Android Frida rooting bypass code

심야·2025년 4월 10일

모의해킹


Android Frida rooting bypass code

Java.perform(function() {
    // Settings key that the getter hooks below answer on behalf of the system:
    // 'adb_enabled' is the key behind the USB-debugging toggle.
    var androidSettings = ['adb_enabled'];
    // android.os.Build.VERSION wrapper; SDK_INT decides which Settings class gets hooked.
    var sdkVersion = Java.use('android.os.Build$VERSION');
    console.log("SDK Version : " + sdkVersion.SDK_INT.value);

    // API level 16 and below: hook the Settings.Secure getters so that a lookup of
    // androidSettings[0] ('adb_enabled') is answered with 0 / "0"; every other key is
    // forwarded to the real getter unchanged. The value is read inside the app's own
    // process, so an app that relies on it cannot tell a hooked answer from a real one.
    if (sdkVersion.SDK_INT.value <= 16) {
        var settingSecure = Java.use('android.provider.Settings$Secure');
        const resolverType = 'android.content.ContentResolver';
        const keyType = 'java.lang.String';

        // One row per hooked overload, in installation order. defType is the Java type of
        // the trailing default-value parameter, or null for the two-argument form.
        const secureHooks = [
            { getter: 'getInt', defType: null, hit: '[+]Secure.getInt(cr, name) Bypassed' },
            { getter: 'getInt', defType: 'int', hit: '[+]Secure.getInt(cr, name, def) Bypassed' },
            { getter: 'getFloat', defType: null, hit: '[+]Secure.getFloat(cr, name) Bypassed' },
            { getter: 'getFloat', defType: 'float', hit: '[+]Secure.getFloat(cr, name, def) Bypassed' },
            { getter: 'getLong', defType: null, hit: '[+]Secure.getLong(cr, name) Bypassed' },
            { getter: 'getLong', defType: 'long', hit: '[+]Secure.getLong(cr, name, def) Bypassed' },
            { getter: 'getString', defType: null, hit: '[+]Secure.getString(cr, name) Bypassed' },
        ];

        secureHooks.forEach(function(hook) {
            // Value reported for the overridden key: getString hands back a
            // java.lang.String "0", the numeric getters a plain 0.
            const spoof = function() {
                if (hook.getter === 'getString') {
                    const zeroText = Java.use("java.lang.String").$new("0");
                    console.log(hook.hit);
                    return zeroText;
                }
                console.log(hook.hit);
                return 0;
            };

            if (hook.defType === null) {
                settingSecure[hook.getter].overload(resolverType, keyType).implementation = function(cr, name) {
                    if (name == androidSettings[0]) {
                        return spoof();
                    }
                    return this[hook.getter](cr, name);
                };
            } else {
                settingSecure[hook.getter].overload(resolverType, keyType, hook.defType).implementation = function(cr, name, def) {
                    if (name == androidSettings[0]) {
                        return spoof();
                    }
                    return this[hook.getter](cr, name, def);
                };
            }
        });
    }

    // API level 17 and above: the same override is installed on the Settings.Global
    // getters. A lookup of androidSettings[0] ('adb_enabled') is answered with 0 / "0";
    // every other key is forwarded to the real getter unchanged.
    if (sdkVersion.SDK_INT.value >= 17) {
        var settingGlobal = Java.use('android.provider.Settings$Global');
        const resolverType = 'android.content.ContentResolver';
        const keyType = 'java.lang.String';

