📲
Android Reversing with Frida for Examiners
Authors:M. WilliamsonC. Atha
  • Android Reversing for Examiners
  • Setting Up
    • Prerequisites
    • Our Target: Private Photo Vault
  • Lab
    • [1] Lab setup and initial app exploration
      • [1.1] Upload frida-server to the emulator or device and run using nohup
      • [1.2] Review files in the app data directory
    • [2] Perform static analysis to locate some functions of interest
    • [3] Deploy method hooks using frida REPL
    • [4a] Moar Static Analysis
    • [4b] Cast a wide net with DBI
    • [4c] PIN bruteforce
      • [4c.1] PIN bruteforce (in depth)
  • Bonus Labs
  • Ready for more?
  • Frida-tools Reference
    • Installation & Common Flags
    • frida
    • frida-ps
    • frida-trace
  • Other Processes Reference
    • Extracting an APK specimen from the device
    • Troubleshooting frida connectivity
  • What's Next
    • Recommended Toolkits and Scripts
    • Additional Resources / Questions
  • Contact Us
Powered by GitBook
On this page

Was this helpful?

  1. What's Next

Recommended Toolkits and Scripts

PreviousTroubleshooting frida connectivityNextAdditional Resources / Questions

Last updated 5 years ago

Was this helpful?

Raptor Scripts

The by 0xdea () are an excellent starting point for a base script. The 'trace' line of scripts provide prebuilt method hooking functions which greatly simplify the hooking process. There are both Android and iOS variants available. If you browse to the bottom of any of these scripts, you will see some commented out examples of how to use these scripts, included here for quick reference:

// usage examples
setTimeout(function() { // avoid java.lang.ClassNotFoundException

	Java.perform(function() {

		// trace("com.target.utils.CryptoUtils.decrypt");
		// trace("com.target.utils.CryptoUtils");
		// trace("CryptoUtils");
		// trace(/crypto/i);
		// trace("exports:*!open*");

	});   
}, 0);
// usage examples
setTimeout(function() { // avoid java.lang.ClassNotFoundException

	Java.perform(function() {

		// enumerate all classes
		/*
		var a = enumAllClasses();
		a.forEach(function(s) { 
			console.log(s); 
		});
		*/

		// find classes that match a pattern
		/*
		var a = findClasses(/password/i);
		a.forEach(function(s) { 
			console.log(s); 
		});
		*/

		// enumerate all methods in a class
		/*
		var a = enumMethods("com.target.app.PasswordManager")
		a.forEach(function(s) { 
			console.log(s); 
		});
		*/

	});
}, 0);
// usage examples
if (ObjC.available) {

	// trace("-[CredManager setPassword:]");
	// trace("*[CredManager *]");
	// trace("*[* *Password:*]");
	// trace("exports:libSystem.B.dylib!CCCrypt");
	// trace("exports:libSystem.B.dylib!open");
	// trace("exports:*!open*");
	
} else {
 	send("error: Objective-C Runtime is not available!");
}
// usage examples
if (ObjC.available) {

	// enumerate all classes
	/*
	var a = enumAllClasses();
	a.forEach(function(s) { 
		console.log(s); 
	});
	*/

	// find classes that match a pattern
	/*
	var a = findClasses(/password/i);
	a.forEach(function(s) { 
		console.log(s); 
	});
	*/

	// enumerate all methods in a class
	/*
	var a = enumMethods("PasswordManager")
	a.forEach(function(s) { 
		console.log(s); 
	});
	*/

	// enumerate all methods
	/*
	var d = enumAllMethods();
	for (k in d) {
		console.log(k);
		d[k].forEach(function(s) {
			console.log("\t" + s);
		});
	}
	*/

	// find methods that match a pattern
	/*
	var d = findMethods(/password/i);
	for (k in d) {
		console.log(k);
		d[k].forEach(function(s) {
			console.log("\t" + s);
		});
	}
	*/

} else {
 	send("error: Objective-C Runtime is not available!");
}

frida-awesome

Once one of these scripts is , you can access thetrace methods directly from the REPL. Alternatively, you may add them directly to the raptor script. Remember, making changes to a script while it is loaded will cause Frida to reload that script.

Another great resource for scripts is "", a repo maintained by at NowSecure containing a large number of links that include: talks, papers, videos, blog posts,

frida-awesome
David Weinstein
Raptor scripts
Marco Ivaldi
loaded into a REPL session