Rating: 5.0
Congratz, I'm the author of the challenge. Great writeup btw.
You can read the btnChecked function statically, then by knowing that it called 2 testFunction, you can use frida to change the return value of one of those two. It will give you the flag.
