droids3
Find the pass, get the flag. Check out this file. You can also find the file in /problems/droids3_0_b475775d8018b2a030a38c40e3b0e25c.
Decompile the APK and look around in a GUI: launch jadx-gui and open three.apk.
The FlagstaffHill class (which contains the getFlag() function) is as follows:
We can see that getFlag() calls nope(). yep() is never called. The yep() function most likely returns the flag.
Run apktool d three.apk --no-res to decompile without resources (decompiling resources was causing build errors).
Edit three/smali/com/hellocmu/picoctf/FlagstaffHill.smali. Change
invoke-static {p0}, Lcom/hellocmu/picoctf/FlagstaffHill;->nope(Ljava/lang/String;)Ljava/lang/String;
to
invoke-static {p0}, Lcom/hellocmu/picoctf/FlagstaffHill;->yep(Ljava/lang/String;)Ljava/lang/String;
Rebuild the application: apktool b three -o recompiled/recompiled_three.apk
Sign the app:
This produces the recompiled_three-aligned-debugSigned.apk file, which can be installed.
Start an AVD. Install the app by dragging the APK to the emulator. Enter any password and click the button to get the flag.
picoCTF{tis.but.a.scratch}
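Added example, not part of the original write-up: a Python sketch of the two smali steps above, listing the methods of a class that no invoke instruction references and retargeting the single call site. The smali input is constructed; MainActivity, buttonClick and the getFlag() descriptor are assumptions, and only the invoke-static line calling nope() is taken from the page.

```python
import re

# Constructed smali, trimmed to what matters: only the invoke-static line that
# calls nope() comes from the write-up; everything else is assumed.
HILL = """\
.class public Lcom/hellocmu/picoctf/FlagstaffHill;
.method public static getFlag(Ljava/lang/String;Landroid/content/Context;)Ljava/lang/String;
    invoke-static {p0}, Lcom/hellocmu/picoctf/FlagstaffHill;->nope(Ljava/lang/String;)Ljava/lang/String;
.end method
.method public static nope(Ljava/lang/String;)Ljava/lang/String;
.end method
.method public static yep(Ljava/lang/String;)Ljava/lang/String;
.end method
"""
MAIN = """\
.class public Lcom/hellocmu/picoctf/MainActivity;
.method public buttonClick(Landroid/view/View;)V
    invoke-static {v0, p0}, Lcom/hellocmu/picoctf/FlagstaffHill;->getFlag(Ljava/lang/String;Landroid/content/Context;)Ljava/lang/String;
.end method
"""

CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*(L[^;\s]+;)", re.M)
METHOD_RE = re.compile(r"^\.method\s+(?:[\w-]+\s+)*([\w$<>-]+\(\S*\)\S+)", re.M)
INVOKE_RE = re.compile(r"invoke-[\w/]+\s+\{[^}]*\},\s*(L[^;\s]+;->[\w$<>-]+\(\S*\)\S+)")

def uncalled_methods(sources, cls):
    """Methods declared in `cls` that no invoke-* instruction in `sources` references."""
    declared, invoked = set(), set()
    for text in sources:
        owner = CLASS_RE.search(text).group(1)
        declared |= {f"{owner}->{sig}" for sig in METHOD_RE.findall(text)}
        invoked |= set(INVOKE_RE.findall(text))
    # Framework callbacks (e.g. click handlers) are invoked by Android itself and
    # would be listed as uncalled, so only the class under review is reported.
    return sorted(m for m in declared - invoked if m.startswith(cls + "->"))

def retarget(text, cls, old, new, desc):
    """Point the single call to cls->old at cls->new; both share descriptor `desc`."""
    before, after = f"{cls}->{old}{desc}", f"{cls}->{new}{desc}"
    if text.count(before) != 1:
        raise ValueError(f"expected exactly one reference to {before}")
    return text.replace(before, after)

if __name__ == "__main__":
    hill = "Lcom/hellocmu/picoctf/FlagstaffHill;"
    desc = "(Ljava/lang/String;)Ljava/lang/String;"
    print(uncalled_methods([HILL, MAIN], hill))
    patched = retarget(HILL, hill, "nope", "yep", desc)
    print(uncalled_methods([patched, MAIN], hill))
```

On a real decode, pass the contents of every .smali file under the apktool output directory as `sources`, since a method may be called from another class.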