Load Classes and Methods 🎯... and then HOOK everything ⚓️ Load Classes

then: Request URL: http://127.0.0.1:5000/dump?choice=1 Request Method: GET Status Code: 500 INTERNAL SERVER ERROR Remote Address: 127.0.0.1:5000

error 500

I am trying to bypass Frida Script running in Memory and Frida Server Detection by using AntiFrida App. Anti Frida App has two detections as CHECk FRIDA SERVER and CHECK FRIDA IN MEMORY.

I am able to bypass it using Frida CLI but not by Using RMS tool. Using RMS,When Frida Server and is Spawn to Device, its shows both in RED as shown below:

Using RMS,When Frida Server and Spawn by adding Script to it (Adding Script in Custom-Scripts Folder and Spawing),It shows only GREEN in check in memory as shown below:

It cannot bypass Frida Server, I am not able to find the issue because using same script in Frida CLI it bypass both Dection in Memory and server(shows GREEN).

Script is

setTimeout(function(){
	Java.perform(function (){
	console.log("[*] Script loaded")   var MainActivity = Java.use("org.owasp.mstg.antifrida.MainActivity")

		MainActivity.checkMemory.overload().implementation = function() {
			console.log("[*] bypass frida mrmory function invoked")
			return false
		}

		var MainActivity = Java.use("org.owasp.mstg.antifrida.MainActivity")

		MainActivity.setFridaServerTextView.overload().implementation = function() {
			console.log("[*] bypass frida server function invoked")
			return false
		}

	

	});      });

Decrypted Java File of Anti Frida MainActivity is. here:https://pastebin.com/NdwfvzjK

Is there any issue in Applying this script or in script(using same script in FRIDA CLI it bypasses both DETECTIONs) Please help to resolve this issue

Describe the bug: Incorrect parameters generation for method overloading !

Steps to reproduce: Custom Logging Implementation: (See methods)

Go to "hook lab", select a Logging class: (highlighted) Generated:

hookclass.d.overload("java.lang.Class","java.lang.String","java.lang.Object[]").implementation = function (v0,v1,v2)

| Current | Must be | |:--:|:--:| | java.lang.Object[] | [Ljava.lang.Object; |

Desktop:

• Browser: Chrome v83
• Python - Frida Tools version: 12.9.4

Smartphone:

• Frida Server version: 12.9.4

Added new TAB to modify the config file. Also I added a try/except in device_management() to avoid Internal Error if the device is not connected. Maybe the connection to the device should be established after submit the main form on "/". What do you think?

1. Run a FRIDA script at startup - please using Ajax, or in the request pass the package name
   • After selecting a custom script, you must re-specify the package name
2. Console Output - using Ajax (.append()), currently page is always reload
   • The output always moves to the top, which is inconvenient (
   • Also not possible to normally copies output with turn on "Auto Refresh Page".
3. Console Output - There is no way to clear output (
   • Need restart the python process :(

Android device detection doe's not happence properly.

Devices using: Computer System OS: Windows 10 Home Android device: Realme X2 [Android 10]

Frida server is properly running in targeted device.

Issue Frida server is properly running in targeted android device (By self verified), and also device is connected computer with usb connection. The requirements are satisfied. but still the runtime mobile security RMS is failing to get the device port(or device detection ).

I am using another dynamic analysis tool called house Link: https://github.com/nccgroup/house. it works well and good. Please look out this tool source code for more details.

Note: Both Screenshots are taken at same time, both tools are running same time with different port [ RMS:Port=5000, House:Port=9000 ]

RMS Web API Screenshot: https://codex-scripts.xyz/RMS_web_api.png House Web API Screenshot: https://codex-scripts.xyz/House_web_api.png

Some times device connects properly, but the connecting chances are very less. I need to reboot the computer and mobile upto 4 to 6 times to get connected with RMS.

I am done some steps to avoid the issue. but still issue not resolved

1. Rebooting computer and also mobile
2. Restarting RMS
3. Restarting frida server in android

i am very happy with this tool. but the only thing is connection problem.

