Best Telegram Programming Groups For Coders &Developers   It Wasn’t Me - Secure Your Account   Mr.Robot All Seasons 1,2,3 Full | Free Torrent Download   Mr.Robot All Seasons 1,2,3,4 Full | Watch Online [FREE]   5 Tips Will Keep You Safe During Christmas Holiday’s Online Shopping   You Can Get All Adobe Apps For $30 a Month Right Now   How To Wipe An iPhone Clean (ERASE) Before Selling?   Programming Languages To Learn To Be An Expert Hacker!   Cybercriminals exchange tips on underground forums about avoiding arrests   A comprehensive look into emerging Signal encrypted messaging application   A Detailed Comparison of WhatsApp, Telegram & Signal   How Telegram End-to-end Encryption Works To Provide Security ?   Flubot Malware is Spreading Quickly Through Android Devices   WhatsApp End-to-End Encryption and its Privacy Importance - Alternatives,Signal & Telegram   What is Credit Card Skimming And How To Protect Yourself From it ?   Where to hire react programmer and 3 essential skills to look for   Top 8 Basic Google Search Dorks [Live Examples]   [Penetration Testing] Top 70 Most Interview Questions   Why VPN Is Necessary ? [Detailed Guide]   Top 10 Dangerous Viruses Of All Times   List Of Common HTTP Error Status Codes   “Hello World!” Program In Different Programming Languages   100 Basic Computer Related G.K. Questions   Email Security - Tips And Tricks   Fonts Hub Collection (Free Design Resources)   Top 8 Softwares Free Download - No Credit Card Needed [2022 Update]   Shortcomings That Leads An Entrepreneur Towards Failure   5 Basic Steps To Protect Your Personal Data Online   What is Intel SGX and What are the Benefits ?   15 Things You Need to Know About Maintaining The Logs   How to think like a programmer - lessons in problem solving   How To Get Voice Like Anonymous Voice   Life Story of Microsoft Founder Bill Gates - Documentary   Own Private Search Engine in Linux Will Save Our Privacy   Best Etcher alternatives to Create Bootable USB   Music For Programming - Coding Music / Hacking Music   School Management Software v3.1 Premium + Crack   JavaFX Chat Client/Server + Source Code   Top 25 Keyword Research Tools [Search Engine Optimization]   A Quick SEO Checklist - 2023 Update   Online Domain Authority (DA) Rank Checker Websites   33 Things In SEO For Which Google Will Give Your Student Blog High Positions   How to Close the Site from indexing using robots.txt   10 SEO Tools all Small Businesses Need in 2023   Earth Rise Application + Code   Animation along a path + Code   Zen Pong Game in Java Language + Code   Simple Flying Bird Game + Code Files   Game Snake Simple + Code Files   The Space 'Sun & Earth' | HTML,CSS,JavaScript   File System in Web (Explorer in Windows and Finder in OSX)   Admin Dashboard Template built using Bootstrap + Code   Website Template For Admin Dashboard + Code   Youtube Playlist Downloader Script   How To Create A Stopwatch In Python   Python TicTacToe with Tk and minimax AI   Deskreen turns any device with a web browser into a secondary screen for your computer   Download Algorithms Book | Dummies Store   OSI Model And TCP/IP Model   How to Fix SSH Failed Permission Denied (publickey,gssapi-keyex,gssapi-with-mic)   What Is Load Balancing? Definition and How It Works   How to Setup FTP Server on Your Raspberry Pi   Download Windows 10 Lite Edition x64 | Direct Link   How To Recover Permanently Deleted Files In Windows 10 ?   How to make Fake Error Message Script in Windows   20 Essential Windows keyboard Shortcuts that will make you forget your mouse   How To Fix The DLL Missing Error In Windows 7 ?   Create Hotspot on Windows 10 in 6 steps   Download Microsoft Office Professional Plus 2016   Download DriverPack Solution Offline | Full   How To Create Simple And Password Protected ZIP File in Linux   2 Ways To Save Terminal Output of a Command in Linux   6 Best Tools to Monitor Disk IO Performance in Linux   Top 15 Best Websites (Blogs) to Learn Linux Online   How to Delete files older than 30 Days in Linux   What is the difference between apt and apt-get command   Fail2Ban Installation & Setup: Ubuntu, CentOS, Fedora & Debian   How to List Running Processes in Linux   How to Use the who Command in Linux with Examples   FOREMOST - Recover Permanently Deleted Files Easily in Kali Linux   Funny Linux Commands to Try   Command line interface guidelines, to help you write better command-line programs ...   