        // One row per hooked overload, in installation order. defType is the Java type of
        // the trailing default-value parameter, or null for the two-argument form.
        const globalHooks = [
            { getter: 'getInt', defType: null, hit: '[+]Global.getInt(cr, name) Bypassed' },
            { getter: 'getInt', defType: 'int', hit: '[+]Global.getInt(cr, name, def) Bypassed' },
            { getter: 'getFloat', defType: null, hit: '[+]Global.getFloat(cr, name) Bypassed' },
            { getter: 'getFloat', defType: 'float', hit: '[+]Global.getFloat(cr, name, def) Bypassed' },
            { getter: 'getLong', defType: null, hit: '[+]Global.getLong(cr, name) Bypassed' },
            { getter: 'getLong', defType: 'long', hit: '[+]Global.getLong(cr, name, def) Bypassed' },
            { getter: 'getString', defType: null, hit: '[+]Global.getString(cr, name) Bypassed' },
        ];

        globalHooks.forEach(function(hook) {
            // Value reported for the overridden key: getString hands back a
            // java.lang.String "0", the numeric getters a plain 0.
            const spoof = function() {
                if (hook.getter === 'getString') {
                    const zeroText = Java.use("java.lang.String").$new("0");
                    console.log(hook.hit);
                    return zeroText;
                }
                console.log(hook.hit);
                return 0;
            };

            if (hook.defType === null) {
                settingGlobal[hook.getter].overload(resolverType, keyType).implementation = function(cr, name) {
                    if (name == androidSettings[0]) {
                        return spoof();
                    }
                    return this[hook.getter](cr, name);
                };
            } else {
                settingGlobal[hook.getter].overload(resolverType, keyType, hook.defType).implementation = function(cr, name, def) {
                    if (name == androidSettings[0]) {
                        return spoof();
                    }
                    return this[hook.getter](cr, name, def);
                };
            }
        });
    }


    // java.lang.System.exit becomes a logged no-op: code that reacts to a failed
    // integrity check by exiting the process keeps running instead.
    var sys = Java.use("java.lang.System");
    sys.exit.implementation = function() {
        console.log("[-] Rooting Bypass ...");
        // exit() is declared void in Java; the returned value is kept as the script had it.
        return false;
    };
    // Observes libc fopen(). Every call is logged, and every call also (re)installs a hook on
    // the java.io.File(String) constructor that swaps one specific path and prints a Java stack trace.
    Interceptor.attach(Module.findExportByName("libc.so", "fopen"), {
        onEnter: function(args) {
            console.warn("[*] fopen() called !");
            const requested = Memory.readUtf8String(args[0]);
            // args[1] is printed under the label "flags"; for fopen it is the pointer to the mode string.
            console.log("\t[+] fopen : " + requested + ' pathname=' + args[0] + ', flags=' + args[1]);

            // Paths ending in "bin" are only reported: the substituted string is logged
            // and is not written back to args[0], so fopen still receives the original path.
            if (requested.endsWith("bin")) {
                console.log(`[!] Debug Detection Pattern Found ! ${requested}`);
                console.log("Modified path:", requested.replace("/system/bin", "inmo"));
            }

            // Constructor hook: File("/data/local/tmp/frida-server") is built as File("/data");
            // any other path is passed through. Each construction logs the caller's stack trace.
            const fileCtor = Java.use("java.io.File").$init.overload("java.lang.String");
            fileCtor.implementation = function(filePath) {
                const effectivePath = filePath == "/data/local/tmp/frida-server" ? "/data" : filePath;
                const trace = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new());
                console.warn(trace);
                return fileCtor.call(this, effectivePath);
            };
        },
    });

    /*
Made By @ApkUnpacker on 29-6-2022 
Uploaded on 3-7-2022 ( so i can remember that i faced 4 days internet ban in my area and in free time made this. lol)
*/
// Process name as read from /proc/self/cmdline by ProcessName(), or -1 when that file could not be opened.
// It is later used as the directory name under /data/data/ for the substitute /proc files.
var ProName = ProcessName();
/**
 * Reads the current process name from /proc/self/cmdline using libc open/read/close directly.
 *
 * @returns {string|number} The first NUL-terminated string found in the file
 *   (up to 0x1000 bytes are read), or -1 when open() fails.
 */
function ProcessName() {
    // Resolve a libc export and wrap it as a callable native function.
    const libc = function(symbol, returnType, argTypes) {
        return new NativeFunction(Module.getExportByName('libc.so', symbol), returnType, argTypes);
    };
    const open = libc('open', 'int', ['pointer', 'int']);
    const read = libc('read', 'int', ['int', 'pointer', 'int']);
    const close = libc('close', 'int', ['int']);

