When you look at the second challenge, the objective says to find out what is hardcoded and where
There are different ways to check the hardcoded values in an Android app, but most popular method is to decompile the APK file and look at the pseudo-source code.
Before directly jumping into decompilation tools, lets learn a few basics.
APK is a package file format used by Android operating system. One could view the contents of the APK file by just unzipping it. Android apps are coded in Java, but when you compile the app using Android Studio, the java code is converted to Dalvik bytecode instead of Java bytecode. All the Java code is collectively compiled into a single Dalvik bytecode file called
classes.dex. Inorder to view the code of an app, we have to decompile the
Let's start hunting for the hardcoded value.
Right click the apk file and click
Extract Here option to unzip the file.
Now the contents will be in the directory
jakhar.aseem.diva-1.apk_FILES. (It may differ in your case as the folder is created as per the apk file's name.) Enter the folder and you can see a few folders and files.
As mentioned before, to view the code we have to decompile
classes.dex file. We can use a tool called
dex2jar. It converts Android
.dex file to Java
.jar file. Execute
d2j-dex2jar.sh classes.dex. The command creates a new file
Now we can use a Java decompiler to view the code in the created
.jar file. Execute
jd-gui classes-dex2jar.jar. This command create a GUI window and displays the Java pseudo-code of the
classes-dex2jar.jar file. From the name of the challenge we understand that its class name would be something like HardcodeActivity.class. Click on the class file. On viewing the code, it is clearly visible that the app checks for the value
Type the key in the Android app.
- APK is a file packaging format and could be unzipped
- Java gets compiled to Dalvik bytecode when you build an app
dex2jar- converts the
jd-gui- Java decompiler which can be used to decompile
.jarfiles and show the pseudo-code contained in them.