# Click Me

This was a "clicker" mobile application. The goal was to get more than 99999999 clicks.

After decompiling the APK, we could see the following relevant part of the source code.

```java
public final void cookieViewClick(View view) {
    int i = this.CLICKS + 1;
    this.CLICKS = i;
    if (i >= 13371337) {
        this.CLICKS = 13371337;
    }
    ((TextView) findViewById(R.id.cookieCount)).setText(String.valueOf(this.CLICKS));
}

public final void getFlagButtonClick(View view) {
    Intrinsics.checkNotNullParameter(view, "view");
    if (this.CLICKS == 99999999) {
        Toast.makeText(getApplicationContext(), getFlag(), 0).show();
        return;
    }
    Toast.makeText(getApplicationContext(), "You do not have enough cookies to get the flag", 0).show();
}
```

We could find the instruction where `CLICKS` is compared with 99999999, patch it, and recompile the APK. Looking at the Smali code, we see the following portion that corresponds to the check in `getFlagButtonClick`.

```smali
.line 34
iget p1, p0, Lcom/example/clickme/MainActivity;->CLICKS:I

const/4 v0, 0x0

const v1, 0x5f5e0ff

if-ne p1, v1, :cond_0

.line 35
invoke-virtual {p0}, Lcom/example/clickme/MainActivity;->getFlag()Ljava/lang/String;
```

In a nutshell, if the current number of clicks is not equal to 0x5f5e0ff (99999999), the code jumps over the `getFlag()` call to the `cond_0` label somewhere below.

All we have to do is to change this instruction to

```smali
if-gt p1, v1, :cond_0
```

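and [recompile the APK](https://gist.github.com/PuKoren/d0ec0c98350c0e92f467). Because `cookieViewClick` caps `CLICKS` at 13371337, the counter can never be greater than 99999999, so the jump to `cond_0` is never taken and `getFlag()` is always called. Now the check is bypassed!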

![](/files/ojayg9gLR3UZLm4DHsxG)
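The following is an added example, not part of the original writeup: a small Python model of the check that parses the Smali fragment above and works out, for each Dalvik two-register compare branch, whether any `CLICKS` value the unmodified click handler can produce falls through to `getFlag()`. It goes beyond the single `if-gt` patch by covering all six opcodes; the names `parse_check`, `flag_reachable`, `analyse` and `CLICK_CAP` are hypothetical.

```python
import re

# Smali fragment copied from the page (the check in getFlagButtonClick).
SMALI = """\
iget p1, p0, Lcom/example/clickme/MainActivity;->CLICKS:I
const/4 v0, 0x0
const v1, 0x5f5e0ff
if-ne p1, v1, :cond_0
invoke-virtual {p0}, Lcom/example/clickme/MainActivity;->getFlag()Ljava/lang/String;
"""

CLICK_CAP = 13371337  # cookieViewClick clamps CLICKS to this value

# Dalvik two-register branches: the jump is taken when the predicate holds.
BRANCHES = {
    "if-eq": lambda a, b: a == b,
    "if-ne": lambda a, b: a != b,
    "if-lt": lambda a, b: a < b,
    "if-ge": lambda a, b: a >= b,
    "if-gt": lambda a, b: a > b,
    "if-le": lambda a, b: a <= b,
}

def parse_check(smali):
    """Return (opcode, constant) for the first conditional branch in the fragment."""
    consts = {}
    for line in smali.splitlines():
        m = re.match(r"\s*const(?:/\w+)?\s+(\w+),\s*(-?0x[0-9a-fA-F]+)", line)
        if m:
            consts[m.group(1)] = int(m.group(2), 16)
            continue
        m = re.match(r"\s*(if-\w+)\s+(\w+),\s*(\w+),\s*:(\w+)", line)
        if m:
            return m.group(1), consts[m.group(3)]
    raise ValueError("no conditional branch found")

def flag_reachable(opcode, constant, cap=CLICK_CAP):
    """True if some CLICKS value in 0..cap skips the jump and reaches getFlag()."""
    jumps = BRANCHES[opcode]
    # Each predicate is a comparison against one constant, so the range ends
    # and the constant's neighbours cover every distinct outcome in 0..cap.
    candidates = {0, cap, constant - 1, constant, constant + 1}
    return any(not jumps(c, constant) for c in candidates if 0 <= c <= cap)

def analyse(smali):
    _, constant = parse_check(smali)
    return {op: flag_reachable(op, constant) for op in BRANCHES}
```

With the page's values, the original `if-ne` is the case where the flag path is unreachable, since the counter stops at 13371337 and never equals 99999999, while `if-gt` leaves it reachable.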

