(。◕‿‿◕。) Sylvain's blog
Frida === free win
Mar 31, 2020
Introduction
In this blog article I will present an overview of how to use frida, at least how I use it, through an app test I did recently. The app tested is a game: it implements some security, and I wanted to cheat on it (:
Installation of frida
If you have followed my setup of an android phone for pentesting, you only need to do a few things:
1. Download frida-server for your android version here, extract it, chmod +x it, and push it to your android device: adb push ${frida-server} /data/local/frida-server
2. Run adb root to get root access, then execute adb shell /data/local/frida-server. The prompt should hang, and it’s a good thing! Your device is ready.
3. Install frida for your OS, check how to, I am too lazy to explain it for every OS in existence, specially if you use some obscure shit like !
SSL bypass
Once you have everything setup up, and your device connected via USB, you can try running
frida-ps -U
You should see a list of the processes running on your phone; if not, start again from the installation step. Start the app you want to test, and look for it in the frida-ps output, using grep or something.
Once you have your process name, we can go to the cool stuff!
Set up a system-wide proxy on your android device routing your traffic to your local burp instance.
Start the app using
frida -U -f ${your_process} --no-pause --codeshare sowdust/universal-android-ssl-pinning-bypass-2
-U is to use the USB device.
-f is to spawn the process.
--no-pause is to start immediately after frida attaches.
--codeshare loads code from the frida community.
sowdust/universal-android-ssl-pinning-bypass-2 is the SSL bypasser, which works really well.
And voila your http traffic is routed through your burp!
Your first hook
Now it’s time to get real! Before doing this step, you should reverse engineer the APK a bit. You should identify some classes that seem interesting for your case. In my case requests were encrypted; I found the decrypting class by grepping the extracted APK for the API’s URL. The class is ‘io.dgames.oversea.security.DgamesCodecUtil’.
Now create a JS file. We will write some awful JS code, but who cares!
setTimeout(function () {
    Java.perform(function () {
        // Get a handle on the class inside the app's Java VM.
        var DgamesCodecUtil = Java.use("io.dgames.oversea.security.DgamesCodecUtil");
    });
}, 0);
This is the skeleton. Java.perform runs your callback inside the Java VM of the app, so anything in it can touch the app's classes. We are creating a variable (DgamesCodecUtil) which wraps the class io.dgames.oversea.security.DgamesCodecUtil and allows us to have a bit of fun!
setTimeout(function () {
    Java.perform(function () {
        var DgamesCodecUtil = Java.use("io.dgames.oversea.security.DgamesCodecUtil");
        // Replace the implementation of the encrypting function, picking
        // the overload that takes an int and a byte[] ('[B' is the JNI
        // signature of byte[]).
        DgamesCodecUtil.encryptByte.overload('int', '[B').implementation = function (a, b) {
            // I got a little fancy with colors in the output (:
            console.log("\x1b[32mSending => \x1b[0m", b);
            // Call the original function so the app keeps working.
            var tmp = this.encryptByte(a, b);
            console.log("\x1b[33mEncrypted => \x1b[0m", tmp);
            // Return the real result unchanged.
            return tmp;
        };
    });
}, 0);
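Logging the raw byte[] gives you a comma-separated list of signed Java bytes, which is painful to read when the plaintext is JSON. The script below is an added example, not the post's own script: it reuses the class and method names from the post (io.dgames.oversea.security.DgamesCodecUtil, encryptByte(int, byte[])) and assumes they still exist in the app, renders the plaintext as printable text, the ciphertext as hex, and prints the Java stack trace so you can see which part of the app built the request. The formatting helpers are plain JavaScript, so they also run outside frida (under Node) for checking; only the part guarded by typeof Java needs the app.

```javascript
// Added example (not the original post's script). Assumes the class and
// overload named in the post: io.dgames.oversea.security.DgamesCodecUtil
// and encryptByte(int, byte[]). Helpers below are plain JS; the hook at
// the bottom only runs inside the app, where frida's Java bridge exists.

// Frida hands a Java byte[] over as signed 8-bit values (-128..127);
// mask each one to 0..255 so it can be printed as a normal byte.
// A plain for loop is used so this also works on frida's array wrappers.
function toUnsigned(bytes) {
  var out = [];
  for (var i = 0; i < bytes.length; i++) {
    out.push(bytes[i] & 0xff);
  }
  return out;
}

function hexByte(b) {
  return ('0' + b.toString(16)).slice(-2);
}

// Hex dump of a byte array, e.g. [104, 105, -1] -> "6869ff".
function toHex(bytes) {
  return toUnsigned(bytes).map(hexByte).join('');
}

// Printable rendering: ASCII 0x20..0x7e as-is, anything else as \xNN,
// so a JSON body reads naturally while binary noise stays visible.
function toPrintable(bytes) {
  return toUnsigned(bytes)
    .map(function (b) {
      return (b >= 0x20 && b <= 0x7e) ? String.fromCharCode(b) : '\\x' + hexByte(b);
    })
    .join('');
}

// One log entry per call: the int argument, the plaintext and the ciphertext.
function describeCall(mode, plain, encrypted) {
  return 'encryptByte(mode=' + mode + ')' +
    '\n  plain  (' + plain.length + ' bytes): ' + toPrintable(plain) +
    '\n  cipher (' + encrypted.length + ' bytes): ' + toHex(encrypted);
}

// The actual hook. Same structure as the post's script, plus a stack trace
// (android.util.Log.getStackTraceString on a fresh java.lang.Exception is
// the usual frida idiom to find out who called the hooked method).
if (typeof Java !== 'undefined') {
  setTimeout(function () {
    Java.perform(function () {
      var DgamesCodecUtil = Java.use('io.dgames.oversea.security.DgamesCodecUtil');
      var Log = Java.use('android.util.Log');
      var Exception = Java.use('java.lang.Exception');

      DgamesCodecUtil.encryptByte.overload('int', '[B').implementation = function (a, b) {
        var out = this.encryptByte(a, b);        // run the real implementation
        console.log(describeCall(a, b, out));
        console.log(Log.getStackTraceString(Exception.$new()));
        return out;                               // hand back the unchanged result
      };
    });
  }, 0);
}
```

Load it exactly like the post's script (frida -U -f ${your_process} --no-pause -l ${your_js_file}); the stack trace is noisy but it is the quickest way to jump from "this blob got encrypted" to the class that assembled the request in the first place.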
Now run your process using:
frida -U -f ${your_process} --no-pause --codeshare sowdust/universal-android-ssl-pinning-bypass-2 -l ${your_js_file}
And now you have everything decrypted!