> For the complete documentation index, see [llms.txt](https://omar-4.gitbook.io/omar-khalid/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://omar-4.gitbook.io/omar-khalid/pages/mobile-applications-pentesting/frida-labs-writeups/lab-3-modifying-static-variables-in-singleton-classes.md).

# Lab 3 – Modifying Static Variables in Singleton Classes

In this lab, we analyze and exploit the logic of the **FridaThree** challenge application.\
This challenge introduces a common Android pattern: **a Singleton class with a static field controlling the app’s behavior**.

Your goal was simple:

✅ Modify the static variable `code` so the app reveals the flag\
❌ Without reversing, you cannot reach the required value manually\
🔥 With Frida, this becomes trivial

Let’s walk through the entire process.

***

## **📌 App Logic Overview**

We begin by examining the decompiled code.\
The application contains a `Checker` class implemented as a **Kotlin object**, which behaves like a Java Singleton:

```kotlin
object Checker {
    var code: Int = 0

    fun getCode(): Int {
        return code
    }

    fun increment() {
        code++
    }
}
```

The click‑handler inside `MainActivity` looks like this:

```kotlin
if (Checker.INSTANCE.getCode() == 256) {
    Toast.makeText(this, "Congrats you got the flag", Toast.LENGTH_SHORT).show()

    val decoded = Base64.getDecoder().decode("TUhMe01PRElGSUVEX1ZBUklBQkxFfQ==")
    val decodedString = String(decoded)

    tv.setText(decodedString)
    btn.setEnabled(false)
} else {
    Toast.makeText(this, "Not yet", Toast.LENGTH_SHORT).show()
}

Checker.INSTANCE.increment()
```

#### 🔍 Key Observations

* `code` starts at **0**
* Every button press increments it (0 → 1 → 2 → …)
* You must reach **256** to get the flag\
  → This normally requires **256 clicks**, which the challenge clearly wants you to bypass

The solution? **Set the static field using Frida**.

***

## **1️⃣ Attaching Frida to the App**

Start the app with Frida attached:

```
frida -U -f com.mobilehackinglab.FridaThree
```

Once the Frida prompt loads, we can inject our script.

***

## **2️⃣ Accessing the Singleton Class**

Because Kotlin `object` classes become Java `Singleton` classes, the reference becomes:

```
com.mobilehackinglab.FridaThree.Checker
```

Using Frida:

```javascript
Java.perform(function () {
    var checker = Java.use("com.mobilehackinglab.FridaThree.Checker");
    checker.code.value = 256;
});
```

#### ✔ What this does:

* Loads the Checker singleton class
* Accesses the static variable `code`
* Sets its value to 256 instantly
* Bypasses all app logic and checks

***

## **3️⃣ Triggering the Flag**

Now simply click the button *once* inside the app UI.

The condition:

```
Checker.INSTANCE.getCode() == 256
```

is true, so the app:

* Shows a success Toast
* Decodes the Base64 flag
* Displays it inside the `TextView`
* Disables the button

🎉 **Flag retrieved successfully with zero effort.**

<figure><img src="/files/Mmk32xWXwWiou1hIUo6A" alt=""><figcaption></figcaption></figure>

***

## **🔚 Lab 3 Summary**

This lab demonstrated one of the most common and powerful Frida tactics:

#### ✔ Modifying static variables in Singleton classes

#### ✔ Overriding app logic without modifying the APK

#### ✔ Bypassing counter‑based or increment‑based protections

#### ✔ Quickly reaching protected code paths

This technique is extremely useful for:

* Premium feature unlocks
* Trial/reset bypasses
* CTF reverse engineering
* Logic bypass challenges
* Authentication bypasses tied to counters


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://omar-4.gitbook.io/omar-khalid/pages/mobile-applications-pentesting/frida-labs-writeups/lab-3-modifying-static-variables-in-singleton-classes.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.