frida-core
frida-core copied to clipboard
Published
20 hours ago •
frida
frida
Gadget Script rpc.exports.init is not able to override methods
I am using below config file (libanx.config.so)
{
"interaction": {
"type": "script",
"path": "/etc/ANXCamera/anx.js",
"on_change": "reload"
}
}
With following content in anx.js
const TAG = "[ANX]";
const NativeLog = new NativeFunction(Module.getExportByName(null, '__android_log_write'), 'int', ['int', 'pointer', 'pointer']);
const NativeTAG = Memory.allocUtf8String(TAG);
NativeLog(3, NativeTAG, Memory.allocUtf8String("Enter"));
rpc.exports = {
init: function (stage, parameters) {
NativeLog(3, NativeTAG, Memory.allocUtf8String("Init="+stage));
Java.perform(function () {
NativeLog(3, NativeTAG, Memory.allocUtf8String("Perform"));
var LogClass = Java.use("android.util.Log");
var TAG_L = "[ANX]";
Log.v(TAG_L, "Log Start");
Java.use('miui.external.Application').initializeSdk.implementation = function () {
Log.v(TAG_L, "Application.initializeSdk==>true");
return true;
}
Java.use('miui.external.Application').loadSdk.implementation = function () {
Log.v(TAG_L, "Application.loadSdk==>true");
return true;
}
console.log("Java perform..");
var Log = Java.use("android.util.Log");
Log.v(TAG_L, "is Online");
Java.use('miui.external.Application').initializeSdk.implementation = function () {
Log.v(TAG_L, "Application.initializeSdk==>true");
return true;
}
Java.use('miui.external.Application').loadSdk.implementation = function () {
Log.v(TAG_L, "Application.loadSdk==>true");
return true;
}
});
},
dispose: function () {
console.log('[dispose]');
}
};
I find the Java.perform block is not executed before the actual calls to miui.external.Application.initializeSdk
In the logcat I can see below
09-12 19:18:58.654 11718 11718 D [ANX] : Enter
09-12 19:18:58.654 11718 11718 D [ANX] : Init=early
09-12 19:18:58.701 11718 11718 I ANX : Loaded: 54.52595mS
Where the last line is called from the Java code ANXLoader.Load() which loads the Gadget i.e. System.loadLibrary
package miui.external;
...
public class Application extends android.app.Application implements SdkConstants {
...
public Application() {
ANXLoader.Load();
ANXLoader.Wait();
if (loadSdk() && initializeSdk()) {
this.mInitialized = true;
}
}
private boolean initializeSdk() {
return false;
}
private boolean loadSdk() {
return false;
}
...
}
ANXLoader Code is as below
package com.android.camera;
import android.util.Log;
public class ANXLoader {
public float endTime;
public boolean loaded;
public ANXLoader(float startTime){
System.loadLibrary("anx");
endTime = System.nanoTime();
Log.i("ANX", "Loaded: "+ ((endTime-startTime)/1000000)+ "mS\n");
loaded=true;
}
public static class InternalLoader {
static long startTime = System.nanoTime();
public static final ANXLoader ANXLoader = new ANXLoader(startTime);
public static boolean Load(){
return ANXLoader.loaded;
}
}
public static boolean Load(){
return InternalLoader.Load();
}
public static void Wait(){
try {
Thread.sleep(200);
} catch (InterruptedException e) {
e.printStackTrace();
}
}
}
frida-gadget-14.2.18-android-arm64.so is renamed to libanx.so
And it seems to load. and even execute the script file provided by the libanx.config.so
What do I need to do overload the methods? OS: Android 11 Frida: 14.2.18 since 15.0.18 server on android was not able to connect to frida-cli on Android 11.