    const cmdlinePath = Memory.allocUtf8String('/proc/self/cmdline');
    const fd = open(cmdlinePath, 0); // flags 0 = O_RDONLY
    if (fd === -1) {
        return -1;
    }

    const scratch = Memory.alloc(0x1000);
    // The byte count returned by read() is not used; the buffer is parsed as a C string below.
    read(fd, scratch, 0x1000);
    close(fd);
    return ptr(scratch).readCString();
}
// Tracing aid for one native library: pthread_create is replaced so that a call whose
// arguments point into `ourlib` is logged and the referenced address is instrumented.
// Every path forwards to the real pthread_create, so thread creation itself is not blocked.
var ourlib = "libxyz.so"; // library to watch; "libxyz.so" is presumably a placeholder to edit
var p_pthread_create = Module.findExportByName("libc.so", "pthread_create");
var pthread_create = new NativeFunction(p_pthread_create, "int", ["pointer", "pointer", "pointer", "pointer"]);
// Arguments follow pthread_create(thread, attr, start_routine, arg) as ptr0..ptr3.
Interceptor.replace(p_pthread_create, new NativeCallback(function(ptr0, ptr1, ptr2, ptr3) {
    var ret = ptr(0); // not used below
    if (gmn(ptr0) == ourlib) {
        // NOTE(review): Mod is declared with `var` in the branches below and has not been
        // assigned yet when this line runs, so it is undefined here.
        console.log("Thread Created ptr0 : ", gmn(ptr0), Mod, ptr0.sub(Mod));
    }
    if (gmn(ptr1) == ourlib) {
        var Mod = Module.findBaseAddress(ourlib)
        // Logs the module name, its base address and the argument's offset from that base.
        console.log("Thread Created ptr1 : ", gmn(ptr1), Mod, ptr1.sub(Mod));
        // base + (ptr1 - base) is the address held in ptr1 itself.
        Interceptor.attach(Mod.add(ptr1.sub(Mod)), {
            onEnter: function(args) {
                console.log("New Thread Func", ptr1.sub(Mod), "arg : ", args[0], args[1]);
            },
            onLeave: function(retval) {
                console.log("New Thread Func Return : ", retval);
            }
        });
    }
    if (gmn(ptr2) == ourlib) {
        // ptr2 is the start routine: this branch logs entry to and return from the new thread's function.
        var Mod = Module.findBaseAddress(ourlib)
        console.log("Thread Created ptr2 : ", gmn(ptr2), Mod, ptr2.sub(Mod));
        Interceptor.attach(Mod.add(ptr2.sub(Mod)), {
            onEnter: function(args) {
                console.log("New Thread Func", ptr2.sub(Mod), "arg : ", args[0], args[1]);
            },
            onLeave: function(retval) {
                console.log("New Thread Func Return : ", retval);
            }
        });
    }
    if (gmn(ptr3) == ourlib) {
        var Mod = Module.findBaseAddress(ourlib)
        console.log("Thread Created ptr3 : ", gmn(ptr3), Mod, ptr3.sub(Mod));
        Interceptor.attach(Mod.add(ptr3.sub(Mod)), {
            onEnter: function(args) {
                console.log("New Thread Func", ptr3.sub(Mod), "arg : ", args[0], args[1]);
            },
            onLeave: function(retval) {
                console.log("New Thread Func Return : ", retval);
            }
        });
    }
    // Both branches forward the call unchanged; the first one only adds a log line
    // when ptr1 (attr) and ptr3 (arg) are both NULL.
    if (ptr1.isNull() && ptr3.isNull()) {
        console.warn("loading fake pthread_create");
        /* returning -1 here instead would stop that thread from being created */
        return pthread_create(ptr0, ptr1, ptr2, ptr3);
        // return -1;
    } else {       
        return pthread_create(ptr0, ptr1, ptr2, ptr3);;
    }
}, "int", ["pointer", "pointer", "pointer", "pointer"]));

