Prototyping And Reverse Engineering With Frida by Jay Harris

Watch on YouTube

Demo 1

// Run within the Frida REPL (e.g. frida -p <pid> to attach, or frida -f ./binary to spawn)
Process.getCurrentThreadId()

// List the loaded modules; newer Frida versions call this Process.enumerateModules()
Process.enumerateModulesSync()
// Force libc's rand() to always return 0. Module.findExportByName() already returns a
// NativePointer (or null when the export is missing), so wrapping it in ptr() is unnecessary.
Interceptor.attach(Module.findExportByName(null, "rand"), {onLeave: function(retval){ retval.replace(0x00) }})
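The one-liner above, expanded into a loadable agent script. This is an added example, not code from the talk; it assumes the target resolves rand() from libc (or any other loaded module) and is run as `frida -l rand_hook.js -f ./exercise`. The hook callbacks are built by a factory that touches no Frida globals, so they can be exercised with a stand-in retval outside Frida; the attach at the bottom only runs when the Frida runtime (Interceptor) is present.

```javascript
// Added example (not from the original talk): a loadable Frida agent that
// forces rand() to return a fixed value and logs what it would have returned.
// Run with:  frida -l rand_hook.js -f ./exercise
// Assumption: the target resolves rand from libc (or any loaded module).

const FORCED_RAND = 0;

// Builds the onEnter/onLeave pair that Interceptor.attach expects. It touches
// no Frida globals, so it can be exercised outside Frida with a stand-in retval.
function makeRandHook(forcedValue, logger) {
  return {
    onEnter(args) {
      // `this` is per-invocation state carried over to onLeave;
      // Frida also exposes threadId / returnAddress / context on it.
      this.tid = this.threadId;
    },
    onLeave(retval) {
      const original = retval.toInt32();
      logger(`[tid ${this.tid}] rand() -> ${original}, forcing ${forcedValue}`);
      retval.replace(forcedValue);
    },
  };
}

// Resolves rand and installs the hook; returns the resolved address.
function installRandHook(forcedValue) {
  const target = Module.findExportByName(null, 'rand');
  if (target === null) {
    throw new Error('rand is not exported by any loaded module');
  }
  Interceptor.attach(target, makeRandHook(forcedValue, console.log));
  return target;
}

// Interceptor is a Frida global; skip installation when loaded elsewhere (e.g. Node).
if (typeof Interceptor !== 'undefined') {
  installRandHook(FORCED_RAND);
}
```

Keeping the hook logic separate from the attach call is what makes the agent testable: the same object can be handed to Interceptor.attach in Frida, or called directly with a fake retval to check that it replaces the value as intended.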

Demo 2 - frida-trace

// Trace every exported function the process calls: very noisy, but a quick way to see what is active
frida-trace -i "*" my_process

// Narrow it down: trace anything matching *rand* plus read(), attaching to the running "exercise" process
frida-trace -i "*rand*" -i "read" exercise

Demo 3

frida-trace -i "*irc*" pidgin

// frida-trace generates one JS handler file per matched function under __handlers__/

// Let us find anything that starts with "irc_send" (quote the glob so the shell does not expand it first)
find __handlers__ -iname 'irc_send*'

Demo 4

// Get the address of the function from the disassembly (look for the <encryptString>: label)
objdump -d exercise | grep -i encryptstring

// -a takes MODULE!OFFSET, where OFFSET is relative to the module's base address. For a PIE
// binary the objdump address is already that offset; for a non-PIE executable subtract its
// link-time base (e.g. 0x400000) first. The backslash stops bash treating "!" as history expansion.
frida-trace exercise -a exercise\![address_goes_here]
onLeave - Help (the doc comment frida-trace writes into each generated handler):

@this {object} - Object allowing you to access state stored in onEnter
@param {function} log - Call this function with a string to be presented to the user
@param {NativePointer} retval - Return value represented as a NativePointer object
@param {object} state - Object allowing you to keep state across function calls
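A filled-in handler for the function hooked by address in Demo 4, added here as an example (it is not from the talk or from frida-tools). It uses the onEnter/onLeave signature documented above: `log` for output, `state` for data that survives across calls, and `this` for data carried from one onEnter to its matching onLeave. Since the function's real signature is not known here, the first argument is logged only as a raw pointer (an assumption that it takes at least one argument), and the name encryptString is taken from the objdump step.

```javascript
// Added example: a frida-trace handler body for the address-hooked function
// from Demo 4. Not from the original talk or from frida-tools.
// Assumptions: the function takes at least one argument (logged as a raw
// pointer, since its real signature is unknown here); the name encryptString
// comes from the objdump step above.

const handler = {
  // state: shared across every call of this function
  // this:  shared between one onEnter and its matching onLeave
  onEnter(log, args, state) {
    state.calls = (state.calls || 0) + 1;
    this.callNo = state.calls;
    this.started = Date.now();
    // NativePointer stringifies as hex, so this prints the raw argument value
    log(`[${this.callNo}] encryptString(arg0=${args[0]})`);
  },

  onLeave(log, retval, state) {
    const ms = Date.now() - this.started;
    log(`[${this.callNo}] encryptString returned ${retval} after ${ms} ms (${state.calls} calls so far)`);
  },
};
```

frida-trace writes the skeleton for this hook under __handlers__/; paste the two methods into it. Recent frida-tools versions wrap the object in defineHandler({...}), older ones expect the bare object literal as the whole file.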

Demo 5

Template

import frida

# enumerate_devices()[-1] assumes the USB device is listed last; frida.get_usb_device() is more robust
device = frida.get_device_manager().enumerate_devices()[-1]
# for rooted device: attach to the app by package name
session = device.attach("com.my.app")
# for non-rooted device, repackaged apps: the embedded frida-gadget shows up as a process named "Gadget"
session = device.attach("Gadget")