I'm completely beginner to frida.
I've this final method which belongs to class say X.
I want to extract the value of token variable -> result.getToken() when i hook frida to the android app which contains that class at runtime.
can anyone complete this code with javascript API of frida to get the value of token variable ?
Java.perform(function () {
Java.choose("com.xx.xx", {
onMatch: function (inst) {
//.................................
}
});
console.log("Done");
});
then i'll use --> frida -U -f "xxx.apk" -l test.js
thank you so much for help !!
Java.choose is in most cases the wrong approach because that only lists the existing instances of a class, so you can only hook a method if there is already an instance loaded into memory.
The common way is to hook the method itself so that all existing and newly created instances use your hook.
var classInstanceIdResult = Java.use('com.google.firebase.iid.InstanceIdResult');
var getTokenMethod = classInstanceIdResult.getToken.overload();
// replace the getToken() method with out own implementation
getTokenMethod.implementation = function () {
// call the orignal method
var ret = getTokenMethod.call(this);
// do something with ret
console.log("Token: " + ret);
return ret;
}
BTW: The code for hooking a Java method can simply be generated by using Jadx-Gui. Just decompile the APK, select the method and let Jadx generate the Frida code snipped necessary to hook the method (see context menu of the method).
Related
I have been trying to print out the contents of a list when hooking an android app with Frida but am not having any luck.
The object I want to hook in Java looks like this
import com.fasterxml.jackson.annotation.JsonIgnore;
import java.util.List;
public final class Hello extends HelloParent{
#JsonIgnore
public final List sampleList;
}
There aren't any getters for this public object so I have to resort to using another object (Let's call the object "Bye")'s method (byeMethodB) to monitor this value.
This is what my frida-script looks like:
setTimeout(function() {
Java.perform(function(){
Java.use("Bye").byeMethodA.implementation = function(){
try{
//Returns a Hello object
var helloObject = Java.cast(this.byeMethodB(),Java.use("Hello"))
printListContent(Java.cast(helloObject.sampleList,Java.use("java.util.List"))))
}catch(err){
console.log(err)
}
}
})
},1000)
function printListContent(list){
var listIter = list.iterator()
while(listIter.hasNext()){
console.log(listIter.next())
}
}
Without casting the "helloObject.sampleList" object to a list, the output looks like this:
[object Object]
So I am sure it is not null
If I cast using Java.cast(helloObject.sampleList,Java.use("java.util.List")),
I get the following error:
I have also tried:
Java.cast(helloObject.sampleList,Java.use("java.util.List<>"))
(I am pretty sure its a String)
Java.cast(helloObject.sampleList,Java.use("java.util.List<String>"))
Java.cast(helloObject.sampleList,Java.use("java.util.List<java.lang.String>"))
Java.cast(helloObject.sampleList,Java.use("[String"))
Java.cast(helloObject.sampleList,Java.use("[Ljava.lang.String"))
It is not going well at all. Would appreciate some help
In Frida accessing fields is not identical as in Java. If you execute helloObject.sampleList in Frida you are getting the JavaScript object that describes the field, not the field value itself.
If you want the field value you have to execute helloObject.sampleList.value.
Therefore the following code should work:
Java.cast(helloObject.sampleList.value, Java.use("java.util.List"));
Generics only exists at compile time but frida is working at run-time. Therefore java.util.List<> and the other class names with angle bracket will never work.
I am trying to verify that an object passed to a node addon is of the correct type before I unwrap it and start to use it. Here's the solution that I've cobbled together from looking at various sources on the web.
