# Frida Tutorial

{% hint style="success" %}
Learn and practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn and practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}

## Installation

Install **frida tools**:
```bash
pip install frida-tools
pip install frida
```
**Download and install** the **frida server** on the Android device ([Download the latest release](https://github.com/frida/frida/releases)).\
Command to restart adb in root mode, connect to it, upload frida-server, give it execute permissions and run it in the background:

{% code overflow="wrap" %}
```bash
adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &"
```
{% endcode %}

**Check** whether it's **working**:
```bash
frida-ps -U #List packages and processes
frida-ps -U | grep -i <part_of_the_package_name> #Get all the package name
```

## Tutorials

### [Tutorial 1](frida-tutorial-1.md)

**From**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\
**APK**: [https://github.com/t0thkr1s/frida-demo/releases](https://github.com/t0thkr1s/frida-demo/releases)\
**Source code**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo)

**Follow the [link to read it](frida-tutorial-1.md).**

### [Tutorial 2](frida-tutorial-2.md)

**From**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (Parts 2, 3 and 4)\
**APKs and source code**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)

**Follow the [link to read it.](frida-tutorial-2.md)**

### [Tutorial 3](owaspuncrackable-1.md)

**From**:
[https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
**APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk)

**Follow the [link to read it](owaspuncrackable-1.md).**

**You can find more awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)

## Quick Examples

### Calling Frida from the command line
```bash
frida-ps -U

#Basic frida hooking
frida -l disableRoot.js -f owasp.mstg.uncrackable1

#Hooking before starting the app
frida -U --no-pause -l disableRoot.js -f owasp.mstg.uncrackable1
#The --no-pause and -f options allow the app to be spawned automatically,
#frozen so that the instrumentation can occur, and then automatically
#continue execution with our modified code.
```

### Basic Python script
```python
import frida, sys

# Read the Frida JavaScript script passed as the first argument
jscode = open(sys.argv[1]).read()
# Attach to the already running app over USB
process = frida.get_usb_device().attach('infosecadventures.fridademo')
script = process.create_script(jscode)
print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()  # keep the script alive until stdin is closed (Ctrl+D)
```

### Hooking functions without parameters

Hook the `a()` function of the `sg.vantagepoint.a.c` class
```javascript
Java.perform(function () {
    var rootcheck1 = Java.use("sg.vantagepoint.a.c");
    rootcheck1.a.overload().implementation = function() {
        send("sg.vantagepoint.a.c.a()Z   Root check 1 HIT!  su.exists()");
        return false; // report "no root" regardless of the real check
    };
});
```

Hook java `exit()`
```javascript
var sysexit = Java.use("java.lang.System");
sysexit.exit.overload("int").implementation = function(var_0) {
    send("java.lang.System.exit(I)V  // We avoid exiting the application  :)");
};
```

Hook MainActivity `.onStart()` & `.onCreate()`
```javascript
var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
mainactivity.onStart.overload().implementation = function() {
    send("MainActivity.onStart() HIT!!!");
    var ret = this.onStart.overload().call(this);
};
mainactivity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
    send("MainActivity.onCreate() HIT!!!");
    var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
};
```

Hook android `.onCreate()`
```javascript
var activity = Java.use("android.app.Activity");
activity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
    send("Activity HIT!!!");
    var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
};
```

### Hooking functions with parameters and retrieving the value

Hooking a decryption function.
Print the input, call the original function to decrypt the input and finally print the plaintext:
```javascript
function getString(data){
    var ret = "";
    for (var i=0; i < data.length; i++){
        ret += data[i].toString();
    }
    return ret
}

var aes_decrypt = Java.use("sg.vantagepoint.a.a");
aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) {
    send("sg.vantagepoint.a.a.a([B[B)[B   doFinal(enc)  // AES/ECB/PKCS7Padding");
    send("Key       : " + getString(var_0));
    send("Encrypted : " + getString(var_1));
    var ret = this.a.overload("[B","[B").call(this,var_0,var_1);
    send("Decrypted : " + ret);

    var flag = "";
    for (var i=0; i < ret.length; i++){
        flag += String.fromCharCode(ret[i]);
    }
    send("Decrypted flag: " + flag);
    return ret; //[B
};
```

### Hooking functions and calling them with our input

Hook a function that receives a string and call it with another string (from [here](https://11x256.github.io/Frida-hooking-android-part-2/))
```javascript
var string_class = Java.use("java.lang.String"); // get a JS wrapper for java's String class
var my_class = Java.use("com.example.a11x256.frida_test.my_activity"); // class that declares fun(String)

my_class.fun.overload("java.lang.String").implementation = function(x){ //hooking the new function
    var my_string = string_class.$new("My TeSt String#####"); //creating a new String by using `new` operator
    console.log("Original arg: " +x );
    var ret = this.fun(my_string); // calling the original function with the new String, and putting its return value in ret variable
    console.log("Return value: "+ret);
    return ret;
};
```

### Getting an already created object of a class

If you want to extract some attribute of a created object, you can use this.
In this example, you'll see how to get the object of the class my\_activity and how to call the function .secret() that will print a private attribute of the object:
```javascript
Java.choose("com.example.a11x256.frida_test.my_activity" , {
    onMatch : function(instance){ //This function will be called for every instance found by frida
        console.log("Found instance: "+instance);
        console.log("Result of secret func: " + instance.secret());
    },
    onComplete:function(){}
});
```

## Other Frida tutorials

* [https://github.com/DERE-ad2001/Frida-Labs](https://github.com/DERE-ad2001/Frida-Labs)
* [Part 1 of the blog series on advanced Frida usage: iOS encryption libraries](https://8ksec.io/advanced-frida-usage-part-1-ios-encryption-libraries-8ksec-blogs/)
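As an added example (not code from the original page or from any of the linked tutorials), the script below combines two of the Quick Examples above: it hooks a method that takes `byte[]` arguments (the `sg.vantagepoint.a.a.a([B,[B)` AES helper of UnCrackable Level 1, already named on this page) and then locates the live `MainActivity` instance with `Java.choose()`. The helper names `bytesToHex`, `bytesToAscii` and `installHooks`, and the file name in the usage comment, are this example's own. The hooks only install when Frida's Java bridge (`Java`) is present, so the byte-conversion helpers can also be checked in plain Node.

```javascript
// Added example (not from the original page): dump byte[] arguments of the
// UnCrackable Level 1 AES helper and enumerate the live MainActivity.
// Usage (file name is this example's own):
//   frida -U --no-pause -l hook_and_choose.js -f owasp.mstg.uncrackable1

// Java byte[] values arrive as signed numbers (-128..127). Masking with 0xff
// turns them into 0..255 so each byte prints as exactly two hex digits; the
// page's getString() concatenates decimal values with no separator, which is
// ambiguous (is "112" one byte or two?).
function bytesToHex(bytes) {
  var out = "";
  for (var i = 0; i < bytes.length; i++) {
    var b = bytes[i] & 0xff;
    out += (b < 16 ? "0" : "") + b.toString(16);
  }
  return out;
}

// Render a byte[] as printable ASCII, replacing anything else with '.'
// so binary output (e.g. a failed decryption) does not corrupt the log.
function bytesToAscii(bytes) {
  var out = "";
  for (var i = 0; i < bytes.length; i++) {
    var b = bytes[i] & 0xff;
    out += (b >= 0x20 && b < 0x7f) ? String.fromCharCode(b) : ".";
  }
  return out;
}

// Install the hooks; only called when running inside Frida's Java bridge.
function installHooks() {
  Java.perform(function () {
    var aes = Java.use("sg.vantagepoint.a.a");
    aes.a.overload("[B", "[B").implementation = function (key, enc) {
      send("key   (hex)  : " + bytesToHex(key));
      send("input (hex)  : " + bytesToHex(enc));
      // Call the original so the app keeps behaving normally, then log the result.
      var ret = this.a.overload("[B", "[B").call(this, key, enc);
      send("output (hex) : " + bytesToHex(ret));
      send("output (text): " + bytesToAscii(ret));
      return ret; // hand the unmodified byte[] back to the app
    };

    // Walk the heap for already-created instances of the activity.
    Java.choose("sg.vantagepoint.uncrackable1.MainActivity", {
      onMatch: function (instance) {
        send("MainActivity instance: " + instance);
      },
      onComplete: function () {
        send("Java.choose finished");
      }
    });
  });
}

// `Java` exists only inside Frida; in plain Node the helpers are still usable.
if (typeof Java !== "undefined") {
  installHooks();
}
```

Keeping the hook transparent (original called, original return value handed back) means the instrumentation only observes; a rehearsal in plain Node of the helpers with hand-made signed byte arrays is a cheap way to catch the signed-byte mistake before attaching to a device.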