Frida Tutorial

pip install frida-tools
pip install frida

adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &"

frida-ps -U #List packages and processes
frida-ps -U | grep -i <part_of_the_package_name> #Get all the package name

frida-ps -U

#Basic frida hooking
frida -l disableRoot.js -f owasp.mstg.uncrackable1

#Hooking before starting the app
frida -U --no-pause -l disableRoot.js -f owasp.mstg.uncrackable1
#The --no-pause and -f options allow the app to be spawned automatically,
#frozen so that the instrumentation can occur, and the automatically
#continue execution with our modified code.

import frida, sys

jscode = open(sys.argv[0]).read()
process = frida.get_usb_device().attach('infosecadventures.fridademo')
script = process.create_script(jscode)
print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()

Java.perform(function () {
;  rootcheck1.a.overload().implementation = function() {
rootcheck1.a.overload().implementation = function() {
send("sg.vantagepoint.a.c.a()Z   Root check 1 HIT!  su.exists()");
return false;
};
});

var sysexit = Java.use("java.lang.System");
sysexit.exit.overload("int").implementation = function(var_0) {
send("java.lang.System.exit(I)V  // We avoid exiting the application  :)");
};

1. Open the `hook_main_activity.js` file.
2. Add the following code to hook the `onStart()` and `onCreate()` methods of the MainActivity class:

```javascript
Java.perform(function() {
    var MainActivity = Java.use('com.example.app.MainActivity');
    
    MainActivity.onStart.implementation = function() {
        console.log('onStart() is called');
        this.onStart();
    };
    
    MainActivity.onCreate.implementation = function() {
        console.log('onCreate() is called');
        this.onCreate();
    };
});

#### Chinese
```markdown
1. 打开`hook_main_activity.js`文件。
2. 添加以下代码以钩住MainActivity类的`onStart()`和`onCreate()`方法：

```javascript
Java.perform(function() {
    var MainActivity = Java.use('com.example.app.MainActivity');
    
    MainActivity.onStart.implementation = function() {
        console.log('onStart()被调用');
        this.onStart();
    };
    
    MainActivity.onCreate.implementation = function() {
        console.log('onCreate()被调用');
        this.onCreate();
    };
});

```javascript
var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
mainactivity.onStart.overload().implementation = function() {
send("MainActivity.onStart() HIT!!!");
var ret = this.onStart.overload().call(this);
};
mainactivity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
send("MainActivity.onCreate() HIT!!!");
var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
};

To hook the `.onCreate()` method of an Android application, you can use Frida to intercept the method call and execute your custom code. This can be useful for various purposes such as dynamic analysis, debugging, or modifying the behavior of the application.

Here is an example of how you can hook the `.onCreate()` method using Frida:

1. Write a Frida script to intercept the `.onCreate()` method.
2. Load the script into the target Android application using Frida.
3. Run the application and observe the custom code execution when `.onCreate()` is called.

By hooking the `.onCreate()` method, you can gain insights into the application's initialization process and potentially modify its behavior in real-time.

要钩住Android应用程序的`.onCreate()`方法，您可以使用Frida拦截方法调用并执行自定义代码。这对于动态分析、调试或修改应用程序行为等各种目的都很有用。

以下是使用Frida钩住`.onCreate()`方法的示例：

1. 编写一个Frida脚本来拦截`.onCreate()`方法。
2. 使用Frida将脚本加载到目标Android应用程序中。
3. 运行应用程序，并观察在调用`.onCreate()`时自定义代码的执行情况。

通过钩住`.onCreate()`方法，您可以深入了解应用程序的初始化过程，并在实时中潜在地修改其行为。
```javascript
var activity = Java.use("android.app.Activity");
activity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
send("Activity HIT!!!");
var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
};

function getString(data){
var ret = "";
for (var i=0; i < data.length; i++){
ret += data[i].toString();
}
return ret
}
var aes_decrypt = Java.use("sg.vantagepoint.a.a");
aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) {
send("sg.vantagepoint.a.a.a([B[B)[B   doFinal(enc)  // AES/ECB/PKCS7Padding");
send("Key       : " + getString(var_0));
send("Encrypted : " + getString(var_1));
var ret = this.a.overload("[B","[B").call(this,var_0,var_1);
send("Decrypted : " + ret);

var flag = "";
for (var i=0; i < ret.length; i++){
flag += String.fromCharCode(ret[i]);
}
send("Decrypted flag: " + flag);
return ret; //[B
};

var string_class = Java.use("java.lang.String"); // get a JS wrapper for java's String class

my_class.fun.overload("java.lang.String").implementation = function(x){ //hooking the new function
var my_string = string_class.$new("My TeSt String#####"); //creating a new String by using `new` operator
console.log("Original arg: " +x );
var ret =  this.fun(my_string); // calling the original function with the new String, and putting its return value in ret variable
console.log("Return value: "+ret);
return ret;
};

Java.choose("com.example.a11x256.frida_test.my_activity" , {
onMatch : function(instance){ //This function will be called for every instance found by frida
console.log("Found instance: "+instance);
console.log("Result of secret func: " + instance.secret());
},
onComplete:function(){}
});