How to Install Google Chrome Web Browser on Ubuntu 20.04   Learn Adobe Photoshop | 33 Episode Course   Window Privilege Escalation: Automated Script   Linux Privilege Escalation: Automated Script   How To Retrieve & Decrypt Stored Passwords in Firefox & Chrome Remotely   ACLight: An Advanced Privileged Account Discovery Tool   How to change Lock Screen Background on Kali Linux XFCE   Best 20 Kali Linux Tools For Hacking And Penetration Testing   How to Run Windows Application and Games on Kali Linux   How to run C and C++ programs in Kali Linux   Control Kali Linux PC From any Mobile or Tablet   How to Enable root User Account in Kali Linux   How to Configure Static IP address in Kali Linux   Bash vs ZSH in Kali Linux   [Solved] E: Unable to locate package in Kali Linux   Hosting a Local Website with Domain Name on Kali Linux over WiFi   Install Docker in Kali Linux and Run Other OS   How to Install Kali Linux | A Total Guide to Install Kali Linux   NetHunter Rootless - Official Kali NetHunter for non rooted phones   How to set up own VPN server in 10 minutes on Kali Linux using OpenVPN   Configuring The ProxyChains   Install Python3 in Kali Linux   TempoMail - Command Line Temporary Email in Linux   NIPE - Fully Anonymize Total Kali Linux System   How to Install Google Chrome & Chromium on Kali Linux [Official Method]   15 Best Laptops For Kali Linux & Cyber Security - Check This Before Buy   Volatolity - Digial Forensic Testing of RAM on Kali Linux   Limit the Internet Speed of LAN Users [Evil Limiter]   Find Virtual Machine IP Through Kali Linux - 3 Methods   Privilege Escalation with PowerShell Empire and SETOOLKIT [Kali Linux]   How to use kill, pkill and killall Commands to Kill any Linux Process   20 Useful Tar Commands For Extraction and Compression   Create a Fake AP with DNSMASQ and HOSTAPD [Kali Linux]   How to Fully Anonymize Your Linux System with Tor using Nipe   Hack Windows/Linux using ARCANUS Framework – 100% FUD   Simple and Target Mac Flooding - Kali Linux   Get Free Kali Linux on AWS with Public IP - Real Time Penetration Testing   What’s the difference Between Tails and Tor browser?   Does Tor Hide you From Your ISP? Should I surf internet using Tor ?   Wireshark for Pentester: Decrypting RDP Traffic   Exploit Wi-Fi Vulnerabilities with Routersploit on Termux and Linux   Man in The Middle Attack & How To Prevent it   Masscan - 1000 Times Faster Than NMAP   Wireshark - Shark in Wires | Network Protocol Analyzer in Kali Linux   Wifite - Easy Automated Wireless Attack   WiFi-Pumpkin 3 - Dangerous Access Point   Evil Twin Attack with DNSMASQ - Wireless WPA2-PSK Cracking   Sniffing with Rogue Access Point [DNSMASQ and TCPFLOW]   Hack Wi-Fi Settings of Windows Machine Remotely [After Meterpreter]   Wi-Fi deauthentication attack against 802.11 protocol   Bypass Hidden SSID in a Wireless Network [Full Proof Method]   Crack WPA/WPA2-PSK using Aircrack-ng and Hashcat   Crack WPA2-PSK Wi-Fi with automated python script - FLUXION PART 1   Set Default Version of Python : [SOLVED] update-alternatives: error: no alternatives for p   Python Scripting: Information Gathering and Automating Ethical Hacking   15 Essential Meterpreter Commands Everyone Should Know   Find Vulnerable Webcams with Shodan [Metasploit Framework]   TCP & SYN Scanning with Metasploit Framework without NMAP   Meterpreter Useful Top 60 Commands List   The Web Application Hacker's Handbook 2   Hacking GPS Book   MadCam - Termux Hack Front camera by Sending link   How to Download Files In Termux   IPdrone Termux - Find Location of Person it IP in Termux   ReconDog Termux - Best Reconnaissance Tool For Termux   Termux SSH: Use Termux in Windows Using SSH Server   How to Install and Use Fsociety-Tool In Termux   Termux-YTD : Download Youtube Videos with Termux   Use CMatrix Package Like a Pro   L3MON - Access Android Devices Remotely   Hack Android using Metasploit over LAN/WAN   Ghost Framework - Control Android Devices Remotely   Top 10 Vulnerable Android Applications [Penetration Testing]   Find Hidden Subdomains on Any Website with Subfinder   Blind Sql Injection with Regular Expressions Attack   Useful Google Dorks For Bug Bounty Hunters   HTML5 Security CheatSheet - What your browser does when you look away...   30,000 Sites Is In RISK, The Plus Addons For Elementor WordPress Plugin Hacked   WPScan - Find Vulnerabilities in WordPress Websites on Kali Linux   Wapiti - Automated Vulnerability Scanner   Generate 100% FUD Backdoor with TheFatRat - Windows 10 Exploitation   TheFatRat hacking tool to create undetectable backdoors   How to Make a Keylogger in Python + Code   How to create a keylogger in PowerShell ?   Backdoor Program using Python (Remote Access Explain)   Man in the Middle Attack with Websploit Framework   Hack Windows 10 Remotely over WAN with Metasploit [No Port Forwarding]   15 Powerful Gadgets For Ethical Hackers | Hardware Tools for Hackers   Find Vulnerabilities using NMAP Scripts (NSE)   Free Vulnerability Database And Resources   Firefox Browser Vulnerable to (MITM) Man-in-the-Middle Attack   Find Vulnerabilities in Military Networks By Participating Hack The Army Bug Bounty Progr. 

