0xdea / frida-scripts Goto Github PK

View Code? Open in Web Editor NEW

1.2K 41.0 216.0 37 KB

A collection of my Frida.re instrumentation scripts to facilitate reverse engineering of mobile apps.

Home Page: https://www.frida.re

License: MIT License

JavaScript 100.00%

frida reverse-engineering mobile ios android

frida-scripts's Introduction

frida-scripts

"Just because you're paranoid doesn't mean they aren't after you."

-- Joseph Heller, Catch-22

A collection of my Frida.re instrumentation scripts to facilitate reverse engineering of mobile apps.

Blog post:
https://web.archive.org/web/20200623001844/https://techblog.mediaservice.net/2017/09/tracing-arbitrary-methods-and-function-calls-on-android-and-ios/

For a well-maintained project that includes some of my Frida scripts, refer to:
https://github.com/federicodotta/Brida

iOS

raptor_frida_ios_trace.js. Full-featured ObjC and Module tracer for iOS.
raptor_frida_ios_enum.js. Collection of functions to enumerate ObjC classes and methods.
ios-snippets/raptor_frida_ios_*.js. Miscellaneous script snippets for iOS.

Android

raptor_frida_android_trace.js. Full-featured Java and Module tracer for Android.
raptor_frida_android_enum.js. Collection of functions to enumerate Java classes and methods.
android-snippets/raptor_frida_android_*.js. Miscellaneous script snippets for Android.

frida-scripts's People

Contributors

Stargazers

Watchers

Forkers

drk1wi filipesam ksmaheshkumar uvbs crackercat studiogangster tardummy01 methos2016 cankuxiaomu xuanze123qaz heartbee sireof shuixi2013 parker1014 siowcy warlock0007 bjzz abhi-r3v0 opt9 mikalv yawsuu pharazone sakuraroots huliang2016 bestnathan trietptm-on-coding-algorithms mickeystone letsunlockiphone go3rri goodwin techlord-rce yuknight mirfansulaiman 26597925 tocheskey secice dr0pd34d dcmjid davidlindner modulexcite machiry eagle518 xversusx widy28 johndoex1 primekun bigfacecat2017 f-barth zxhubo cashtony linsion david3107 haidragon fengjixuchui wuyufeng0051 guoqiang1993 luoyanbei kexuebiao st-rnd jiaodalpp breathleas musktime sshyran ldbfpiaoran w0lfier xwangkai kongxu633 keyman9848 svengong szllzs zengkefu aetkrad icew4y colincowie huaerxiela sanchahua ichux zhenshub ameg-yag csyjyy librazhu rockzeng lgq2015 soone 1sland99 kingking888 frank13810055034 m-i-r-a-c-l-e radcet halilari jooneyp ababook hanbinglengyue ravillarreal hohjgdhsj ootorichan q1f3 imatary 5l1v3r1 stantoxt

frida-scripts's Issues

Several Connection Support

Hi,

Sometimes there is a need to instrument 2 device at the same time. As far as I know , there is no option to choose which device is instrumented. So, it goes random and indtruments one of them only. Could you add support for more device ?

how to use frida to reflect a method

For example, a java function

public byte[] aesEncrypt(String plaintext)

I want to reflect this method,

 var class_name1 = "com.example.cryptutils.util.CryptoUtils";
  var Platform1  = Java.use(class_name1);
var method = Platform1.getDeclaredMethod("aesEncrypt",XXXXX);

how to input the XXXX ?

Lots of undefined printed out in enum

I think that catch needs a return; statement. When I try to enumerate all classes , it prints lots of undefined because you push null values to the allclasses eventhough it catches an error

classes.forEach(function(aClass) {
	try {
		var className = aClass.match(/[L](.*);/)[1].replace(/\//g, ".");
	}
	catch(err) {} // avoid TypeError: cannot read property 1 of null
	allClasses.push(className);
});

I think needs to be

classes.forEach(function(aClass) {
	try {
		var className = aClass.match(/[L](.*);/)[1].replace(/\//g, ".");
	}
	catch(err) {return;} // avoid TypeError: cannot read property 1 of null
	allClasses.push(className);
});

TypeError: cannot read property 1 of null

Title says it all.