/**
 * Returns the name of the loaded module that contains an address.
 *
 * @param {NativePointer} fnPtr - Address to look up; null/undefined is accepted.
 * @returns {string|undefined} Module name, or undefined when fnPtr is null/undefined
 *   or the lookup throws (the error is written to console.error).
 */
function gmn(fnPtr) {
    if (fnPtr == null) {
        return undefined;
    }
    try {
        return Process.getModuleByAddress(fnPtr).name;
    } catch (lookupError) {
        console.error(lookupError);
    }
    return undefined;
}
/* Pass-through hooks for libc calls that some Frida-presence checks rely on.
   Each replacement forwards to the real function first and only logs what it was asked;
   no argument or return value is altered in this group. */

// inet_aton(cp, inp): log the address text being parsed.
var inet_atonPtr = Module.findExportByName("libc.so", "inet_aton");
var inet_aton = new NativeFunction(inet_atonPtr, 'int', ['pointer', 'pointer']);
Interceptor.replace(inet_atonPtr, new NativeCallback(function(addressText, out) {
    const rc = inet_aton(addressText, out);
    console.log("inet_aton : ", addressText.readCString());
    return rc;
}, 'int', ['pointer', 'pointer']));

// popen(command, type): log the command line.
var popenPtr = Module.findExportByName("libc.so", "popen");
var popen = new NativeFunction(popenPtr, 'pointer', ['pointer', 'pointer']);
Interceptor.replace(popenPtr, new NativeCallback(function(command, mode) {
    const stream = popen(command, mode);
    console.log("popen : ", command.readCString());
    return stream;
}, 'pointer', ['pointer', 'pointer']));

// symlink(target, linkpath): log both paths.
var symlinkPtr = Module.findExportByName("libc.so", "symlink");
var symlink = new NativeFunction(symlinkPtr, 'int', ['pointer', 'pointer']);
Interceptor.replace(symlinkPtr, new NativeCallback(function(linkTarget, linkPath) {
    const rc = symlink(linkTarget, linkPath);
    console.log("symlink: ", linkTarget.readCString(), linkPath.readCString());
    return rc;
}, 'int', ['pointer', 'pointer']));

// symlinkat(target, newdirfd, linkpath): log both paths.
var symlinkatPtr = Module.findExportByName("libc.so", "symlinkat");
var symlinkat = new NativeFunction(symlinkatPtr, 'int', ['pointer', 'int', 'pointer']);
Interceptor.replace(symlinkatPtr, new NativeCallback(function(linkTarget, dirFd, linkPath) {
    const rc = symlinkat(linkTarget, dirFd, linkPath);
    console.log("symlinkat : ", linkTarget.readCString(), linkPath.readCString());
    return rc;
}, 'int', ['pointer', 'int', 'pointer']));

// inet_addr(cp): log the address text.
// NOTE(review): the parameter is declared as 'int' here although the callback reads it
// as a C string pointer - confirm the intended signature.
var inet_addrPtr = Module.findExportByName("libc.so", "inet_addr");
var inet_addr = new NativeFunction(inet_addrPtr, 'int', ['int']);
Interceptor.replace(inet_addrPtr, new NativeCallback(function(addressText) {
    const rc = inet_addr(addressText);
    console.log("inet_addr : ", addressText.readCString());
    return rc;
}, 'int', ['int']));

