Objection Practical - Invoking Method using Objection


I have challenged myself to use the tool Objection to solve the labs in the Android Frida Labs created by MobileHackingLab. For those of you who aren't familiar with Frida, the course is very easy to follow and teaches you the basic concepts of using Frida during a mobile application pentest.


Yesterday I wrote about how to hook and watch methods using Objection. You can read the article here: https://www.dhirubhai.net/pulse/objection-practical-introduction-hooking-watching-using-syuhada-6rzic/

Now we will continue with the next topic: invoking a method. I recommend that you read the material from the course and practice using Frida before using Objection, as this article will not cover the Frida part.

Prerequisites:

  1. Android Studio Emulator or any other emulator (e.g. NOX)
  2. Frida server on the Android emulator
  3. Frida-tools on your laptop/PC
  4. Objection installed on your laptop
  5. Enroll in the course here (it's free): https://www.mobilehackinglab.com/course/android-frida-labs
  6. Download app-debug.rar from the section "Invoking a method using Frida".



1. Running objection

objection -g com.mobilehackinglab.fridatwo explore


2. List all activities

android hooking list activities


3. List class methods from class MainActivity

android hooking list class_methods com.mobilehackinglab.fridatwo.MainActivity

There is a static method decryptFlag() and a static void method showFlag().


Checking the code using jadx-gui, we can see that showFlag() is never called by the activity.
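
The jadx check above can be automated as a release-review step. The following is an added example, not code from this article or from the lab: it lists methods that are declared in a decompiled class but never called within it. The sample source is constructed (the lab's real source is not shown here), `uncalled_methods` is a hypothetical helper name, and the matching is a regex heuristic rather than a Java parser.

```python
import re

# Constructed stand-in for jadx output (assumption): the lab's real source is not
# reproduced on the page, only the method names showFlag() and decryptFlag().
SAMPLE_SOURCE = '''
public class MainActivity extends AppCompatActivity {
    private static TextView t1;
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        t1 = (TextView) findViewById(R.id.textview);
        // showFlag() is intentionally not wired to any button
    }
    public static void showFlag() {
        t1.setText(decryptFlag("constructed-ciphertext"));
    }
    static String decryptFlag(String input) {
        return input;
    }
}
'''

# String literals and comments are blanked so mentions inside them are not calls.
NOISE = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)
# Optional annotations, modifiers, return type, then "name(params) {".
DECL = re.compile(
    r'^[ \t]*((?:@\w+\s+)*)'
    r'(?:(?:public|protected|private|static|final|synchronized|native)\s+)*'
    r'[\w<>\[\].]+\s+(\w+)\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\s*\{', re.M)
CONTROL_WORDS = {'if', 'for', 'while', 'switch', 'catch'}

def uncalled_methods(java_source):
    """Names of methods declared in java_source that nothing in it calls."""
    code = NOISE.sub(lambda m: '""' if m.group(0)[0] == '"' else ' ', java_source)
    decls = {}  # method name -> one bool per declaration: is it an @Override?
    for m in DECL.finditer(code):
        if m.group(2) not in CONTROL_WORDS:
            decls.setdefault(m.group(2), []).append('@Override' in m.group(1))
    flagged = []
    for name, overrides in decls.items():
        if any(overrides):  # framework callbacks are invoked by Android itself
            continue
        mentions = len(re.findall(r'\b%s\s*\(' % re.escape(name), code))
        if mentions == len(overrides):  # only the declarations mention it
            flagged.append(name)
    return sorted(flagged)

if __name__ == '__main__':
    print(uncalled_methods(SAMPLE_SOURCE))
```

A method flagged here is still reachable through instrumentation, as the following steps show, so sensitive leftovers are better removed from release builds than left unreferenced.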


4. Get the instance's hashcode

Objection has an “android heap” command that can be used to call methods. But first we need to know the hashcode of the MainActivity instance.

android heap search instances com.mobilehackinglab.fridatwo.MainActivity


We get the hashcode: 85345637


5. Using “android heap execute” we can call the method showFlag

android heap execute <hashcode> <methods>

android heap execute 85345637 showFlag


6. Alternatively, we can use “android heap evaluate” to execute a script

android heap evaluate <hashcode>

android heap evaluate 85345637


  • Add the code:

// showFlag() is static, so it can be called on the class wrapper returned by Java.use()
var i = Java.use("com.mobilehackinglab.fridatwo.MainActivity");
i.showFlag();

  • Press [Esc] and then [ENTER].





This article series is part of the #menulis100hari process.

~Bandung, 12 February 2025

~17/100


Bima Ikhsan

Bug Hunter | Penetration Tester | Cyber Security Enthusiast

3 weeks

Alvin Dhiyaul Hayyi, here, use this

Nice follow up with clear solutions, keep up the good work!
