Preface

This article assumes that Frida is installed and running on both your computer and your phone. If you haven't installed Frida yet, see the article "Android Reverse _ Install frida environment with Frida".

Here we use a JavaScript script written by an overseas expert to trace the app's method calls. First, look at the result:

    *** entered com.test.flyer.MainActivity.test
    arg[0]: Jack
    *** entered com.test.flyer.MainActivity.gainAge
    arg[0]: 16
    retval: 26
    *** exiting com.test.flyer.MainActivity.gainAge
    retval: OK
    *** exiting com.test.flyer.MainActivity.test
    [LGE Nexus 5::com.example.king.testappsflyer]->

As you can see, the test method takes the argument “Jack” and returns the value “OK”. Internally, test calls the gainAge method, which takes the argument “16” and returns “26”. This kind of output is very valuable when reverse engineering an app.

Create an Android test project

I’ve created a simple Android test project. The main code in MainActivity.java is as follows:

    // Methods of MainActivity; they use android.util.Log and android.widget.Toast.
    public String test(String name) {
        Log.d("test", "do--test");
        int age = gainAge(16);

        Toast toast = Toast.makeText(MainActivity.this, "do--test--success--" + name + "--age=" + age, Toast.LENGTH_LONG);
        // Display the toast
        toast.show();
        return "OK";
    }

    private int gainAge(int age) {
        Log.d("test", "do--gainAge--age= " + age);
        return age + 10;
    }

We’ll use Frida to track the calls to test and gainAge.

Run the Android project on a physical device so that the app is installed on your phone.

Modify the script

The JS script we are going to use is raptor_frida_android_trace.js. The script is long, so only the part that needs to be modified by hand is shown here:

setTimeout(function() { 

	Java.perform(function() {

		trace("com.test.flyer.MainActivity.test");
		trace("com.test.flyer.MainActivity.gainAge");

	});   
}, 0);

We added two lines of code inside the setTimeout callback of the JS script:

trace("com.test.flyer.MainActivity.test");
trace("com.test.flyer.MainActivity.gainAge");

These two lines trace the test and gainAge methods.
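What a trace() call does to a method can be reduced to a short wrapper. The following is an added example, not the code of raptor_frida_android_trace.js: makeTraced, traceMethod and demo are hypothetical names, the Frida part assumes the Java bridge calls Java.use, overloads and implementation, and demo() uses a constructed stand-in for MainActivity so the wrapper can be checked without a device.

```javascript
// Added example (hypothetical names), not the code of raptor_frida_android_trace.js.
function makeTraced(name, original, log) {
  return function () {
    log("*** entered " + name);
    for (var i = 0; i < arguments.length; i++) log("arg[" + i + "]: " + arguments[i]);
    var retval;
    try {
      retval = original.apply(this, arguments); // run the real method
    } catch (e) {
      log("*** exception in " + name + ": " + e);
      throw e; // never swallow the app's own exception
    }
    log("retval: " + retval);
    log("*** exiting " + name);
    return retval;
  };
}

// Frida only: replace every overload of "package.Class.method" with a wrapper.
function traceMethod(target) {
  var dot = target.lastIndexOf(".");
  var className = target.slice(0, dot), methodName = target.slice(dot + 1);
  var overloads = Java.use(className)[methodName].overloads;
  console.log("Tracing " + target + " [" + overloads.length + " overload(s)]");
  overloads.forEach(function (overload) {
    overload.implementation = makeTraced(target, function () {
      // Inside a replaced implementation, this[methodName] runs the original.
      return this[methodName].apply(this, arguments);
    }, function (s) { console.log(s); });
  });
}

// Constructed stand-in for MainActivity, so the wrapper runs without a device.
function demo() {
  var lines = [], log = function (s) { lines.push(s); };
  var activity = {
    gainAge: function (age) { return age + 10; },
    test: function (name) { this.gainAge(16); return "OK"; }
  };
  activity.gainAge = makeTraced("com.test.flyer.MainActivity.gainAge", activity.gainAge, log);
  activity.test = makeTraced("com.test.flyer.MainActivity.test", activity.test, log);
  activity.test("Jack");
  return lines;
}
if (typeof Java !== "undefined") { // true only inside a Frida session
  Java.perform(function () {
    traceMethod("com.test.flyer.MainActivity.test");
    traceMethod("com.test.flyer.MainActivity.gainAge");
  });
}
```

Because the wrapper rethrows, a method that fails still fails for the app, and the trace shows where the exception left the call chain.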

Tracking debugging

Open a terminal and enter the following command to start the app and load the modified JS script:

frida -U -f com.example.king.testappsflyer --no-pause -l raptor_frida_android_trace.js

“com.example.king.testappsflyer” is our app's package name, and “raptor_frida_android_trace.js” is the script file.

See the terminal print information:

    $ frida -U -f com.example.king.testappsflyer --no-pause -l raptor_frida_android_trace.js
         ____
        / _  |   Frida 12.1.2 - A world-class dynamic instrumentation toolkit
       | (_| |
        > _  |   Commands:
       /_/ |_|       help      -> Displays the help system
       . . . .       object?   -> Display information about 'object'
       . . . .       exit/quit -> Exit
       . . . .
       . . . .   More info at http://www.frida.re/docs/home/
    Spawned `com.example.king.testappsflyer`. Resuming main thread!
    [LGE Nexus 5::com.example.king.testappsflyer]-> Tracing com.test.flyer.MainActivity.test [1 overload(s)]
    Tracing com.test.flyer.MainActivity.gainAge [1 overload(s)]

The app's interface is as follows:

When the “Test” button is clicked and the test method is executed, the terminal prints as follows:

You can clearly see the parameters and return values of a method and the nested relationships between methods.

The end

frida-scripts is the GitHub project of the overseas expert. It contains other useful scripts for debugging on iOS and Android, waiting for you to explore.

To obtain the Android project and JS files involved in this article, please follow the public account “Reverse APP” and reply “Frida Tracking method 01” to get the download address.