x32x01

ADMINISTRATOR
Introduction
Frida is a dynamic instrumentation toolkit that is used by researchers to perform android hooking (intercepting IPC and modifying it to make a function perform the desired function). Frida uses javascript to perform hooking since Android’s native code and javascript both run on JIT compilation techniques, it can intercept its inter-process communication, add the code specified in a script and completely change the function’s implementation. Some of its use cases in real life are:
  • Spy on Crypto APIs
  • Modify function’s output
  • Bypass AES encryption
  • Bypass SSLPinning and Root detection
  • Trace private application code
  • Bypass various software sided locks (like applock)
In this article, we’ll explain the basics of Frida, how to create your own Frida script, hook it into processes and perform various functions. Needless to say, there is no end to what a program can do, therefore, there is no limit on frida’s applications, hence, this article is only restricted to basics. If you want an advanced look into Frida and reverse engineering, I’ll tag the resources at the bottom of the article.

Table of Content
  • Root detection bypass
  • Hooking different kinds of methods used in Java
    • Native methods – onCreate, onStart etc.
    • exit()
    • user defined methods
    • variable
  • SSLPinning bypass
  • Implementing hooking in python
  • Playing a game!
Let’s go then.

Root Detection Bypass
Application developers sometimes hard code a detection logic per which an application successfully detects the presence of various SU binaries and stops execution of the application. One such example is demonstrated below. As you can see the app gives a popup of restriction and exits as soon user hits ok.

