Install Android Studio and create an emulator running Android 7.1.1 x86, without Google APIs. This last point is important as it ensures the emulator is rooted.
Create a venv.
python3 -m venv venv
cd venv
source ./venv/bin/activateInstall Frida through pip.
pip3 install frida frida-toolsAt the time of writing, Frida was broken on Python 3.10, Python 3.9.9 and below worked.
Download jadx-gui from here.
Download the Frida server from here
Decompress the server and push it to the emulator
unxz ./frida-server-*-android-x86.xz
adb push ./frida-server-*-android-x86 /data/local/tmpStart the server as root on the emulator
adb shell # We are now in a shell on the emulator
su
cd /data/local/tmp
chmod +x frida-server*
./frida-server*Or alternatively to start the server afterward
adb root # adb commands will now be executed as root
adb shell "/data/local/tmp/frida-server*" # You may add ' &' at the end to run it in the backgroundadb shell pm list packages -ffrida-ps -U -a -iJava.perform(function() {
console.log("[ * ] Overriding functions");
const System = Java.use("java.lang.System");
const sysMyFunction = System.myFunction;
sysMyFunction.implementation = function() {
console.log("Hooking myFunction");
const ret = sysMyFunction.call();
console.log("Return value: " + ret);
return ret;
}
});Java.perform(function() {
console.log("[ * ] Overriding functions");
const MyClass = Java.use("com.appsomething.MyClass");
const targetFunction = MyClass.target.overload("int", "java.lang.String");
targetFunction.implementation = function(val_i, val_s) {
console.log("Hooking target");
console.log("Called with: " + val_i + ", " + val_s);
const ret = targetFunction.call(this, val_i, val_s);
console.log("Return value: " + ret);
return ret;
}
});Here are some Frida base types: "int", "float", "[B" (byte array).
frida -U --no-pause -l hook.js -f "package.name"