Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!
Some parts of the original code doesn't work and have been modified here.
Part 2
Here you can see an example of how to hook 2 functions with the same name but different parameters.
Also, you are going to learn how to call a function with your own parameters.
And finally, there is an example of how to find an instance of a class and make it call a function.
//s2.jsconsole.log("Script loaded successfully ");Java.perform(functionx() {console.log("Inside java perform function");var my_class =Java.use("com.example.a11x256.frida_test.my_activity");//Hook "fun" with parameters (int, int)my_class.fun.overload("int","int").implementation=function (x, y) { //hooking the old functionconsole.log("original call: fun("+ x +", "+ y +")");var ret_value =this.fun(2,5);return ret_value; };//Hook "fun" with paramater(String)var string_class =Java.use("java.lang.String");my_class.fun.overload("java.lang.String").implementation=function (x) { //hooking the new functionconsole.log("*")//Create a new String and call the function with your input.var my_string =string_class.$new("My TeSt String#####");console.log("Original arg: "+ x);var ret =this.fun(my_string);console.log("Return value: "+ ret);console.log("*")return ret; };//Find an instance of the class and call "secret" function.Java.choose("com.example.a11x256.frida_test.my_activity", {onMatch:function (instance) {console.log(tring, and the it has"Found instance: "+ instance);console.log("Result of secret func: "+instance.secret()); },onComplete:function () { } });});
You can see that to create a String first is has referenced the class java.lang.String and then it has created a $new object of that class with a String as content. This is the correct way to create a new object of a class. But, in this case, you could just pass to this.fun() any String like: this.fun("hey there!")
Python
//loader.pyimport fridaimport timedevice = frida.get_usb_device()pid = device.spawn(["com.example.a11x256.frida_test"])device.resume(pid)time.sleep(1)#Without it Java.perform silently failssession = device.attach(pid)script = session.create_script(open("s2.js").read())script.load()#prevent the python script from terminatingraw_input()
python loader.py
Part 3
Python
Now you are going to see how to send commands to the hooked app via Python to call function:
The command "1" will exit, the command "2" will find and instance of the class and call the private functionsecret() and command "3" will hook the function secret() so it return a different string.
The, if you call "2" you will get the real secret, but if you call "3" and then "2" you will get the fake secret.
JS
console.log("Script loaded successfully ");var instances_array = [];functioncallSecretFun() {Java.perform(function () {if (instances_array.length==0) { // if array is emptyJava.choose("com.example.a11x256.frida_test.my_activity", {onMatch:function (instance) {console.log("Found instance: "+ instance);instances_array.push(instance)console.log("Result of secret func: "+instance.secret()); },onComplete:function () { } }); }else {//else if the array has some valuesconsole.log("Result of secret func: "+ instances_array[0].secret()); } });}functionhookSecret() {Java.perform(function () {var my_class =Java.use("com.example.a11x256.frida_test.my_activity");var string_class =Java.use("java.lang.String");my_class.secret.overload().implementation=function(){var my_string =string_class.$new("TE ENGANNNNEEE");return my_string; } });}rpc.exports = { callsecretfunction: callSecretFun, hooksecretfunction: hookSecret};
Part 4
Here you will see how to make Python and JS interact using JSONs objects. JS use the send() function to send data to the python cliente, and Python uses post() functions to send data to ths JS script. The JS will block the execution until is receives s response from Python.
Python
//loader.pyimport timeimport fridadefmy_message_handler(message,payload):print messageprint payloadif message["type"]=="send":print message["payload"] data = message["payload"].split(":")[1].strip()print'message:', message data = data.decode("base64") user, pw = data.split(":") data = ("admin"+":"+ pw).encode("base64")print"encoded data:", data script.post({"my_data": data})# send JSON objectprint"Modified data sent"device = frida.get_usb_device()pid = device.spawn(["com.example.a11x256.frida_test"])device.resume(pid)time.sleep(1)session = device.attach(pid)withopen("s4.js")as f: script = session.create_script(f.read())script.on("message", my_message_handler)# register the message handlerscript.load()raw_input()
JS
console.log("Script loaded successfully ");Java.perform(function () {var tv_class =Java.use("android.widget.TextView");tv_class.setText.overload('java.lang.CharSequence').implementation=function (x) {var string_to_send =x.toString();var string_to_recv ="";send(string_to_send); // send data to python coderecv(function (received_json_object) { string_to_recv =received_json_object.my_data; }).wait(); //block execution till the message is receivedconsole.log("Final string_to_recv: "+ string_to_recv)returnthis.setText(string_to_recv); }});
Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!