by Or Levy
Frida Installation
1. adb push <frida-server> /data/local/tmp/ (upload frida-server to device)
2. adb shell chmod 755 /data/local/tmp/<frida-server>
3. pip install frida-tools frida==<version>
4. Find the location of the frida-ps.py file and add the path to Environment Variables.
Run Frida
1. /data/local/tmp/<frida-server> (on device run frida-server)
2. frida-ps -U (on Windows, find the app's full name)
3. frida -U -f <package_name> -l <fridascript.js> --no-pause (Inject with Frida)
Syntax
Activity Usage
var activity = Java.use('com.example.package.activity')
Class Inside Class
var outsideClass = Java.use('com.example.package.activity');
var insideClass = outsideClass['inside_class_name'];
var oneLiner = Java.use('com.example.package.activity$inside_class_name');
Invoke a Constructor
var javaString = Java.use('java.lang.String');
var myString = javaString.$new('New String Here');
Overload
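If there is more than one method named func, we must select one with overload():
// each replacement calls the original overload through this.func
activity.func.overload("int", "int").implementation = function (x, y) { return this.func(x, y); };
activity.func.overload("java.lang.String").implementation = function (x) { return this.func(x); };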
this. Reference
this.<method>(): calls the original implementation of the method instead of reimplementing it
activity.addTwoInts.implementation = function (var1, var2) {
    console.log("the method is being called");
    return this.addTwoInts(var1, var2);
};
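Added example, not part of the original cheat sheet: building on the Overload and this. sections, this script hooks every overload of a method without listing each signature, logs the arguments and return value, and still calls the original. traceAllOverloads and its javaApi and log parameters are hypothetical names; the class and method names are the cheat sheet's placeholders.

```javascript
// Added example: trace all overloads of one Java method from a Frida script.
// traceAllOverloads, javaApi and log are hypothetical names chosen for this example.
function traceAllOverloads(javaApi, className, methodName, log) {
    var klass = javaApi.use(className);
    // Frida exposes every overload of a method through the .overloads array
    var overloads = klass[methodName].overloads;

    overloads.forEach(function (ov) {
        // Build a readable signature such as "int, int" from the overload's argument types
        var sig = ov.argumentTypes.map(function (t) { return t.className; }).join(', ');

        ov.implementation = function () {
            var args = Array.prototype.slice.call(arguments);
            // Same idea as "return this.addTwoInts(var1, var2)": run the original code
            var ret = this[methodName].apply(this, args);
            log(className + '.' + methodName + '(' + sig + ')' +
                ' args=[' + args.map(String).join(', ') + '] ret=' + ret);
            return ret; // keep the app's behaviour unchanged
        };
    });
    return overloads.length; // number of overloads that were hooked
}

// Runs only inside Frida, where the Java bridge is defined.
if (typeof Java !== 'undefined') {
    Java.perform(function () {
        // Placeholder class and method names from the cheat sheet
        traceAllOverloads(Java, 'com.example.package.activity', 'func', console.log);
    });
}
```

Load it with the same frida -U -f <package_name> -l <fridascript.js> command shown under Run Frida.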
Accessing String attributes
var activity = Java.use("com.example.package.activity");
activity.function.implementation = function () {
    this.variable.value = 10000;
};
.call function with arguments
call() function: lets an object use a method that belongs to another object
const person = {
    fullName: function (city, country) {
        return this.firstName + " " + this.lastName + "," + city + "," + country;
    }
};
const person1 = {
    firstName: "John",
    lastName: "Doe"
};
// This will return "John Doe,Oslo,Norway":
person.fullName.call(person1, "Oslo", "Norway");
Modify a Method - implementation
Java.perform(function () {
    var activity = Java.use('com.example.package.activity');
    activity.function.overload().implementation = function () {
        var i = this.function(); // calling the original function
        return i; // hand the original result back to the caller
    };
});
PoC of decryption function:
After decrypting the string k3FElEG9lnoWbOateGhj5pX6QsXRNJKh///8Jxi8KXW7iDpk2xRxhQ==
we get the flag **{This_Isn’t_Where_I_Parked_My_Car}**