picoCTF Solutions
picoCTF 2019Reverse EngineeringHard

droids2 picoCTF 2019 Solution

Published: April 2, 2026

Description

Find the flag in droids2.apk. A native library is involved.

Setup

Download the APK file.

bash
wget <url>/droids2.apk

Solution

Walk me through it
  1. Step 1Decompile the APK and identify the native call
    Decompile with jadx. Find the MainActivity - it will show a method declared with the 'native' keyword. This method is implemented in a shared library (.so file) bundled in the APK.
    bash
    jadx droids2.apk -d droids2_java/
    bash
    grep -r 'native' droids2_java/
    bash
    unzip droids2.apk -d droids2_raw/
    bash
    ls droids2_raw/lib/
    Learn more

    Android Native Interface (JNI) allows Java/Kotlin code to call C/C++ functions in .so shared libraries. The Java method is marked native and Android links it to the corresponding JNI function in the .so file at runtime.

    The .so files live in lib/armeabi-v7a/, lib/arm64-v8a/, or lib/x86/ inside the APK. For analysis, use the x86 version if available, as it is easier to analyze on a desktop system.

  2. Step 2Analyze the .so with Ghidra
    Load the .so file into Ghidra. Find the JNI function (it will have a name like Java_com_example_droids2_MainActivity_nativeCheck). Analyze it to find the hardcoded password or flag.
    bash
    ls droids2_raw/lib/x86/
    bash
    # Open the .so in Ghidra
    bash
    ghidra &
    Learn more

    JNI function naming convention: Java_ + package name (dots replaced with underscores) + _ + class name + _ + method name. For example, Java_com_example_droids2_MainActivity_getFlag.

    In Ghidra, use the Symbol Tree (Window > Symbol Tree) to navigate to the JNI function. The decompiled view shows the C logic. Look for string literals, character arrays, or XOR operations that produce the flag.

  3. Step 3Extract the flag from the native code
    Read the flag from the Ghidra decompilation. It may be a hardcoded string or computed from a simple algorithm.
    Learn more

    Native library analysis is harder than Java analysis because decompilation loses more information (variable names, types). However, string literals, function calls, and control flow are usually clear enough to extract the relevant logic.

Flag

picoCTF{...}

Unzip the APK to get the .so file, then use Ghidra to find the hardcoded flag in the JNI native function.

Want more picoCTF 2019 writeups?

Browse picoCTF 2019Full library

Useful tools for Reverse Engineering

Related reading

What to try next