init#

Frida is a reverse engineering framework which can be used to

installed apps#

The following command lists the applications installed on the virtual mobile device. Running applications show a PID; applications that are not running show `-`.

$ frida-ps -Uai
 PID  Name           Identifier                
----  -------------  --------------------------
3054  Calendar       com.android.calendar      
2463  Clock          com.android.deskclock     
3141  Email          com.android.email         
3175  Gallery        com.android.gallery3d     
3554  Hello App      com.example.helloapp      
3198  Messaging      com.android.messaging     
2547  Phone          com.android.dialer        
2299  Settings       com.android.settings      
3372  WebView Shell  org.chromium.webview_shell
   -  Calculator     com.android.calculator2   
   -  Camera         com.android.camera2       
   -  Contacts       com.android.contacts      
   -  Files          com.android.documentsui   
   -  Music          com.android.music         
   -  Search         com.android.quicksearchbox

run script#

The following command spawns the application (`-f`) and runs the script (`-l`) inside it.

$ frida -U -f com.example.helloapp  -l  01-hello.js
     ____
    / _  |   Frida 16.5.5 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Spawned `com.example.helloapp`. Resuming main thread!                   
[Android Emulator 5554::com.example.helloapp ]-> hellow world
[Android Emulator 5554::com.example.helloapp ]->                                             

The source code for the 01-hello.js file is:

// Java.perform runs the callback once the thread is attached to the app's Java VM.
Java.perform(function() {
	console.log("hellow world");
});

#

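Java.perform(function() {
    // Java.use returns a wrapper for the class so its methods can be replaced.
    const clsroot = Java.use("com.geekyadmins.a.c");

    // Replace a() so that every call is logged and always returns false.
    clsroot.a.implementation = function() {
        console.log("touched implimentation a");
        return false;
    };
});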

double script#

In many cases, you might need to inject multiple scripts at the same time. To do that, you could use the following.

In terminal 1:

$  frida  -U -f owasp.mstg.uncrackable1 -l crackme1-rootbypass.js
     ____
    / _  |   Frida 16.5.5 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android SDK built for x86 64 (id=localhost:5555)
Spawned `owasp.mstg.uncrackable1`. Resuming main thread!                
[Android SDK built for x86 64::owasp.mstg.uncrackable1 ]-> touched implimentation a
touched implimentation b
touched implimentation c

Keep the first terminal open, open a second terminal window, and run the following command in it:

$ frida -U -n "Uncrackable1" -l 03-rootbypass/dump-funcation-parameters.js
     ____
    / _  |   Frida 16.5.5 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android SDK built for x86 64 (id=localhost:5555)
                                                                                
[Android SDK built for x86 64::Uncrackable1 ]->

The above command dumps the function parameters to the console.
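The page does not show the second script, so the following is a sketch of a parameter-dumping hook in the same style (an added example, not the page's `dump-funcation-parameters.js`). `TARGET_CLASS` and `TARGET_METHOD` are hypothetical placeholders, and `describeArg` and `dumpParameters` are names introduced here.

```javascript
// Added example. TARGET_CLASS and TARGET_METHOD are hypothetical placeholders.
const TARGET_CLASS = "com.example.helloapp.MainActivity";
const TARGET_METHOD = "onCreate";
const MAX_LEN = 120;

// Render one value with its declared type; long values are truncated so a
// large string or array cannot flood the console.
function describeArg(value, typeName) {
    let text;
    try { text = String(value); } catch (e) { text = "<unprintable>"; }
    if (text.length > MAX_LEN) text = text.slice(0, MAX_LEN) + "...";
    return typeName + " = " + text;
}

// Hook every overload of klass[methodName]: log the arguments, forward the
// call to the original method unchanged, log the return value.
function dumpParameters(klass, methodName, log) {
    const overloads = klass[methodName].overloads;
    overloads.forEach(function (overload) {
        const types = overload.argumentTypes.map(function (t) { return t.className; });
        overload.implementation = function (...args) {
            log(methodName + "(" + types.join(", ") + ")");
            args.forEach(function (arg, i) {
                log("  arg[" + i + "] " + describeArg(arg, types[i]));
            });
            const result = this[methodName].apply(this, args);
            log("  => " + describeArg(result, overload.returnType.className));
            return result;
        };
    });
    return overloads.length;
}

// Only runs inside Frida, where the Java bridge is a global.
if (typeof Java !== "undefined" && Java.available) {
    Java.perform(function () {
        dumpParameters(Java.use(TARGET_CLASS), TARGET_METHOD, function (line) {
            console.log(line);
        });
    });
}
```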