Find the pass, get the flag. Check out this file. You can also find the file in /problems/droids3_0_b475775d8018b2a030a38c40e3b0e25c.


  1. The FlagstaffHill class (contains getFlag() function) is as follows:

     public class FlagstaffHill {
         public static native String cilantro(String str);
         public static String nope(String input) {
             return "don't wanna";
         public static String yep(String input) {
             return cilantro(input);
         public static String getFlag(String input, Context ctx) {
             return nope(input);

    We can see that getFlag() calls nope(). yep() is never called. The yep() function most likely returns the flag.

  2. Run apktool d three.apk --no-res to decompile without resources (decompiling resources was causing build errors).

  3. Edit three/smali/com/hellocmu/picoctf/FlagstaffHill.smali: Change invoke-static {p0}, Lcom/hellocmu/picoctf/FlagstaffHill;->nope(Ljava/lang/String;)Ljava/lang/String; to invoke-static {p0}, Lcom/hellocmu/picoctf/FlagstaffHill;->yep(Ljava/lang/String;)Ljava/lang/String;

  4. Rebuild the application: apktool b three -o recompiled/recompiled_three.apk

  5. Use patrickfav/uber-apk-signer latest release to sign the app:

     wget https://github.com/patrickfav/uber-apk-signer/releases/download/v1.1.0/uber-apk-signer-1.1.0.jar
     java -jar uber-apk-signer-1.1.0.jar --apks recompiled

    This produces the recompiled_three-aligned-debugSigned.apk file, which can be installed.



Last updated