Please look out this issue

docker-compose up Creating network "rms-runtime-mobile-security_default" with the default driver Building rms Step 1/16 : FROM python:3.7.7-slim ---> 4cbd5021babc Step 2/16 : RUN mkdir -p /app/ ---> Running in 1a038aecaf6e Removing intermediate container 1a038aecaf6e ---> d9fab1209897 Step 3/16 : WORKDIR /app/ ---> Running in 171c4b9d38ee Removing intermediate container 171c4b9d38ee ---> cef4a4726c4b Step 4/16 : COPY static/ ./static/ ---> 58979a040242 Step 5/16 : COPY custom_scripts/ ./custom_scripts/ ---> 899c2b4e7df1 Step 6/16 : COPY templates/ ./templates/ ---> b65b84635cd4 Step 7/16 : COPY config.json default.js mobilesecurity.py requirements.txt ./ ERROR: Service 'rms' failed to build: COPY failed: stat /var/lib/docker/tmp/docker-builder243707710/default.js: no such file or directory

Console:[Error: Unable to communicate with remote frida-server; please ensure that major versions match and that the remote Frida has the feature you are trying to use] Both Desktop and Smartphone are using Frida 16.0.2 Frida-ps -U also works from console Only 1 device is connected to my PC

Desktop:

• OS: Windows 10
• Browser: Brave Browser

Smartphone:

• Device: iPhone 7
• OS: 14.2
• Frida Server version: 16.0.2

Describe the bug [Required] Installed RMS and can access via localhost:5000. iOS device is detected, but when trying to attach or spawn an app I am getting the following error.

To Reproduce [Required] Steps to reproduce the behavior:

1. Open RMS, select iOS and any package name, spawn|attach and Start RMS.
2. See error

Package Name: com.apple.podcasts
Mode: Spawn
Device: Device(id="00008020-000118563411802E", name="iPad 4", type='usb')
BETA: False
Frida Startup Script: None
APIs Monitors: None


incompatible Mach-O image
SpringBoard is NOT available on your device or a wrong OS has been selected. For a better RE experience, change it via the Config TAB!
[2020-08-23 13:48:25,614] ERROR in app: Exception on / [POST]
Traceback (most recent call last):
  File "/Users/sven/opt/anaconda3/lib/python3.7/site-packages/flask/app.py", line 2446, in wsgi_app
    response = self.full_dispatch_request()
  File "/Users/sven/opt/anaconda3/lib/python3.7/site-packages/flask/app.py", line 1951, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/Users/sven/opt/anaconda3/lib/python3.7/site-packages/flask/app.py", line 1820, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/Users/sven/opt/anaconda3/lib/python3.7/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/Users/sven/opt/anaconda3/lib/python3.7/site-packages/flask/app.py", line 1949, in full_dispatch_request
    rv = self.dispatch_request()
  File "/Users/sven/opt/anaconda3/lib/python3.7/site-packages/flask/app.py", line 1935, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "mobilesecurity.py", line 424, in device_management
    pid = device.spawn([target_package])
  File "/Users/sven/opt/anaconda3/lib/python3.7/site-packages/frida/core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "/Users/sven/opt/anaconda3/lib/python3.7/site-packages/frida/core.py", line 140, in spawn
    return self._impl.spawn(program, argv, envp, env, cwd, stdio, aux_options)
frida.NotSupportedError: incompatible Mach-O image

Desktop (please complete the following information): [Required]

• OS: macOS 10.15.5
• Browser Chrome (latest)

Smartphone (please complete the following information): [Required]

• Device: [e.g. Genymotion, AVD, Google Pixel 3]
• OS: [e.g. iOS8.1]
• Frida Server version: [e.g. 12.8.20]
• Package Name: [e.g. com.example.app]
• Class name: [e.g. sg.vantagepoint.a.c] (optional)
• Method name: [e.g. public static boolean c()] (optional)

I tried with a jailbroken iPad 4 (iOS 13.5) and an iPhone 6S (12.4). Both have latest version of Frida installed via Cydia (12.11.10) and are jailbroken with unc0ver.

Console Logs [Required] See above

Problem Hook all classes that start with: f0.

127.0.0.1 - - [16/May/2020 00:31:29] "GET /dump?filter=f0.&choice=1 HTTP/1.1" 200 -
[2020-05-16 00:31:31,069] ERROR in app: Exception on /dump [GET]
Traceback (most recent call last):
  File "/Users/user/.virtualenvs/RMS-Runtime-Mobile-Security/lib/python3.8/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/Users/user/.virtualenvs/RMS-Runtime-Mobile-Security/lib/python3.8/site-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/Users/user/.virtualenvs/RMS-Runtime-Mobile-Security/lib/python3.8/site-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/Users/user/.virtualenvs/RMS-Runtime-Mobile-Security/lib/python3.8/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/Users/user/.virtualenvs/RMS-Runtime-Mobile-Security/lib/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/Users/user/.virtualenvs/RMS-Runtime-Mobile-Security/lib/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "mobilesecurity.py", line 288, in home
    return printwebpage()
  File "mobilesecurity.py", line 619, in printwebpage
    loaded_classes_str=printClassesMethods(),
  File "mobilesecurity.py", line 634, in printClassesMethods
    for index, method_name in enumerate(loaded_methods[class_name]):
KeyError: 'f0.p0.k.d$b'

Solution you'd like Ability to specify the methods to ignore eg: f0.,okhttp3.,--f0.p0.k.