0.png

Now, we’ll try and remove this restriction using Frida. First, it is recommended you install a Frida server in the device
we’ll launch the server onto the device.
Code:
adb connect 192.168.27.105
adb shell "/tmp/frida-server &"

1.png

Now, we’ll first install frida with the command:
Code:
pip install frida
pip install frida-tools

After a successful install, we can see all the running process in the device on which frida server is running by the command:
Code:
frida-ps -U

2.png

As you can see that our app is running here. We have to bypass root detection here. We can either try and reverse engineer the jar files, create our own javascript code and bypass root detection or we can rely on code already created by a large community of developers on codeshare frida repo.
Weblink to the site is:
2_0.png

Here, we can see an antiroot script by dzonerzy. We’ll run it with the following command:
Code:
frida -U --codeshare dzonerzy/fridantiroot -f in.<package company>.<package name>

Now, press y to trust the project.

3.png

Now, all that’s left to do is press “%resume” to resume the execution with our hooked code!

4.png

And just like that, we can see that root detection has been successfully bypassed!

5.png

Hooking different methods in java
Now, a class might have multiple methods and each of these methods have a specific purpose. For example, the onCreate() method defines the implementation of activity as soon as the activity is created (or launched). So, what is, we can hook this function and change the behaviour of the activity when it is created. For the demonstration purpose, I’ll just print some custom text in my console as soon as the activity is called but the possibilities are limitless. Typically you won’t have access to the source code, hence, what we’ll do is extract the apk first and then decompile it to view source code. To pull the apk we’ll first know it’s the path and then pull it.
Code:
adb shell pm path jakhar.aseem.diva
adb pull /data/app/jakhar.aseem.diva-dxAm4hRxYY4VgIq2X5zU6w==/base.apk

6.png

Now, as explained in part 1 of this series. we’ll decompile it using apktool and then use dex2jar to convert it in jar format, and finally use jd-gui to view the decompiled source code like below. Here is the MainActivity class decompiled.

7.png

Here we see the following things:
  • We can see that onCreate has a Bundle parameter
  • It’s creating a view of the main page
Now, below is an example of how to hook onCreate() method.
Code:
console.log("Script loaded!");
Java.perform(function(){
                var mainapp = Java.use("jakhar.aseem.diva.MainActivity");
                mainapp.onCreate.implementation = function(){
                                console.log("My script called!");
                                var ret = this.onCreate.overload("android.os.Bundle").call(this);
                };

                send("Hooks installed");
});

Explanation:
  1. Any implementation of the hook is put inside perform(function(){ //<code>
  2. The activity we want to hook (main activity) is put inside use(“jakhar.aseem.diva.MainActivity”), and assign a variable to it. Here, mainapp
  3. Now, onCreate.implementation sets a definition of the function.
  4. Here, we can insert any code we cant to run in the onCreate method. I just inserted log function to output “My script called!” every time onCreate is called.
  5. New variable ret calls this newly formed implementation function. overload method is used to add this code to the existing piece of code. Here, “os.Bundle” is input as a parameter since in the original function a bundle object is used.
  6. Finally, the call method is used to call the current method using “this” pointer.
  7. send() function outputs the text in double-quotes on the current frida command line.
8.png

To launch this script we type in the following command:
Code:
frida -U -l mainactivityhook.js -f jakhar.aseem.diva

As you can see now, the hook is successfully installed, activity launches and our custom output is now displayed and the hook is successfully installed

9.png

Hooking a defined method: Unlike the onCreate method that is present in the native libraries, some methods are custom created. For example, if you inspect the code of diva, you’ll see a function startChallenge() that is launching challenges in the application. I’m not putting the code in here but you can refer to the decompiled code in the above step. Now, we’ll observe that startChallenge is launching activities present in the project. And since it is launching an activity, it has an “android.view.VIEW” argument passed in its code. Now in the code below, every time a user hits a button to start any challenge, we’ll just force him to call our hook and our defined output would be displayed (that is MainActivity.startChallenge() is now started). Needless to say, we can change this by any implementation we want.
Code:
console.log("Hooked startChallenge() function");
Java.perform(function(){
var newstart = Java.use("jakhar.aseem.diva.MainActivity");
                newstart.startChallenge.overload("android.view.View").implementation = function(v){
                                //enter any implementation of startChallenge you want
                                //for demo I'm just sending an alert on frida console
                                send("MainActivity.startChallenge() is now started");
                                var ret = this.startChallenge.overload("android.view.View").call(this);
                };
});

