Hacking With Frida — FridaLab #1

I’m sure most people that are interested in hacking, pentesting and bug bounties have heard or used Frida. Most of this series of posts won’t cover anything special but I thought I’d explain how I’ve learned the basics of Frida and the great project I’ve learned with.

Disclaimer: I have only played with Frida for 2 days so I am by no means an expert so there is a high chance that what I say may be incorrect. I am always happy to change things based on new evidence so let me know if I say anything that is incorrect, against best practice or can be done in a better way and I will change my write-up.

FirdaLab running in Android-x86 Emulator

Getting the code from the APK

The download link for the FridaLab can be found here: http://rossmarks.uk/blog/fridalab/

This bit is really going over the basics but I’ll explain the process of getting the source code from the APK. For this process I used MobSF for this but you can quite as easily use apktool or any other method.

Java.chooseMobSF upload/home screen

Once the apk is uploaded to MobSF it will offer the option to view the Java code within the MobSF app. From there it’s possible to see which classes, methods and variables are in the code so we can see what we need to do.

Files found in the app

Setting up Frida

There are plenty of tutorials of getting setup with Frida so I will just link some of those here:

Challenge 01

As seen in the screenshot above, it’s probably worth looking at the files which contain “rossmarks” as he was the author of the application. We can guess that the “MainActivity” and “challenge_01” files are a good place to start looking at the code.

uk.rossmarks.frchallenge_01.java

As seen by the FridaLab app running in the emulator, the first challenge is to change the “chall01” variable to 1. So firstly, let’s set up a JavaScript file template to work with — it can be found on GitHub here.

From there all that’s needed is that we grab the Android package name (uk.rossmarks.fridalab) and append the class-name that we want to hook and load — challenge_01 in this case.

There are two ways of doing this, the first is using Java.use and the second is Java.choose. Java.use will assign the class to a variable which can be initialised and methods be called from it. Java.choose is similar but it will search the memory for any loaded instances in the memory and hook into them and if not then it will create a new instance. For the sake of this challenge we only need to use Java.use as the application will call the method.

Once we’ve loaded the class, all we need to do is set the class-property to 1 to complete the challenge.

This can be done, as seen on line 10 of the screenshot below, by changing the property through the previously created variable:

var challenge_01 = Java.use(“uk.rossmarks.fridalab.challenge_01”);
challenge_01.chall01.value = 1;
Challenge01 Solution

To test the script, the easiest way is to run Frida with the following command-line: frida -U -f uk.rossmarks.fridalab -l ./Challenge01.js — no-pause

Challenge01 Completed
Challenge01 Completed — In App

Conclusion

Challenge 01 was pretty simple but it was a good start! I will write up the rest of the challenges within the next few days. I have learned tons from playing with Frida and I will be using it regularly within my day job as well as within my bug bounties.

Let me know what you think! :)