Frida Tutorial
{{#include ../../../banners/hacktricks-training.md}}
Installasie
Installeer frida tools:
pip install frida-tools
pip install frida
Laai af en installeer in die android die frida server (Download the latest release).
Een-liner om adb in wortelmodus te herbegin, daaraan te koppel, frida-server op te laai, uitvoeringsregte te gee en dit in die agtergrond te laat loop:
adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &"
Kontroleer of dit werk:
frida-ps -U #List packages and processes
frida-ps -U | grep -i <part_of_the_package_name> #Get all the package name
Tutorials
Tutorial 1
From: https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1
APK: https://github.com/t0thkr1s/frida-demo/releases
Source Code: https://github.com/t0thkr1s/frida-demo
Volg die skakel om dit te lees.
Tutorial 2
From: https://11x256.github.io/Frida-hooking-android-part-2/ (Dele 2, 3 & 4)
APKs en Bron kode: https://github.com/11x256/frida-android-examples
Volg die skakel om dit te lees.
Tutorial 3
From: https://joshspicer.com/android-frida-1
APK: https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk
Volg die skakel om dit te lees.
Jy kan meer wonderlike Frida-skripte hier vind: https://codeshare.frida.re/
Quick Examples
Calling Frida from command line
frida-ps -U
#Basic frida hooking
frida -l disableRoot.js -f owasp.mstg.uncrackable1
#Hooking before starting the app
frida -U --no-pause -l disableRoot.js -f owasp.mstg.uncrackable1
#The --no-pause and -f options allow the app to be spawned automatically,
#frozen so that the instrumentation can occur, and the automatically
#continue execution with our modified code.
Basiese Python Skrip
import frida, sys
jscode = open(sys.argv[0]).read()
process = frida.get_usb_device().attach('infosecadventures.fridademo')
script = process.create_script(jscode)
print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()
Funksies sonder parameters aanhaak
Haak die funksie a() van die klas sg.vantagepoint.a.c aan
Java.perform(function () {
; rootcheck1.a.overload().implementation = function() {
rootcheck1.a.overload().implementation = function() {
send("sg.vantagepoint.a.c.a()Z Root check 1 HIT! su.exists()");
return false;
};
});
Haal java exit() aan
var sysexit = Java.use("java.lang.System")
sysexit.exit.overload("int").implementation = function (var_0) {
send("java.lang.System.exit(I)V // We avoid exiting the application :)")
}
Haal MainActivity .onStart() & .onCreate() aan
var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity")
mainactivity.onStart.overload().implementation = function () {
send("MainActivity.onStart() HIT!!!")
var ret = this.onStart.overload().call(this)
}
mainactivity.onCreate.overload("android.os.Bundle").implementation = function (
var_0
) {
send("MainActivity.onCreate() HIT!!!")
var ret = this.onCreate.overload("android.os.Bundle").call(this, var_0)
}
Haal android .onCreate() aan
var activity = Java.use("android.app.Activity")
activity.onCreate.overload("android.os.Bundle").implementation = function (
var_0
) {
send("Activity HIT!!!")
var ret = this.onCreate.overload("android.os.Bundle").call(this, var_0)
}
Funksies met parameters haak en die waarde terugkry
Haak 'n ontsleuteling funksie. Druk die invoer, roep die oorspronklike funksie aan om die invoer te ontsleutel en druk uiteindelik die gewone data:
function getString(data) {
var ret = ""
for (var i = 0; i < data.length; i++) {
ret += data[i].toString()
}
return ret
}
var aes_decrypt = Java.use("sg.vantagepoint.a.a")
aes_decrypt.a.overload("[B", "[B").implementation = function (var_0, var_1) {
send("sg.vantagepoint.a.a.a([B[B)[B doFinal(enc) // AES/ECB/PKCS7Padding")
send("Key : " + getString(var_0))
send("Encrypted : " + getString(var_1))
var ret = this.a.overload("[B", "[B").call(this, var_0, var_1)
send("Decrypted : " + ret)
var flag = ""
for (var i = 0; i < ret.length; i++) {
flag += String.fromCharCode(ret[i])
}
send("Decrypted flag: " + flag)
return ret //[B
}
Haak funksies en bel hulle met ons invoer
Haak 'n funksie wat 'n string ontvang en bel dit met 'n ander string (van hier)
var string_class = Java.use("java.lang.String") // get a JS wrapper for java's String class
my_class.fun.overload("java.lang.String").implementation = function (x) {
//hooking the new function
var my_string = string_class.$new("My TeSt String#####") //creating a new String by using `new` operator
console.log("Original arg: " + x)
var ret = this.fun(my_string) // calling the original function with the new String, and putting its return value in ret variable
console.log("Return value: " + ret)
return ret
}
Verkryging van 'n reeds geskepte objek van 'n klas
As jy 'n attribuut van 'n geskepte objek wil onttrek, kan jy dit gebruik.
In hierdie voorbeeld gaan jy sien hoe om die objek van die klas my_activity te verkry en hoe om die funksie .secret() aan te roep wat 'n private attribuut van die objek sal druk:
Java.choose("com.example.a11x256.frida_test.my_activity", {
onMatch: function (instance) {
//This function will be called for every instance found by frida
console.log("Found instance: " + instance)
console.log("Result of secret func: " + instance.secret())
},
onComplete: function () {},
})
Ander Frida tutorials
- https://github.com/DERE-ad2001/Frida-Labs
- Deel 1 van die Gevorderde Frida Gebruik blog reeks: IOS Enkripsie Biblioteke
{{#include ../../../banners/hacktricks-training.md}}