256 lines
11 KiB
Markdown
256 lines
11 KiB
Markdown
# Frida Tutorial 2
|
||
|
||
<details>
|
||
|
||
<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||
|
||
</details>
|
||
|
||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FwdlXOpyZOVGNzyhOiiFK%2Fimage%20(1).png?alt=media&token=13f4d279-7d3f-47ce-a68e-35f9a906973f" alt=""><figcaption></figcaption></figure>
|
||
|
||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||
|
||
{% embed url="https://www.stmcyber.com/careers" %}
|
||
|
||
|
||
|
||
**From**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Parts 2, 3 & 4)\
|
||
**APKs and Source code**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)
|
||
|
||
The part 1 is so easy.
|
||
|
||
**Some parts of the original code doesn't work and have been modified here.**
|
||
|
||
## Part 2
|
||
|
||
Here you can see an example of how to **hook 2 functions with the same name** but different parameters.\
|
||
Also, you are going to learn how to **call a function with your own parameters**.\
|
||
And finally, there is an example of how to **find an instance of a class and make it call a function**.
|
||
|
||
```javascript
|
||
//s2.js
|
||
console.log("Script loaded successfully ");
|
||
Java.perform(function x() {
|
||
console.log("Inside java perform function");
|
||
var my_class = Java.use("com.example.a11x256.frida_test.my_activity");
|
||
//Hook "fun" with parameters (int, int)
|
||
my_class.fun.overload("int", "int").implementation = function (x, y) { //hooking the old function
|
||
console.log("original call: fun(" + x + ", " + y + ")");
|
||
var ret_value = this.fun(2, 5);
|
||
return ret_value;
|
||
};
|
||
//Hook "fun" with paramater(String)
|
||
var string_class = Java.use("java.lang.String");
|
||
my_class.fun.overload("java.lang.String").implementation = function (x) { //hooking the new function
|
||
console.log("*")
|
||
//Create a new String and call the function with your input.
|
||
var my_string = string_class.$new("My TeSt String#####");
|
||
console.log("Original arg: " + x);
|
||
var ret = this.fun(my_string);
|
||
console.log("Return value: " + ret);
|
||
console.log("*")
|
||
return ret;
|
||
};
|
||
//Find an instance of the class and call "secret" function.
|
||
Java.choose("com.example.a11x256.frida_test.my_activity", {
|
||
onMatch: function (instance) {
|
||
console.log(tring, and the it has"Found instance: " + instance);
|
||
console.log("Result of secret func: " + instance.secret());
|
||
},
|
||
onComplete: function () { }
|
||
});
|
||
});
|
||
```
|
||
|
||
You can see that to create a String first is has referenced the class _java.lang.String_ and then it has created a _$new_ object of that class with a String as content. This is the correct way to create a new object of a class. But, in this case, you could just pass to `this.fun()` any String like: `this.fun("hey there!")`
|
||
|
||
### Python
|
||
|
||
```python
|
||
//loader.py
|
||
import frida
|
||
import time
|
||
|
||
device = frida.get_usb_device()
|
||
pid = device.spawn(["com.example.a11x256.frida_test"])
|
||
device.resume(pid)
|
||
time.sleep(1) #Without it Java.perform silently fails
|
||
session = device.attach(pid)
|
||
script = session.create_script(open("s2.js").read())
|
||
script.load()
|
||
|
||
#prevent the python script from terminating
|
||
raw_input()
|
||
```
|
||
|
||
```
|
||
python loader.py
|
||
```
|
||
|
||
## Part 3
|
||
|
||
### Python
|
||
|
||
Now you are going to see how to send commands to the hooked app via Python to call function:
|
||
|
||
```python
|
||
//loader.py
|
||
import time
|
||
import frida
|
||
|
||
def my_message_handler(message, payload):
|
||
print message
|
||
print payload
|
||
|
||
|
||
device = frida.get_usb_device()
|
||
pid = device.spawn(["com.example.a11x256.frida_test"])
|
||
device.resume(pid)
|
||
time.sleep(1) # Without it Java.perform silently fails
|
||
session = device.attach(pid)
|
||
with open("s3.js") as f:
|
||
script = session.create_script(f.read())
|
||
script.on("message", my_message_handler)
|
||
script.load()
|
||
|
||
command = ""
|
||
while 1 == 1:
|
||
command = raw_input("Enter command:\n1: Exit\n2: Call secret function\n3: Hook Secret\nchoice:")
|
||
if command == "1":
|
||
break
|
||
elif command == "2":
|
||
script.exports.callsecretfunction()
|
||
elif command == "3":
|
||
script.exports.hooksecretfunction()
|
||
```
|
||
|
||
The command "**1**" will **exit**, the command "**2**" will find and **instance of the class and call the private function** _**secret()**_ and command "**3**" will **hook** the function _**secret()**_ so it **return** a **different string**.
