Frida Hooking Journey Part 1

Ashlyn L
Published in Numen Cyber Labs
3 min read · Apr 4, 2022

“If I have seen further, it is by standing on the shoulders of giants.”
- Sir Isaac Newton

When my former leader inspired me with these words of wisdom, I had little understanding of their full meaning. After 2 years in the cybersecurity field, I truly appreciate the importance of learning from the giants and also working hard to be a giant for somebody else.

In this column, I am going to share a simple authentication bypass using 2 methods. Instead of building a new apk, I have decided to use the MSTG Hacking Playground, which already meets the current objective.

What you need:

1. Rooted Device

1.1 Download the frida-server-15.1.17-android-arm64.xz (https://github.com/frida/frida/releases)

1.2 Start the frida-server using the following command:

2. Linux VM (or any OS of your choice)

2.1 Objection 1.11.0

2.2 Frida 15.1.17

3. MSTG Hacking Playground

3.1 Download app-arm-debug.apk (https://github.com/OWASP/MSTG-Hacking-Playground/tree/master/Android/MSTG-Android-Java-App/app)

Before beginning, decompile the apk using a Java decompiler. Alternatively, you can refer to the source code that is already provided on GitHub. That said, learning to decompile is also part of the learning process, and I will share more about decompiling, modifying and recompiling Smali code in a future column.

Method 1: Using JS / JD-Gui

1. Inspect the code and note that verify is a method call returning a boolean.

2. Create the hooking script as follows:

console.log("Script loaded successfully");
Java.perform(function () {
    var Auth_hook = Java.use("sg.vp.owasp_mobile.OMTG_Android.OMTG_DATAST_001_BadEncryption");
    // Replace verify() so that it always reports success, whatever the input
    Auth_hook.verify.implementation = function () { console.log("Password Verify Hooked!"); return true; };
});

3. Run the following command to inject the script and bypass the authentication check.
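As an added example that is not part of the original post, here is a more robust version of the Method 1 script for the MSTG playground: it hooks every overload of verify, logs the arguments and the genuine result before forcing true, and takes the Java API as a parameter so the hook logic can be exercised outside Frida. The class and method names are the ones from the post; installReturnTrueHook and the typeof Java guard are my own additions.

```javascript
// Added example (not from the original post). installReturnTrueHook is a
// hypothetical helper; the class/method names are those used in the post.
const TARGET_CLASS = "sg.vp.owasp_mobile.OMTG_Android.OMTG_DATAST_001_BadEncryption";
const TARGET_METHOD = "verify";

// javaApi is Frida's global `Java` object, passed in explicitly so that the
// same logic can be driven by a stand-in object when not running under Frida.
function installReturnTrueHook(javaApi, className, methodName, log) {
  log = log || console.log;
  const cls = javaApi.use(className);
  const method = cls[methodName];
  if (!method) throw new Error(className + "." + methodName + " not found");
  const overloads = method.overloads;           // one entry per Java overload
  overloads.forEach(function (ov) {
    const sig = (ov.argumentTypes || []).map(function (t) { return t.className; }).join(", ");
    ov.implementation = function () {
      const args = Array.prototype.slice.call(arguments);
      // Call the original first so the log shows what the app would really have decided.
      const real = ov.apply(this, args);
      log("[hook] " + methodName + "(" + sig + ") args=" + args.map(String).join(", ") +
          " real=" + real + " forced=true");
      return true;
    };
    log("[hook] installed on " + className + "." + methodName + "(" + sig + ")");
  });
  return overloads.length;                       // number of overloads hooked
}

// Under Frida the global `Java` exists; elsewhere (e.g. node) this part is a no-op.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    installReturnTrueHook(Java, TARGET_CLASS, TARGET_METHOD);
  });
}
```

Comparing the "real=" value with the forced one in the log makes it obvious which inputs the app itself would have rejected.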

Method 2: Built-in Commands via Objection

1. Open the app and start the Objection session:

$ objection -g sg.vp.owasp_mobile.omtg_android explore

2. List the methods of the target class:

$ android hooking list class_methods sg.vp.owasp_mobile.OMTG_Android.OMTG_DATAST_001_BadEncryption

3. Force the boolean return value of the hooked method:

$ android hooking set return_value sg.vp.owasp_mobile.OMTG_Android.OMTG_DATAST_001_BadEncryption.verify true

Conclusion:

Stay tuned for more advanced hooking techniques in the next column, e.g. method overriding and more. :)


Penetration Tester | Security Consultant | Wine Lover