Persistent data:
Nan::Persistent<v8::Function> Event::constructor;
Nan::Persistent<v8::FunctionTemplate> Event::tpl;
The Init function:
void Event::Init(v8::Local<v8::Object> exports) {
Nan::HandleScope scope;
// Prepare constructor template
v8::Local<v8::FunctionTemplate> ctor = Nan::New<v8::FunctionTemplate>(Event::New);
ctor->InstanceTemplate()->SetInternalFieldCount(1);
ctor->SetClassName(Nan::New("Event").ToLocalChecked());
// create a template for checking instances
Local<FunctionTemplate> localTemplate = Nan::New<FunctionTemplate>(Event::New);
localTemplate->SetClassName(Nan::New("Event").ToLocalChecked());
tpl.Reset(localTemplate);
// Statics
Nan::SetMethod(ctor, "x", Event::X);
// Prototype
Nan::SetPrototypeMethod(ctor, "addInfo", Event::addInfo);
Nan::SetPrototypeMethod(ctor, "toString", Event::toString);
constructor.Reset(ctor->GetFunction());
Nan::Set(exports, Nan::New("Event").ToLocalChecked(), ctor->GetFunction());
}
And where I attempt to use it:
if (Nan::New(tpl)->HasInstance(info[0])) {
message = "it is an Event instance";
}
The problem is that the HasInstance() never returns true.
The JavaScript code is basically
let e = new Event()
fn(e) // where fn performs the HasInstance() test.
There is no need to make a second FunctionTemplate. The one you've set on the exports (ctor) is the one that gets used when you call new Event() in JS, while the second one (localTemplate) gets saved to Event::tpl and is the one from which the HasInstance() call gets made. They're different FunctionTemplates, so the HasInstance() call returns false.
Instead of this:
...
Local<FunctionTemplate> localTemplate = Nan::New<FunctionTemplate>(Event::New);
localTemplate->SetClassName(Nan::New("Event").ToLocalChecked());
tpl.Reset(localTemplate);
...
just try this:
...
tpl.Reset(ctor);
...
I need to include JavaScript code in Swift code to be able to call a signalR chat, is that possible? If not, can I convert it?
sendmessage is a button.
$(function () {
// Declare a proxy to reference the hub.
var chat = $.connection.chatHub;
// Create a function that the hub can call to broadcast messages.
chat.client.broadcastMessage = function (name, message) {
// some code
};
// Start the connection.
$.connection.hub.start().done(function () {
$('#sendmessage').click(function () {
// Call the Send method on the hub.
chat.server.send('name', 'message');
});
});
});
and the signalr code is:
public void Send(string name, string message)
{
// Call the broadcastMessage method to update clients.
Clients.All.broadcastMessage(name, message);
}
Update #1:
changed question a little bit so it is not confusing per #MartinR
Last tested with Swift 5.1
Here is an example you can run in Playground to get you started:
import JavaScriptCore
let jsSource = "var testFunct = function(message) { return \"Test Message: \" + message;}"
var context = JSContext()
context?.evaluateScript(jsSource)
let testFunction = context?.objectForKeyedSubscript("testFunct")
let result = testFunction?.call(withArguments: ["the message"])
result would be Test Message: the message.
You also can run JavaScript code within a WKWebView calling evaluateJavaScript(_:completionHandler:).
You can also run JavaScript within a UIWebView by calling stringByEvaluatingJavaScript(from:), but note that that method has been deprecated and is marked as iOS 2.0–12.0.
Using JavaScriptCore framework include JavaScript code in Swift code.
The class that you’ll be dealing the most with, is JSContext. This class is the actual environment (context) that executes your JavaScript code.
All values in JSContext, are JSValue objects, as the JSValue class represents the datatype of any JavaScript value. That means that if you access a JavaScript variable and a JavaScript function from Swift, both are considered to be JSValue objects.
I strongly advise you to read the official documentation regarding the JavaScriptCore framework.
import JavaScriptCore
var jsContext = JSContext()
// Specify the path to the jssource.js file.
if let jsSourcePath = Bundle.main.path(forResource: "jssource", ofType: "js") {
do {
// Load its contents to a String variable.
let jsSourceContents = try String(contentsOfFile: jsSourcePath)
// Add the Javascript code that currently exists in the jsSourceContents to the Javascript Runtime through the jsContext object.
self.jsContext.evaluateScript(jsSourceContents)
}
catch {
print(error.localizedDescription)
}
}
more details refer this tutorial
I am running Node.JS Sandbox module to create a Child Process and I need to be able to have my String Based Javascript access certain functions and Modules of Node. Right now, the Sandbox module is blocking all access to Node API's and functions outside of the Sandbox.
