Rating: 4.0
after decompiling the given apk, and reading some of the source code, it's so apparent two of the java code files get input (one for registeration and one for login), and each of those 3 side java files also call a native function with same name each in a native library.
I opened each library using cutter and decompiled the `stringFromJNI` functions and got the strings those returned:
```
http://37.152.186.157/api/login
http://37.152.186.157/api/register
http://37.152.186.157/api/updateCoin
```
the fields passed to these api endpoints are very apparent in java code files.
so... I registered and got a jwt token:
```
$ curl -X POST -d 'name=someone' -d '[email protected]' -d 'password=securitylaughes' http://37.152.186.157/api/register
{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiIxIiwianRpIjoiNGJjMjQ4OTJhYTIzZWRjMzM1YTdjN2NkYmI4OTIwMjlhZjEyMTZjYzRkZDg1NWJhMjQxMDM4MjI4MDQzY2VmY2Y1NzMxMzBjMmIyYTQ2YzgiLCJpYXQiOjE2MDM5ODczNTMsIm5iZiI6MTYwMzk4NzM1MywiZXhwIjoxNjM1NTIzMzUzLCJzdWIiOiIxMjciLCJzY29wZXMiOltdfQ.emDVUrS_haOlprK53U0syul0JTwUWsYEXhH6v2cD1niMExLfPNKzDKYVWTH6ryhmdonVDb-n2R7sb6qpwhbQ33x6a7MrblJlUD2zmViCZ-2YCuzblwpn0waSIpGmihXRmZUboiFxdqQIoeR5h6vB2vNZC0caJ9X66BW6U8AKrNvfUZFFqJl-V_3YJ5xGnZ1IjWrS39q5t7YOHBd7MxUWBLO2P4mkrB9cqWP55Rf7mCyzZ0tawcQgmgoZdlD5Ukz5UppPHHT9JiCEffrj-qRe_r9DKD8pm09AAS8EjgfJBdlld-_IfPRklnaEFphMe3lKhZ-rTt83BKNPkCYEZB5EmMEKIe5eCJUZH2BUSOjB-y3Xj9SCVQcsQdJ5i5Nu_aPnJASllwbw_U3HXY-SW9KZHeV1s-MRIU7ccFywW_Fqve5KSnI3wngj4yoGk7M2MoPznwkEiqfI54eLLD3ZC-ryL0kG7MbwGsJTPMx6QmHyMMVF3IH2b8JvojPDpHFHopDWq-0N1Rgj82Y4AVOKwlLqAUJzqa7UGQ0ZTgJaTBjjNENPf9_5PpC7q4X0xHFDHBtYBJLHo1pDHFK5p-B7MvLgHnJ-ND4_iVu9R2KrTrlMKc-9JHbah9m0wI90hiUYuBeKM3L6PCeJwqrM6F_PBvJvwQB2iltdorUkKNpunWskRhQ","coinCount":null,"message":"Signed Up"}
```
I saved the jwt token in a bash variable `token` for ease of use on later api calls.
now having a token and updateCoin api endpoint, I tried to change the coin amount as asked:
```
$ curl -X POST -H "Authorization: Bearer $token" -H 'Content-Type: application/json' -d "{\"token\": \"$token\", \"coinCount\": \"2000000000000000\"}" http://37.152.186.157/api/updateCoin
{"message":"The purchase was successful","coinCount":"2000000000000000","flag":"ZmRzdnNkRlNEcWUzQFFxZURXRUZEU1ZGU0RTNTVkc2Y1ZmV2c0RGcnEzNSRSI3J3ZnNlZnJ3IyQjJSNA"}
```
and we got the flag: `RaziCTF{ZmRzdnNkRlNEcWUzQFFxZURXRUZEU1ZGU0RTNTVkc2Y1ZmV2c0RGcnEzNSRSI3J3ZnNlZnJ3IyQjJSNA}`
this challenge could've been solved by either frida or wireshark (since http and not secure) too...
