Young Mario was playing around with Android and wrongly built his app and crashed his app. Help him recover the flag he put in his server.

Xiomara_2k18.apk

We will decompile the apk. There are lots of different methods you can use like changing the extension to .zip and extracting .dex file and using dex2class or dex2jar etc. You can also decompile the resources using apktool. However, I got lazy and used this website which worked really fine. After downloading the decompiled files, we are ready to go.

Let’s check the MainActivity.java to understand the application’s logic.

We see that the application makes an http request as follows:

So, we need to find out what md5() call returns. When we look inside of the function, we see that it returns the md5 of getString(C0220R.string.mykey). Let’s look at res/values/strings.xml file.

We see mykey is h4ck3r801. Let’s calculate its md5 and make an request to see what the server returns for the correct apikey.

Here we got the flag xiomara{4ndr01d_15_1n_my_dn4}.