
# Lab 1 — Hooking Your First Method in an Android App

In this first lab, we’ll learn how to hook Android application methods using Frida.\
We’ll use a simple CTF‑style number‑guessing app.

***

## **1️⃣ Download & Launch the App**

Download the APK from the attachment given in the CTF, extract it using **7Zip**, and install it on your emulator or rooted device.

The app is a simple “guess the number” challenge.

Trying a number results in:

* ❌ Wrong number → “Try again!”
* ✔️ Correct number → A Base64‑encoded flag is displayed

But instead of guessing numbers manually, we will use **Frida**.

***

## **2️⃣ Inspecting the Source Code**

Relevant part of the Android code:

```kotlin
class MainActivity : AppCompatActivity() {
    private var randomNumber = 0

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)

        // The target number is chosen once, as soon as the activity is created
        randomNumber = generateRandomNumber()
    }

    // Returns a value between 1 and 999
    private fun generateRandomNumber(): Int {
        return Random().nextInt(999) + 1
    }
}
```

Key points:

* The random number is generated on app launch
* The flag appears only if the user enters the correct random number
* So our goal is to hook `generateRandomNumber()` and capture its value

***

## **3️⃣ First Attempt – Basic Hook**

We attach Frida and use a basic script:

```js
Java.perform(function() {
  var MainActivity = Java.use("com.mobilehackinglab.fridaone.MainActivity");

  MainActivity.generateRandomNumber.implementation = function() {
    console.log("Intercepted generateRandomNumber");
  };
});
```

But this fails. Why?

👉 The app expects this method to return a number\
👉 Our hook doesn't return anything → crash or error\
👉 The method has already run during app launch, before we attached

***

## **4️⃣ Fixing the Issue — Hook at App Start Using `-l`**

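Spawn the app under Frida so the script is loaded from the very beginning (`-U` selects the USB device, `-f` spawns the given package, `-l` loads the script):

```bash
frida -U -f com.mobilehackinglab.fridaone -l script.js
```

Now Frida injects the hook before `generateRandomNumber()` is executed.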

***

## **5️⃣ Returning a Custom Value**

Let’s force the method to always return `5`:

```js
Java.perform(function() {
  var MainActivity = Java.use("com.mobilehackinglab.fridaone.MainActivity");

  MainActivity.generateRandomNumber.implementation = function() {
    console.log("Intercepted generateRandomNumber()");
    console.log("Returning 5...");
    return 5;
  };
});
```

Enter **5** → **Flag obtained!**

But this is not enough — the goal is to capture the *original* random number.

***

## **6️⃣ Capturing the Actual Return Value**

To get the real number, we must:

* Call the original method
* Capture the return value
* Return it back to the app so it doesn't crash

Correct script:

```js
Java.perform(function() {
    var MainActivity = Java.use("com.mobilehackinglab.fridaone.MainActivity");

    MainActivity.generateRandomNumber.implementation = function() {
        console.log("This method is hooked");

        // Inside a Frida hook, calling the method on `this` runs the original implementation
        var ret_val = this.generateRandomNumber();
        console.log("The return value is " + ret_val);

        // Hand the original value back so the app behaves normally
        return ret_val;
    };
});
```

This hook:

* Keeps the app working normally
* Shows the actual random number
* Lets you enter the correct number manually

If the output is `499`, enter it → **Flag displayed** 🎉
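
The timing and return-value problems from sections 3, 4 and 6 can be reproduced without a device. The following plain-JavaScript model is an added example, not Frida code and not part of the lab; `makeActivity` and the hook helpers are hypothetical stand-ins for the app's `MainActivity` and for Frida's `implementation` replacement.

```javascript
// Constructed stand-in for the lab's MainActivity: onCreate() calls
// generateRandomNumber() once and stores the result, as in the Kotlin source.
function makeActivity() {
  return {
    randomNumber: 0,
    generateRandomNumber() { return Math.floor(Math.random() * 999) + 1; },
    onCreate() {
      const n = this.generateRandomNumber();
      // Models the JVM's int return type: a hook that returns nothing is an error.
      if (!Number.isInteger(n)) throw new TypeError("expected an int return value");
      this.randomNumber = n;
    },
  };
}

// Replace the method with a pass-through wrapper that records each result,
// the same shape as the hook in section 6.
function installPassThroughHook(activity, seen) {
  const original = activity.generateRandomNumber;
  activity.generateRandomNumber = function () {
    const ret = original.call(this);
    seen.push(ret);
    return ret;
  };
}

// Attach-style: the hook is installed after onCreate() has already run.
function hookAfterLaunch() {
  const activity = makeActivity(), seen = [];
  activity.onCreate();
  installPassThroughHook(activity, seen);
  return { seen, secret: activity.randomNumber };
}

// Spawn-style (frida -f): the hook is in place before onCreate() runs.
function hookBeforeLaunch() {
  const activity = makeActivity(), seen = [];
  installPassThroughHook(activity, seen);
  activity.onCreate();
  return { seen, secret: activity.randomNumber };
}

// Section 3's hook: logs but returns nothing, so the caller gets no int.
function hookWithoutReturn() {
  const activity = makeActivity();
  activity.generateRandomNumber = function () { /* no return */ };
  try { activity.onCreate(); return "ok"; } catch (e) { return e.message; }
}
```

In the model, the late hook records nothing because the only call happened before it existed, while the early hook records exactly the value the activity stored.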


***

## **🔚 Lab 1 Summary**

By the end of this lab, you learned:

✔ What hooking is\
✔ How to inject Frida scripts into Android\
✔ How to override a method return value\
✔ How to capture the original return value\
✔ How to hook methods that run early in the app lifecycle

This lab lays the foundation for the next Frida challenges we solved today.

