Introduction To Frida. Frida Is A Dynamic Instrumentation - by Mr. Robot - InfoSec Adventures - Medium
https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1
11/26/22, 8:17 AM Introduction to Frida. Frida is a dynamic instrumentation… | by Mr. Robot | InfoSec Adventures | Medium
Introduction to Frida
Project requirements
Required tools to follow along:
Python-frida
Python-frida-tools
Frida-server-android
Depending on your distribution, you can easily install the first two and their
dependencies. As for the frida-server-android, I’m going to walk you through the
installation and emulator setup.
t0thkr1s/frida (github.com)
This repository contains various Frida scripts and an intentionally vulnerable Android application. I created this…
t0thkr1s@btksoftware:/opt/genymobile/genymotion/tools$ ls
aapt adb glewinfo lib64
Reverse engineering
In order to understand the inner workings of an application, we need to reverse engineer it. Fortunately, we can recover the Java source files easily.
I’m not going to write about reverse engineering Android apps here, because I already
did it in my previous post. Check it out!
I have to admit that the reverse engineering of the demo application reveals all the
secrets hidden in it. So, in order to make it more realistic let’s suppose the encryption
key is generated from the user-provided PIN code which is used to encrypt private data
in the app.
In this case, brute-forcing the PIN code might be a good solution for compromising the security of the whole app. That’s why you need to choose long and strong PINs.
PIN Bypass
Okay, you looked through the reversed source code and you found a method which checks if the provided PIN is correct or not.
Most of the time, it’s not that easy… Let’s suppose we don’t know the PIN. You found the PinUtil class and its boolean checkPin(String pin) method. This checks the PIN and returns true if the PIN is correct, otherwise it returns false.
The idea here is that we don’t need to know the PIN at all: if checkPin() always returns true, we’re in. The following Python script does just that. I wrote a little JavaScript snippet using Frida’s JavaScript API and hardcoded it in the Python script. It hooks PinUtil’s checkPin() method and overrides its return value. It’s that easy. Next, you need to specify the package name of the application for Frida to attach to, then load the script and wait for the log messages.
import sys
import frida

jscode = """
Java.perform(function() {
    console.log("[ * ] Starting implementation override...");
    // Wrap the class that holds the PIN check...
    var PinUtil = Java.use("infosecadventures.fridademo.utils.PinUtil");
    // ...and replace checkPin's implementation so that it always succeeds.
    PinUtil.checkPin.implementation = function(pin) {
        console.log("[ + ] PIN check successfully bypassed!");
        return true;
    };
});
"""

# Attach to the running app over USB, inject the agent and keep the session alive.
process = frida.get_usb_device().attach('infosecadventures.fridademo')
script = process.create_script(jscode)
print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()
PIN Brute-force
Previously, I mentioned that knowing the PIN could be really beneficial. In this example, I’m going to show you how to brute-force it with Frida.
First, let’s suppose that the PinUtil’s checkPin(String pin) method is not static. Using Java.choose, we can search the heap for a PinUtil instance; the onMatch callback is called when an instance is found. Then, we can call that instance’s method in a loop to test all numbers with a length of 4. This is actually not a time-consuming process. You can even try brute-forcing numbers with a length of 5 and finish in a day, depending on the number.
In the demo app, however, PinUtil’s checkPin(String pin) method is static. This means that we don’t need to search for a PinUtil object in memory; we can just call the method using the class name. Nevertheless, I implemented both (the static and the non-static solution) in the script below. I hope it’s not confusing. The jscode variable is overridden by the second assignment, so that is the one that gets used.
    }
});
"""

process = frida.get_usb_device().attach('infosecadventures.fridademo')
script = process.create_script(jscode)
print('[ * ] Running Frida Demo application')
script.load()
sys.stdin.read()
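A complete version of the brute-force script described above, added here as an example (it is not the article’s or the t0thkr1s/frida repository’s own code). The package and PinUtil class names come from the article; the helper names, the send() message shape and the zero-padding of candidates are assumptions. The agent loops inside the app process, so the only host round trip is the final result, and the static flag switches between calling checkPin on the class wrapper and locating an instance with Java.choose:

```python
import sys
import threading

PACKAGE = "infosecadventures.fridademo"                 # package name from the article
PIN_UTIL = "infosecadventures.fridademo.utils.PinUtil"  # class name from the article

def build_agent(length, static=True):
    """Return the Frida JS agent source. The loop runs inside the app process, so
    there is no host round trip per candidate. static=True calls checkPin on the
    class wrapper; static=False first locates a live PinUtil via Java.choose."""
    try_all = """
  function tryAll(target) {
    for (var i = 0; i < %d; i++) {
      var pin = ('%s' + i).slice(-%d);   // zero-pad so '0042' is tried as well
      if (target.checkPin(pin)) { return pin; }
    }
    return null;
  }""" % (10 ** length, "0" * length, length)
    if static:
        body = "send({pin: tryAll(Java.use('%s'))});" % PIN_UTIL
    else:
        body = """Java.choose('%s', {
    onMatch: function(inst) { send({pin: tryAll(inst)}); return 'stop'; },
    onComplete: function() {}
  });""" % PIN_UTIL
    return "Java.perform(function() {%s\n  %s\n});" % (try_all, body)

def parse_result(message, data=None):
    """Handler logic for script.on('message'): Frida wraps send() payloads as
    {'type': 'send', 'payload': ...}; anything else (e.g. type 'error') is a miss."""
    if message.get("type") != "send":
        return None
    return message["payload"].get("pin")

def main(length=4, static=True):
    import frida  # imported here so build_agent/parse_result work without a device
    done, result = threading.Event(), {}
    def on_message(message, data):
        result["pin"] = parse_result(message, data)
        done.set()
    session = frida.get_usb_device().attach(PACKAGE)
    script = session.create_script(build_agent(length, static))
    script.on("message", on_message)
    script.load()
    done.wait()  # the agent send()s exactly once, hit or miss
    print("[ + ] PIN found: %s" % result["pin"] if result["pin"] else "[ - ] no PIN matched")

if __name__ == "__main__":
    main(int(sys.argv[1]) if len(sys.argv) > 1 else 4)
```

Run it as `python3 bruteforce.py 4` with frida-server running on the device and the demo app in the foreground; pass `static=False` to main() to exercise the Java.choose path.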
I encourage you to write the script yourself and check back when you’ve finished!
Before you go
Thank you for taking the time to read my walkthrough. If you found it helpful, please
hit the 👏 button 👏 (up to 50x) and share it to help others with similar interests find it!
+ Feedback is always welcome! 🙏