# \[3] Deploy method hooks using frida REPL

Alright, so - time to move on to DBI and inject Frida into our app!

#### Inject Frida

In the command prompt, navigate to the course scripts directory and type the following:

`frida -U --runtime=v8 -l privatePhotoVault.js -F`

To quickly pick apart the extra arguments we're passing:

* `-U` tells frida to look for a device connected via USB (virtually or otherwise)
* `--runtime=v8` tells frida to use a newer version of JavaScript which has a number of quality of life improvements. I generally always use it.
* `-l privatePhotoVault.js` tells frida to inject our course script with some pre-made functions useful for reversing.
* For more reading on frida command line arguments, see [frida](/frida-tool-reference/frida.md).

This should get you to the following terminal view (hereinafter called the [REPL](/frida-tool-reference/frida.md)):

![](/files/-M-A5kmuF55L6uCFgofl)

If you made it here – excellent! Now, we’re ready to have some fun. If you’ve never written code before, that’s about to change! Don’t worry, we’ll take it slow!

#### Autocomplete / Intellisense

One thing Frida does that can make life a bit easier is provide a bit of good old intellisense. This means when you start typing, an autocomplete box appears which you can navigate with the up and down arrow keys.

![](/files/-M6WX99p7pWCpYEWO4zI)

In [Lab 2](/lab/2-perform-static-analysis-to-locate-some-functions-of-interest.md), we identified the pinsMatch function as a candidate for method hooking, so let's start with that.

#### Get your hooks in!

To apply a method hook, we will use the traceMethod command. traceMethod is from the Raptor iOS tracing script and takes the class name as a string.

`traceMethod('com.github.browep.privatephotovault.crypto.CryptoUtils.pinsMatch')`

If successful, you should see a message from Frida saying:

`Tracing com.github.browep.privatephotovault.crypto.CryptoUtils.pinsMatch [1 overload(s)]`

{% hint style="warning" %}
If a class has multiple implementations of the same function name (each with different parameters), these are called **overloads**. This is common when an application has been obfuscated.
{% endhint %}

Time to see if we are on the right track! Enter the PIN on the device or emulator.

![](/files/-M6WYWSKwY9Sv_3_y8KP)

Excellent, so it appears our pinsMatch function is indeed getting called twice. The parameters are the same, except for argument\[1] which is "pin" and "pin\_decoy".

Now we will head back to our static analysis tool. From here, we have some options. Since our goal is to learn, we'll do a little bit of everything!

* Continue to push through via static analysis, building our understanding up as we go. This option may appeal to those with more programming experience. \[[Lab 4a](/lab/4a-moar-static-analysis.md)]<br>
* Cast a wider net with method hooks, hooking additional functions of interest, or even an entire class worth of functions. \[[Lab 4b](/lab/4b-cast-a-wider-net-with-dbi.md)]<br>
* Go full ham and write a PIN bruteforce, because it's fun (and **relatively** easy!) \[[Lab 4c](/lab/4c-pin-bruteforce.md)]


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://summit-labs.frida.ninja/lab/3-deploy-method-hooks-using-frida-repl.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.