frida

Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.

Installation

Client

pip3 install frida-tools

Server

Download server for architecture from https://github.com/frida/frida/releases.

xz -d frida-server-16.5.6-android-arm64.xz
adb root
adb push frida-server-16.5.6-android-arm64 /data/local/tmp
adb shell
cd /data/local/tmp
chmod +x frida-server-16.5.6-android-arm64
./frida-server-16.5.6-android-arm64

Commands

Connection

frida -U targetAPK (connect to APK)
frida -U -l script.js targetAPK (execute script and connect to APK)

frida-trace

Trace all calls on com.testapp.*:

frida-trace -U -j 'com.testapp.*!*' TestApp

Trace all calls from native library:

frida-trace -U -I 'native-lib' -j 'com.testapp.*!*' TestApp

Tracing

Activities

Java.perform(() => {
    let ActivityClass = Java.use("android.app.Activity");
    ActivityClass.onResume.implementation = function() {
        console.log("[*] Activity resumed:", this.getClass().getName());
        this.onResume();
    }
})

Fragments

Java.perform(() => {
    let FragmentClass = Java.use("androidx.fragment.app.Fragment");
    FragmentClass.onResume.implementation = function() {
        console.log("[*] Fragment resumed:", this.getClass().getName());
        this.onResume();
    }
})

Returning a different output:

Java.perform(() => {
    var InterceptionFragment = Java.use("io.hextree.fridatarget.ui.InterceptionFragment");
    InterceptionFragment.function_to_intercept.implementation = function(argument) {
        this.function_to_intercept(argument);
        return "SOMETHING DIFFERENT";
    }
})

Disable SSL Pinning

Bypass Network Security Config and SSLContext:

Java.perform(() => {
    var PlatformClass = Java.use("com.android.org.conscrypt.Platform");
    PlatformClass.checkServerTrusted.overload('javax.net.ssl.X509TrustManager', '[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'com.android.org.conscrypt.AbstractConscryptSocket').implementation = function() {
        console.log("Check server trusted");
    }
})

OKHTTP3 Bypass

Java.perform(() => {
    var BuilderClass = Java.use("okhttp3.OkHttpClient$Builder");
    BuilderClass.certificatePinner.implementation = function() {
        console.log("Certificate pinner called");
        return this;
    }
})

JADX and Frida

If we want to load a class from jadx to Frida we can Right Click > Copy as frida snippet. Now paste it into Java.perform sentence:

Java.perform(() => {
    let ExampleClass = Java.use("io.hextree.fridatarget.ExampleClass");
})

Having this class:

package io.hextree.fridatarget;

/* loaded from: classes6.dex */
public class ExampleClass {
    public String returnDecryptedString() {
        return FlagCryptor.decodeFlag("ViBueiBpcmVsIGZycGhlcnlsIHJhcGVsY2dycSE=");
    }

    public String returnDecryptedStringIfPasswordCorrect(String password) {
        if (password.equals("VerySecret")) {
            return FlagCryptor.decodeFlag("WWhweHZ5bCBWIGpuZiBjbmZmamJlcSBjZWJncnBncnEh");
        }
        return null;
    }
}

For example we can create an instance of the ExampleClass and console.log the result. Example script:

Java.perform(() => {
    let ExampleClass = Java.use("io.hextree.fridatarget.ExampleClass");
    let ExampleInstance = ExampleClass.$new();
    console.log(ExampleInstance.returnDecryptedString());
    console.log(ExampleInstance.returnDecryptedStringIfPasswordCorrect("VerySecret"));
})

It's so much faster than manually reversing!

References

Last updated