# Lab 4 — Calling Methods of a Non‑Static Class Using Frida

In this chapter, we’ll learn a powerful and very common Frida technique:

#### 👉 **How to create an instance of a non‑static Java class and call its methods directly.**

This allows us to execute functions that the app never calls in its UI — perfect for CTF challenges, pentesting tasks, and reverse‑engineering exercises.

***

## **📱 App Overview**

When launching the APK on the device, we only see a simple **“Hello World!”** text.\
Nothing else seems to happen.

Let’s inspect the decompiled code.

#### **MainActivity**

```kotlin
class MainActivity : AppCompatActivity() {
    // Nothing interesting here
}
```

Nothing is happening in the UI — the flag is definitely not displayed here.

***

## **🔍 Inspecting the Check Class**

Inside the package `com.mobilehackinglab.FridaFour`, we find:

```kotlin
package com.mobilehackinglab.FridaFour

class Check {

    fun getFlag(code: Int): String {
        var result = ""
        if (code == 1337) {
            val xore_str = "X]YnMZGPQJSYTRh"

            for (i in xore_str) {
                result += Char(i.toInt() xor 0x15)
            }
        }
        return result
    }
}
```

#### Key Observations:

✔ `getFlag()` returns the decoded flag\
✔ The string is XOR‑decoded using key **0x15**\
✔ **The function is never called anywhere in the app**\
✔ The flag is only returned when `code == 1337`\
✔ So the only way to get the flag is to **manually call getFlag(1337)**

This is exactly the type of problem Frida is built for.

***

## **📌 The Goal**

We will:

1️⃣ Create a new instance of the `Check` class\
2️⃣ Call the method `getFlag(1337)`\
3️⃣ Capture and print the returned flag

***

## **🛠 Static vs Non‑Static Method (Important Concept)**

In previous labs, we called **static** methods (class-level methods).\
But `getFlag()` is a **non-static** method — meaning:

🔹 It belongs to an object\
🔹 We must create an instance first\
🔹 Then call the method on that instance

This is how it looks in Java:

```java
Check ch = new Check();
String flag = ch.getFlag(1337);
```

Now let’s do the same thing using Frida.

***

## **📜 Frida Template: Calling Non‑Static Methods**

Frida provides a built‑in method called **`$new()`** to instantiate Java classes:

```javascript
Java.perform(function() {
    var ClassRef = Java.use("<package>.<class>");
    var instance = ClassRef.$new();        // Create object
    instance.<method>(args);               // Call method
});
```

***

## **🧪 Writing the Real Script**

#### **Package name:** `com.mobilehackinglab.FridaFour`

#### **Class:** `Check`

#### **Method:** `getFlag(int)`

Here is the full script:

```javascript
Java.perform(function() {

    var check = Java.use("com.mobilehackinglab.FridaFour.Check");

    var check_obj = check.$new(); // Create object instance

    var res = check_obj.getFlag(1337); // Call the method

    console.log("FLAG: " + res);
});
```
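
A more defensive variant of the script above, as an added example rather than the lab author's code: it reuses a live `Check` object when `Java.choose` finds one, falls back to `$new()` otherwise, selects the overload by signature, and reports failures through a callback. The helper name `callOnInstance` and its `bridge` parameter (Frida's global `Java`, passed in so the logic can also be exercised against a stub) are assumptions of this example.

```javascript
// Added example, not the lab's own script. `bridge` is Frida's global `Java`;
// it is a parameter only so the logic can also run against a stub offline.
function callOnInstance(bridge, className, method, argTypes, args, done) {
    bridge.perform(function () {
        var handled = false;

        function invoke(target, created) {
            handled = true;
            var err = null, out = null;
            try {
                // Select the overload by signature instead of relying on dispatch.
                var fn = target[method].overload(...argTypes);
                out = { value: String(fn.apply(target, args)), created: created };
            } catch (e) {
                err = e;
            } finally {
                if (created) target.$dispose(); // release the wrapper made by $new()
            }
            done(err, out);
        }

        try {
            var cls = bridge.use(className); // throws if the class cannot be resolved
            bridge.choose(className, {
                // A live object carries the state the app gave it; use the first one.
                onMatch: function (obj) { invoke(obj, false); return "stop"; },
                // None on the heap (this lab's case): construct one ourselves.
                onComplete: function () { if (!handled) invoke(cls.$new(), true); }
            });
        } catch (e) {
            if (!handled) done(e, null);
        }
    });
}

// Inside Frida (REPL, %load or -l) `Java` exists; elsewhere this block is skipped.
if (typeof Java !== "undefined") {
    callOnInstance(Java, "com.mobilehackinglab.FridaFour.Check", "getFlag", ["int"], [1337],
        function (err, res) {
            console.log(err ? "call failed: " + err : "FLAG: " + res.value);
        });
}
```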

***

## **🚀 Running the Script**

Start Frida and spawn the app:

```
frida -U -f com.mobilehackinglab.FridaFour
```

Paste the script into the REPL or load it with:

```
%load script.js
```

***

## **🏁 Result**

Frida outputs:

```
FLAG: MHL{...}
```

🎉 **Congratulations — you successfully executed an otherwise unreachable method and retrieved the flag.**\
All without modifying the APK or pressing anything in the UI.

***

## **🔚 Lab 4 Summary**

In this lab you learned:

✔ How to instantiate a non‑static Java class with `$new()`\
✔ How to call methods that require object creation\
✔ How to pass arguments to internal functions\
✔ How to extract hidden values from unreachable code\
✔ A key Frida technique used heavily in real-world Android pentesting

