
Say the app uses a button to trigger a function call.

    // Inside the Activity (com.sample.MainActivity); needs android.widget.Button
    // and android.view.View. The click handler is the only caller of hello().
    Button btn = new Button(this);
    btn.setText("Test");
    btn.setOnClickListener(new View.OnClickListener() {
        @Override
        public void onClick(View v) {
            hello();
        }
    });

The function is defined as:

    // Method of com.sample.MainActivity that the Frida script hooks.
    // TAG is the Activity's log tag; needs android.util.Log.
    public int hello() {
        Log.v(TAG, "hello frida!");
        return 0;
    }

The script to hook the hello API:

    // hook.js: replace MainActivity.hello() with a wrapper that logs,
    // calls the original implementation and forwards its return value.
    Java.perform(function () {
      var clzname = "com.sample.MainActivity";
      var instance = Java.use(clzname);   // class wrapper for the target class
      instance.hello.overload().implementation = function () {
        console.log("[*] onEnter hello...");
        var retval = this.hello();        // call the original method
        return retval;
      };
    });

If I launch the app, then attach the script:

    frida -U -l hook.js com.sample

it works fine; the log below is output:

    -> [*] onEnter hello...

But if I launch the app, click the button to trigger the API call first, and then attach the script, it does not work: there is no output on the console.

Does that mean that if the API has already been called, we cannot hook it? How do I fix my script?

lucky1928
  • Are we talking about a self-developed sample app without any anti-reversing techniques involved, or is your question based on a specific app from the Play Store/Internet that you want to hook? – Robert May 15 '20 at 07:37
  • My test app! Just for studying Frida! – lucky1928 May 15 '20 at 11:09
  • If you start the app directly from Android Studio, make sure that you [disable the Instant Run feature](https://stackoverflow.com/q/46999669/150978). Otherwise the actual classes that are executed may look totally different from what you have programmed in Java (because Android Studio may then push delta code updates into the running app). – Robert May 15 '20 at 11:16
  • To verify that, I just built the apk, closed Android Studio, then ran adb install apk and repeated the test. The behavior is the same. BTW, I cannot find the Instant Run settings in the latest Android Studio, maybe renamed :-). – lucky1928 May 15 '20 at 12:11
  • @lucky1928 Your script seems good. What about "hello frida!" in logcat: don't you see that as well? Have you solved your issue already? – Alexander Fadeev May 18 '20 at 11:29
  • Still no progress! Yes, I can see "hello frida!" in the adb logs, but I do not see "[*] onEnter hello..." on the PC. That means the injection actually did not happen. – lucky1928 May 18 '20 at 13:33
  • Have you looked at the decompiled source code (via apktool/Jadx/...)? As the hello method is only used once, the compiler may have just inlined it into the anonymous OnClickListener implementation. Or maybe this happens at run time? – Robert May 18 '20 at 14:52
  • I checked the decompiled code with jadx-gui; it's not inlined. But since it works fine if I do not click the button before launching the script, do you mean that if I clicked the button, then the code gets inlined? – lucky1928 May 18 '20 at 20:30
  • @lucky1928 There is a high chance that we have some runtime optimization behaviour here, because `hello` is in fact a constant function. I have only one idea: for the sake of experiment, you could try to add some argument and return something derived from that argument (e.g. add the current time inside of `hello`). Write here if it works, and mention me so I can see the notification. – Alexander Fadeev May 19 '20 at 00:36
  • @AlexanderFadeev Thanks, I added some code to try, but it is still the same. I also added a factorial function with a recursive call; it is still the same. – lucky1928 May 19 '20 at 01:31
  • @lucky1928 As the used APK is a test app, could you provide it? Also please edit your question and add the details of the Android phone(s) you have tried with Frida and the app. – Robert May 19 '20 at 07:14
  • @lucky1928 Oh. And what if you remove the call of the original function `this.hello()`: will you still see the "hello frida!" log? If not, then it attached successfully and the problem is just with the console log. Another thing: if `Log.v` always prints, try to catch `Log.v`! – Alexander Fadeev May 19 '20 at 07:25
  • @AlexanderFadeev You are absolutely correct. If I remove the original call, I cannot see the logs in Log.v, and if I just hook it with a fixed input parameter, I see it take effect. Sounds like the hook is successful, but the print from the script side has missed some prints (about 50~60 calls). After that, it works like a charm. Many thanks! – lucky1928 May 19 '20 at 13:12
  • @lucky1928 Nice!! Let me prepare an official answer here as a result of our investigation; I would appreciate it if you vote it up then. – Alexander Fadeev May 19 '20 at 19:21
  • @lucky1928 Though I don't really care, it's good you've done it – Alexander Fadeev May 19 '20 at 20:33
  • @lucky1928 I think I may have stumbled upon a similar problem. Did you figure out how to get the console logs working again from the script side? In my case the function that I am trying to hook does not have a line like `Log.v(TAG,"hello frida!");`, so I can't even see whether the hooking is actually working like in your case. Hooking other functions is fine. Just this one: yesterday it was working, but today I restarted frida-server and it is behaving like this. Other console logs from the Frida script and for other hooked functions are fine, just not from this hooked function. – auspicious99 Dec 20 '20 at 10:49
  • @auspicious99 I don't fully understand what your problem is; it's better to submit a question and paste your code to get help! My question is still not resolved now! – lucky1928 Dec 23 '20 at 15:56
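The comment thread ends with the hook working but `console.log` output going missing for the first few dozen calls, and with the suggestion to verify the hook through `Log.v` instead. The script below is an added example, not code from the original post or from Frida: it reports each call through `send()` with a sequence number (so any gap in what the CLI prints is visible), and it also hooks `android.util.Log.v` as an independent sign that the hook is live. It assumes the class and method names from the question (`com.sample.MainActivity`, `hello()`); the hook logic is written as a plain function so it can be exercised outside Frida, and the final guard only installs the hooks when the script is running inside the Frida runtime.

```javascript
// hook.js (added example): Frida hook for com.sample.MainActivity.hello()
// that does not depend on console.log reaching the terminal.
'use strict';

// Build the replacement implementation for a hooked Java method.
// `emit` receives one structured record per call (under Frida: send()),
// including a sequence number so that lost records are detectable.
function makeHookImplementation(methodName, emit) {
  let calls = 0;
  return function () {
    calls += 1;
    const args = Array.prototype.slice.call(arguments);
    emit({ event: 'enter', method: methodName, seq: calls, args: args });
    // Frida binds `this` to the Java instance; the original method is
    // reachable as this[methodName], and `arguments` is forwarded unchanged.
    const retval = this[methodName].apply(this, args);
    emit({ event: 'leave', method: methodName, seq: calls, retval: retval });
    return retval;
  };
}

// Frida-specific wiring (runs only inside Java.perform).
function installHooks() {
  const emit = (record) => send(record);   // send() is Frida's message channel

  // Class and method names assumed from the question.
  const MainActivity = Java.use('com.sample.MainActivity');
  MainActivity.hello.overload().implementation =
      makeHookImplementation('hello', emit);

  // Independent evidence that the hook is live: intercept android.util.Log.v,
  // whose output also shows up in logcat regardless of the Frida console.
  const Log = Java.use('android.util.Log');
  Log.v.overload('java.lang.String', 'java.lang.String').implementation =
      function (tag, msg) {
        emit({ event: 'log.v', tag: tag, msg: msg });
        return this.v(tag, msg);
      };
}

// Only touch the Java bridge when the Frida runtime is present, so the
// helper above can also be run and tested under plain Node.
if (typeof Java !== 'undefined') {
  Java.perform(installHooks);
}
```

Load it with `frida -U -f com.sample -l hook.js` so the app is spawned with the hook already in place before the button is ever clicked (older Frida releases also need `--no-pause` to resume the spawned process); records sent with `send()` are printed by the frida CLI as `message:` lines, and the `seq` field shows whether any call went unreported.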
