I'm attempting to conduct a penetration test and hook into my Android application method using Frida. However, when I execute the command from the Windows command prompt, my application crashes, and the intended method is not executed from the APK.
I am trying to trigger my second activity by hooking and returning true from the Frida script. Can someone assist me in correcting my code or providing a valid solution?
My app code:
package com.g.fridaplay;

import android.content.Intent;
import android.os.Bundle;
import android.widget.Toast;

// androidx import assumed for an Arctic Fox-era project
import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        // check() never returns true on its own, so VaultActivity is only reached when the hook overrides it
        if (check())
            startActivity(new Intent(MainActivity.this, VaultActivity.class));
        else
            Toast.makeText(MainActivity.this, "Failed access", Toast.LENGTH_LONG).show();
    }

    boolean check() {
        String pass = "asdf@123";
        return pass.equals("asdf");
    }
}
Frida JavaScript: vault.js
Java.perform(function () {
    var theClass = Java.use("com.g.fridaplay.MainActivity");
    // check() takes no arguments, so the replacement takes none either
    theClass.check.implementation = function () {
        console.log("In function check()");
        return true;
    };
    console.log("Exploit Completed.. finished");
});
Frida script commands used
# in adb shell on the emulator (a trailing ";" after "&" is a shell syntax error)
./frida-server-15.1.3-android-x86 &
# on the Windows host, from the Python Scripts directory
frida -U --no-pause -l vault.js -f com.g.fridaplay
Command output
C:\Python39\Scripts>frida -U --no-pause -l vault.js -f com.g.fridaplay
     ____
    / _  |   Frida 15.1.3 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `com.g.fridaplay`. Resuming main thread!
[Android::com.g.fridaplay]-> Exploit Completed.. finished
Process crashed: Bad access due to invalid address
***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'Android/vbox86p/vbox86p:7.1.1/NMF26Q/76:userdebug/test-keys'
Revision: '0'
ABI: 'x86'
pid: 1657, tid: 1657, name: <pre-initialized>  >>> <pre-initialized> <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x80000000
eax 00000000 ebx 00000679 ecx 00000679 edx 0000000b
esi ffdea80c edi ffdea5a0
xcs 00000023 xds 0000002b xes 0000002b xfs 0000006b xss 0000002b
eip f49ecbb9 ebp ffdea620 esp ffdea538 flags 00000296
backtrace:
#00 pc 00000bb9 [vdso:f49ec000] (__kernel_vsyscall+9)
#01 pc 0007f9d8 /system/bin/linker (__dl_syscall+40)
#02 pc 000046a1 /system/bin/linker (__dl__ZL24debuggerd_signal_handleriP7siginfoPv+1201)
#03 pc 0000b7fd /system/bin/app_process32_xposed (InvokeUserSignalHandler+317)
#04 pc 000ff441 /system/lib/libart.so (offset 0x10a000)
***
[Android::com.g.fridaplay]->
Thank you for using Frida!
My setup:
- Emulator: Genymotion Android 7.1 (x86)
- Frida version 15.1.3
- Platform: Windows 10
- APK generated: Arctic Fox 2021
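A more defensive version of the hook, added here as an example and not part of the question or the asker's script. It uses the same class and method names as the post (com.g.fridaplay.MainActivity, check) and only real Frida Java-bridge API (Java.perform, Java.use, .overload(), .implementation, .call); the function name installCheckHook, its log parameter and the returned state object are introduced by this example. The point is diagnostic: it selects the exact no-argument overload, logs what the original check() returns before overriding it, and reports any exception raised while installing the hook, so a reader can tell whether the hook was ever installed before the process crashed. It does not claim to fix the SIGSEGV in the trace above.

```javascript
// Added example (not the asker's vault.js). Assumes it runs inside Frida's
// JavaScript agent, where the global `Java` object is Frida's Java bridge.
// installCheckHook, log and the state object are names introduced here.

function installCheckHook(Java, log) {
  // Bookkeeping returned to the caller so the hook's activity is observable.
  const state = { hooked: false, calls: 0, originalResults: [] };

  Java.perform(function () {
    try {
      const MainActivity = Java.use('com.g.fridaplay.MainActivity');
      // check() has no parameters; pick that exact overload explicitly
      // instead of relying on Frida's overload resolution.
      const check = MainActivity.check.overload();

      check.implementation = function () {
        state.calls += 1;
        // Under Frida, <overload>.call(this) invokes the original, unhooked
        // method, so the real result is logged before it is overridden.
        const original = check.call(this);
        state.originalResults.push(original);
        log('check() originally returned ' + original + ', overriding to true');
        return true;
      };

      state.hooked = true;
      log('check() hook installed');
    } catch (e) {
      // A throw inside Java.perform would otherwise only show up as an
      // unhandled error in the agent; surface it explicitly.
      log('hook installation failed: ' + e.message);
    }
  });

  return state;
}

// Entry point when loaded with `frida -l`: Frida provides the `Java` global.
if (typeof Java !== 'undefined') {
  installCheckHook(Java, console.log);
}
```

Because the Frida bridge is passed in as a parameter, the control flow can also be exercised outside Frida with a stub object that mimics Java.perform, Java.use and the overload's implementation/call methods; that is how the logic was checked here.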