admin管理员组

文章数量:1389762

I am hooking a certain function in Frida which uses the code:

this.carrier.getId()

However, at this point in time this.carrier has not been set yet, which causes the app to crash.
So I am thinking of manually setting this member in the current function in the class. So that carrier will exist by the time the code takes place.
The problem is that I encounter a problem by doing that.

So far this is what I got:

Java.perform(function () {
    var SignUpActivity = Java.use('.app.features.authentication.SignUpActivity');
    SignUpActivity.validatePhoneNumber.implementation = function() {
        
        var Carrier = Java.use(".app.Carrier");
        this.carrier = Carrier.$new();
        console.log(this.carrier) // This prints "[object Object]"
        console.log(this.carrier.setId) // This prints "undefined"
        this.carrier.setId(123); // crashes

    };
});

Code of carrier:

package .app;

import android.os.Parcel;
import android.os.Parcelable;

public class Carrier implements Parcelable {

    private int id;
    private String name;
    private String officeTerminalAddress;

    public Carrier() {
    }

    protected Carrier(Parcel parcel) {
        this.id = parcel.readInt();
        this.name = parcel.readString();
        this.officeTerminalAddress = parcel.readString();
    }

    public int getId() {
        return this.id;
    }

    public void setId(int i) {
        this.id = i;
    }

}

I am hooking a certain function in Frida which uses the code:

this.carrier.getId()

However, at this point in time this.carrier has not been set yet, which causes the app to crash.
So I am thinking of manually setting this member in the current function in the class. So that carrier will exist by the time the code takes place.
The problem is that I encounter a problem by doing that.

So far this is what I got:

Java.perform(function () {
    var SignUpActivity = Java.use('.app.features.authentication.SignUpActivity');
    SignUpActivity.validatePhoneNumber.implementation = function() {
        
        var Carrier = Java.use(".app.Carrier");
        this.carrier = Carrier.$new();
        console.log(this.carrier) // This prints "[object Object]"
        console.log(this.carrier.setId) // This prints "undefined"
        this.carrier.setId(123); // crashes

    };
});

Code of carrier:

package .app;

import android.os.Parcel;
import android.os.Parcelable;

public class Carrier implements Parcelable {

    private int id;
    private String name;
    private String officeTerminalAddress;

    public Carrier() {
    }

    protected Carrier(Parcel parcel) {
        this.id = parcel.readInt();
        this.name = parcel.readString();
        this.officeTerminalAddress = parcel.readString();
    }

    public int getId() {
        return this.id;
    }

    public void setId(int i) {
        this.id = i;
    }

}

• javascript
• java
• android
• reverse-engineering
• frida

Share Improve this question Follow asked Oct 21, 2021 at 21:00 toothpicktoothpick 14333 silver badges1919 bronze badges

Add a ment  | 

1 Answer 1

Sorted by: Reset to default 7

Looks like the mon problem in Frida that the way to access fields is different in Frida.

Frida uses JavaScript code so it can't handle non-JavaScript objects directly. Therefore it wraps "native" objects (Android Java objects in this case) in JavaScript objects.

If you now call in Frida this.carrier you are getting the Frida JavaScript wrapper, not the Java Carrier instance you are aiming.

Of course the Frida JavaScript wrapper does not has the methods you try to call, therefore this.carrier.setId(123); will always fail.

Accessing a Java field with Frida

To access a field you always have to call .value on it to get the actual value:

So if you want this.carrier you have to use this.carrier.value.

In case there is a name collision with a method of the same name Frida by default assigns the name to the method. If you want to access the field instead add an underscore an the beginning of the field name. If there would exist a method named carrier you could access the field this way: this._carrier.value

Reference to Frida help pages

This is also described on the Frida pages, e.g. here:

Note we use this.m.value = 0 instead of this.m = 0 to set the field’s value. If there is also a method in this class called m, we need to use this._m.value = 0 to set the value of field m. In general, when looking at the properties of objects it will be necessary to use .value to access the values those fields refer to.

Complete simplified code

But in your case you can simplify everything by just using a local variable:

Java.perform(function () {
    var SignUpActivity = Java.use('.app.features.authentication.SignUpActivity');
    SignUpActivity.validatePhoneNumber.implementation = function() {
        
        const Carrier = Java.use(".app.Carrier");
        const c = Carrier.$new();
        c.setId(123);
        this._carrier.value = c;
    };
});

本文标签： javascriptSetting a member in current class using FridaStack Overflow