The goal of this challenge is to change the app’s runtime behavior so the protection method returns true and the treasure is unlocked and the flag is revealed. - The steps below show my solution

Note: Im not patching the application binary because of the requirements is to solve the lab using dynamic analysis only.

- By looking at the application UI there is one button, and it is mostly the button which is linked with the target method. But for further analysis let's dump the application UI looking if there are any hidden views.

- After Dumping the UI, there is only one button and no hidden views.

- Now we are going to trace this button and find what class and method are involved with this button. For this I will use this simple frida script to hook UIControl actions:

if (ObjC.classes.UIControl) {
    var UIControl = ObjC.classes.UIControl;

    var sendAction = UIControl["- sendAction:to:forEvent:"];
    Interceptor.attach(sendAction.implementation, {
        onEnter: function (args) {
            var selector = new ObjC.Object(args[2]);
            var target   = new ObjC.Object(args[3]);

            console.log("[UIControl Action]");
            console.log("  Selector: " + selector);
            console.log("  Target:   " + target.$className);
            console.log("  Event:    " + args[4]);
        }
    });
}

- We have found the related class that we are going to target which is SwizzleMeTimbers.Q9V0

- Now we are going to watch the target class SwizzleMeTimbers.Q9V0 to see what method is being called when the button is presses.

- After watching the target class, there is two methods being called t4G0 and _9zB

- Now we are going to watch the return value of these methods and modify it during runtime.

- Let's start with _9zB

- As we see the method _9zB returns fasle 0x0

- Now we are going to modify the return value of the method _9zB and let it return true 0x1 instead of false.

- We unlocked the treasure