|
||
|
||
The, if you call "**2**" you will get the **real secret**, but if you call "**3**" and then "**2**" you will get the **fake secret**.
|
||
|
||
### JS
|
||
|
||
```javascript
|
||
console.log("Script loaded successfully ");
|
||
var instances_array = [];
|
||
function callSecretFun() {
|
||
Java.perform(function () {
|
||
if (instances_array.length == 0) { // if array is empty
|
||
Java.choose("com.example.a11x256.frida_test.my_activity", {
|
||
onMatch: function (instance) {
|
||
console.log("Found instance: " + instance);
|
||
instances_array.push(instance)
|
||
console.log("Result of secret func: " + instance.secret());
|
||
},
|
||
onComplete: function () { }
|
||
|
||
});
|
||
}
|
||
else {//else if the array has some values
|
||
console.log("Result of secret func: " + instances_array[0].secret());
|
||
}
|
||
|
||
});
|
||
}
|
||
|
||
function hookSecret() {
|
||
Java.perform(function () {
|
||
var my_class = Java.use("com.example.a11x256.frida_test.my_activity");
|
||
var string_class = Java.use("java.lang.String");
|
||
my_class.secret.overload().implementation = function(){
|
||
var my_string = string_class.$new("TE ENGANNNNEEE");
|
||
return my_string;
|
||
}
|
||
});
|
||
}
|
||
rpc.exports = {
|
||
callsecretfunction: callSecretFun,
|
||
hooksecretfunction: hookSecret
|
||
};
|
||
```
|
||
|
||
## Part 4
|
||
|
||
Here you will see how to make **Python and JS interact** using JSONs objects. JS use the `send()` function to send data to the python cliente, and Python uses `post()` functions to send data to ths JS script. The **JS will block the execution** until is receives s response from Python.
|
||
|
||
### Python
|
||
|
||
```python
|
||
//loader.py
|
||
import time
|
||
import frida
|
||
|
||
def my_message_handler(message, payload):
|
||
print message
|
||
print payload
|
||
if message["type"] == "send":
|
||
print message["payload"]
|
||
data = message["payload"].split(":")[1].strip()
|
||
print 'message:', message
|
||
data = data.decode("base64")
|
||
user, pw = data.split(":")
|
||
data = ("admin" + ":" + pw).encode("base64")
|
||
print "encoded data:", data
|
||
script.post({"my_data": data}) # send JSON object
|
||
print "Modified data sent"
|
||
|
||
|
||
device = frida.get_usb_device()
|
||
pid = device.spawn(["com.example.a11x256.frida_test"])
|
||
device.resume(pid)
|
||
time.sleep(1)
|
||
session = device.attach(pid)
|
||
with open("s4.js") as f:
|
||
script = session.create_script(f.read())
|
||
script.on("message", my_message_handler) # register the message handler
|
||
script.load()
|
||
raw_input()
|
||
```
|
||
|
||
### JS
|
||
|
||
```javascript
|
||
console.log("Script loaded successfully ");
|
||
Java.perform(function () {
|
||
var tv_class = Java.use("android.widget.TextView");
|
||
tv_class.setText.overload('java.lang.CharSequence').implementation = function (x) {
|
||
var string_to_send = x.toString();
|
||
var string_to_recv = "";
|
||
send(string_to_send); // send data to python code
|
||
recv(function (received_json_object) {
|
||
string_to_recv = received_json_object.my_data;
|
||
}).wait(); //block execution till the message is received
|
||
console.log("Final string_to_recv: "+ string_to_recv)
|
||
return this.setText(string_to_recv);
|
||
}
|
||
});
|
||
```
|
||
|
||
There is a part 5 that I am not going to explain because there isn't anything new. But if you want to read it is here: [https://11x256.github.io/Frida-hooking-android-part-5/](https://11x256.github.io/Frida-hooking-android-part-5/)
|
||
|
||
|
||
|
||
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FwdlXOpyZOVGNzyhOiiFK%2Fimage%20(1).png?alt=media&token=13f4d279-7d3f-47ce-a68e-35f9a906973f" alt=""><figcaption></figcaption></figure>
|
||
|
||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||
|
||
{% embed url="https://www.stmcyber.com/careers" %}
|
||
|
||
<details>
|
||
|
||
<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
||
|
||
</details>
|