Hi guys! I run the following js code every time I go to "step 4" of dumpdex function and I don't continue. Why? ///////////////////////////////////////////////////////////////////////////////////////////////////

// js code begin

function LogPrint(log) { var theDate = new Date(); var hour = theDate.getHours(); var minute = theDate.getMinutes(); var second = theDate.getSeconds(); var mSecond = theDate.getMilliseconds()

hour < 10 ? hour = "0" + hour : hour;
minute < 10 ? minute = "0" + minute : minute;
second < 10 ? second = "0" + second : second;
mSecond < 10 ? mSecond = "00" + mSecond : mSecond < 100 ? mSecond = "0" + mSecond : mSecond;

var time = hour + ":" + minute + ":" + second + ":" + mSecond;
send("[" + time + "] " + log);

}

function getAndroidVersion(){ var version = 0;

if(Java.available){
    var versionStr = Java.androidVersion;
    version = versionStr.slice(0,1);
}else{
    LogPrint("Error: cannot get android version");
}
LogPrint("Android Version: " + version);
return version;

}

function getFunctionName(){ var i = 0; var functionName = "";

// Android 4: hook dvmDexFileOpenPartial
// Android 5: hook OpenMemory
// after Android 5: hook OpenCommon
if(getAndroidVersion() > 4){ // android 5 and later version
    var artExports =  Module.enumerateExportsSync("libart.so");
    for(i = 0; i< artExports.length; i++){
        if(artExports[i].name.indexOf("OpenMemory") !== -1){
            functionName = artExports[i].name;
            LogPrint("index " + i + " function name: "+ functionName);
            break;
        }else if(artExports[i].name.indexOf("OpenCommon") !== -1){
            functionName = artExports[i].name;
            LogPrint("index " + i + " function name: "+ functionName);
            break;
        }
    }
}else{ //android 4
    var dvmExports =  Module.enumerateExportsSync("libdvm.so");
    if(dvmExports.length !== 0){  // check libdvm.so first
        for(i = 0; i< dvmExports.length; i++){
            if(dvmExports[i].name.indexOf("dexFileParse") !== -1){
                functionName = dvmExports[i].name;
                LogPrint("index " + i + " function name: "+ functionName);
                break;
            }
        }
    }else{ // if not load libdvm.so, check libart.so
        dvmExports = Module.enumerateExportsSync("libart.so");
        for(i = 0; i< dvmExports.length; i++){
            if(dvmExports[i].name.indexOf("OpenMemory") !== -1){
                functionName = dvmExports[i].name;
                LogPrint("index " + i + " function name: "+ functionName);
                break;
            }
        }
    }
}
return functionName;

}

function getProcessName(){ var processName = "";

var fopenPtr = Module.findExportByName("libc.so", "fopen");
var fopenFunc = new NativeFunction(fopenPtr, 'pointer', ['pointer', 'pointer']);
var fgetsPtr = Module.findExportByName("libc.so", "fgets");
var fgetsFunc = new NativeFunction(fgetsPtr, 'int', ['pointer', 'int', 'pointer']);
var fclosePtr = Module.findExportByName("libc.so", "fclose");
var fcloseFunc = new NativeFunction(fclosePtr, 'int', ['pointer']);

var pathPtr = Memory.allocUtf8String("/proc/self/cmdline");
var openFlagsPtr = Memory.allocUtf8String("r");

var fp = fopenFunc(pathPtr, openFlagsPtr);
if(fp.isNull() === false){
    var buffData = Memory.alloc(128);
    var ret = fgetsFunc(buffData, 128, fp);
    if(ret !== 0){
        processName = Memory.readCString(buffData);
        LogPrint("processName " + processName);
    }
    fcloseFunc(fp);
}
return processName;

