droids3
Problem
Find the pass, get the flag. Check out this file. You can also find the file in /problems/droids3_0_b475775d8018b2a030a38c40e3b0e25c.
Solution
Use JADX to decompile the app and browse it in a GUI. Launch jadx-gui and open three.apk. The FlagstaffHill class (which contains the getFlag() function) is as follows:

    import android.content.Context;

    public class FlagstaffHill {
        // Implemented in native code.
        public static native String cilantro(String str);

        public static String nope(String input) {
            return "don't wanna";
        }

        public static String yep(String input) {
            return cilantro(input);
        }

        // Called by the app; currently routed to nope().
        public static String getFlag(String input, Context ctx) {
            return nope(input);
        }
    }

We can see that getFlag() calls nope(). yep() is never called. The yep() function most likely returns the flag.

Run the following to decompile without resources (decompiling resources was causing build errors):

    apktool d three.apk --no-res

Edit three/smali/com/hellocmu/picoctf/FlagstaffHill.smali. Change

    invoke-static {p0}, Lcom/hellocmu/picoctf/FlagstaffHill;->nope(Ljava/lang/String;)Ljava/lang/String;

to

    invoke-static {p0}, Lcom/hellocmu/picoctf/FlagstaffHill;->yep(Ljava/lang/String;)Ljava/lang/String;

Rebuild the application:

    apktool b three -o recompiled/recompiled_three.apk

Use the latest release of patrickfav/uber-apk-signer to sign the app:

    wget https://github.com/patrickfav/uber-apk-signer/releases/download/v1.1.0/uber-apk-signer-1.1.0.jar
    java -jar uber-apk-signer-1.1.0.jar --apks recompiled

This produces the recompiled_three-aligned-debugSigned.apk file, which can be installed.

Start an AVD in Android Studio. Install the app by dragging the APK onto the emulator. Enter any password and click the button to get the flag.
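
The observation that drives this solution, that yep() is never called, can be checked mechanically over the smali that apktool produces. The following is an added example, not part of the original writeup: the smali text is constructed to mirror the class shown above, and MainActivity with its buttonClick method is a hypothetical caller.

```python
import re

CLASS_RE = re.compile(r"^\.class .*?(L[\w/$]+;)", re.M)
METHOD_RE = re.compile(r"^\.method .*?([\w$<>]+\(\S*\)\S+)$", re.M)
INVOKE_RE = re.compile(r"^\s*invoke-\S+ \{[^}]*\}, (L[\w/$]+;->\S+)", re.M)

def uncalled_methods(sources, target_class):
    """Methods defined in target_class that no invoke-* in any source targets.
    Reflection, JNI and framework callbacks are invisible to this check."""
    defined, called = set(), set()
    for text in sources.values():
        cls = CLASS_RE.search(text).group(1)
        if cls == target_class:
            defined |= {f"{cls}->{m}" for m in METHOD_RE.findall(text)}
        called |= set(INVOKE_RE.findall(text))
    return sorted(m.split("->")[1] for m in defined - called)

HILL = "Lcom/hellocmu/picoctf/FlagstaffHill;"
STR = "Ljava/lang/String;"
# Constructed smali modelled on the class above; not real apktool output.
# MainActivity and its buttonClick method are hypothetical.
SAMPLE = {
    "FlagstaffHill.smali": f"""
.class public {HILL}
.method public static native cilantro({STR}){STR}
.end method
.method public static nope({STR}){STR}
    const-string v0, "don't wanna"
    return-object v0
.end method
.method public static yep({STR}){STR}
    invoke-static {{p0}}, {HILL}->cilantro({STR}){STR}
    move-result-object v0
    return-object v0
.end method
.method public static getFlag({STR}Landroid/content/Context;){STR}
    invoke-static {{p0}}, {HILL}->nope({STR}){STR}
    move-result-object v0
    return-object v0
.end method
""",
    "MainActivity.smali": f"""
.class public Lcom/hellocmu/picoctf/MainActivity;
.method public buttonClick(Landroid/view/View;)V
    invoke-static {{v0, p0}}, {HILL}->getFlag({STR}Landroid/content/Context;){STR}
    return-void
.end method
""",
}

if __name__ == "__main__":
    print(uncalled_methods(SAMPLE, HILL))
```

On a real tree, build the sources dictionary by reading every .smali file under three/smali and pass the class descriptor of interest.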
Flag
picoCTF{tis.but.a.scratch}