
GDA support for the frida

charles2gan edited this page Jul 15, 2021 · 1 revision

1. Preface

Recently I spent some time working out how to support Frida from GDA, so that methods and classes can be hooked or called directly from the decompiled code. At first it looked simple, but the implementation had many pitfalls: 1) to generate JS code automatically, beyond defining code templates, I had to handle static methods, constructors, inner classes, anonymous classes, and obfuscated class or method names containing invisible characters, as well as how parameters are determined and instantiated when a method is called; users may also need to edit the generated code, so a code editor had to be provided; 2) to stay independent of the command-line window, I had to write a shell that talks to Frida.

In the end it took some time, but these problems have been solved. Combined with the Frida framework, the new GDA decompiler can do the following:

  1. If the APK currently being decompiled is not installed on the Android device, it is installed and started automatically.

  2. Static methods, constructors, inner classes, anonymous classes, and class or method names containing obfuscated invisible characters are handled automatically.

  3. Starting from the decompiled code, you can hook anywhere you want and see the method's parameter values and return value without writing any JS code.

  4. Starting from the decompiled code, you can call any method you see. GDA generates the appropriate code automatically to minimize the code you have to write.

  5. Methods from packed or encrypted apps can be hooked or called through Frida: decompile the DEX file dumped from memory in GDA, and GDA associates it with the package name automatically as long as the original app is installed on the Android device.

  6. The JS script is fully customizable; GDA generates suggested code that you can adapt to needs such as modifying parameters or return values.

With these problems solved, the support covers most everyday needs, such as a hook point that is never reached after a hook is set, or an upper-layer caller that cannot be triggered during vulnerability verification. Of course, you can also write JS code directly in GDA, which is much more convenient than working outside the decompiler.

2. Preparation

Download GDA:

https://github.com/charles2gan/GDA-android-reversing-Tool/releases

http://www.gda.wiki:9090/

Install Python and Frida (there are many tutorials, so not covered here) and make sure Frida works:

  pip3 install frida

  pip3 install frida-tools

3. How to do it

   In GDA you get the dynamic-analysis effect of "hook wherever you go" and "what you see is what you get". For the decompiled code below:

   You only need to right-click to hook or execute the method you clicked, and the dynamic execution results are shown.

In the figure above, 1, 2 and 3 mark the three kinds of points you can interact with to hook or execute a target. Right-click 1 to hook or execute the current decompiled method; 2 is a method called by the current method; 3 is a class object. 1 and 2 support both method hooks and class hooks; 3 supports only class hooks. Any class or method referenced in the code can be hooked directly.

The figure above shows the Frida menu items in the right-click menu:

1) Hook Method: installs and starts the APK on the first hook; later hooks do not restart the app.

2) Hook Method(Reboot): restarts the app on every hook.

3) Execute method: instantiates the class and executes the selected method. GDA generates the JS code automatically. If the parameters of the called method or of the class constructor cannot be determined, you fill in the unknown values manually and run the code (F5). If they can be determined, GDA executes directly without opening the code editor.

4) Execute method(MEM): executes the selected method on an existing instance of the class found in the device's memory.

5) Hook Class: hooks all methods of the selected class. If you selected a method, the class it belongs to is hooked.

6) Hook Class(Reboot): restarts the app every time.

7) Custom JS code: GDA provides a code template; you can replace the suggested code entirely with your own.

4. Code editing window

  The code editing window supports completing or customizing the JS code. When you execute a method whose parameter values cannot be determined, GDA opens the editing window showing the generated code, and you fill in the parameters manually. Some parameters need to be instantiated by hand, which is why the editor is provided. The class the method belongs to must also be instantiated, so there are two kinds of values to fill in: instantiation (constructor) parameters and method parameters. When the selected method's parameters are constants, GDA fills them in automatically. As shown in the figure below:

In the figure, 1 is the instantiation parameter you fill in; if the chosen method is static, no code is generated there. 2 is the method parameter you fill in; if the parameter is determined in the decompiled code, it is added automatically. Finally, as shown in the figure below, press F5 or right-click > Run (3) to execute the code; the result appears in the Log window on the right.

5. Log window

  This window displays Frida's output in real time. You can also enter Frida commands here. Other actions are available from the right-click menu: exit, clear screen, reload, resume, and so on.

6. For packed or encrypted apps

First dump the app's DEX file from the device, then drag the DEX file into GDA to decompile it. The first time you hook or execute a method, you enter the app's package name; after that everything works as usual.

To find the package name, drag the original APK into GDA and look in baseinfo. Some packers change the package name, however, so you can list it with:

  adb shell pm list packages -f

Then drag the dumped DEX into GDA, select a method, and right-click Frida support > Hook Method. The input box below pops up; enter the package name, and you can then hook and execute any method.

7. For obfuscated methods/classes

When analyzing apps at work, method or class names are often obfuscated into invisible characters. Such strings are not allowed in JS code, so they must be encoded. GDA shows invisible characters in the decompiled code in the form \xXXX, and performs the encoding automatically, which saves unnecessary work.

In addition, if de-obfuscation has been enabled, the method and class names you see are not the original ones. You don't have to worry about this either; it is handled automatically.
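An added example, not part of the original page or of GDA's code: this Node-runnable JavaScript builds Frida scripts of the kind sections 3 and 7 describe, one that hooks every overload of a method and logs its arguments and return value, and one that instantiates a class and calls a method, with obfuscated names escaped so they are valid inside a JS string literal. The generated text uses the real Frida Java API (Java.perform, Java.use, $new, $init, overloads); the generator functions, their parameters and the sample names in the test are assumptions, not GDA's templates.

```javascript
// Added example, not GDA's generator: emit Frida JS like GDA's hook/execute templates.
// Escape every UTF-16 unit outside printable ASCII (plus quote and backslash)
// as \uXXXX so the name is a valid JS string literal inside Java.use("...").
function escapeJavaName(name) {
  let out = "";
  for (let i = 0; i < name.length; i++) {
    const u = name.charCodeAt(i);
    const printable = u >= 0x20 && u <= 0x7e && u !== 0x22 && u !== 0x5c;
    out += printable ? name[i] : "\\u" + u.toString(16).padStart(4, "0");
  }
  return out;
}

// "Hook Method": wrap every overload, log arguments and the return value.
// Constructors ("<init>" in DEX) are reached through Frida's $init pseudo-method.
function buildHookScript(className, methodName) {
  const cls = escapeJavaName(className);
  const m = escapeJavaName(methodName);
  const target = methodName === "<init>" ? "$init" : m;
  return [
    "Java.perform(function () {",
    `  var C = Java.use("${cls}");`,
    `  C["${target}"].overloads.forEach(function (ov) {`,
    "    ov.implementation = function () {",
    "      var args = Array.prototype.slice.call(arguments).map(String).join(', ');",
    `      console.log("[hook] ${cls}.${m}(" + args + ")");`,
    "      var ret = ov.apply(this, arguments);",
    `      console.log("[hook] ${cls}.${m} -> " + ret);`,
    "      return ret;",
    "    };",
    "  });",
    "});",
  ].join("\n");
}

// "Execute method": instantiate the class (unless the method is static) and
// call it. ctorArgs and methodArgs are JS source fragments the user fills in.
function buildCallScript(className, methodName, isStatic, ctorArgs, methodArgs) {
  const cls = escapeJavaName(className);
  const m = escapeJavaName(methodName);
  const receiver = isStatic ? "C" : `C.$new(${ctorArgs.join(", ")})`;
  return [
    "Java.perform(function () {",
    `  var C = Java.use("${cls}");`,
    `  var r = ${receiver}["${m}"](${methodArgs.join(", ")});`,
    `  console.log("[call] ${cls}.${m} -> " + r);`,
    "});",
  ].join("\n");
}
```

Write the returned string to a file and load it with `frida -U -l hook.js -f <package>` to reproduce by hand what GDA does from the right-click menu.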

The demonstration is as follows:

That's all for now. I will do more as time permits. If anything is missing, please give feedback on GitHub.