Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 14:40:37 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/mobile-pentesting/android-app-pentesting/frida-tutorial
History
Translator 19cc2b7897 Translated ['macos-hardening/macos-security-and-privilege-escalation/mac
2024-07-19 11:40:15 +00:00
..
frida-tutorial-1.md Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:15 +00:00
frida-tutorial-2.md Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo 2024-07-18 22:16:31 +00:00
objection-tutorial.md Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:15 +00:00
owaspuncrackable-1.md Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 11:40:15 +00:00
README.md Translated ['macos-hardening/macos-security-and-privilege-escalation/mac 2024-07-19 05:23:49 +00:00

README.md

Frida Tutorial

{% hint style="success" %} Leer & oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Ondersteun HackTricks
{% endhint %}

Bug bounty wenk: meld aan vir Intigriti, 'n premium bug bounty platform geskep deur hackers, vir hackers! Sluit by ons aan by https://go.intigriti.com/hacktricks vandag, en begin verdien bounties tot $100,000!

{% embed url="https://go.intigriti.com/hacktricks" %}

Installasie

Installeer frida tools:

pip install frida-tools
pip install frida

Laai af en installeer in die android die frida server (Laai die nuutste weergawe af).
Een-liner om adb in wortelmodus te herbegin, daaraan te koppel, frida-server op te laai, uitvoeringsregte te gee en dit in die agtergrond te laat loop:

{% code overflow="wrap" %}

adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &"

{% endcode %}

Kontroleer of dit werk:

frida-ps -U #List packages and processes
frida-ps -U | grep -i <part_of_the_package_name> #Get all the package name

Tutorials

Tutorial 1

From: https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1
APK: https://github.com/t0thkr1s/frida-demo/releases
Source Code: https://github.com/t0thkr1s/frida-demo

Volg die skakel om dit te lees.

Tutorial 2

From: https://11x256.github.io/Frida-hooking-android-part-2/ (Dele 2, 3 & 4)
APKs en Bron kode: https://github.com/11x256/frida-android-examples

Volg die skakel om dit te lees.

Tutorial 3

From: https://joshspicer.com/android-frida-1
APK: https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk

Volg die skakel om dit te lees.

Jy kan meer wonderlike Frida-skripte hier vind: https://codeshare.frida.re/

Quick Examples

Calling Frida from command line

frida-ps -U

#Basic frida hooking
frida -l disableRoot.js -f owasp.mstg.uncrackable1

#Hooking before starting the app
frida -U --no-pause -l disableRoot.js -f owasp.mstg.uncrackable1
#The --no-pause and -f options allow the app to be spawned automatically,
#frozen so that the instrumentation can occur, and the automatically
#continue execution with our modified code.

Basiese Python Skrip

import frida, sys

jscode = open(sys.argv[0]).read()
process = frida.get_usb_device().attach('infosecadventures.fridademo')
script = process.create_script(jscode)
print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()

Funksies sonder parameters aanhaak

Haal die funksie a() van die klas sg.vantagepoint.a.c aan

Java.perform(function () {
;  rootcheck1.a.overload().implementation = function() {
rootcheck1.a.overload().implementation = function() {
send("sg.vantagepoint.a.c.a()Z   Root check 1 HIT!  su.exists()");
return false;
};
});

Haal java exit() aan

var sysexit = Java.use("java.lang.System");
sysexit.exit.overload("int").implementation = function(var_0) {
send("java.lang.System.exit(I)V  // We avoid exiting the application  :)");
};

Hook MainActivity .onStart() & .onCreate()

var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
mainactivity.onStart.overload().implementation = function() {
send("MainActivity.onStart() HIT!!!");
var ret = this.onStart.overload().call(this);
};
mainactivity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
send("MainActivity.onCreate() HIT!!!");
var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
};

Hook android .onCreate()

var activity = Java.use("android.app.Activity");
activity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
send("Activity HIT!!!");
var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
};

Funksies met parameters haak en die waarde terugkry

Haal 'n ontsleuteling funksie aan. Druk die invoer, roep die oorspronklike funksie aan om die invoer te ontsleutel en druk uiteindelik die gewone data:

function getString(data){
var ret = "";
for (var i=0; i < data.length; i++){
ret += data[i].toString();
}
return ret
}
var aes_decrypt = Java.use("sg.vantagepoint.a.a");
aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) {
send("sg.vantagepoint.a.a.a([B[B)[B   doFinal(enc)  // AES/ECB/PKCS7Padding");
send("Key       : " + getString(var_0));
send("Encrypted : " + getString(var_1));
var ret = this.a.overload("[B","[B").call(this,var_0,var_1);
send("Decrypted : " + ret);

var flag = "";
for (var i=0; i < ret.length; i++){
flag += String.fromCharCode(ret[i]);
}
send("Decrypted flag: " + flag);
return ret; //[B
};

Funksies haak en roep hulle aan met ons invoer

Haak 'n funksie wat 'n string ontvang en roep dit aan met 'n ander string (van hier)

var string_class = Java.use("java.lang.String"); // get a JS wrapper for java's String class

my_class.fun.overload("java.lang.String").implementation = function(x){ //hooking the new function
var my_string = string_class.$new("My TeSt String#####"); //creating a new String by using `new` operator
console.log("Original arg: " +x );
var ret =  this.fun(my_string); // calling the original function with the new String, and putting its return value in ret variable
console.log("Return value: "+ret);
return ret;
};

Verkryging van 'n reeds geskepte objek van 'n klas

As jy 'n attribuut van 'n geskepte objek wil onttrek, kan jy dit gebruik.

In hierdie voorbeeld gaan jy sien hoe om die objek van die klas my_activity te verkry en hoe om die funksie .secret() aan te roep wat 'n private attribuut van die objek sal druk:

Java.choose("com.example.a11x256.frida_test.my_activity" , {
onMatch : function(instance){ //This function will be called for every instance found by frida
console.log("Found instance: "+instance);
console.log("Result of secret func: " + instance.secret());
},
onComplete:function(){}
});

Ander Frida tutoriaal

Bug bounty wenk: meld aan vir Intigriti, 'n premium bug bounty platform geskep deur hackers, vir hackers! Sluit vandag by ons aan by https://go.intigriti.com/hacktricks en begin om bounties tot $100,000 te verdien!

{% embed url="https://go.intigriti.com/hacktricks" %}

{% hint style="success" %} Leer & oefen AWS Hacking:HackTricks Opleiding AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Opleiding GCP Red Team Expert (GRTE)

Ondersteun HackTricks
{% endhint %}