Frida on non-rooted device

1. jdwp-lib-injector (Recommended)

Tool: Github

Find the CPU arch of your Android device

$ adb shell getprop ro.product.cpu.abi
arm64-v8a

Download jdwp-lib-injector

$ git clone https://github.com/ikoz/jdwp-lib-injector.git

Note: the frida-gadget .so must be placed in the same directory as jdwp-lib-injector.

Download Gadget

Download the frida-gadget build matching your arch (arm/arm64/x86/x86_64).

$ unxz *.xz

Inject Frida

  1. Go to developer options, “Select debug app” and select the debuggable application you want to inject the library into.
  2. In the same screen, enable the “Wait for debugger” option
  3. Start the application you want to inject the library into.
  4. On your shell, run ./jdwp-lib-injector.sh frida-gadget-10.1.5-android-arm64.so or similar.
➜  jdwp-lib-injector git:(master) ./jdwp-lib-injector.sh frida-gadget-10.6.52-android-arm64.so
[**] Android JDWP library injector by @ikoz
[**] Pushing frida-gadget-10.6.52-android-arm64.so to /data/local/tmp/
frida-gadget-10.6.52-android-arm64.so:.... 68.8 MB/s (15824408 bytes in 0.219s)
[**] Retrieving pid of running JDWP-enabled app
./jdwp-lib-injector.sh: line 16:   964 Killed: 9               adb jdwp > "$F"
[**] JDWP pid is /var/tmp/jdwpPidFile-1518231986. Will forward tcp:8700 to jdwp:12830
[**] Starting jdwp-shellifier.py to load library
[+] Targeting '127.0.0.1:8700'
[+] Reading settings for 'Dalvik - 1.6.0'
[+] Found Runtime class: id=c85
[+] Found Runtime.getRuntime(): id=712d7d30
[+] Created break event id=20000000
[+] Waiting for an event on 'android.app.Activity.onCreate'
[+] Received matching event from thread 0x110c
[+] getPackageMethod(): 'com.my.app'
[*] Copying library from /data/local/tmp/frida-gadget-10.6.52-android-arm64.so to /data/data/com.my.app/frida-gadget-10.6.52-android-arm64.so
[+] Selected payload 'cp /data/local/tmp/frida-gadget-10.6.52-android-arm64.so /data/data/com.my.app/frida-gadget-10.6.52-android-arm64.so'
[+] Command string object created id:110f
[+] Runtime.getRuntime() returned context id:0x1110
[+] found Runtime.exec(): id=712d7ef0
[+] Runtime.exec() successful, retId=1111
[*] Executing Runtime.load(/data/data/com.my.app/frida-gadget-10.6.52-android-arm64.so)
[+] Runtime.load(/data/data/com.my.app/frida-gadget-10.6.52-android-arm64.so) probably successful
[*] Library should now be loaded
[!] Command successfully executed
[**] Running frida-ps -U. If you see 'Gadget' then all worked fine!
  PID  Name
-----  ------
12830  Gadget
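The steps above depend on two things going right before the injector is even run: the gadget file name must match the device ABI reported by ro.product.cpu.abi, and the target app must be debuggable (the JDWP route only exists for apps built with android:debuggable, which is exactly why release builds should not ship that flag). The following pre-flight script is an added example written for this page; it is not part of jdwp-lib-injector or the original post. It assumes adb is on PATH with one device attached, and that `dumpsys package <pkg>` lists DEBUGGABLE inside its `flags=[ ... ]` line (the sample dumpsys text at the bottom is constructed for offline checking).

```shell
#!/bin/sh
# Added pre-flight helper for the jdwp-lib-injector procedure above.
# Not part of jdwp-lib-injector; assumes adb on PATH and one device attached.

# Map the value of ro.product.cpu.abi to the arch suffix used in Frida's
# gadget release file names.
frida_arch_for_abi() {
  case "$1" in
    arm64-v8a)           echo arm64 ;;
    armeabi-v7a|armeabi) echo arm ;;
    x86)                 echo x86 ;;
    x86_64)              echo x86_64 ;;
    *)                   return 1 ;;   # unsupported / unknown ABI
  esac
}

# Build the gadget file name for a Frida version and a device ABI,
# e.g. gadget_name 10.6.52 arm64-v8a -> frida-gadget-10.6.52-android-arm64.so
gadget_name() {
  fa=$(frida_arch_for_abi "$2") || return 1
  echo "frida-gadget-$1-android-$fa.so"
}

# JDWP injection only works for apps whose manifest sets android:debuggable.
# "dumpsys package <pkg>" prints a line such as
#   flags=[ DEBUGGABLE HAS_CODE ALLOW_BACKUP ]
# (assumed format). The text is passed in so the check can run offline.
pkg_is_debuggable() {
  printf '%s\n' "$1" | grep -q 'flags=\[[^]]* DEBUGGABLE '
}

# Run all checks against the attached device: correct gadget present next
# to this script, and the package actually debuggable.
preflight() {
  ver=$1; pkg=$2
  abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
  so=$(gadget_name "$ver" "$abi") || { echo "unsupported abi: $abi" >&2; return 1; }
  [ -f "$so" ] || { echo "missing $so next to jdwp-lib-injector.sh" >&2; return 1; }
  pkg_is_debuggable "$(adb shell dumpsys package "$pkg")" \
    || { echo "$pkg is not debuggable; JDWP injection will not work" >&2; return 1; }
  echo "ok: $so matches $abi, $pkg is debuggable"
}

# Constructed sample of the relevant dumpsys line (not real device output),
# used to exercise the parser without a device.
SAMPLE_DUMPSYS='Package [com.my.app] (1a2b3c):
  flags=[ DEBUGGABLE HAS_CODE ALLOW_BACKUP ]'

gadget_name 10.6.52 arm64-v8a
if pkg_is_debuggable "$SAMPLE_DUMPSYS"; then echo "sample: debuggable"; fi
# Against a live device: preflight 10.6.52 com.my.app
```

`preflight <frida-version> <package>` refuses to continue when the gadget for the device's ABI is missing or the app is a non-debuggable release build, which are the two most common reasons the injector's "Gadget" entry never shows up in frida-ps.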

At this point the app hangs; it only resumes once you attach to it.

➜  ~ frida -U 12830
     ____
    / _  |   Frida 10.6.10 - A world-class dynamic instrumentation framework
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/

[ZUK ZUK Z2121::PID::12830]->

Ref: Library injection for debuggable Android apps

2. Repackage Apk

2.1 AppMon

frida - learn by example - Part 6.

2.2 APKTool

Using Frida on Android without root · John Kozyrakis ~ blog