// socket(domain, type, protocol): log the triple and the descriptor returned.
var socketPtr = Module.findExportByName("libc.so", "socket");
var socket = new NativeFunction(socketPtr, 'int', ['int', 'int', 'int']);
Interceptor.replace(socketPtr, new NativeCallback(function(family, kind, protocol) {
    const fd = socket(family, kind, protocol);
    console.warn("socket  : ", family, kind, protocol, "Return : ", fd);
    return fd;
}, 'int', ['int', 'int', 'int']));

// connect(fd, addr, len): log the first two 16-bit fields of the sockaddr.
// The port field is logged exactly as read from memory, without a byte swap.
var connectPtr = Module.findExportByName("libc.so", "connect");
var connect = new NativeFunction(connectPtr, 'int', ['int', 'pointer', 'int']);
Interceptor.replace(connectPtr, new NativeCallback(function(sockFd, sockAddr, addrLen) {
    const rc = connect(sockFd, sockAddr, addrLen);
    const addrFamily = sockAddr.readU16();
    const rawPort = sockAddr.add(2).readU16();
    console.warn("Connect : ", addrFamily, "Port : ", rawPort, "Return : ", rc);
    return rc;
}, 'int', ['int', 'pointer', 'int']));

// send(fd, buf, len, flags): log the payload read as a C string.
// The callback is declared with two extra, unused parameters, as in the original script.
var sendPtr = Module.findExportByName("libc.so", "send");
var send2 = new NativeFunction(sendPtr, 'int', ['int', 'pointer', 'int', 'int']);
Interceptor.replace(sendPtr, new NativeCallback(function(sockFd, payload, payloadLen, flags, destAddr, destLen) {
    const sent = send2(sockFd, payload, payloadLen, flags);
    console.log("send : ", sockFd, payload.readCString(), payloadLen, flags);
    return sent;
}, 'int', ['int', 'pointer', 'int', 'int']));

// sendto(fd, buf, len, flags, dest_addr, addrlen): forwarded without logging.
var sendtoPtr = Module.findExportByName("libc.so", "sendto");
var sendto = new NativeFunction(sendtoPtr, 'int', ['int', 'pointer', 'int', 'int', 'pointer', 'int']);
Interceptor.replace(sendtoPtr, new NativeCallback(function(sockFd, payload, payloadLen, flags, destAddr, destLen) {
    return sendto(sockFd, payload, payloadLen, flags, destAddr, destLen);
}, 'int', ['int', 'pointer', 'int', 'int', 'pointer', 'int']));

// NativeFunction wrappers for libc open() and read(); the open() replacement further down
// calls these to reach the real functions.
const openPtr = Module.getExportByName('libc.so', 'open');
const open = new NativeFunction(openPtr, 'int', ['pointer', 'int']);
var readPtr = Module.findExportByName("libc.so", "read");
var read = new NativeFunction(readPtr, 'int', ['int', 'pointer', "int"]);

// If the process name is not detected correctly, replace ProName with the package name manually here.
// Paths of the substitute files, all inside the app's own data directory.
var FakeMaps = "/data/data/" + ProName + "/maps";
var FOpenMaps = "/data/data/" + ProName + "/fmaps";
var FakeTask = "/data/data/" + ProName + "/task";
var FakeExE = "/data/data/" + ProName + "/exe";
var FakeMounts = "/data/data/" + ProName + "/mounts";
var FakeStatus = "/data/data/" + ProName + "/status";
// Each file is opened for writing ("w") as soon as the script loads, so these six files
// exist on disk from that point on - an artifact a defender can look for.
var MapsFile = new File(FakeMaps, "w");
var TaskFile = new File(FakeTask, "w");
var ExEFile = new File(FakeExE, "w");
var FMapsFile = new File(FOpenMaps, "w"); // not referenced in the part of the script shown here
var FMountFile = new File(FakeMounts, "w");
var StatusFile = new File(FakeStatus, "w");
// 512-byte scratch buffers, one per /proc view, that read() fills chunk by chunk.
var MapsBuffer = Memory.alloc(512);
var TaskBuffer = Memory.alloc(512);
var ExEBuffer = Memory.alloc(512);
var FopenBuffer = Memory.alloc(512); // not referenced in the part of the script shown here
var MountBuffer = Memory.alloc(512);
var StatusBuffer = Memory.alloc(512);
var Open64MapsBuffer = Memory.alloc(512); // not referenced in the part of the script shown here
// Replacement for the libc open() export. The real open() always runs first. When the path
// names one of the /proc views listed below, that file is copied in 512-byte chunks through
// a text filter into a substitute file, and the caller receives a descriptor for the
// substitute instead. Only this one export is replaced here; other ways of opening a file
// are not touched by this block.
Interceptor.replace(openPtr, new NativeCallback(function(pathname, flag) {
    const realFd = open(pathname, flag);
    const requested = pathname.readCString();

