Frida Tutorial 2




This is a summary of the post (Parts 2, 3 & 4). APKs and source code:

Prvi deo je veoma lak.

Neki delovi originalnog koda ne rade i ovde su modifikovani.

Part 2

Ovde možete videti primer kako da hook-ujete 2 funkcije sa istim imenom ali različitim parametrima. Takođe, naučićete kako da pozovete funkciju sa svojim parametrima. I na kraju, postoji primer kako da pronađete instancu klase i naterate je da pozove funkciju.

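console.log("Script loaded successfully ");
Java.perform(function x() {
  console.log("Inside java perform function");
  var my_class = Java.use("com.example.a11x256.frida_test.my_activity");

  // Hook the "fun" overload taking (int, int). Both overloads share the name
  // "fun", so overload() picks the one to replace by its parameter types.
  my_class.fun.overload("int", "int").implementation = function (x, y) {
    console.log("original call: fun(" + x + ", " + y + ")");
    // Call the original method with arbitrary replacement arguments instead
    // of the caller's, and hand its result back to the caller unchanged.
    var ret_value = this.fun(2, 5);
    return ret_value;
  };

  // Hook the "fun" overload taking (String).
  var string_class = Java.use("java.lang.String");
  my_class.fun.overload("java.lang.String").implementation = function (x) {
    // Build a fresh java.lang.String and call the original with it.
    var my_string = string_class.$new("My TeSt String#####");
    console.log("Original arg: " + x);
    var ret = this.fun(my_string);
    console.log("Return value: " + ret);
    return ret;
  };

  // Walk the heap for live instances of the class and call "secret" on each.
  Java.choose("com.example.a11x256.frida_test.my_activity", {
    onMatch: function (instance) {
      console.log("Found instance: " + instance);
      console.log("Result of secret func: " + instance.secret());
    },
    onComplete: function () { }
  });
});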

Možete videti da je za kreiranje String-a prvo referencirana klasa java.lang.String, a zatim je kreiran $new objekat te klase sa String-om kao sadržajem. Ovo je ispravan način za kreiranje novog objekta klase. Ali, u ovom slučaju, mogli biste jednostavno proslediti bilo koji String kao: `this.fun("hey there!")`


import frida
import time

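device = frida.get_usb_device()
pid = device.spawn(["com.example.a11x256.frida_test"])
# spawn() leaves the new process suspended; resume it so the app (and its
# Java runtime) actually starts before the script is injected.
device.resume(pid)
time.sleep(1)  # Without it Java.perform silently fails
session = device.attach(pid)
# Read the agent inside a with-block so the file handle is closed instead of
# being leaked by a bare open(...).read().
with open("s2.js") as f:
    script = session.create_script(f.read())
script.load()

# prevent the python script from terminating (Python 2 listing: raw_input)
raw_input()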

Deo 3


Sada ćete videti kako da iz Pythona šaljete komande hook-ovanoj aplikaciji kako biste pozvali funkciju:

import time
import frida

def my_message_handler(message, payload):
    """Echo every message the Frida agent emits, together with its binary payload.

    Registered via script.on("message", ...); it only prints and returns None.
    """
    print(message)
    print(payload)

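device = frida.get_usb_device()
pid = device.spawn(["com.example.a11x256.frida_test"])
# spawn() leaves the process suspended; resume it so the Java runtime is up.
device.resume(pid)
time.sleep(1)  # Without it Java.perform silently fails
session = device.attach(pid)
with open("s3.js") as f:
    script = session.create_script(f.read())
script.on("message", my_message_handler)  # register the message handler
script.load()

# Interactive loop: each choice maps to one of the functions the agent
# exposes through rpc.exports (callsecretfunction / hooksecretfunction).
while True:
    command = raw_input("Enter command:\n1: Exit\n2: Call secret function\n3: Hook Secret\nchoice:")
    if command == "1":
        break
    elif command == "2":
        script.exports.callsecretfunction()
    elif command == "3":
        script.exports.hooksecretfunction()

# Release the injected agent and the session on exit.
session.detach()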

Komanda "1" će izaći, komanda "2" će pronaći i instancirati klasu i pozvati privatnu funkciju secret(), a komanda "3" će hook-ovati funkciju secret() tako da vrati drugi string.

Dakle, ako pozovete "2" dobićete pravi tajni podatak, ali ako pozovete "3" a zatim "2" dobićete lažni tajni podatak.


// Announce that the agent has been injected.
console.log("Script loaded successfully ");
// Shared cache of my_activity instances; callSecretFun() reads element 0
// whenever this array is non-empty.
let instances_array = [];
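// Invoke my_activity.secret() on a live instance. The first call scans the
// heap and caches what it finds; later calls reuse the cached instance.
function callSecretFun() {
  Java.perform(function () {
    if (instances_array.length === 0) {
      Java.choose("com.example.a11x256.frida_test.my_activity", {
        onMatch: function (instance) {
          console.log("Found instance: " + instance);
          // Without this push the cache never fills and the else-branch
          // below is unreachable, so every call rescans the heap.
          instances_array.push(instance);
          console.log("Result of secret func: " + instance.secret());
        },
        onComplete: function () { }
      });
    } else {
      console.log("Result of secret func: " + instances_array[0].secret());
    }
  });
}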
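// Replace my_activity.secret() so that every caller receives a fixed fake
// string instead of the real value.
function hookSecret() {
  Java.perform(function () {
    var my_class = Java.use("com.example.a11x256.frida_test.my_activity");
    var string_class = Java.use("java.lang.String");
    // secret() takes no parameters, hence the empty overload() selector.
    my_class.secret.overload().implementation = function () {
      var my_string = string_class.$new("TE ENGANNNNEEE");
      return my_string;
    };
  });
}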
// Publish both helpers over Frida RPC so the Python client can trigger them
// by these names through script.exports.
rpc.exports = { callsecretfunction: callSecretFun, hooksecretfunction: hookSecret };
Deo 4

Ovde ćete videti kako Python i JS interaguju koristeći JSON objekte. JS koristi send() funkciju da pošalje podatke Python klijentu, a Python koristi post() funkciju da pošalje podatke JS skripti. JS će blokirati izvršenje dok ne primi odgovor od Pythona.


import time
import frida

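# NOTE: Python 2 listing (print statement, str.decode("base64")).
def my_message_handler(message, payload):
    """Handle messages from the agent and answer its blocking recv().

    `message` is the dict Frida builds for each agent message; only those with
    type "send" (produced by send() in s4.js) carry data, in message["payload"].
    `payload` is the optional binary part and is only printed.
    The reply is posted to the agent as {"my_data": <base64 string>}; the agent
    blocks in recv().wait() until that reply arrives, so every "send" message
    must be answered. Uses the module-level `script` created after this
    definition, so it must only run once script.load() has been called.
    """
    print message
    print payload
    if message["type"] != "send":
        return
    print message["payload"]
    # Presumably "<label>: <base64(user:pw)>" — only the part after the first
    # ':' is decoded; anything else raises here. Verify against the app's text.
    data = message["payload"].split(":")[1].strip()
    print 'message:', message
    data = data.decode("base64")
    _user, pw = data.split(":")
    # Keep the password, swap the user for "admin", re-encode and send back.
    data = ("admin" + ":" + pw).encode("base64")
    print "encoded data:", data
    script.post({"my_data": data})  # send JSON object
    print "Modified data sent"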

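device = frida.get_usb_device()
pid = device.spawn(["com.example.a11x256.frida_test"])
# spawn() leaves the process suspended; resume it so the Java runtime is up.
device.resume(pid)
time.sleep(1)  # Without it Java.perform silently fails (same as parts 2 and 3)
session = device.attach(pid)
with open("s4.js") as f:
    script = session.create_script(f.read())
script.on("message", my_message_handler)  # register the message handler
script.load()

# prevent the python script from terminating (Python 2 listing: raw_input)
raw_input()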


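console.log("Script loaded successfully ");
Java.perform(function () {
  var tv_class = Java.use("android.widget.TextView");
  // Intercept TextView.setText(CharSequence): forward the text to Python,
  // wait for its answer and display the answer instead of the original text.
  tv_class.setText.overload('java.lang.CharSequence').implementation = function (x) {
    var string_to_send = x.toString();
    var string_to_recv = "";
    send(string_to_send); // send data to python code
    // recv().wait() blocks the thread that called setText until Python posts
    // a message; the Python handler therefore has to reply with a "my_data"
    // field for every message, or this call never returns.
    recv(function (received_json_object) {
      string_to_recv = received_json_object.my_data;
    }).wait(); //block execution till the message is received
    console.log("Final string_to_recv: " + string_to_recv);
    return this.setText(string_to_recv);
  };
});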

Postoji i deo 5 koji neću objašnjavati jer ne donosi ništa novo. Ali ako želite da ga pročitate, ovde je:



