Unable to retrieve value from interface using frida

Question

After almost going bald from attempting to find a solution, I have decided to ask my fellow programmers who are most likely better at Java than I.

I have a method that looks like this

i.l.a.i.m.a.e

public class e extends Object {
    public final a5.e0 a(java.net.URL url, i.l.a.i.b bVar, 
        java.util.Map<java.lang.String, java.lang.String> map, 
        java.util.HashMap<java.lang.String, java.lang.String> hashMap){
        i.l.a.i.m.a.b bVar2 = ((i.l.a.i.m.a) bVar).b;
    }
}

Different decompiler result:

public final e0 a(URL p0,b p1,Map p2,HashMap p3){   
    a$b bVar2 = p1.b;

I am trying to retrieve bVar2 from my frida script but had no luck. I believe it is casting, but I don't know how to carry this out from frida.

My frida script

setImmediate(function() {
Java.perform(function() {
    var targetClass='i.l.a.i.e';
    var methodName='a';
    var gclass = Java.use(targetClass);
    gclass[methodName].overload('java.net.URL','i.l.a.i.b','java.util.Map','java.util.HashMap').implementation = function(arg0,arg1,arg2,arg3) {

        var aa = Java.use('i.l.a.i.m.a.b');
        var a = Java.cast(arg1, aa);

        console.log(a);
        
        var i=this[methodName](arg0,arg1,arg2,arg3);
        console.log('\treturn '+i);
        return i;
    }
})
})

I have tried calling arg1.b from my Frida code and it returns undefined. I believe I'm only missing the casting.

i.l.a.i.b

public interface b {
    void onFailure(java.io.IOException iOException);
}

i.l.a.i.m.a.b

public class b {
    public org.json.JSONObject a;
    public java.lang.String b;

    public b(java.lang.String str, org.json.JSONObject jSONObject) {
        this.b = str;
        this.a = jSONObject;
    }
}

i.l.a.i.m.a

public abstract class a implements i.l.a.i.b {
    public final i.l.a.i.m.a.b b;
    public final android.os.Handler c;
    public final java.lang.String d;
    public final java.lang.String e;
    public final java.lang.String f;
    public final java.lang.String g;
    public final java.lang.String h;
    public final java.lang.String i;
    public final boolean l;
    public final java.lang.String m;
    public final java.lang.String n;
    public final int o;
    public final java.lang.String p;
    public final java.lang.String q;
    public final float r;
    public final float s;
    public final i.l.a.i.o.c a = new i.l.a.i.o.c();

    ... useless code

}

Why do you define `i.l.a.i.e` as the target class? That class name is never mentioned anywhere within your question. So there are two possibilities: The class name is correct but your question misses the relevant information or alternatively the class name is wrong. Your question also misses the information what happens if you execute your Frida code. — Robert, Oct 09 '21 at 11:41
@Robert That is the class my method is in. When I execute my Frida code it returns the i.l.a.i.b object and when I call arg1.b it returns undefined. I believe I'm only missing the casting. Any help is appreciated. — john4826, Oct 09 '21 at 14:29
Then please edit your question and change the first code block so that it is clear we are in class `i.l.a.i.e`. — Robert, Oct 09 '21 at 15:36
I think your main problem is that you are accessing the field in a wrong way: use `arg1._b.value` . You need to use `_b` because there is most likely a method of the same name and `.value` because otherwise you only get the JavaScript wrapper object of that field and not the actual field value. See also https://stackoverflow.com/a/58970860/150978 — Robert, Oct 09 '21 at 15:43
I have changed the first block of code. `arg0 = https://localhost arg1 = [object Object] arg2 = [object Object] arg3 = {} TypeError: cannot read property 'vaue' of undefined at (/gda.js:8) at apply (native) at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:613) at (frida/node_modules/frida-java-bridge/lib/class-factory.js:592)` This is the output of `arg1._b.value`. — john4826, Oct 09 '21 at 15:51

Robert · Accepted Answer · 2021-10-09T16:42:44.607

You simply need to follow the decompiled Java code you have posted: Cast the second argument to i.l.a.i.m.a (for an unknown reason you casted to a different class). And then access the field b.

Java.perform(function() {
    var targetClass='i.l.a.i.e';
    var methodName='a';
    var gclass = Java.use(targetClass);
    gclass[methodName].overload('java.net.URL','i.l.a.i.b','java.util.Map','java.util.HashMap').implementation = function(arg0,arg1,arg2,arg3) {

        var aa = Java.use('i.l.a.i.m.a'); // changed from 'i.l.a.i.m.a.b'
        var a = Java.cast(arg1, aa);

        console.log(a._b.value); // You need to use _b to make sure you are getting field b not method b and then get the actual Java value
        
        var i=this[methodName](arg0,arg1,arg2,arg3);
        console.log('\treturn '+i);
        return i;
    }
})

score 0 · Answer 2 · answered Oct 09 '21 at 08:28

Do you want to get his return value? She needs to get from his properties, not the return value.

setImmediate(function () {
    Java.perform(function () {
        var targetClass = 'i.l.a.i.e';
        var methodName = 'a';
        var gclass = Java.use(targetClass);
        gclass[methodName].overload('java.net.URL', 'i.l.a.i.b', 'java.util.Map', 'java.util.HashMap').implementation = function (arg0, arg1, arg2, arg3) {
            console.log(arg1.b.value)
        }
    })
})

I have tried this and it returns undefined. I apologize for not including the output of my frida code. I believe I'm only missing the casting. — john4826, Oct 09 '21 at 14:32

Unable to retrieve value from interface using frida

2 Answers2