11.png

To call this script, without having to input %resume this time, we can type in the command with –no-pause filter:
Code:
frida -U -l main_startchallenge.js -f jakhar.aseem.diva

And sure enough, every time a button is pressed, our custom input is displayed.

12.png

Hooking exit() method: We can also tamper the exit method in android just like we tampered onCreate method. Here, I’m using a demonstration application that I custom coded (link here). It has a button that is performing an exit function. You can see a sample screenshot below:

13.png

Now, here we see the exit button. As the name states, on pressing it, application exits.

14.png

We create a hook down below that will stop the exit. Here, “java.lang.System” is the package that has exit function and so we’ll overload it using “sysexit.exit.overload().implementation.” Now, whenever a user clicks on exit, our send method will be called and exit will be stopped.
Code:
console.log("Hooking on exit function");
Java.perform(function(){
var sysexit = Java.use("java.lang.System");
           sysexit.exit.overload("int").implementation = function(var_0) {
                        send("I've stopped java.lang.System.exit() now!");
            };
});

15.png

Let’s fire this script up and sure enough, we can see that the process is not terminated when the exit button is clicked. If it had been terminated frida must have thrown a process terminated error and closed the console.
Code:
frida -U -l avoidexit.js -f com.example.harshitrajpal --no-pause

16.png

Hooking return value: We have hooked methods till now, but a return variable can also be hooked and its output be tampered with. In article 3 of this series, I had already demonstrated this using Objection tool but today we’ll do this using Frida and our manual code. In the application that I custom coded which is mentioned above, there is a simple program to display output of 10 and 50. We’ll hook this return value and output 100. The code to do this is pretty straightforward:
Code:
console.log(“Hook for implementation of method”);
Java.perform(function myFunc() {
            var myClass = Java.use(“com.example.harshitrajpal.MainActivity”);
            myClass.returnValue.implementation = function(){
                        //we will manipulate the return value here
                        var ret = 100;
                        return ret;
            }
});

17.png

Let’s first run the program without loading our hook. We can see that the program outputs 60 which is the correct answer.

18.png

Now, we’ll fire up our script and see what changes happen in the application now.
Code:
frida -U -l retValueHook.js -f com.example.harshitrajpal --no-pause

19.png

And sure enough, the output gets tampered and 100 is returned now!

20.png

SSLPinning Bypass
Frida is most commonly used to bypass SSLPinning in android so that researchers and pen testers can intercept its network calls and conduct a traffic analysis. For the demo of this attack, I downloaded an application named “Certificate Pinning Demo”. For the demonstration of this attack, you must have your burp suite configured with your device. Now, when I pin the client and send an HTTPS request, it throws an SSL error.

21.png

And sure enough, no communication is intercepted in burp suite as well.

22.png

Now, on the codeshare repository here, akabe1 has put a great script to perform SSLPinning bypass. We’ll use this script to perform the attack. Note that applications might have different code of pinning, so these codes need to be modified as and when required.
Code:
frida -U --codeshare akabe1/frida-multiple-unpinning -f com.osfg.certificatepinning

Type %resume once the script gets loaded.

23.png

And finally, when we now send a request to sslabs.com in pinned mode, we are able to get an HTTP 200 response code!

24.png

Surely, we are now able to intercept communication in burp suite as well.

