Frida Scripts

`Java.use` - A JavaScript wrapper for Java classes

It also allows us to instantiate instances of that class.
Example :-
- Here using the String class of Java we assigned a string (instance of that class) using constructor $new and then normally use any Java functions to that variable (si).
- Normally we will not use $dispose but if we use make sure to not call that var that has been disposed otherwise it will create a very long error.

[Android Emulator 5554::FridaTarget ]-> var sc = Java.use("java.lang.String")
[Android Emulator 5554::FridaTarget ]-> sc
"<class: java.lang.String>"
[Android Emulator 5554::FridaTarget ]-> var si = sc.$new("$new is the frida way to call a new constructor and this is a
n insatance of previous class")
[Android Emulator 5554::FridaTarget ]-> si
"<instance: java.lang.String>"
[Android Emulator 5554::FridaTarget ]-> si.toStri
[Android Emulator 5554::FridaTarget ]-> si.toString()
"$new is the frida way to call a new constructor and this is an insatance of previous class"
[Android Emulator 5554::FridaTarget ]-> si.charAt(5)
"i"
[Android Emulator 5554::FridaTarget ]->si.$dispose()

`Java.enumerateLoadedClasses(callbacks)` and `Java.enumerateLoadedClassesSync()` - To list all available Java classes

Java.enumerateLoadedClasses(callbacks) : returns callback for each loaded classes
Java.enumerateLoadedClassesSync() : returns a list of all loaded classes (in an array)

Changing implementation of a class

Can be used to change the original implementation and return what we want.
useful when working with native libraries.

string_class.charAt.implementation = (c) => {
    console.log("charAt overridden!");
    return "X";
}

simple example to change the implementation of charAt.

`Java.perform(() ⇒ {//my custom code here})`

while writing a frida script make sure to wrap it in Java.perform(() ⇒ {//my custom code here}) to make sure it runs inside java vm where all the classes have already been loaded and easily accessible.
Example code to run a function/method from frida (frida target hextree example)

Java.perform(() => {
    let FlagClass = Java.use("io.hextree.fridatarget.FlagClass");
    let flagclassinstance = FlagClass.$new();
    console.log(flagclassinstance.flagFromStaticMethod());
    console.log(flagclassinstance.flagFromInstanceMethod());
    console.log(flagclassinstance.flagIfYouCallMeWithSesame("sesame"));
})

Tracing Activities

Tracing Fragments

Intercepting Arguments and Return values

Interception Arguments and return values is not that much different from the actual logging thing.
Example Snippet:-

Java.perform(() => {
    let InterceptionFragment = Java.use("io.hextree.fridatarget.ui.InterceptionFragment");
    InterceptionFragment.function_to_intercept.implementation = function (argument){
        console.log("Original Argument: " + argument);
        
        // return this.function_to_intercept("i want to pass this")
        // or 
        return "ye bhi chalega";
        
    };
    let LicenseManager = Java.use("io.hextree.fridatarget.LicenseManager");
    LicenseManager.isLicenseValid.implementation = function(){
        return true;
    };
    LicenseManager.isLicenseStillValid.implementation = function (context, unixTimestamp) {
        console.log(`LicenseManager.isLicenseStillValid is called: context=${context}, unixTimestamp=${unixTimestamp}`);
        unixTimestamp = 1672531260
        this.isLicenseStillValid(context, unixTimestamp);
    };
})

PreviousFrida & Objection NextTracing Activities

Last updated 2 days ago

Was this helpful?

Java.use - A JavaScript wrapper for Java classes

Java.enumerateLoadedClasses(callbacks) and Java.enumerateLoadedClassesSync() - To list all available Java classes

Changing implementation of a class

Java.perform(() ⇒ {//my custom code here})

Intercepting Arguments and Return values

`Java.use` - A JavaScript wrapper for Java classes

`Java.enumerateLoadedClasses(callbacks)` and `Java.enumerateLoadedClassesSync()` - To list all available Java classes

`Java.perform(() ⇒ {//my custom code here})`