Frida & Objection cheatsheet
Frida over SSH
Set up Frida over SSH
ssh -L 27042:127.0.0.1:27042 [email protected] -i C:\temp\op6
Use -R flag on commands
frida-ps -R
Frida with a mobile device plugged in via USB
- List all currently installed apps
frida-ps -Uai
- Get objection shell
objection -g com.spotify.music explore
- Objection application environment (inside objection shell)
env
- List internal data directory
ls
- Objection disable non-custom SSL pinning (inside objection shell)
android sslpinning disable
- Patch apk for unrooted devices using objection
Trace Native Calls
- Trace a specific function
- Trace all android JNI functions
- Trace function by address
- Use JNI trace to identify usage of Android's JNI API by native libraries
Frida Scripts
- Run Frida script on application package
- Run script on PID
- Enumerate modules
- Hook method and override it
setImmediate(function() { // prevent timeout
    console.log("[*] Starting script");
    Java.perform(function() {
        var mainActivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
        // Replace MainActivity.a with a stub that only logs the call
        mainActivity.a.implementation = function(v) {
            console.log("[*] MainActivity.a called");
        };
        console.log("[*] MainActivity.a modified");
    });
});
- Hook method and override it, then hook a second method and log its decrypted return value
setImmediate(function() { // prevent timeout
    console.log("[*] Starting script");
    Java.perform(function() {
        var mainActivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
        // Replace MainActivity.a with a stub that only logs the call
        mainActivity.a.implementation = function(v) {
            console.log("[*] MainActivity.a called");
        };
        console.log("[*] MainActivity.a modified");

        var aaClass = Java.use("sg.vantagepoint.a.a");
        aaClass.a.implementation = function(arg1, arg2) {
            // Call the original method, then print the byte[] it returns as text
            var retval = this.a(arg1, arg2);
            var password = '';
            for (var i = 0; i < retval.length; i++) {
                password += String.fromCharCode(retval[i]);
            }
            console.log("[*] Decrypted: " + password);
            return retval; // hand the unmodified result back to the caller
        };
        console.log("[*] sg.vantagepoint.a.a.a modified");
    });
});
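The second hook above builds its output with String.fromCharCode(retval[i]); Java bytes are signed, so any non-ASCII byte in the returned array prints as garbage. The helper below is an added example, not part of the original cheatsheet: it masks the bytes to unsigned, decodes them as UTF-8 (an assumption about the plaintext encoding) and falls back to a hex dump. All function names are hypothetical.

```javascript
// Added example: turn a Java byte[] (signed, -128..127) returned by a hooked
// method into printable text. Plain JavaScript, no Frida- or Node-only APIs.
function toUnsigned(bytes) {
  var out = [];
  for (var i = 0; i < bytes.length; i++) out.push(bytes[i] & 0xff); // -61 -> 0xc3
  return out;
}

function toHex(u8) {
  return u8.map(function (b) { return (b < 16 ? "0" : "") + b.toString(16); }).join("");
}

// Strict UTF-8 decoder: returns null on malformed or truncated input.
function decodeUtf8(u8) {
  var s = "";
  for (var i = 0; i < u8.length; ) {
    var b = u8[i], need, cp, min;
    if (b < 0x80) { need = 0; cp = b; min = 0; }
    else if (b >= 0xc2 && b <= 0xdf) { need = 1; cp = b & 0x1f; min = 0x80; }
    else if ((b & 0xf0) === 0xe0) { need = 2; cp = b & 0x0f; min = 0x800; }
    else if (b >= 0xf0 && b <= 0xf4) { need = 3; cp = b & 0x07; min = 0x10000; }
    else return null; // stray continuation byte or invalid lead byte
    if (i + need >= u8.length) return null; // sequence runs past the end
    for (var k = 1; k <= need; k++) {
      var c = u8[i + k];
      if ((c & 0xc0) !== 0x80) return null; // not a continuation byte
      cp = (cp << 6) | (c & 0x3f);
    }
    // Reject overlong forms, surrogates and values above U+10FFFF
    if (cp < min || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return null;
    s += String.fromCodePoint(cp);
    i += need + 1;
  }
  return s;
}

// Text when the bytes are valid UTF-8, otherwise "hex:<bytes>" so nothing is lost.
function javaBytesToString(bytes) {
  var u8 = toUnsigned(bytes);
  var text = decodeUtf8(u8);
  return text !== null ? text : "hex:" + toHex(u8);
}
```

Inside the hook, `console.log("[*] Decrypted: " + javaBytesToString(retval))` would take the place of the character loop.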
Explore binaries
- Explore binary information with objection
- Explore modules in memory with objection
memory list modules