$ frida -U -f com.target.app -l frida-scripts/raptor_frida_android_trace.js --no-pause
     ____
    / _  |   Frida 12.6.10 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/
Spawned `com.target.app`. Resuming main thread!                
[OnePlus ONEPLUS A3003::com.target.app]-> TypeError: cannot read property 1 of null
    at [anon] (../../../frida-gum/bindings/gumjs/duktape.c:56648)
    at /repl1.js:46
    at frida/node_modules/frida-java/index.js:182
    at forEach (native)
    at /_java.js:2682
    at frida/node_modules/frida-java/index.js:110
    at trace (/repl1.js:51)                                                                                                                                                          
    at /repl1.js:175
    at frida/node_modules/frida-java/lib/vm.js:42
    at E (frida/node_modules/frida-java/index.js:348)
    at frida/node_modules/frida-java/index.js:300
    [...]

System info:

$ ./adb shell
OnePlus3:/ $ su
OnePlus3:/ # uname -a
Linux localhost 3.18.66-perf+ #1 SMP PREEMPT Thu Dec 6 00:54:59 CST 2018 aarch64
OnePlus3:/ # exit
OnePlus3:/ $ exit
$ uname -a
Linux FJIEW 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64 GNU/Linux

Cannot trace any function - java.lang.ClassNotFoundException

I'm trying to trace functions of a specific class of an old old game with broken in-apps.

Having decompiled the game through apktool, I found a class I'm interested.
But no matter how I run the trace function, the game launches, then frida throws an error: Error: java.lang.ClassNotFoundException: Didn't find class "com.game.tka" on path: DexPathList[[zip file "/data/app/~~tnL0853xrVQX1h4toIMrDA==/com.game.tka-aq3_iPPP9AhvI_iyOxSG6g==/base.apk"],nativeLibraryDirectories=[/data/app/~~tnL0853xrVQX1h4toIMrDA==/com.game.tka-aq3_iPPP9AhvI_iyOxSG6g==/lib/arm64, /system/lib64, /system_ext/lib64]]
The main app class is com.game.tka, and I'd like to trace methods of com.game.tka.Dungeons, trace("com.game.tka.Dungeons") doesn't work however.

Am I doing something wrong, or is this script no longer maintained and possibly broken?

How to create a Integer.TYPE(int.class) array?

https://github.com/frida/frida-java/issues/78，this issue,do you know how to got it ?

Potential bug in frida-scripts

See this issue in Frida:
frida/frida#1399

ReferenceError: identifier 'i' undefined

error:

code at /raptor_frida_ios_autoIntercept.js:66

your code:

				// print args
				for (i = 0; i < argCount; i++) {
					printType("\narg " + (i + 1) + " type:\t", args[i + 2]);
					printValue("arg " + (i + 1) + " value:\t", args[i + 2]);
				}

changed code:

				// print args
				for (var i = 0; i < argCount; i++) {
					printType("\narg " + (i + 1) + " type:\t", args[i + 2]);
					printValue("arg " + (i + 1) + " value:\t", args[i + 2]);
				}

frida version:
12.7.5

iOS version:
11.1

end:
Sorry, my English is not very good, hope you can understand this issue, welcome to email me: [email protected]
Look forward to hearing from you~

Android Trace Issue

Hello, I am using raptor_frida_android_trace.js and I am getting an error upon the app being spawned.

Spawned APP. Resuming main thread! [DEVICE::APP]-> TypeError: cannot read property 1 of null at [anon] (duk_hobject_props.c:2385) at [anon] (repl1.js:46) at frida/node_modules/frida-java/index.js:190 at forEach (native) at d (java.js:2216) at frida/node_modules/frida-java/index.js:120 at trace (repl1.js:51) at [anon] (repl1.js:174) at frida/node_modules/frida-java/lib/vm.js:39 at v (frida/node_modules/frida-java/index.js:338) at frida/node_modules/frida-java/index.js:309 [...]

It looks like the issue is on line 46:
var className = aClass.match(/[L](.*);/)[1].replace(/\//g, ".");

Is there an easy fix like a null check? Could this issue be caused by obfuscation?