We start off with a single APK. Running it through jadx-gui, we quickly find a list of API endpoints (some without the actual URL) in APIInterface and a base URL of (found in Utils):

- PostUserProf: no URL yet
- getConf: api/get_config/{rolid}
- getDex: api/get_dex/{dex}
- getReg: api/userClass/register/{name}
- getShopItem: no URL yet
- getShopOrder: no URL yet
- getShopOrderD: no URL yet
- getUserProf: no URL yet

Following the logic in SplashScreen, we register a user for ourselves and receive an encryption key, a role ID, and a UUID that serves as our authentication token.