Frida Scripts
Java.use
- A JavaScript wrapper for Java classes. It also allows us to instantiate instances of that class.
Example:
Here, using Java's String class, we create a string (an instance of that class) with the constructor $new and then call the usual Java methods on that variable (si). Normally we will not use $dispose; if we do, make sure not to touch the disposed variable afterwards, otherwise it produces a very long error.
[Android Emulator 5554::FridaTarget ]-> var sc = Java.use("java.lang.String")
[Android Emulator 5554::FridaTarget ]-> sc
"<class: java.lang.String>"
[Android Emulator 5554::FridaTarget ]-> var si = sc.$new("$new is the frida way to call a new constructor and this is an instance of previous class")
[Android Emulator 5554::FridaTarget ]-> si
"<instance: java.lang.String>"
[Android Emulator 5554::FridaTarget ]-> si.toString()
"$new is the frida way to call a new constructor and this is an instance of previous class"
[Android Emulator 5554::FridaTarget ]-> si.charAt(5)
"i"
[Android Emulator 5554::FridaTarget ]->si.$dispose()
Java.enumerateLoadedClasses(callbacks)
and Java.enumerateLoadedClassesSync()
- To list all Java classes loaded in the process
Java.enumerateLoadedClasses(callbacks): calls callbacks.onMatch(name, handle) once for each loaded class, then callbacks.onComplete() when done
Java.enumerateLoadedClassesSync(): returns the names of all loaded classes in one array
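As an added example (not code from the original notes or from the hextree app), the script below uses both enumeration forms together with Java.use: it filters the loaded classes down to the app's own package (io.hextree.fridatarget, the prefix used on this page) and lists the declared methods of each match through reflection. The helper names isAppClass and groupByPackage are my own; they are plain JavaScript, while the Java.perform block only runs inside a Frida session attached to an Android process.

```javascript
// Added example: enumerate loaded classes, keep the app's own, list their methods.
// APP_PREFIX is the package from the notes; helper names are assumptions.
const APP_PREFIX = "io.hextree.fridatarget";

// True for the package itself and anything beneath it ("io.hextree.fridatargetX" is not).
function isAppClass(name, prefix) {
  return name === prefix || name.startsWith(prefix + ".");
}

// Count fully-qualified class names per package; default-package classes land under "".
function groupByPackage(names) {
  const groups = {};
  for (const name of names) {
    const idx = name.lastIndexOf(".");
    const pkg = idx === -1 ? "" : name.slice(0, idx);
    groups[pkg] = (groups[pkg] || 0) + 1;
  }
  return groups;
}

// Frida-only part: `Java` is a global inside Frida, undefined elsewhere.
if (typeof Java !== "undefined") {
  Java.perform(() => {
    // Sync form: one array of names, convenient for filtering.
    const loaded = Java.enumerateLoadedClassesSync();
    const appClasses = loaded.filter((n) => isAppClass(n, APP_PREFIX));
    console.log(`${loaded.length} classes loaded, ${appClasses.length} under ${APP_PREFIX}`);

    for (const name of appClasses) {
      try {
        const klass = Java.use(name);
        // .class is the java.lang.Class of the wrapper; reflection lists its methods.
        const methods = klass.class.getDeclaredMethods();
        console.log(name);
        for (const m of methods) {
          console.log("  " + m.toString());
        }
      } catch (e) {
        // Some synthetic/inner classes cannot be wrapped; skip them instead of aborting.
        console.log(`${name}: ${e.message}`);
      }
    }

    // Callback form: matches are delivered one by one, onComplete fires at the end.
    let seen = 0;
    Java.enumerateLoadedClasses({
      onMatch(name, handle) {
        if (isAppClass(name, APP_PREFIX)) seen++;
      },
      onComplete() {
        console.log(`callback form saw ${seen} app classes`);
        const perPackage = groupByPackage(loaded);
        console.log(`${Object.keys(perPackage).length} distinct packages loaded`);
      },
    });
  });
}
```

Run it with `frida -U -f <package> -l script.js`; the sync form is the one to reach for when you need the list as data, the callback form when the process has thousands of classes and you want to react as matches arrive.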
Changing implementation of a class
Assigning to a method's .implementation replaces the original Java method body with our own JavaScript; the hook can return whatever we want, or reach the original through `this`. (Java hooks only cover Java methods; native library functions are hooked with Interceptor.attach instead.)
Java.perform(() => {
  const string_class = Java.use("java.lang.String");
  // plain function, not an arrow, so `this` (the String instance) stays usable
  string_class.charAt.implementation = function (c) {
    console.log("charAt overridden!");
    return "X"; // a Java char is a one-character JS string in Frida
  };
});
Simple example to change the implementation of charAt.
Java.perform(() => { /* my custom code here */ })
While writing a Frida script, make sure to wrap it in Java.perform(...) so that it runs on a thread attached to the Java VM, where the app's classes are already loaded and easily accessible. Example code to run a function/method from Frida (Frida target hextree example):
Java.perform(() => {
let FlagClass = Java.use("io.hextree.fridatarget.FlagClass");
let flagclassinstance = FlagClass.$new();
console.log(flagclassinstance.flagFromStaticMethod());
console.log(flagclassinstance.flagFromInstanceMethod());
console.log(flagclassinstance.flagIfYouCallMeWithSesame("sesame"));
})
Intercepting Arguments and Return values
Intercepting arguments and return values is not much different from the logging above: the hook receives the arguments as function parameters, can log or rewrite them, and whatever it returns is what the app sees.
Example Snippet:-
Java.perform(() => {
  let InterceptionFragment = Java.use("io.hextree.fridatarget.ui.InterceptionFragment");
  InterceptionFragment.function_to_intercept.implementation = function (argument) {
    console.log("Original Argument: " + argument);
    // return this.function_to_intercept("i want to pass this")
    // or
    return "this works too";
  };
  let LicenseManager = Java.use("io.hextree.fridatarget.LicenseManager");
  LicenseManager.isLicenseValid.implementation = function () {
    return true;
  };
  LicenseManager.isLicenseStillValid.implementation = function (context, unixTimestamp) {
    console.log(`LicenseManager.isLicenseStillValid is called: context=${context}, unixTimestamp=${unixTimestamp}`);
    unixTimestamp = 1672531260;
    // call the original through `this` and return its result;
    // without the return the app receives undefined instead of a boolean
    return this.isLicenseStillValid(context, unixTimestamp);
  };
})
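As an added example (not code from the original notes or from the hextree app), the script below generalises the hooks above into one tracer: it hooks every overload of a method, optionally rewrites the arguments before the call and the result after it, always calls the original with the right `this`, and always returns a value to the app. The class and method names are the ones used on this page; traceMethod, formatArg and formatCall are my own helper names, and the (context, unixTimestamp) argument order of isLicenseStillValid is taken from the snippet above. The formatting helpers are plain JavaScript; the Java.perform block only runs inside a Frida session.

```javascript
// Added example: overload-aware tracer with optional argument/return rewriting.
// Helper names are assumptions; class/method names come from the notes above.

// Render one argument for the log. Java objects arrive as Frida wrappers whose
// String() calls Java toString(); null stays "null"; strings are quoted.
function formatArg(v) {
  if (v === null || v === undefined) return "null";
  if (typeof v === "string") return JSON.stringify(v);
  return String(v);
}

// One log line: Class.method(arg1, arg2) -> ret
function formatCall(className, methodName, args, ret) {
  const rendered = Array.from(args, (a) => formatArg(a)).join(", ");
  return `${className}.${methodName}(${rendered}) -> ${formatArg(ret)}`;
}

// Hook every overload of className.methodName.
// hooks.args(args) may return replacement arguments; hooks.ret(ret, args) may
// return a replacement result. Without hooks the method is only logged.
function traceMethod(className, methodName, hooks = {}) {
  const klass = Java.use(className);
  const method = klass[methodName];
  // Setting .implementation directly on a method that has several overloads
  // throws in Frida; iterate .overloads so each signature gets its own hook.
  for (const overload of method.overloads) {
    const sig = overload.argumentTypes.map((t) => t.className).join(", ");
    console.log(`hooking ${className}.${methodName}(${sig})`);
    // Plain function, not an arrow: `this` must be the receiver instance
    // (or the class wrapper for static methods).
    overload.implementation = function (...args) {
      const callArgs = hooks.args ? hooks.args(args) : args;
      // Pin the exact overload instead of re-dispatching on argument types,
      // which is ambiguous when an argument is null.
      const ret = overload.apply(this, callArgs);
      const finalRet = hooks.ret ? hooks.ret(ret, callArgs) : ret;
      console.log(formatCall(className, methodName, callArgs, finalRet));
      return finalRet; // forgetting this hands undefined back to the app
    };
  }
}

if (typeof Java !== "undefined") {
  Java.perform(() => {
    // Log only.
    traceMethod("io.hextree.fridatarget.ui.InterceptionFragment", "function_to_intercept");
    // Force the result regardless of what the original computed.
    traceMethod("io.hextree.fridatarget.LicenseManager", "isLicenseValid", {
      ret: () => true,
    });
    // Keep the Context, replace the timestamp (same value as the snippet above),
    // and let the original decide on the rewritten input.
    traceMethod("io.hextree.fridatarget.LicenseManager", "isLicenseStillValid", {
      args: ([context, unixTimestamp]) => [context, 1672531260],
    });
  });
}
```

The log line is built after the original has run, so a hook that crashes the original shows up as a missing "->" line rather than a misleading one; keep the rewriting in hooks.args/hooks.ret so the tracer itself stays reusable across targets.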