Objection Practical - Changing the value of static variable

I have challenged my self to use tool Objection to solve the labs on the Android Frida Labs created by MobileHackingLab. For you that don't familiar with frida, the course is very easy to follow and teach you basic concept of using frida during mobile application pentest.

Now, we will continue with the next topic, Changing the value of static variable. I recommend you to read the material from the course and practice using frida before using Objection as this article will not cover the frida part.

We have covered the information of using android heap evaluate on previous article. It can be used to execute frida script on-the-fly. We will use the same feature to change value of static variable. Please take a note that using command "android heap" in objection is often unstable.

Prequisite :

1. Android studio Emulator or any other Emulator eg;( NOX
2. Frida server on android emulator
3. Frida-tools on your laptop/PC
4. Objection installed on your laptop
5. Enroll course here (it's free) https://www.mobilehackinglab.com/course/android-frida-labs.
6. Download app-debug.rar from section "Changing the value of a static variable".

1.?????? Running objection

objection -g com.mobilehackinglab.FridaThree explore

2.?????? List all activities

android hooking list activities

3.?????? Search classes inside package

android hooking search classes com.mobilehackinglab.FridaThree

4.?????? List class methods from class MainActivity

android hooking list class_methods com.mobilehackinglab.FridaThree.MainActivity

5.?????? List class methods from class Checker

android hooking list class_methods com.mobilehackinglab.FridaThree.Checker

6.?????? Checking jadx-gui

We can see on the onClick, it is call method onCreate$lambda$0().

The method itself have the logic that checking the getCode() return if it value is 256 then the flag will be displayed.

At the end of method, it also calling the increment() method from Checker

Check the checker class

It instantiate with no value, because of the integer type it defaults to 0.

getCode() is only returning the code

increment() is adding 1 to current code.

We can use evaluate to call the checker class and set the code variable to 256.

7.?????? Check the hashcode of current activity

android heap search instances com.mobilehackinglab.FridaThree.MainActivity

We got the hashcode : 203998512

8.?????? Use heap evaluate to run code

android heap evaluate 203998512

Below is the code :

var i = Java.use("com.mobilehackinglab.FridaThree.Checker");

i.code.value = 256;

or

Java.perform(function (){

var i = Java.use("com.mobilehackinglab.FridaThree.Checker");

i.code.value = 256;

})

?

[ESC] + [ENTER] to save

Open the app and click button “Click me”

?This article series is part of #menulis100hari process.

~Bandung , 15 February 2025

~18/100