
# Lab 2 – Hooking Class Fields & Modifying App Logic

In this lab, we move beyond hooking simple methods and learn how to **modify class fields** at runtime using Frida.\
This is extremely common in Android security challenges, especially in crackmes, premium unlocks, and bypassing boolean checks.

***

## **📌 Challenge Description**

We are given an Android application from the Mobile Hacking Lab “FridaTwo”.\
The app has a hidden flag that is only revealed when `showFlag()` is triggered under special conditions.

Inside the APK, we identify the relevant code:

```java
public class MainActivity extends AppCompatActivity {

    private int code = 123;

    public void showFlag() {
        if (code == 256) {
            Toast.makeText(this, "Flag: XYZ123", Toast.LENGTH_LONG).show();
        } else {
            Toast.makeText(this, "Wrong Code", Toast.LENGTH_LONG).show();
        }
    }
}
```

Key insight:

* A private class field `code` controls the flag
* `showFlag()` only works when `code == 256`
* We cannot modify the field directly inside the UI
* So we will modify the internal class variable using **Frida**

***

## **1️⃣ Attaching to the App**

Run the app, then attach:

```
frida -U -n com.mobilehackinglab.fridatwo
```

***

## **2️⃣ Hooking the Class & Changing the Field**

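Frida allows us to access class fields through `.value`. Because `code` is an instance field (it is not `static`), it has to be set on a live `MainActivity` object, which `Java.choose` locates on the heap.

```javascript
Java.perform(function () {
    // `code` is an instance field, so find the live MainActivity object first
    Java.choose("com.mobilehackinglab.fridatwo.MainActivity", {
        onMatch: function (instance) {
            instance.code.value = 256;    // Modify private field
        },
        onComplete: function () {}
    });
});
```

Explanation:

* `Java.choose` scans the heap and calls `onMatch` for each live `MainActivity` instance
* `instance.code.value` accesses the private field on that object
* We directly set the value to `256`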

Now the app logic thinks the correct code has been entered.

***

## **3️⃣ Triggering the Flag**

After running the hook, simply trigger any UI action that calls:

```
showFlag()
```

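or call it manually from Frida. `showFlag()` is an instance method that displays a Toast, so it is invoked on the live instance from the app's main thread:

```javascript
Java.perform(function () {
    // Toasts must be created on the UI thread
    Java.scheduleOnMainThread(function () {
        Java.choose("com.mobilehackinglab.fridatwo.MainActivity", {
            onMatch: function (instance) { instance.showFlag(); },
            onComplete: function () {}
        });
    });
});
```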

You now get:

```
Flag: <hidden_flag_here>
```

***

## **🔚 Lab 2 Summary**

In this lab, you learned a powerful technique:

#### ✔ Modifying private fields at runtime

#### ✔ Bypassing logic checks without touching the APK

#### ✔ Calling application methods manually from Frida

#### ✔ Understanding how Frida interacts with Java object instances

This technique is essential when dealing with:

* License checks
* Boolean logic bypasses
* Feature unlocking
* CTF crackmes
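
Why the check in this lab falls to a single field write, and what changes when the decision is made off-device, shown as an added example that is not code from the lab or the app. It assumes plain Java with hypothetical names (`LocalGate`, `RemoteGate`, `Server`, `session-1`), uses reflection as a stand-in for the runtime field write, and models the backend as an in-process class.

```java
import java.lang.reflect.Field;
import java.util.Map;

public class FieldGateDemo {

    // Same shape as the lab's MainActivity; the Toast is replaced by a return value.
    static class LocalGate {
        private int code = 123;
        String showFlag() {
            return code == 256 ? "Flag: XYZ123" : "Wrong Code";
        }
    }

    // Constructed stand-in for a backend: it keeps its own record per session
    // and never reads anything from the client's memory.
    static class Server {
        private static final Map<String, Integer> CODE_BY_SESSION = Map.of("session-1", 123);
        static String showFlag(String session) {
            Integer code = CODE_BY_SESSION.get(session);
            return code != null && code == 256 ? "Flag: <issued by server>" : "Wrong Code";
        }
    }

    // Hardened client: the local field is only a cached copy and is not trusted.
    static class RemoteGate {
        private int code = 123;
        private final String session = "session-1";
        String showFlag() {
            return Server.showFlag(session);
        }
    }

    // Reflection stands in for the runtime field write described in the lab.
    static void overwriteCode(Object target, int value) throws ReflectiveOperationException {
        Field f = target.getClass().getDeclaredField("code");
        f.setAccessible(true);
        f.setInt(target, value);
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        LocalGate local = new LocalGate();
        RemoteGate remote = new RemoteGate();
        overwriteCode(local, 256);
        overwriteCode(remote, 256);
        System.out.println("local gate : " + local.showFlag());   // decision read from client memory
        System.out.println("remote gate: " + remote.showFlag());  // decision read from the server record
    }
}
```

The same write is applied to both objects; only the gate that reads its decision from process memory changes its answer, and the flag string no longer ships inside the client at all.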

