Find the pass, get the flag. Check out this file. You can also find the file in /problems/droids1_0_b7f94e21c7e45e6604972f9bc3f50e24.


  1. Decompile the APK using apktool, as suggested by the hint: apktool d one.apk:

     Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
     I: Using Apktool 2.4.1-dirty on one.apk
     I: Loading resource table...
     I: Decoding AndroidManifest.xml with resources...
     I: Loading resource table from file: /home/kali/.local/share/apktool/framework/1.apk
     I: Regular manifest package...
     I: Decoding file-resources...
     I: Decoding values */* XMLs...
     I: Baksmaling classes.dex...
     I: Copying assets and libs...
     I: Copying unknown files...
     I: Copying original files...

    Alternatively, you can use JADX to decompile and look around in a GUI. This is the method used in this write-up.

    JADX Install:

     wget https://github.com/skylot/jadx/releases/download/v1.1.0/jadx-1.1.0.zip
     unzip jadx-1.1.0.zip -d jadx
     cd jadx
     sudo mkdir /opt/jadx
     sudo mv * /opt/jadx
     cd /opt/jadx/bin
  2. Launch jadx-gui and open one.apk

  3. In the MainActivity the button click code can be seen:

     public void buttonClick(View view) {
         this.text_bottom.setText(FlagstaffHill.getFlag(this.text_input.getText().toString(), this.ctx));
  4. The getFlag() function is as follows:

     public static String getFlag(String input, Context ctx) {
         if (input.equals(ctx.getString(R.string.password))) {
             return fenugreek(input);
         return "NOPE";

    It checks if the input is R.string.password, and if it matches then the flag is shown.

  5. Go to R > string > password in the explorer to find public static final int password = 2131427375;. It is accessing resource `2131427375.

  6. Go to Resources > resources.arsc > res > values > strings.xml since the password is probably a string. We find: <string name="password">opossum</string>



Last updated