Example
function GetAccessTo() {
return "I want to call this function"
}
var str = "GetAccessTo();"
var s = new Sandbox();
s.run(str, function (output) {
output.result;
});
To add methods to the context , go to Shovel.js and add methods to var contextand you will be able to call from your Javascript String
Like this:
s.run("hi('something',function(result){return result})", function (output) {
logic = output.result;
});
var context = Script.createContext();
context.hi = function(a,b) {
c="hi"
return b(c)};
I'm having a problem with the following Javascript code (Phonegap in Eclipse):
function FileStore(onsuccess, onfail){
//chain of Phonegap File API handlers to get certain directories
function onGetSupportDirectorySuccess(dir){
//stuff
onsuccess();
}
function getDirectory(dir){
return "something" + dir;
}
}
var onFileStoreOpened = function(){
if (window.file_store instanceof FileStore){
console.log('window.file_store is a FileStore');
console.log(window.file_store.getDirectory('something'));
}
}
var onDeviceReady = function(){
window.file_store = new FileStore(onFileStoreOpened, onFileStoreFailure);
}
Here, I want to do some things to initialize file services for the app, and then use them in my initialization from the callback. I get the following error messages in LogCat:
07-03 06:26:54.942: D/CordovaLog(223): file:///android_asset/www/index.html: Line 40 : window.file_store is a FileStore
07-03 06:26:55.053: D/CordovaLog(223): file:///android_asset/www/cordova-1.8.1.js: Line 254 : Error in success callback: File7 = TypeError: Result of expression 'window.file_store.getDirectory' [undefined] is not a function.
After moving the code around and stripping out everything in getDirectory() to make sure it was valid, I'm not even sure I understand the error message, which suggested to me that getDirectory() is not seen as a member function of window.file_store, even though window.file_store is recognized as a FileStore object. That makes no sense to me, so I guess that interpretation is incorrect. Any enlightenment will be greatly appreciated.
I've since tried the following:
window.file_store = {
app_data_dir : null,
Init: function(onsuccess, onfail){
//chain of Phonegap File API handlers to get directories
function onGetSupportDirectorySuccess(dir){
window.file_store.app_data_dir = dir;
console.log("opened dir " + dir.name);
onsuccess();
}
},
GetDirectory : function(){
return window.file_store.app_data_dir; //simplified
}
}
var onFileStoreOpened = function(){
var docs = window.file_store.getDirectory();
console.log('APPDATA: ' + docs.fullPath);
}
var onDeviceReady = function() {
window.file_store.Init(onFileStoreOpened, onFileStoreFailure);
}
and I get
D/CordovaLog(224): file:///android_asset/www/base/device.js: Line 81 : opened dir AppData
D/CordovaLog(224): file:///android_asset/www/cordova-1.8.1.js: Line 254 : Error in success callback: File7 = TypeError: Result of expression 'docs' [null] is not an object.
All I want to do here is make sure certain directories exist (I've removed all but one) when I start, save the directory object for future use, and then retrieve and use it after all initialization is done, and I don't want everything in the global namespace. Of course I would like to be able to use specific instances when necessary, and I'm disturbed that I can't make it work that way since it demonstrates there is a problem with my understanding, but I can't even get this to work with a single, global one. Is this a Javascript problem or a Phonegap problem?
As it stands, your getDirectory function is a private function within FileStore. If you wanted to make it a 'member' or 'property' of FileStore, you would need to alter it a little within FileStore to make it like this:
this.getDirectory = function(dir){ };
or leave it how it is and then set a property....
this.getDirectory = getDirectory();
this way when new FileStore is called it will have getDirectory as a property because the 'this' keyword is always returned when calling a function with 'new'
Hope this quick answer helps. There's lots of stuff on the goog about constructor functions.
You understand it correctly. The getDirectory as it stands is a private function and cannot be called using the file_store instance.
Try this in the browser.
function FileStore(onsuccess, onfail){
function onGetSupportDirectorySuccess(dir){
//stuff
onsuccess();
}
this.getDirectory = function (dir){
return "something" + dir;
}
}
window.file_store = new FileStore('', ''); //the empty strings are just placeholders.
if (window.file_store instanceof FileStore){
console.log('window.file_store is a FileStore');
console.log(window.file_store.getDirectory('something'));
}
This will prove that the basic js code is working fine. If there still is a problem while using it in PhoneGap, comment.