Invoking Uncalled Native Function on Android APK Using Frida

Syahrul Akbar R
4 min read · Apr 27, 2021

According to official Frida website

“It’s Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.”

Frida is widely known for bypassing security mechanisms like PINs, SSL pinning, root detection, etc. I'm not going to explain how to install and set up Frida here; it's easy and you can google it. In this article I'm just going to show you the basics of how to use Frida to invoke an uncalled function in an APK.

The APK

The APK I have comes from the Reversing category of the PicoCTF 2021 event and is called droids3. You can download it from here (I hope the link doesn't die :p).

There is a form for user input, a button to submit the form and a label placeholder for the flag. When we fill in any input and press the button, this happens.

It means the app only accepts valid input in order to print the flag. That is the simplest hypothesis for now. For a better understanding, let's decompile the app and read its source code.

Reversing

Let's open up the jadx-gui decompiler and do some static analysis on the source code. The picture below shows the directory structure of the APK.

First of all, let's open AndroidManifest.xml. The manifest file describes essential information about the app, so it helps us when reversing the code.

The APK has only one activity, called MainActivity, so let's open the decompiled source code of that activity.

What the app does is really simple: our input is passed to a method getFlag from the class FlagstaffHill. The app also loads an external native library called “hellojni”.

The code above is the FlagstaffHill class. It shows that our application will always end up with the string “dont wanna”, because all input is passed into the getFlag() method. But there is a mysterious method that is never called anywhere in our application.

Function yep() returns cilantro()? What is this? If you see unusual code like this, it probably comes from the external library. So, let's try to invoke this code using Frida.

Writing Frida Script

Java.perform(function () {
    console.log("\n[*] START...");
    var hook = Java.use("com.hellocmu.picoctf.FlagstaffHill");

    // Replace getFlag(): log the input, call yep() with it ourselves
    // and return a dummy string to the UI.
    hook.getFlag.implementation = function (args) {
        console.log(args.toString());
        console.log(this.yep(args));
        return "Hehe";
    };

    // Replace yep() to log when it runs, then pass through to the original.
    hook.yep.implementation = function (args) {
        console.log("Inside Yep()");
        return this.yep(args);
    };
});

The script uses the Frida API to replace the implementation of getFlag() and invoke the yep() method from it.

When the script is executed, we are able to change the flow of the program and call the yep() function. 😉
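A second way to reach yep(), as an added example that is not part of the original article: instead of hooking getFlag() and waiting for the button press, call the static method directly from the Frida script, and attach to the JNI export behind cilantro() so its arguments and return value are visible too. It assumes (not confirmed by the article) that yep() and cilantro() are static methods taking one String, that "hellojni" is loaded as libhellojni.so, that cilantro is exported under the standard JNI name below, and the sample inputs are constructed.

```javascript
// Frida script (added example). Names below follow the article's class and
// library; the JNI symbol name and the static signatures are assumptions.
const CLASS_NAME = "com.hellocmu.picoctf.FlagstaffHill";
const NATIVE_LIB = "libhellojni.so";                              // System.loadLibrary("hellojni")
const JNI_SYMBOL = "Java_com_hellocmu_picoctf_FlagstaffHill_cilantro"; // assumed JNI export name

// Call the never-invoked yep() directly for each candidate input and return
// a map input -> result. The Java bridge is passed in as `javaApi` so the
// logic can also be exercised outside Frida with a stand-in object.
function invokeYep(javaApi, inputs) {
  const FlagstaffHill = javaApi.use(CLASS_NAME);
  const results = {};
  for (const input of inputs) {
    results[input] = String(FlagstaffHill.yep(input));
  }
  return results;
}

// Attach to the native export so every cilantro() call is logged.
// `moduleApi`/`interceptor` are Frida's Module and Interceptor objects.
// Returns true when the hook was placed, false if the symbol is not there
// (for example because the library has not been loaded yet).
function traceCilantro(moduleApi, interceptor, log) {
  const addr = moduleApi.findExportByName(NATIVE_LIB, JNI_SYMBOL);
  if (addr === null) {
    log("[!] " + JNI_SYMBOL + " not found in " + NATIVE_LIB);
    return false;
  }
  interceptor.attach(addr, {
    onEnter(args) { log("[*] cilantro() called, JNIEnv* = " + args[0]); }, // args[0] is JNIEnv*
    onLeave(retval) { log("[*] cilantro() returned jstring " + retval); },
  });
  return true;
}

// Only runs inside Frida, where Java, Module and Interceptor are globals.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    traceCilantro(Module, Interceptor, console.log);
    const out = invokeYep(Java, ["picoCTF", "test"]); // constructed sample inputs
    console.log(JSON.stringify(out, null, 2));
  });
}
```

Load it the same way as the article's script; the guard at the bottom is what keeps the file loadable in plain Node for testing the helper logic.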

Conclusion

Frida is a powerful tool that allows you to explore and modify processes at runtime. Frida gives you direct access to process memory and important structures such as live objects instantiated by the app. It comes with many utility functions that are useful for resolving loaded libraries, hooking methods and native functions, and more. Process memory tampering is more difficult to detect than file patching, so it is the preferred method in most cases.
