I figured that I would write down my findings somewhere since this is my first time using Frida. This won't cover installing Frida, adb or apktool because these are well covered in other sources:
- https://github.com/frida/frida/
- https://github.com/sensepost/objection
- https://github.com/dweinstein/awesome-frida
This is what has worked for me. Obviously it won't apply to every use case, but it is the general process I follow.
Decompile the app using apktool.
apktool d appname.apk
Add the Frida gadget to the decompiled apk. You can find a prebuilt gadget for your architecture on the Frida GitHub releases page.
Put the gadget in lib/[arch]/libfrida-gadget.so
Open the AndroidManifest.xml and find the main activity path. It should look something like this:
<activity android:label="@string/app_name" android:name="com.packagename.path.to.MainActivity">
In MainActivity.smali we need to load libfrida-gadget.so, ideally before anything else runs. We can load it with the following smali:
const-string v0, "frida-gadget"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
This reads as System.loadLibrary("frida-gadget"). It's important that this happens early in the app's lifecycle, so we do it in the MainActivity static constructor. In the app I am using, it looks like this:
.method static constructor <clinit>()V
.locals 1 # this is the number of non-param registers
...
Insert the smali above in the beginning of the static constructor (after the .locals line if present).
Now we need to rebuild the app.
apktool b -o appname_patched.apk decompiledfolder
Sign the app.
jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore my.keystore appname_patched.apk keyname
jarsigner -verify appname_patched.apk
And zipalign.
zipalign 4 appname_patched.apk appname_patched_aligned.apk
Now we can install this on our target device and use our Frida tooling of choice to poke around. :)
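The smali edit above is the one step in this process that is easy to get subtly wrong by hand, so here is an added example (my helper, not part of the original post or of Frida/apktool) that performs it automatically. It finds the `<clinit>` method, inserts the two loadLibrary instructions right after the `.locals` (or `.registers`) line, and handles two cases the manual recipe skips: a `<clinit>` declared with `.locals 0`, which has to be bumped to 1 because the injected code writes to v0, and a class with no `<clinit>` at all, where a new one is appended. The sample smali is constructed for illustration; the apktool, jarsigner and zipalign steps are unchanged.

```python
"""Inject System.loadLibrary("frida-gadget") into a class's smali <clinit>.

Added example: automates the manual smali edit described in the post.
The sample smali below is constructed for illustration.
"""
import re
import sys

CLINIT_HEADER = ".method static constructor <clinit>()V"

# Smali for System.loadLibrary("frida-gadget"), exactly as in the post.
LOAD_GADGET_SMALI = [
    '    const-string v0, "frida-gadget"',
    '    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V',
]

# Constructed sample: a minimal MainActivity.smali whose <clinit> declares
# zero local registers (the case that breaks a naive copy-paste of the smali).
SAMPLE_SMALI = """\
.class public Lcom/example/MainActivity;
.super Landroid/app/Activity;
.source "MainActivity.java"


# static fields
.field private static final TAG:Ljava/lang/String; = "Main"


# direct methods
.method static constructor <clinit>()V
    .locals 0

    return-void
.end method

.method public constructor <init>()V
    .locals 0

    invoke-direct {p0}, Landroid/app/Activity;-><init>()V

    return-void
.end method
"""


def inject_gadget_load(smali: str) -> str:
    """Return the smali with the gadget load as the first thing <clinit> does."""
    lines = smali.splitlines()
    # Idempotent: running the tool twice must not load the gadget twice.
    if LOAD_GADGET_SMALI[0].strip() in (l.strip() for l in lines):
        return smali
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == CLINIT_HEADER)
    except StopIteration:
        return _append_new_clinit(lines)
    end = next(i for i in range(start, len(lines)) if lines[i].strip() == ".end method")

    # The injected code writes v0, so the method needs at least one register.
    # .locals counts non-parameter registers and .registers counts all of them;
    # <clinit> takes no parameters, so the two are equivalent here.
    for j in range(start + 1, end):
        m = re.match(r"\.(locals|registers)\s+(\d+)", lines[j].strip())
        if m:
            if int(m.group(2)) < 1:
                lines[j] = lines[j].replace(m.group(0), f".{m.group(1)} 1")
            insert_at = j + 1
            break
    else:
        # No register directive at all means zero registers: declare one.
        lines.insert(start + 1, "    .locals 1")
        insert_at = start + 2

    lines[insert_at:insert_at] = LOAD_GADGET_SMALI
    return "\n".join(lines) + "\n"


def _append_new_clinit(lines):
    """The class had no static initializer: add one that only loads the gadget."""
    new_method = [
        "",
        "# static initializer added to load the Frida gadget",
        CLINIT_HEADER,
        "    .locals 1",
        "",
        *LOAD_GADGET_SMALI,
        "",
        "    return-void",
        ".end method",
    ]
    return "\n".join(lines + new_method) + "\n"


def patch_file(path: str) -> bool:
    """Patch a .smali file in place; return True if it was modified."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    patched = inject_gadget_load(original)
    if patched != original:
        with open(path, "w", encoding="utf-8") as f:
            f.write(patched)
    return patched != original


if __name__ == "__main__":
    # Usage: python inject_gadget.py path/to/MainActivity.smali
    if len(sys.argv) == 2:
        print("patched" if patch_file(sys.argv[1]) else "already patched")
    else:
        print(inject_gadget_load(SAMPLE_SMALI))
```

Run it without arguments to see the patched sample, or point it at the MainActivity.smali from your apktool output before the `apktool b` step. The register bump matters: if `<clinit>` declares `.locals 0`, the pasted `const-string v0` references a register the method does not have and the class will not assemble.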
07-08 18:42:20.898 4267 4267 E Report : Exiting:
07-08 18:42:20.898 4267 4267 E Report : l.N: 01
07-08 18:42:20.898 4267 4267 E Report : at l.ao.a(Unknown Source:147)
07-08 18:42:20.898 4267 4267 E Report : at l.ao.b(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E Report : at java.lang.Runtime.nativeLoad(Native Method)
07-08 18:42:20.898 4267 4267 E Report : at java.lang.Runtime.loadLibrary0(Runtime.java:1048)
07-08 18:42:20.898 4267 4267 E Report : at java.lang.System.loadLibrary(System.java:1704)
07-08 18:42:20.898 4267 4267 E Report : at l.t.a(Unknown Source:283)
07-08 18:42:20.898 4267 4267 E Report : at l.t.c(Unknown Source:3)
07-08 18:42:20.898 4267 4267 E Report : at l.t.d(Unknown Source:24)
07-08 18:42:20.898 4267 4267 E Report : at l.t.b(Unknown Source:6)
07-08 18:42:20.898 4267 4267 E Report : at l.t.(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E Report : at l.t.b(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E Report : at androidx.core.app.CoreComponentFactory.(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E Report : at java.lang.Class.newInstance(Native Method)
07-08 18:42:20.898 4267 4267 E Report : at android.app.LoadedApk.createAppFactory(LoadedApk.java:227)
07-08 18:42:20.898 4267 4267 E Report : at android.app.LoadedApk.createOrUpdateClassLoaderLocked(LoadedApk.java:731)
07-08 18:42:20.898 4267 4267 E Report : at android.app.LoadedApk.getClassLoader(LoadedApk.java:810)
07-08 18:42:20.898 4267 4267 E Report : at android.app.LoadedApk.getResources(LoadedApk.java:1032)
07-08 18:42:20.898 4267 4267 E Report : at android.app.ContextImpl.createAppContext(ContextImpl.java:2345)
07-08 18:42:20.898 4267 4267 E Report : at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5901)
07-08 18:42:20.898 4267 4267 E Report : at android.app.ActivityThread.access$1100(ActivityThread.java:207)
07-08 18:42:20.898 4267 4267 E Report : at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1663)
07-08 18:42:20.898 4267 4267 E Report : at android.os.Handler.dispatchMessage(Handler.java:106)
07-08 18:42:20.898 4267 4267 E Report : at android.os.Looper.loop(Looper.java:193)
07-08 18:42:20.898 4267 4267 E Report : at android.app.ActivityThread.main(ActivityThread.java:6834)
07-08 18:42:20.898 4267 4267 E Report : at java.lang.reflect.Method.invoke(Native Method)
07-08 18:42:20.898 4267 4267 E Report : at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
07-08 18:42:20.898 4267 4267 E Report : at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:860)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: FATAL EXCEPTION: main
07-08 18:42:20.898 4267 4267 E AndroidRuntime: Process: com.supercell.clashroyale, PID: 4267
07-08 18:42:20.898 4267 4267 E AndroidRuntime: l.N: 01
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.ao.a(Unknown Source:147)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.ao.b(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at java.lang.Runtime.nativeLoad(Native Method)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at java.lang.Runtime.loadLibrary0(Runtime.java:1048)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at java.lang.System.loadLibrary(System.java:1704)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.t.a(Unknown Source:283)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.t.c(Unknown Source:3)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.t.d(Unknown Source:24)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.t.b(Unknown Source:6)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.t.(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at l.t.b(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at androidx.core.app.CoreComponentFactory.(Unknown Source:0)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at java.lang.Class.newInstance(Native Method)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.LoadedApk.createAppFactory(LoadedApk.java:227)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.LoadedApk.createOrUpdateClassLoaderLocked(LoadedApk.java:731)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.LoadedApk.getClassLoader(LoadedApk.java:810)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.LoadedApk.getResources(LoadedApk.java:1032)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.ContextImpl.createAppContext(ContextImpl.java:2345)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5901)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.ActivityThread.access$1100(ActivityThread.java:207)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1663)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:106)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.os.Looper.loop(Looper.java:193)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at android.app.ActivityThread.main(ActivityThread.java:6834)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at java.lang.reflect.Method.invoke(Native Method)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
07-08 18:42:20.898 4267 4267 E AndroidRuntime: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:860)
07-08 18:42:20.985 1565 4047 E eglCodecCommon: glUtilsParamSize: unknow param 0x00008c29
07-08 18:42:20.985 1565 4047 E eglCodecCommon: glUtilsParamSize: unknow param 0x000087fe
07-08 18:42:20.987 1565 4047 E EGL_emulation: tid 4047: eglSurfaceAttrib(1493): error 0x3009 (EGL_BAD_MATCH)
07-08 18:42:21.051 1711 2028 E ndroid.systemu: No package ID ff found for ID 0xffffffff.
07-08 18:42:21.051 1711 2028 E IconLoader: Could not find icon drawable from resource
07-08 18:42:21.051 1711 2028 E IconLoader: android.content.res.Resources$NotFoundException: Resource ID #0xffffffff
07-08 18:42:21.051 1711 2028 E IconLoader: at android.content.res.ResourcesImpl.getValueForDensity(ResourcesImpl.java:236)
07-08 18:42:21.051 1711 2028 E IconLoader: at android.content.res.Resources.getDrawableForDensity(Resources.java:887)
07-08 18:42:21.051 1711 2028 E IconLoader: at android.content.res.Resources.getDrawable(Resources.java:827)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.shared.recents.model.IconLoader.createNewIconForTask(IconLoader.java:118)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.shared.recents.model.IconLoader.getAndInvalidateIfModified(IconLoader.java:94)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.shared.recents.model.RecentsTaskLoader.getAndUpdateActivityIcon(RecentsTaskLoader.java:325)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.shared.recents.model.RecentsTaskLoadPlan.executePlan(RecentsTaskLoadPlan.java:188)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.shared.recents.model.RecentsTaskLoader.loadTasks(RecentsTaskLoader.java:173)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.recents.RecentsImpl$TaskStackListenerImpl.onTaskStackChangedBackground(RecentsImpl.java:184)
07-08 18:42:21.051 1711 2028 E IconLoader: at com.android.systemui.shared.system.TaskStackChangeListeners.onTaskStackChanged(TaskStackChangeListeners.java:80)
07-08 18:42:21.051 1711 2028 E IconLoader: at android.app.ITaskStackListener$Stub.onTransact(ITaskStackListener.java:50)
07-08 18:42:21.051 1711 2028 E IconLoader: at android.os.Binder.execTransact(Binder.java:731)
07-08 18:42:21.431 2356 2493 E EGL_emulation: tid 2493: eglSurfaceAttrib(1493): error 0x3009 (EGL_BAD_MATCH)
Any idea on how to fix that error? It impedes me from opening the app, as it crashes instantly when I try to do so.