droids4 picoCTF 2019 Solution

Published: April 2, 2026

Description

The hardest Android challenge. Multiple layers of protection in droids4.apk.

Download the APK file.

```bash
wget <url>/droids4.apk
```
  1. Step 1: Static analysis: decompile and map the app
    Start with jadx decompilation. Understand the app structure: where is the password validation? Does it involve native code, obfuscated strings, reflection, or runtime class loading?
    ```bash
    jadx droids4.apk -d droids4_java/
    unzip droids4.apk -d droids4_raw/
    ls droids4_raw/
    ```

    Advanced Android protections may include: ProGuard/R8 obfuscation (class/method name mangling), string encryption (strings decrypted at runtime), reflection (dynamic method calls), DexGuard (commercial obfuscator), and APK split/multi-dex.

    Start by finding the entry point (MainActivity), then trace all function calls from the button click handler inward to find the validation logic.

  2. Step 2: Analyze native libraries
    Unzip the APK and examine any .so files in the lib/ directory. Load them in Ghidra and look for the JNI entry points. The flag validation may be entirely in native code.
    ```bash
    ls droids4_raw/lib/
    file droids4_raw/lib/x86/*.so
    strings droids4_raw/lib/x86/*.so | grep -i pico
    ```

    Even in obfuscated native code, string literals are often stored in plain text in the .rodata section. The strings command extracts printable sequences of 4+ characters from any file, which can quickly reveal hardcoded flags or keys.
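The following triage helper is an added example, not code from the writeup or from the challenge: it serves Step 1 (flagging the protection indicators listed above, such as reflection, runtime class loading and native calls, in a jadx output tree) and Step 2 (re-implementing the `strings` scan over a native library and filtering for flag-shaped text). The indicator regexes, the `picoCTF{...}` pattern, the JNI symbol name and the byte blob used as sample input are all constructed here for illustration and are not taken from droids4.apk.

```python
"""Triage helper for decompiled Android apps (added example, not from the writeup)."""
import os
import re

# Indicators of the protection layers named in the writeup. The patterns are
# this helper's own assumptions, not something droids4.apk is known to use.
INDICATORS = {
    "reflection": re.compile(r"Class\.forName|getDeclaredMethod|\.invoke\("),
    "runtime_class_loading": re.compile(r"DexClassLoader|PathClassLoader|InMemoryDexClassLoader"),
    "native_code": re.compile(r"System\.loadLibrary|\bnative\s+\w+\s+\w+\("),
    "string_decryption": re.compile(r"Base64\.decode|Cipher\.getInstance|\bxor\b", re.I),
}


def scan_java_sources(sources):
    """sources: iterable of (relative_path, text) pairs from a jadx output tree.
    Returns {indicator_name: [(path, line_no, stripped_line), ...]} so the
    analyst can jump straight to the reflection/native/decryption sites."""
    hits = {name: [] for name in INDICATORS}
    for path, text in sources:
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, pattern in INDICATORS.items():
                if pattern.search(line):
                    hits[name].append((path, lineno, line.strip()))
    return hits


def find_protection_indicators(java_root):
    """Walk a directory produced by `jadx <apk> -d java_root` and scan every .java file."""
    def read_tree():
        for dirpath, _, files in os.walk(java_root):
            for fname in files:
                if fname.endswith(".java"):
                    full = os.path.join(dirpath, fname)
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        yield os.path.relpath(full, java_root), fh.read()
    return scan_java_sources(read_tree())


# Printable ASCII (space through '~'), the same class `strings` keeps by default.
PRINTABLE = set(range(0x20, 0x7F))


def extract_strings(data, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, like `strings`.
    Obfuscators usually mangle names, not the .rodata literals, so this is the
    cheap first pass over any .so in lib/."""
    found, run = [], bytearray()
    for byte in data:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:  # a run that ends at EOF
        found.append(run.decode("ascii"))
    return found


def flag_candidates(data, pattern=r"picoCTF\{[^}]*\}"):
    """Strings in a binary blob that match a flag-shaped regex (the pattern is an assumption)."""
    regex = re.compile(pattern)
    return [s for s in extract_strings(data) if regex.search(s)]


# Constructed sample: a fake ELF-like blob with a JNI export name and a
# flag-shaped literal embedded between non-printable bytes. Not a real library.
SAMPLE_SO = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Java_com_example_droids4_MainActivity_check\x00"
    + b"\x01\x02\x03"
    + b"picoCTF{constructed_sample}\x00"
    + b"\xff" * 8
)

if __name__ == "__main__":
    print(extract_strings(SAMPLE_SO))
    print(flag_candidates(SAMPLE_SO))
```

Run it against real output with `find_protection_indicators("droids4_java/")` and `flag_candidates(open("droids4_raw/lib/x86/libfoo.so", "rb").read())`; the hit lists tell you which files to open in jadx first and whether the flag literal is sitting in plain text before you reach for Ghidra.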

  3. Step 3: Dynamic analysis with Frida
    If static analysis is insufficient, use Frida to hook key methods at runtime. Hook the final comparison or any method that receives the flag string. Use frida-trace to automatically trace all method calls.
    ```bash
    frida-trace -U -f com.example.droids4 -j '*!check*'
    frida-trace -U -f com.example.droids4 -j '*!*' -J '*!equals*'
    ```

    frida-trace automatically generates hook scripts for matched methods and prints their arguments. The -j flag matches Java methods by class and method name pattern. This is useful when you need to discover which method to hook without reading all the source first.

    For APK patching: use apktool to decompile, modify the smali to bypass the check or log the expected value, recompile with apktool b, sign with a debug certificate, and install the patched APK.

Flag

picoCTF{...}

Combine static analysis (jadx + Ghidra) with dynamic analysis (Frida hooks) to extract the flag through multiple protection layers.
