Hardcoding Issues
When you look at the second challenge, the objective says to find out what is hardcoded and where

There are different ways to check the hardcoded values in an Android app, but most popular method is to decompile the APK file and look at the pseudo-source code.
Before directly jumping into decompilation tools, lets learn a few basics.
APK is a package file format used by Android operating system. One could view the contents of the APK file by just unzipping it. Android apps are coded in Java, but when you compile the app using Android Studio, the java code is converted to Dalvik bytecode instead of Java bytecode. All the Java code is collectively compiled into a single Dalvik bytecode file called classes.dex
. Inorder to view the code of an app, we have to decompile the classes.dex
file.
Let's start hunting for the hardcoded value.
Right click the apk file and click Extract Here
option to unzip the file.

Now the contents will be in the directory jakhar.aseem.diva-1.apk_FILES
. (It may differ in your case as the folder is created as per the apk file's name.) Enter the folder and you can see a few folders and files.

As mentioned before, to view the code we have to decompile classes.dex
file. We can use a tool called dex2jar
. It converts Android .dex
file to Java .jar
file. Execute d2j-dex2jar.sh classes.dex
. The command creates a new file classes-dex2jar.jar

Now we can use a Java decompiler to view the code in the created .jar
file. Execute jd-gui classes-dex2jar.jar
. This command create a GUI window and displays the Java pseudo-code of the classes-dex2jar.jar
file. From the name of the challenge we understand that its class name would be something like HardcodeActivity.class. Click on the class file. On viewing the code, it is clearly visible that the app checks for the value vendorsecretkey
.

Type the key in the Android app.

Takeaway
- APK is a file packaging format and could be unzipped
- Java gets compiled to Dalvik bytecode when you build an app
dex2jar
- converts theclasses.dex
file to.jar
filejd-gui
- Java decompiler which can be used to decompile.jar
files and show the pseudo-code contained in them.