    // Applies the substitutions strictly in list order. A bare string is replaced by `tag`;
    // a [from, to] pair carries its own replacement text.
    const scrub = function(text, tag, rules) {
        return rules.reduce(function(acc, rule) {
            return Array.isArray(rule) ? acc.replaceAll(rule[0], rule[1]) : acc.replaceAll(rule, tag);
        }, text);
    };

    // Checked top to bottom; the first view whose `root` and `leaf` both occur in the path wins.
    const views = [
        {
            root: "/proc/", leaf: "maps", announce: true,
            scratch: MapsBuffer, sink: MapsFile, copyPath: FakeMaps,
            filter: function(chunk) {
                return scrub(chunk, "FakingMaps", [
                    "/data/local/tmp/re.frida.server/frida-agent-64.so",
                    "re.frida.server",
                    "re.frida",
                    "re.",
                    "frida.",
                    "frida-agent-64.so",
                    "rida-agent-64.so",
                    "agent-64.so",
                    "frida-agent-32.so",
                    "frida-helper-32",
                    "frida-helper",
                    "frida-agent",
                    "pool-frida",
                    "frida",
                    "frida-",
                    ["/data/local/tmp", "/data"],
                    "server",
                    "frida-server",
                    "linjector",
                    "gum-js-loop",
                    "frida_agent_main",
                    "gmain",
                    "frida",
                    "magisk",
                    ".magisk",
                    "/sbin/.magisk",
                    "libriru",
                    "xposed",
                ]);
            },
        },
        {
            root: "/proc", leaf: "task", announce: false,
            scratch: TaskBuffer, sink: TaskFile, copyPath: FakeTask,
            filter: function(chunk) {
                return scrub(chunk, "FakingTask", [
                    "re.frida.server",
                    "frida-agent-64.so",
                    "rida-agent-64.so",
                    "agent-64.so",
                    "frida-agent-32.so",
                    "frida-helper-32",
                    "frida-helper",
                    "frida-agent",
                    "pool-frida",
                    "frida",
                    ["/data/local/tmp", "/data"],
                    "server",
                    "frida-server",
                    "linjector",
                    "gum-js-loop",
                    "frida_agent_main",
                    "gmain",
                    "magisk",
                    ".magisk",
                    "/sbin/.magisk",
                    "libriru",
                    "xposed",
                    "pool-spawner",
                    "gdbus",
                ]);
            },
        },
        {
            root: "/proc/", leaf: "mounts", announce: true,
            scratch: MountBuffer, sink: FMountFile, copyPath: FakeMounts,
            filter: function(chunk) {
                return scrub(chunk, "StaySafeStayHappy", [
                    "magisk",
                    "/sbin/.magisk",
                    "libriru",
                    "xposed",
                    "mirror",
                    "system_root",
                    "xposed",
                ]);
            },
        },
        {
            root: "/proc/", leaf: "status", announce: true,
            scratch: StatusBuffer, sink: StatusFile, copyPath: FakeStatus,
            // On a chunk containing "TracerPid:" the scratch buffer is overwritten and a line
            // is logged; the text written to the substitute file is the chunk as it was read.
            filter: function(chunk) {
                if (chunk.indexOf("TracerPid:") > -1) {
                    StatusBuffer.writeUtf8String("TracerPid:\t0");
                    console.log("Bypassing TracerPID Check");
                }
                return chunk;
            },
        },
        {
            root: "/proc", leaf: "exe", announce: true,
            scratch: ExEBuffer, sink: ExEFile, copyPath: FakeExE,
            filter: function(chunk) {
                return scrub(chunk, "StaySafeStayHappy", [
                    "frida-agent-64.so",
                    "frida-agent-32.so",
                    "re.frida.server",
                    "frida-helper-32",
                    "frida-helper",
                    "pool-frida",
                    "frida",
                    ["/data/local/tmp", "/data"],
                    "frida-server",
                    "linjector",
                    "gum-js-loop",
                    "frida_agent_main",
                    "gmain",
                    "frida-agent",
                ]);
            },
        },
    ];

