Overwrite Function

For example, we have an android application that has this class.

public class my_activity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_my_activity);
        while (true){

            try {
                Thread.sleep(1000);
            } catch (InterruptedException e) {
                e.printStackTrace();
            }

            fun(50,30);
        }
    }

    void fun(int x , int y ){
        Log.d("Sum" , String.valueOf(x+y));
    }


}

We will overwrite fun function that exist in onCreate event handler with this script below.

script.js

console.log("Script loaded successfully ");
Java.perform(function x() { // Silently fails without the sleep from the python code
    console.log("Inside java perform function");
    // Get a wrapper for our class
    var my_class = Java.use("com.example.a11x256.frida_test.my_activity");
    // Replace the original implmenetation of the function `fun` with our custom function
    my_class.fun.implementation = function(x, y) {
        // Print the original arguments
        console.log("original call: fun(" + x + ", " + y + ")");
        // Call the original implementation of `fun` with args (2,5)
        var ret_value = this.fun(2, 5);
        return ret_value;
    }
});

script.py

import frida
import time

device = frida.get_usb_device(5)
pid = device.spawn(["com.example.a11x256.frida_test"])
print pid
device.resume(pid)
time.sleep(3) # without it Java.perform silently fail
session = device.attach(pid)
script = session.create_script(open('script.js').read())
script.load()
# prevent the python script from terminating
raw_input()

This does not work very well because the function does not return any value.

Reference

• https://11x256.github.io/Frida-hooking-android-part-1/