showed that the package name is com.example.LegoClicker and that the important native library is the one loaded as legocore (liblegocore.so).

Useful files and classes:

  • com.example.LegoClicker.RA — leaderboard activity
  • com.example.LegoClicker.SessionValidator — JNI entry points and library loading
  • com.example.LegoClicker.FCA — native-backed dialog path with extra decoy behavior
  • defpackage/n0.java — result handling and final format checks

SessionValidator.java is the first important hint:

  • it loads the native library with System.loadLibrary(...)
  • it exposes JNI methods such as refreshTileMap, syncBrickCache, and validateBrickToken
  • helper a(long j, long j2) resolves and invokes a native method by reflection

RA.java shows the intended user flow. If the player reaches the top of the leaderboard, the app calls native validation and then displays a reward string. That makes the leaderboard path look like the intended flag trigger.

...
