timer

Published: April 26, 2023

Description

The TIMER Android APK hides its flag within the Java source. Reverse the application to recover the hard-coded string before the countdown completes.

Install jadx (or another APK decompiler) along with Java if it is not already present.

Decompile timer.apk and search the decompiled sources for picoCTF or timer-related strings.

wget https://artifacts.picoctf.net/c/449/timer.apk
sudo apt install default-jre default-jdk
wget https://github.com/skylot/jadx/releases/download/v1.2.0/jadx-1.2.0.zip && unzip -q jadx-1.2.0.zip
./jadx-1.2.0/bin/jadx-gui timer.apk

Solution

  1. Step 1: Inspect MainActivity
    Within the decompiled sources, MainActivity (or the timer helper class) builds the flag string character by character. The string literal appears plainly.

    APK files (Android Package) are ZIP archives containing compiled Android app code. The code itself is in Dalvik bytecode (inside classes.dex), which is a compact bytecode format for Android's Dalvik/ART virtual machine. Unlike native binaries, Dalvik bytecode decompiles cleanly back to human-readable Java - making Android apps significantly easier to reverse engineer than native C/C++ code.

    jadx is a powerful open-source decompiler that converts .dex bytecode back into Java source code. The GUI version (jadx-gui) provides a navigable source tree, search functionality, and cross-reference analysis. MainActivity is always the entry point of an Android app - it's the first Activity launched when the user opens the app, making it the natural starting point for analysis.

    Hard-coded strings in Android apps are a common security mistake. Developers sometimes embed API keys, secrets, or (in this case) flags directly in the source. Tools like jadx and apktool make these trivially recoverable. In real security audits of Android apps, searching for hard-coded credentials is one of the first steps - the OWASP Mobile Top 10 lists "Insecure Data Storage" as a leading mobile vulnerability.

  2. Step 2: Copy the assembled flag
    Concatenate the displayed pieces (often inside onCreate or verifyFlag) to recreate the picoCTF flag without running the APK.

    Some apps obfuscate strings by building them from multiple concatenated pieces or by applying simple transforms at runtime, making naive string searches miss them. However, decompiling to Java source exposes the construction logic directly - you can trace the flow of the variable that holds the flag through onCreate, helper methods, or static initializers.

    Static analysis (examining code without running it) is often sufficient for simple Android challenges. For more advanced apps with runtime obfuscation, dynamic analysis using tools like Frida (a dynamic instrumentation toolkit) can hook into the running app to capture values after they're computed. Frida lets you inject JavaScript into a running Android process to intercept function calls and read memory - it's an essential tool for advanced Android reversing.

    Other APK analysis tools to know:

    • apktool - decodes resources and smali (Dalvik assembly), useful when jadx decompilation fails
    • MobSF - automated mobile security framework that generates a full static analysis report
    • Ghidra - handles native .so libraries bundled in the APK
    • dex2jar - converts .dex to .jar for analysis with Java-based tools
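    As an added example (not code from the writeup, from jadx, or from the challenge), a small Python pass over jadx-style Java source that folds the literal concatenations and StringBuilder chains described in Steps 1 and 2 back into complete strings, which is also how an auditor finds hard-coded secrets that a plain string search misses. The Java snippet embedded below is constructed for the demo, and the regexes are a deliberate approximation of Java syntax, not a parser.

```python
import re

# Constructed sample in the style of jadx output; it is NOT from the real timer.apk.
SAMPLE_JAVA = r'''
static final String PREFIX = "pico" + "CTF{";
public void onCreate(Bundle savedInstanceState) {
    String middle = "t1m3r_" + "r3\u0076";                // \u0076 is 'v'
    String flag = PREFIX + middle + "_" + "example}";
    sb.append("pico").append("CTF{").append("built_").append("by_sb}");
    String label = "Time remaining: " + secondsLeft;      // runtime value, not recoverable
}
'''

LITERAL = r'"((?:[^"\\]|\\.)*)"'                                  # one Java string literal
ASSIGN = re.compile(r'\bString\s+(\w+)\s*=\s*([^;]+);')          # String name = <expr>;
APPEND = re.compile(r'(?:\.append\(\s*' + LITERAL + r'\s*\))+')  # .append("..").append("..") chain
TOKEN = re.compile(LITERAL + r'|([A-Za-z_]\w*)|(\+)|(\S)')        # literal | identifier | + | other

def unescape(s):
    # Decode Java escapes (\" \\ \n \uXXXX); backslashreplace keeps non-Latin-1 text intact
    return s.encode('latin-1', 'backslashreplace').decode('unicode_escape')

def eval_expr(expr, env):
    # Fold a '+' chain of literals and already-known String variables; None if any operand is dynamic
    parts = []
    for lit, name, plus, other in TOKEN.findall(expr):
        if other or (name and name not in env):   # method call, cast, or runtime variable
            return None
        if name:
            parts.append(env[name])
        elif not plus:
            parts.append(unescape(lit))
    return ''.join(parts)

def recover_strings(src):
    # Returns (variable -> statically resolved value, list of StringBuilder chain values)
    env = {}
    for name, expr in ASSIGN.findall(src):   # source order, so earlier variables resolve later ones
        val = eval_expr(expr, env)
        if val is not None:
            env[name] = val
    builders = [''.join(unescape(s) for s in re.findall(LITERAL, m.group(0)))
                for m in APPEND.finditer(src)]
    return env, builders

def find_flags(src, pattern=r'picoCTF\{[^}]+\}'):
    # Every statically assembled string that contains a complete flag-shaped value, sorted
    env, builders = recover_strings(src)
    return sorted(v for v in list(env.values()) + builders if re.search(pattern, v))
```

    Run `find_flags(open(path).read())` over a .java file jadx exported; only plain `String x = ...;` declarations are followed, so a value that passes through a method call or a non-String field stays unresolved.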

Flag

picoCTF{t1m3r_r3...496}

No dynamic analysis required: jadx reveals the flag literal when you search for “picoCTF”.