}

function arraybuffer2hexstr(buffer) { var hexArr = Array.prototype.map.call( new Uint8Array(buffer), function (bit) { return ('00' + bit.toString(16)).slice(-2) } ); return hexArr.join(' '); }

function checkDexMagic(dataAddr){ var magicMatch = true; var magicFlagHex = [0x64, 0x65, 0x78, 0x0a, 0x30, 0x33, 0x35, 0x00];

for(var i = 0; i < 8; i++){
    if(Memory.readU8(ptr(dataAddr).add(i)) !== magicFlagHex[i]){
        magicMatch = false;
        break;
    }
}

return magicMatch;

}

function checkOdexMagic(dataAddr){ var magicMatch = true; var magicFlagHex = [0x64, 0x65, 0x79, 0x0a, 0x30, 0x33, 0x36, 0x00];

for(var i = 0; i < 8; i++){
    if(Memory.readU8(ptr(dataAddr).add(i)) !== magicFlagHex[i]){
        magicMatch = false;
        break;
    }
}

return magicMatch;

}

function dumpDex(moduleFuncName, processName){ if(moduleFuncName !== ""){ var hookFunction; if(getAndroidVersion() > 4){ // android 5 and later version hookFunction = Module.findExportByName("libart.so", moduleFuncName); LogPrint("step 1" + hookFunction); }else{ // android 4 hookFunction = Module.findExportByName("libdvm.so", moduleFuncName); // check libdvm.so first LogPrint("step 2" + hookFunction); if(hookFunction == null) { hookFunction = Module.findExportByName("libart.so", moduleFuncName); //// if not load libdvm.so, check libart.so LogPrint("step 3" + hookFunction); } } Interceptor.attach(hookFunction,{ onEnter: function(args){ LogPrint("step 4");

            var begin = 0;
            var dexMagicMatch = false;
            var odexMagicMatch = false;
			
			
            dexMagicMatch = checkDexMagic(args[0]);
            if(dexMagicMatch === true){
                begin = args[0];
            }else{
                odexMagicMatch = checkOdexMagic(args[0]);
                if(odexMagicMatch === true){
                    begin = args[0];
                }
            }

            if(begin === 0){
                dexMagicMatch = checkDexMagic(args[1]);
                if(dexMagicMatch === true){
                    begin = args[1];
                }else{
                  odexMagicMatch = checkOdexMagic(args[1]);
                  if(odexMagicMatch === true){
                      begin = args[1];
                  }
                }
            }

            if(dexMagicMatch === true){
                LogPrint("magic : " + Memory.readUtf8String(begin));
                //console.log(hexdump(begin, { offset: 0, header: false, length: 64, ansi: false }));
                var address = parseInt(begin,16) + 0x20;
                var dex_size = Memory.readInt(ptr(address));
                LogPrint("dex_size :" + dex_size);
                var dex_path = "/data/data/" + processName + "/" + dex_size + ".dex";
                var dex_file = new File(dex_path, "wb");
                dex_file.write(Memory.readByteArray(begin, dex_size));
                dex_file.flush();
                dex_file.close();
                LogPrint("dump dex success, saved path: " + dex_path + "\n");
            }else if(odexMagicMatch === true){
                LogPrint("magic : " + Memory.readUtf8String(begin));
                //console.log(hexdump(begin, { offset: 0, header: false, length: 64, ansi: false }));
                var address = parseInt(begin,16) + 0x0C;
                var odex_size = Memory.readInt(ptr(address));
                LogPrint("odex_size :" + odex_size);
                var odex_path = "/data/data/" + processName + "/" + odex_size + ".odex";
                var odex_file = new File(odex_path, "wb");
                odex_file.write(Memory.readByteArray(begin, odex_size));
                odex_file.flush();
                odex_file.close();
                LogPrint("dump odex success, saved path: " + odex_path + "\n");
            }
        },
        onLeave: function(retval){
        }
    });
}else{
    LogPrint("Error: cannot find correct module function.");
}

}

//start dump dex file var moduleFucntionName = getFunctionName(); var processName = getProcessName(); if(moduleFucntionName !== "" && processName !== ""){ dumpDex(moduleFucntionName, processName); }

// js code end

Shouldn't the args be printed in the args fields instead of only their types?

[API_Monitor]
{
  "category": "String Comparison",
  "class": "java.lang.String",
  "method": "equals",
  "args": "[\"<instance: java.lang.Object, $className: java.lang.String>\"]",
  "returnValue": "true",
  "calledFrom": "\u0007"
}