droids1 picoCTF 2019 Solution

Published: April 2, 2026

Description

Find the password in droids1.apk. The password check compares input against a string resource - decompile the APK with jadx to find the password, then enter it in the emulator to get the flag.

Download the APK file.

bash
wget <url>/droids1.apk
  1. Step 1: Decompile with jadx and find the password check
    Decompile droids1.apk with jadx. Open MainActivity and find the getFlag method. It compares the user input against a string fetched from resources via getString(R.string.password). Look in the strings.xml resource file to read the actual password value.
    bash
    jadx droids1.apk -d droids1_java/
    bash
    cat droids1_java/resources/res/values/strings.xml | grep password

    Android app logic lives in Java/Kotlin classes compiled to DEX bytecode. The main entry point is typically MainActivity.java. Button click handlers call validation methods. In jadx, search for methods containing string comparisons (equals(), compareTo()) to find password checks.

  2. Step 2: Find the password construction
    Read the decompiled check method. The password may be: a string literal, built by concatenating string constants, derived from a formula, or loaded from a resource. Extract the exact string.

    Common obfuscation patterns in Android: StringBuilder used to concatenate parts of the password, Base64 decoding of an encoded string at runtime, or character arrays that are harder for decompilers to identify as strings. The jadx decompiler handles most of these transparently.

  3. Step 3: Enter the password in the emulator to get the flag
    Install the APK in an Android emulator using ADB. Launch the app, type the password you found in strings.xml into the text field, and press the button. The app displays the flag when the correct password is entered.
    bash
    adb install droids1.apk
    bash
    # Launch the emulator, open the app, type the password from strings.xml, and press the button

    ADB (Android Debug Bridge) allows you to install, run, and interact with apps on connected devices or emulators. The am start command launches an Activity by its package and class name.

Flag

picoCTF{...}

The password is stored as a string resource in strings.xml - readable by jadx. Enter it in the emulator to display the flag.
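
The lookup from step 1, as an added example that is not part of the original writeup: it resolves each getString(R.string.X) call in decompiled source against strings.xml and marks resource names that look like secrets, which is also a quick pre-release check for an app's own resources. The class name, resource names and values below are constructed stand-ins, and the script assumes jadx left the references in symbolic R.string form.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-ins for jadx output; not the real droids1 sources or values.
SAMPLE_JAVA = """
public class Checker {
    public static String getFlag(String input, Context ctx) {
        String expected = ctx.getString(R.string.password);
        if (input.equals(expected)) {
            return ctx.getString(R.string.success);
        }
        return ctx.getString(R.string.missing_entry);
    }
}
"""
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Demo</string>
    <string name="password">constructed-example-value</string>
    <string name="success">Well done</string>
</resources>
"""

# Symbolic resource references as they appear in decompiled Java.
GETSTRING_REF = re.compile(r"getString\(\s*R\.string\.(\w+)\s*\)")
# Hypothetical heuristic for resource names that suggest an embedded secret.
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|token|api_?key", re.I)


def load_strings(xml_text):
    """Map each <string name="..."> in a strings.xml document to its text."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): "".join(el.itertext()) for el in root.iter("string")}


def resolve_refs(java_source, xml_text):
    """Return (name, value, sensitive) per getString(R.string.X); value None if undefined."""
    strings = load_strings(xml_text)
    names = dict.fromkeys(GETSTRING_REF.findall(java_source))  # ordered de-dup
    return [(n, strings.get(n), bool(SENSITIVE_NAME.search(n))) for n in names]


if __name__ == "__main__":
    for name, value, sensitive in resolve_refs(SAMPLE_JAVA, SAMPLE_STRINGS_XML):
        label = "REVIEW" if sensitive else "ok"
        print(f"[{label}] R.string.{name} = {value!r}")
```

A resource reported with value None is referenced in code but not defined in the strings.xml that was scanned, for example because it lives in another values file.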
