droids3 picoCTF 2019 Solution

Published: April 2, 2026

Description

Dynamic analysis needed for droids3.apk. Use Frida to instrument the app at runtime.

Download the APK and set up an Android emulator with Frida.

```bash
wget <url>/droids3.apk
```

```bash
pip3 install frida-tools
```
1. Step 1: Decompile and identify the target method

Decompile with jadx. Find the password check method in MainActivity. Note the class name and method name - you will hook this with Frida to intercept the expected password.

```bash
jadx droids3.apk -d droids3_java/
```

```bash
cat droids3_java/sources/com/example/droids3/MainActivity.java
```

Frida is a dynamic instrumentation toolkit that lets you inject JavaScript into running Android (and iOS, Linux, Windows) processes. You can hook Java methods, read their arguments and return values, and even replace their implementation.

2. Step 2: Set up Frida on the Android emulator

Start an Android emulator (e.g., from Android Studio AVD), push frida-server to it, and run it. Then install the APK.

```bash
# Download frida-server for Android x86 (match the frida-tools version installed above)
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &
adb install droids3.apk
```

frida-server runs on the Android device and exposes a Frida RPC interface. The frida Python tools on your desktop communicate with it over ADB to inject scripts into target processes.

3. Step 3: Write and run a Frida hook script

Write a Frida script to hook the password check method. When the method is called, print both the user-supplied input and the expected password argument.

```js
// hook.js: intercept MainActivity.check() and log its input and result
Java.perform(function() {
    var MainActivity = Java.use('com.example.droids3.MainActivity');
    MainActivity.check.implementation = function(input) {
        console.log('[*] check() called with: ' + input);
        var result = this.check(input);   // invoke the original method
        console.log('[*] Result: ' + result);
        return result;
    };
});
```

```bash
# -U: use the USB/emulator device, -f: spawn the package, -l: load the script
frida -U -f com.example.droids3 -l hook.js --no-pause
```

Frida's Java API lets you intercept any Java method by class name and method name. Assigning to the `implementation` property replaces the method body; calling `this.method(args)` inside the replacement invokes the original method.

You can also force the check to return true by replacing the implementation with `return true;`, bypassing the password validation entirely.
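A more general tracer, added here as an example rather than taken from the writeup: if the method jadx shows has several overloads, assigning `.implementation` on the bare method name fails, so this hooks every overload and logs all arguments with their declared types and the return value. The class and method names are assumed from the writeup; the log-line formatter is a plain function so the script also loads under Node.js, where `Java` is undefined and the hook part is skipped.

```javascript
// Assumed target names (taken from the writeup; confirm them in the jadx output).
var TARGET_CLASS = 'com.example.droids3.MainActivity';
var TARGET_METHOD = 'check';

// Builds one log line from the argument types, argument values and result.
// Pure function: no Frida dependency, so it can be exercised outside the app.
function formatCall(cls, method, argTypes, args, result) {
  var parts = [];
  for (var i = 0; i < args.length; i++) {
    parts.push(argTypes[i] + ' ' + JSON.stringify(String(args[i])));
  }
  return cls + '.' + method + '(' + parts.join(', ') + ') -> ' +
    JSON.stringify(String(result));
}

// Hooks every overload of cls.method; returns how many were hooked.
function hookAllOverloads(cls, method) {
  var klass = Java.use(cls);
  var overloads = klass[method].overloads;
  overloads.forEach(function (overload) {
    // Declared parameter types of this overload, e.g. java.lang.String
    var argTypes = overload.argumentTypes.map(function (t) { return t.className; });
    overload.implementation = function () {
      var args = Array.prototype.slice.call(arguments);
      var result = overload.apply(this, arguments);   // run the original overload
      console.log('[*] ' + formatCall(cls, method, argTypes, args, result));
      return result;
    };
  });
  return overloads.length;
}

// Only meaningful inside a Frida session (frida -U -f <package> -l <this file>).
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    var n = hookAllOverloads(TARGET_CLASS, TARGET_METHOD);
    console.log('[*] hooked ' + n + ' overload(s) of ' + TARGET_CLASS + '.' + TARGET_METHOD);
  });
}
```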

Flag

picoCTF{...}

Use Frida to hook the password check method at runtime - log or bypass the check to retrieve the flag.
