@elevenchars
Last active July 8, 2025 15:48
My notes on injecting a frida gadget into an apk

Android RE using Frida

I figured that I would write down my findings somewhere, since this is my first time using Frida. This won't cover installing frida, adb or apktool, because those are well covered in other sources.

Tools

Injecting Frida gadget into APKs

This is what has worked for me. Obviously it won't apply to every use case, but I have found that this is generally the process I take.

Decompile the app using apktool.

apktool d appname.apk

Add the Frida gadget to the decompiled apk. You can find a gadget for your architecture on the Frida releases page.

Put the gadget in lib/[arch]/libfrida-gadget.so, where [arch] is the ABI directory the target device uses (for example arm64-v8a).

Open the AndroidManifest.xml and find the main activity path. It should look something like this:

<activity android:label="@string/app_name" android:name="com.packagename.path.to.MainActivity">

In MainActivity.smali, we need to load libfrida-gadget.so. Ideally, we do it before anything else loads. We can load it using the following smali:

const-string v0, "frida-gadget"

invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

This can be read as System.loadLibrary("frida-gadget"). It's important that this is done early in the app's lifecycle, so we can do it in the MainActivity static constructor. In the app that I am using, it looks like this:

.method static constructor <clinit>()V
    .locals 1 # this is the number of non-param registers
    ...

Insert the smali above at the beginning of the static constructor (after the .locals line, if present). If the class has no static constructor, add one containing just the .locals line, the two instructions above and a return-void.

Now we need to rebuild the app.

apktool b -o appname_patched.apk decompiledfolder

Sign the app:

jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore my.keystore appname_patched.apk keyname
jarsigner -verify appname_patched.apk

And zipalign:

zipalign 4 appname_patched.apk appname_patched_aligned.apk

Now we can install this on the target device and use our Frida library of choice to poke around. :)
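The manifest and smali steps above are the ones that are easiest to get wrong by hand (picking the wrong activity, forgetting to bump .locals, or a class with no static constructor at all), so here is an added example that automates them. This is not code from the gist; it assumes the apktool output layout the gist describes (AndroidManifest.xml at the root, classes under smali/ or smali_classesN/), picks the launcher activity by its MAIN/LAUNCHER intent-filter rather than the first activity listed, and the sample manifest and smali are constructed for the demonstration. Decoding, rebuilding, signing and zipaligning stay as the shell commands above.

```python
"""Find the launcher activity in an apktool output directory and insert
System.loadLibrary("frida-gadget") at the top of its static constructor.
Added example, not part of the original gist."""
import os
import re
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The two smali instructions from the gist, i.e. System.loadLibrary("frida-gadget").
INJECT = [
    '    const-string v0, "frida-gadget"',
    '    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V',
]

# Constructed samples (not from any real app) so the functions can be exercised offline.
# Note the launcher activity is deliberately not the first <activity> in the manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:label="@string/app_name">
    <activity android:name=".SplashActivity"/>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

SAMPLE_SMALI = """.class public Lcom/example/app/MainActivity;
.super Landroid/app/Activity;

.method static constructor <clinit>()V
    .locals 0

    return-void
.end method
"""


def find_launcher_activity(manifest_xml: str) -> str:
    """Fully qualified class of the activity whose intent-filter has MAIN + LAUNCHER."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            cats = {c.get(ANDROID_NS + "name") for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                name = activity.get(ANDROID_NS + "name")
                if name.startswith("."):        # ".MainActivity" is relative to the package
                    name = package + name
                elif "." not in name:           # bare class name, same meaning
                    name = package + "." + name
                return name
    raise ValueError("no MAIN/LAUNCHER activity found")


def smali_path(decoded_dir: str, class_name: str) -> str:
    """Map com.example.app.MainActivity to smali*/com/example/app/MainActivity.smali."""
    rel = class_name.replace(".", "/") + ".smali"
    for entry in sorted(os.listdir(decoded_dir)):
        if entry.startswith("smali"):
            candidate = os.path.join(decoded_dir, entry, rel)
            if os.path.isfile(candidate):
                return candidate
    raise FileNotFoundError(rel)


def inject_clinit(smali: str) -> str:
    """Insert the load after .locals/.registers of <clinit>, raising the register
    count to 1 if needed; create a <clinit> when the class has none. Idempotent."""
    lines = smali.splitlines()
    if any(ln.strip() == INJECT[0].strip() for ln in lines):
        return smali
    for i, ln in enumerate(lines):
        if ln.strip().startswith(".method static constructor <clinit>()V"):
            j = i + 1
            m = re.match(r"(\s*)\.(locals|registers)\s+(\d+)", lines[j]) if j < len(lines) else None
            if m:
                if int(m.group(3)) < 1:   # v0 must exist
                    lines[j] = f"{m.group(1)}.{m.group(2)} 1"
                j += 1
            lines[j:j] = INJECT
            return "\n".join(lines) + "\n"
    for i, ln in enumerate(lines):       # no static constructor: add one after .super
        if ln.startswith(".super "):
            lines[i + 1:i + 1] = ["", ".method static constructor <clinit>()V", "    .locals 1",
                                  *INJECT, "    return-void", ".end method"]
            return "\n".join(lines) + "\n"
    raise ValueError("not a smali class file")


def patch_decoded_apk(decoded_dir: str) -> str:
    """Patch the launcher activity of an apktool output directory in place."""
    with open(os.path.join(decoded_dir, "AndroidManifest.xml"), encoding="utf-8") as f:
        cls = find_launcher_activity(f.read())
    path = smali_path(decoded_dir, cls)
    with open(path, encoding="utf-8") as f:
        patched = inject_clinit(f.read())
    with open(path, "w", encoding="utf-8") as f:
        f.write(patched)
    return path


if __name__ == "__main__":
    print("patched", patch_decoded_apk(sys.argv[1]))
```

Run it as `python inject_gadget.py decompiledfolder` between the apktool d and apktool b steps; it only touches the launcher activity's smali file, so the rest of the procedure is unchanged.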

@dkbarn

dkbarn commented Apr 28, 2021

When I follow these instructions I end up with an app that crashes (exits to home screen) immediately on launch. Any tips on how to debug?

@qumusabel

qumusabel commented Jun 8, 2021

> When I follow these instructions I end up with an app that crashes (exits to home screen) immediately on launch. Any tips on how to debug?

@dkbarn Have you tried logcat? Runtime errors should be there.

@nzalik

nzalik commented Aug 12, 2022

Please, I need help. My AndroidManifest.xml looks like this.
How can I find the MainActivity using this?
[image: manifest]

@K4tsuki

K4tsuki commented Jan 27, 2023

@nzalik if you have used apktool to decode your apk, try using Jadx to decompile it.

@Trakeur

Trakeur commented May 23, 2024

If you encounter [INSTALL_FAILED_INTERNAL_ERROR: Failed to extract native libraries, res=-2], try modifying apktool.yml and adding your library path to the doNotCompress section before rebuilding the app with apktool b folder. Or set android:extractNativeLibs to true in your AndroidManifest.xml.
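Both fixes from the comment above, as an added example that is not from the gist or its commenters. With android:extractNativeLibs="false" the installer expects the .so files stored uncompressed inside the APK, so either the gadget is listed under doNotCompress so apktool stores it uncompressed, or extraction is allowed again. The apktool.yml is edited as plain text (assumed layout: a top-level doNotCompress: key followed by "- entry" lines), the manifest edit is a targeted regex on the <application> tag so the rest of the file is left byte-for-byte intact, and the sample files are constructed.

```python
"""Fix the two settings behind "Failed to extract native libraries" after an
apktool rebuild: doNotCompress in apktool.yml and android:extractNativeLibs in
AndroidManifest.xml. Added example, not from the gist."""
import re

# Constructed samples in the layout apktool writes (assumption, see lead-in).
SAMPLE_APKTOOL_YML = """!!brut.androlib.meta.MetaInfo
apkFileName: appname.apk
doNotCompress:
- resources.arsc
- png
version: 0.0.0-constructed
"""

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:label="@string/app_name" android:extractNativeLibs="false">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Path of the injected gadget inside the APK; adjust the ABI directory to the device.
GADGET_ENTRIES = ["lib/arm64-v8a/libfrida-gadget.so"]

_ATTR = re.compile(r'android:extractNativeLibs="([^"]*)"')


def add_do_not_compress(apktool_yml: str, entries) -> str:
    """Return apktool.yml with each entry listed exactly once under doNotCompress."""
    lines = apktool_yml.splitlines()
    entries = list(entries)
    for i, ln in enumerate(lines):
        if ln.strip() == "doNotCompress:":
            j = i + 1
            existing = set()
            while j < len(lines) and lines[j].startswith("- "):   # end of the list block
                existing.add(lines[j][2:].strip())
                j += 1
            lines[j:j] = [f"- {e}" for e in entries if e not in existing]
            return "\n".join(lines) + "\n"
    # No doNotCompress key yet: append one.
    lines.append("doNotCompress:")
    lines.extend(f"- {e}" for e in entries)
    return "\n".join(lines) + "\n"


def extract_native_libs_setting(manifest_xml: str):
    """Current android:extractNativeLibs value on <application>, or None if unset."""
    m = re.search(r"<application\b[^>]*>", manifest_xml, re.S)
    if not m:
        raise ValueError("no <application> element")
    attr = _ATTR.search(m.group(0))
    return attr.group(1) if attr else None


def set_extract_native_libs(manifest_xml: str, value: bool = True) -> str:
    """Set android:extractNativeLibs on <application>, adding the attribute if missing."""
    val = "true" if value else "false"
    m = re.search(r"<application\b[^>]*>", manifest_xml, re.S)
    if not m:
        raise ValueError("no <application> element")
    tag = m.group(0)
    if _ATTR.search(tag):
        new_tag = _ATTR.sub(f'android:extractNativeLibs="{val}"', tag)
    elif tag.endswith("/>"):
        new_tag = tag[:-2].rstrip() + f' android:extractNativeLibs="{val}"/>'
    else:
        new_tag = tag[:-1].rstrip() + f' android:extractNativeLibs="{val}">'
    return manifest_xml[:m.start()] + new_tag + manifest_xml[m.end():]


if __name__ == "__main__":
    import sys
    folder = sys.argv[1]
    with open(f"{folder}/apktool.yml", encoding="utf-8") as f:
        yml = add_do_not_compress(f.read(), GADGET_ENTRIES)
    with open(f"{folder}/apktool.yml", "w", encoding="utf-8") as f:
        f.write(yml)
    with open(f"{folder}/AndroidManifest.xml", encoding="utf-8") as f:
        manifest = f.read()
    print("extractNativeLibs before:", extract_native_libs_setting(manifest))
    with open(f"{folder}/AndroidManifest.xml", "w", encoding="utf-8") as f:
        f.write(set_extract_native_libs(manifest, True))
```

Applying only one of the two is enough in practice; doNotCompress keeps the library page-aligned and uncompressed as a modern installer expects, while extractNativeLibs="true" is the lower-effort fallback when the ABI folder contents vary.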

@rdbyte

rdbyte commented Dec 8, 2024

I have one question: if the app is split, how do I get the APK (fat APK) with all folders and files to do that?

@Rastislonge
> I have one question: if the app is split, how do I get the APK (fat APK) with all folders and files to do that?

You need to resign the split apks with the same key as the main apk and upload all the apks at once with "adb install-multiple".

@Kostas1super

07-08 18:42:20.898 4267 4267 E Report : Exiting:
07-08 18:42:20.898 4267 4267 E Report : l.N: 01
07-08 18:42:20.898 4267 4267 E Report : at l.ao.a(Unknown Source:147)
07-08 18:42:20.898 4267 4267 E Report : at l.ao.b(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E Report : at java.lang.Runtime.nativeLoad(Native Method)
07-08 18:42:20.898 4267 4267 E Report : at java.lang.Runtime.loadLibrary0(Runtime.java:1048)
07-08 18:42:20.898 4267 4267 E Report : at java.lang.System.loadLibrary(System.java:1704)
07-08 18:42:20.898 4267 4267 E Report : at l.t.a(Unknown Source:283)
07-08 18:42:20.898 4267 4267 E Report : at l.t.c(Unknown Source:3)
07-08 18:42:20.898 4267 4267 E Report : at l.t.d(Unknown Source:24)
07-08 18:42:20.898 4267 4267 E Report : at l.t.b(Unknown Source:6)
07-08 18:42:20.898 4267 4267 E Report : at l.t.(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E Report : at l.t.b(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E Report : at androidx.core.app.CoreComponentFactory.(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E Report : at java.lang.Class.newInstance(Native Method)
07-08 18:42:20.898 4267 4267 E Report : at android.app.LoadedApk.createAppFactory(LoadedApk.java:227)
07-08 18:42:20.898 4267 4267 E Report : at android.app.LoadedApk.createOrUpdateClassLoaderLocked(LoadedApk.java:731)
07-08 18:42:20.898 4267 4267 E Report : at android.app.LoadedApk.getClassLoader(LoadedApk.java:810)
07-08 18:42:20.898 4267 4267 E Report : at android.app.LoadedApk.getResources(LoadedApk.java:1032)
07-08 18:42:20.898 4267 4267 E Report : at android.app.ContextImpl.createAppContext(ContextImpl.java:2345)
07-08 18:42:20.898 4267 4267 E Report : at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5901)
07-08 18:42:20.898 4267 4267 E Report : at android.app.ActivityThread.access$1100(ActivityThread.java:207)
07-08 18:42:20.898 4267 4267 E Report : at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1663)
07-08 18:42:20.898 4267 4267 E Report : at android.os.Handler.dispatchMessage(Handler.java:106)
07-08 18:42:20.898 4267 4267 E Report : at android.os.Looper.loop(Looper.java:193)
07-08 18:42:20.898 4267 4267 E Report : at android.app.ActivityThread.main(ActivityThread.java:6834)
07-08 18:42:20.898 4267 4267 E Report : at java.lang.reflect.Method.invoke(Native Method)
07-08 18:42:20.898 4267 4267 E Report : at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
07-08 18:42:20.898 4267 4267 E Report : at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:860)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: FATAL EXCEPTION: main
07-08 18:42:20.898 4267 4267 E AndroidRuntime: Process: com.supercell.clashroyale, PID: 4267
07-08 18:42:20.898 4267 4267 E AndroidRuntime: l.N: 01
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.ao.a(Unknown Source:147)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.ao.b(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at java.lang.Runtime.nativeLoad(Native Method)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at java.lang.Runtime.loadLibrary0(Runtime.java:1048)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at java.lang.System.loadLibrary(System.java:1704)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.t.a(Unknown Source:283)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.t.c(Unknown Source:3)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.t.d(Unknown Source:24)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.t.b(Unknown Source:6)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.t.(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.t.b(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at androidx.core.app.CoreComponentFactory.(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at java.lang.Class.newInstance(Native Method)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.LoadedApk.createAppFactory(LoadedApk.java:227)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.LoadedApk.createOrUpdateClassLoaderLocked(LoadedApk.java:731)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.LoadedApk.getClassLoader(LoadedApk.java:810)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.LoadedApk.getResources(LoadedApk.java:1032)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.ContextImpl.createAppContext(ContextImpl.java:2345)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5901)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.ActivityThread.access$1100(ActivityThread.java:207)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1663)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:106)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.os.Looper.loop(Looper.java:193)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.ActivityThread.main(ActivityThread.java:6834)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at java.lang.reflect.Method.invoke(Native Method)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:860)
07-08 18:42:20.985 1565 4047 E eglCodecCommon: glUtilsParamSize: unknow param 0x00008c29
07-08 18:42:20.985 1565 4047 E eglCodecCommon: glUtilsParamSize: unknow param 0x000087fe
07-08 18:42:20.987 1565 4047 E EGL_emulation: tid 4047: eglSurfaceAttrib(1493): error 0x3009 (EGL_BAD_MATCH)
07-08 18:42:21.051 1711 2028 E ndroid.systemu: No package ID ff found for ID 0xffffffff.
07-08 18:42:21.051 1711 2028 E IconLoader: Could not find icon drawable from resource
07-08 18:42:21.051 1711 2028 E IconLoader: android.content.res.Resources$NotFoundException: Resource ID #0xffffffff
07-08 18:42:21.051 1711 2028 E IconLoader: at android.content.res.ResourcesImpl.getValueForDensity(ResourcesImpl.java:236)
07-08 18:42:21.051 1711 2028 E IconLoader: at android.content.res.Resources.getDrawableForDensity(Resources.java:887)
07-08 18:42:21.051 1711 2028 E IconLoader: at android.content.res.Resources.getDrawable(Resources.java:827)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.shared.recents.model.IconLoader.createNewIconForTask(IconLoader.java:118)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.shared.recents.model.IconLoader.getAndInvalidateIfModified(IconLoader.java:94)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.shared.recents.model.RecentsTaskLoader.getAndUpdateActivityIcon(RecentsTaskLoader.java:325)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.shared.recents.model.RecentsTaskLoadPlan.executePlan(RecentsTaskLoadPlan.java:188)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.shared.recents.model.RecentsTaskLoader.loadTasks(RecentsTaskLoader.java:173)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.recents.RecentsImpl$TaskStackListenerImpl.onTaskStackChangedBackground(RecentsImpl.java:184)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.shared.system.TaskStackChangeListeners.onTaskStackChanged(TaskStackChangeListeners.java:80)
07-08 18:42:21.051 1711 2028 E IconLoader: at android.app.ITaskStackListener$Stub.onTransact(ITaskStackListener.java:50)
07-08 18:42:21.051 1711 2028 E IconLoader: at android.os.Binder.execTransact(Binder.java:731)
07-08 18:42:21.431 2356 2493 E EGL_emulation: tid 2493: eglSurfaceAttrib(1493): error 0x3009 (EGL_BAD_MATCH)

Any idea on how to fix that error? It stops me from opening the app, as it crashes instantly when I try to do so.
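For the "crashes immediately on launch" symptom that several commenters hit, the useful part of a logcat dump is the FATAL EXCEPTION block for the patched process and whether System.loadLibrary is on its stack. Here is an added example (not from the gist or any commenter) that parses that block out of a capture and prints a triage hint. The log excerpt is constructed in the same format as the capture pasted above; the UnsatisfiedLinkError text is one common shape of a failed native load and is not a diagnosis of the crash above, whose exception comes from an obfuscated class.

```python
"""Pull FATAL EXCEPTION blocks out of a logcat capture and flag native-load
failures. Added example, not part of the original gist."""
import re
from dataclasses import dataclass, field

# threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+([^:]+?)\s*:\s*(.*)$")

# Constructed excerpt (not a real capture); package name is a placeholder.
SAMPLE_LOG = """07-08 18:42:20.898  4267  4267 E AndroidRuntime: FATAL EXCEPTION: main
07-08 18:42:20.898  4267  4267 E AndroidRuntime: Process: com.example.app, PID: 4267
07-08 18:42:20.898  4267  4267 E AndroidRuntime: java.lang.UnsatisfiedLinkError: dlopen failed: library "libfrida-gadget.so" not found
07-08 18:42:20.898  4267  4267 E AndroidRuntime: \tat java.lang.Runtime.loadLibrary0(Runtime.java:1048)
07-08 18:42:20.898  4267  4267 E AndroidRuntime: \tat java.lang.System.loadLibrary(System.java:1704)
07-08 18:42:20.898  4267  4267 E AndroidRuntime: \tat com.example.app.MainActivity.<clinit>(Unknown Source:0)
07-08 18:42:20.985  1565  4047 E eglCodecCommon: glUtilsParamSize: unknow param 0x00008c29
"""


@dataclass
class Crash:
    process: str
    pid: int
    exception: str = ""
    frames: list = field(default_factory=list)

    @property
    def in_native_load(self) -> bool:
        return any("java.lang.System.loadLibrary" in f for f in self.frames)


def parse_fatal_exceptions(log: str):
    """Group AndroidRuntime lines into Crash records, one per FATAL EXCEPTION."""
    crashes, current = [], None
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, tag, msg = int(m.group(2)), m.group(5), m.group(6).strip()
        if tag != "AndroidRuntime":
            continue
        if msg.startswith("FATAL EXCEPTION:"):
            current = Crash(process="", pid=pid)
            crashes.append(current)
        elif current is None or current.pid != pid:
            continue                      # lines from some other process
        elif msg.startswith("Process:"):
            current.process = msg.split("Process:", 1)[1].split(",")[0].strip()
        elif msg.startswith("at "):
            current.frames.append(msg[3:])
        elif not current.exception:
            current.exception = msg       # first non-frame line is the exception
    return crashes


def triage(crash: Crash) -> str:
    """One-line hint for the launch-crash symptom from the comments."""
    if crash.in_native_load:
        return (f"{crash.process}: native library load failed ({crash.exception.split(':')[0]}); "
                "check that lib/<abi>/ matches the device ABI and that the .so is stored "
                "uncompressed or extractNativeLibs is true")
    return f"{crash.process}: {crash.exception}"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for c in parse_fatal_exceptions(text):
        print(triage(c))
        for fr in c.frames[:5]:
            print("   at", fr)
```

Feed it `adb logcat -d -v threadtime > crash.txt` from the device and it lists each crashing process with its exception and the top frames; a loadLibrary frame under the patched activity's <clinit> points at the gadget file or its placement, anything else points at the app's own startup code.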
