
[feature] Menu Action to copy as frida code snippets #1355

Closed
eybisi opened this issue Jan 24, 2022 · 11 comments

eybisi (Contributor) commented Jan 24, 2022

In the action menu bar, when the user right-clicks on methods/classes, there will be an option to copy as a frida code snippet. It will get the class name from the method node, get the argument names and create the frida code snippet.

package wocwvy.czyxoxmbauu.slsa;

import android.app.Service;
import android.content.Intent;
import android.widget.Toast;

/* loaded from: classes.dex */
public class clgqtzqdh extends Service {

    // fields a and b (helper objects used below) are part of the decompiled class
    // but are not shown in this excerpt

    public int onStartCommand(Intent intent, int i, int i2) {
        String i3 = this.a.i(this);
        this.b.getClass();
        if (!"Android Security".equals("")) {
            this.b.getClass();
            i3 = "Android Security";
        }
        Toast makeText = Toast.makeText(this, this.a.e(this, "StringAccessibility") + " '" + i3 + "'", 1);
        makeText.setGravity(16, 0, 0);
        makeText.show();
        return i;
    }
}

Example scenario: right-clicking on onStartCommand creates the following text and saves it to the clipboard:

let clgqtzqdh = Java.use("wocwvy.czyxoxmbauu.slsa.clgqtzqdh")
clgqtzqdh.onStartCommand.implementation = function(intent, i, i2){
	console.log('onStartCommand is called')
	let ret = this.onStartCommand(intent, i, i2);
	console.log('onStartCommand return value : ' + ret)
	return ret
}

PR is ready to be fired when we agree on this feature : https://github.com/eybisi/jadx/tree/frida

eybisi (Contributor, Author) commented Jan 24, 2022

Also, adding overloads automatically will be very helpful, since it is the most annoying thing while writing frida snippets.

skylot (Owner) commented Jan 24, 2022

@eybisi sure, submit a PR!

skylot pushed a commit that referenced this issue Jan 24, 2022
…#1355)(PR #1356)

* add frida action to copy methods/classes as frida snippets
* bug: call toString before comparing
skylot (Owner) commented Jan 24, 2022

Implemented in PR #1356 by @eybisi

only52607 commented

@eybisi The copied code snippet has a problem if the class member name is an unprintable character.

For example, the following code will have parsing problems when "onStartCommand" is an unprintable character.

let clgqtzqdh = Java.use("wocwvy.czyxoxmbauu.slsa.clgqtzqdh")
clgqtzqdh.onStartCommand.implementation = function(intent, i, i2){
	console.log('onStartCommand is called')
	let ret = this.onStartCommand(intent, i, i2);
	console.log('onStartCommand return value : ' + ret)
	return ret
}

A better way would be something like the following

let clgqtzqdh = Java.use("wocwvy.czyxoxmbauu.slsa.clgqtzqdh")
clgqtzqdh["onStartCommand"].implementation = function(intent, i, i2){
	console.log('onStartCommand is called')
	// bracket notation for the call as well, so it also works for names that are not valid dot-identifiers
	let ret = this["onStartCommand"](intent, i, i2);
	console.log('onStartCommand return value : ' + ret)
	return ret
}

Or we can encode the characters, like this

let clgqtzqdh = Java.use(encodeBase64("xxxx"))
clgqtzqdh[encodeBase64("xxxx")].implementation = function(intent, i, i2){
	console.log('onStartCommand is called')
	let ret = this.onStartCommand(intent, i, i2);
	console.log('onStartCommand return value : ' + ret)
	return ret
}

jpstotz (Collaborator) commented May 10, 2022

@only52607 Sounds like a reasonable approach, even if I would prefer to use JavaScript unicode escaping instead of encoding everything as Base64, as this would leave the readable parts of the function name.
Do you have an example APK that has such problematic class and/or method names you can share, so we could test your approach?

only52607 commented

classes.zip

Some classes or methods in this dex file above contain some strange characters, which you can find here or elsewhere.


only52607 commented

What I would prefer is to just copy the class name in some type of encoding, rather than including it in the code snippet. But jadx doesn't seem to offer the option to just copy the class name, so if I want to copy the class name or method name I have to select and copy it in the source code, and this approach causes problems when strange characters appear.

eybisi (Contributor, Author) commented May 10, 2022

This is a common obfuscator technique. Even though jadx says those are not valid Java names, they actually are valid. Those are Arabic letters. Look for db a5; Arabic letters are written right to left, so that's why you see weird interactions. So it's okay to use [ ].

only52607 commented May 10, 2022

Yes, so we need a better way to display these characters in jadx-gui instead of printing them directly, such as by hex or unicode escaping. This makes it easier for us to locate these classes or methods in frida.

jpstotz (Collaborator) commented May 10, 2022

@only52607
What do you think of this frida code snippet:

let C0082 = Java.use("com.rl.gg.\u06DF\u06E5\u06E5\u06E1\u06E4");
C0082["\u06DF\u06DF\u06E0\u06E6\u06E0"].implementation = function(){
    console.log('\u06DF\u06DF\u06E0\u06E6\u06E0 is called');
    let ret = this.\u06DF\u06DF\u06E0\u06E6\u06E0();
    console.log('\u06DF\u06DF\u06E0\u06E6\u06E0 ret value is ' + ret);
    return ret;
};

I think it should work for the classes.dex you had posted. It is based on the latest changes I have implemented for escaping class names, method names and field names (for field names I don't know if it would work, as there is the simple . notation like for the methods).
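
The following generator is an added example, not jadx's own code or the PR linked above. It puts together the three things discussed in this thread: the snippet shape from the first post (class handle, hook, log, call-through, return), the automatic `.overload(...)` selection asked for in the second comment, and the `\uXXXX` escaping with bracket-notation member access from the snippet just above, so that a copied snippet never contains a raw non-ASCII identifier. Frida-only APIs (`Java.use`, `.overload`, `.implementation`) appear only inside the generated string; the generator itself runs under plain Node.js. The function names, the `arg0..argN` fallback for missing argument names and the `uXXXX` scheme for the handle variable are my own choices, not jadx behaviour.

```javascript
// Added example, not jadx's own generator: builds a Frida hook snippet the way
// the thread describes (class handle, bracket-notation member access, explicit
// overload, escaped identifiers). Frida-only APIs (Java.use, .overload,
// .implementation) appear only inside the generated string; this file runs
// under plain Node.js. Function names and the arg0..argN fallback are my own.

// Escape every character outside printable ASCII (plus backslash and quotes)
// as a JavaScript \uXXXX escape. The loop walks UTF-16 units on purpose, so
// code points above U+FFFF come out as a surrogate pair, which is what a JS
// string literal or identifier expects.
function escapeJsIdentifier(name) {
  let out = '';
  for (let i = 0; i < name.length; i++) {
    const code = name.charCodeAt(i);
    const plain = code >= 0x20 && code <= 0x7e &&
      code !== 0x5c && code !== 0x27 && code !== 0x22;
    out += plain ? name[i] : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  }
  return out;
}

// Variable name for the class handle: keep ASCII identifier characters,
// replace anything else by its hex code point (assumed scheme), and prefix
// when the result could not start a JS identifier.
function handleName(simpleClassName) {
  let h = '';
  for (const ch of simpleClassName) {
    h += /[A-Za-z0-9_$]/.test(ch)
      ? ch
      : 'u' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
  }
  return /^[A-Za-z_$]/.test(h) ? h : 'C_' + h;
}

// fullClassName and methodName as jadx shows them; paramTypes are the Java
// type names of the chosen overload; argNames are optional and default to
// arg0..argN when the decompiler provides none.
function fridaSnippet(fullClassName, methodName, paramTypes, argNames) {
  const simple = fullClassName.substring(fullClassName.lastIndexOf('.') + 1);
  const handle = handleName(simple);
  const cls = escapeJsIdentifier(fullClassName);
  const m = escapeJsIdentifier(methodName);
  const names = argNames || paramTypes.map((_, i) => 'arg' + i);
  const overload = paramTypes.map(t => "'" + escapeJsIdentifier(t) + "'").join(', ');
  const args = names.join(', ');
  return [
    `let ${handle} = Java.use("${cls}");`,
    `${handle}["${m}"].overload(${overload}).implementation = function(${args}) {`,
    `    console.log('${m} is called');`,
    `    let ret = this["${m}"](${args});`,
    `    console.log('${m} return value : ' + ret);`,
    `    return ret;`,
    `};`,
  ].join('\n');
}

// Constructed inputs: the onStartCommand example from the issue and the
// Arabic-letter class/method names from the classes.dex discussion.
const SAMPLE_PLAIN = fridaSnippet(
  'wocwvy.czyxoxmbauu.slsa.clgqtzqdh', 'onStartCommand',
  ['android.content.Intent', 'int', 'int'], ['intent', 'i', 'i2']);
const SAMPLE_ARABIC = fridaSnippet(
  'com.rl.gg.\u06DF\u06E5\u06E5\u06E1\u06E4', '\u06DF\u06DF\u06E0\u06E6\u06E0', []);

// True when the generated text is printable ASCII only, i.e. every odd
// identifier was escaped and the snippet survives any clipboard or editor.
function isPrintableAscii(text) {
  return /^[\x20-\x7e\n]*$/.test(text);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(SAMPLE_PLAIN);
  console.log();
  console.log(SAMPLE_ARABIC);
}
```

Running the file prints both snippets; the second one reproduces the shape of the hook above with the class handle spelled from hex code points instead of jadx's alias, and the `.overload()` call with no types selects the no-argument overload, which is how Frida disambiguates when a method has several.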

only52607 commented


I just tested this code snippet on my frida and it works fine. I think it's better than Base64 or other encodings. Nice work.