25.png

Hooking in Python
Python coders can customize a whole fridascript to run in python environment using the python’s frida package and API. This would make performing multiple processes in hooks easier. Here, I’ll create a hook on startChallenge function as above.
Code:
jscode = """
console.log("Hooked startChallenge() function");
Java.perform(function(){
var newstart = Java.use("jakhar.aseem.diva.MainActivity");
            newstart.startChallenge.overload("android.view.View").implementation = function(v){
                        //enter any implementation of startChallenge you want
                        //for demo I'm just sending an alert on console
                        send("MainActivity.startChallenge() is now started");
                        console.log("You clicked...but in vain!");
                        var ret = this.startChallenge.overload("android.view.View").call(this);
            };
});
"""
import frida,sys
process = frida.get_usb_device().attach("jakhar.aseem.diva")
script = process.create_script(jscode)
print("*** Running Hook on startChallenge() now!")
script.load()
sys.stdin.read()

Now, every time user clicks on any button to start the challenge, the execution stops and our custom output is printed instead.

26.png

We, run this script using the command below:
Code:
python3 startChallenge.py

27.png

Let’s Play a Game!
All the examples demonstrated till now are very basic. There are advanced hooking techniques to perform various different functions whose references I’ll mention at the end. One such challenge I found was on 11×256’s blog. In example #1, we have to intercept the APK, see what’s happening behind the white screen, change its implementation and modify its behaviour. finally, we’ll check logcat to see if our hook worked and the sum of our custom defined integers is thrown or not.

Follow the link here and download the sample apk.

28.png

First, after running the application in the emulator we saw just a plain white screen. That means something must probably be happening in the background.

28_0.png

We’ll use drozer to see activities here:
Code:
run app.activity.info -a com.example.a11x256.frida_test

As you can see, my_activity is present. This means this is the activity responsible for the full white front screen.

29.png

Now, we’ll use objection to watch what this class is actually doing.
Code:
objection --gadget com.example.a11x256.frida_test explore
android hooking watch class com.example.a11x256.frida_test --dump-args --dump-return --dump-backtrace

Here, observe that fun() is being called. This has two int parameters, so, presumably, these two integers are getting performed a mathematical operation on.

Now, we write a code in javascript:

30.png

Code:
console.log("Script loaded successfully ");
Java.perform(function x() { //Silently fails without the sleep from the python code
    console.log("Inside java perform function");
    //get a wrapper for our class
    var my_class = Java.use("com.example.a11x256.frida_test.my_activity");
    //replace the original implmenetation of the function `fun` with our custom function
    my_class.fun.implementation = function (x, y) {
        //print the original arguments
        console.log("original call: fun(" + x + ", " + y + ")");
        //call the original implementation of `fun` with args (2,5)
        var ret_value = this.fun(2, 5);
        return ret_value;
    }
});

This code does nothing but defines fun() function and specifies 2 and 5 as our own integers on which some mathematical function will be performed. but before that, the script also intercepts and displays the original call and obviously the original integers!

31.png

Let’s fire it up using frida:
Code:
frida -U -l 11x256.js -f com.example.a11x256.frida_test

As we can see, the original call had two integers namely, 50 and 30.

32.png

Let’s quickly check logcat and see what is happening in the background.
Code:
adb logcat | grep frida_test

As we can see in the screenshot down below, a mathematical Sum of type Double is being repeatedly called. This is similar to the behaviour of the app we just installed that was calling a method called fun after every second. Hence, it is safe to conclude that fun() is adding two integers. Original numbers to be added were 50 and 30, which we not only intercepted and dumped but also changed to 2 and 5 and the sum of 2 and 5 is now being called as evident in logcat.

33.png

References
Hooking is a pentester’s best buddy and reverse engineer’s most handy tool. It has numerous applications and to write custom scripts to perform various functions like sniffing crypto APIs, decrypting AES etc, a tester needs to have complete knowledge of javascript, reverse engineering APKs and java. To get good at frida and hooking (dynamic instrumentation), I’ll mention the following references:
  • 11×256’s blog here
  • Frida docs here
  • Apps to perform frida demo here along with DIVA and our custom APK here
  • Josh Spicer’s blog here
 
Top