Android Reverse Enginnering#1

I was given two android application to find the flag from it.

The flag format is in userid:password.

Lets start..

Crepe

Application 1 : Backdoor1.apk

I installed the first application on emulator and the application asks for a username and password. I have to find out that.

Crepe

First, i used apktool to decompile the android application.

apktool d Backdoor1.apk -o Backdoor1

After that i checked the strings.xml file, and i found some username and password from there.

Crepe

But to confirm this i used jadx to reverse engineer the application and verified that the username and password found in strings.xml are the correct credentials needed by the application.

#Login function
public void onClick(View view) {
    if (!TaskActivity.this.edtUserName.getText().toString().equals(TaskActivity.this.getResources().getString(R.string.Ustr)) || !TaskActivity.this.edtPassword.getText().toString().equals(TaskActivity.this.getResources().getString(R.string.Pstr))) {
         Toast.makeText(TaskActivity.this, "Please enter valid data!", 1).show();
         return;
    }
    Intent mIntent = new Intent(TaskActivity.this, SuccessActivity.class);
    Toast.makeText(TaskActivity.this, "You gotchhha!!", 1).show();
    TaskActivity.this.startActivity(mIntent);
    TaskActivity.this.finish();
 }

This was an easy find.

Note : strings.xml file is an important file. most of the time some important information will be leaked there.

Flag : RandomUser1:Rand0mP@ss1

Application 2 : Backdoor2.apk

Installed the second application on emulator and it was similar to first challenge. After opening the application there is a login activity which asks for username and password. We have to find that.

Crepe