tictactoe – June 28, 2018, 11:24 a.m.

Congratz, I'm the author of the challenge. Great writeup btw.
You can read the btnChecked function statically, then by knowing that it called 2 testFunction, you can use frida to change the return value of one of those two. It will give you the flag.

---