    for (const view of views) {
        const matches = requested.indexOf(view.root) >= 0 && requested.indexOf(view.leaf) >= 0;
        if (!matches) {
            continue;
        }
        if (view.announce) {
            console.log("open : ", pathname.readCString());
        }
        // Runs until read() reports 0 bytes; each chunk is filtered on its own, so a token
        // that straddles two chunks is not seen as a whole.
        while (parseInt(read(realFd, view.scratch, 512)) !== 0) {
            view.sink.write(view.filter(view.scratch.readCString()));
        }
        const substitutePath = Memory.allocUtf8String(view.copyPath);
        return open(substitutePath, flag);
    }

    // Any other path: hand back the descriptor from the real open().
    return realFd;
}, 'int', ['pointer', 'int']));
// Replacement for libc fgets(). Order of operations, as written: the text currently in
// `buf` is read, the substitutions below are applied in list order, the result is written
// back into `buf`, and only then is the real fgets() called with the same buffer.
var fgetsPtr = Module.findExportByName("libc.so", "fgets");
var fgets = new NativeFunction(fgetsPtr, 'pointer', ['pointer', 'int', 'pointer']);
Interceptor.replace(fgetsPtr, new NativeCallback(function(buf, size, fp) {
    // A bare string is replaced by "FakingGets"; a [from, to] pair carries its own replacement.
    const rules = [
        "re.frida.server",
        "frida-agent-64.so",
        "rida-agent-64.so",
        "agent-64.so",
        "frida-agent-32.so",
        "frida-helper-32",
        "frida-helper",
        "frida-agent",
        "pool-frida",
        "frida",
        ["/data/local/tmp", "/data"],
        "server",
        "frida-server",
        "linjector",
        "gum-js-loop",
        "frida_agent_main",
        "gmain",
        "magisk",
        ".magisk",
        "/sbin/.magisk",
        "libriru",
        "xposed",
    ];
    const filtered = rules.reduce(function(text, rule) {
        return Array.isArray(rule) ? text.replaceAll(rule[0], rule[1]) : text.replaceAll(rule, "FakingGets");
    }, buf.readCString());
    buf.writeUtf8String(filtered);
    return fgets(buf, size, fp);
}, 'pointer', ['pointer', 'int', 'pointer']));

// Replacement for libc readlink(). The real call runs first; if the resolved target in
// `buffer` contains any marker below, the match is logged, a fixed framework path is
// written into `buffer`, and the real readlink() is then called a second time with the
// same arguments and its result returned. Otherwise the first result is returned.
var readlinkPtr = Module.findExportByName("libc.so", "readlink");
var readlink = new NativeFunction(readlinkPtr, 'int', ['pointer', 'pointer', 'int']);
Interceptor.replace(readlinkPtr, new NativeCallback(function(pathname, buffer, bufsize) {
    const firstResult = readlink(pathname, buffer, bufsize);

    const markers = [
        "frida",
        "gum-js-loop",
        "gmain",
        "linjector",
        "/data/local/tmp",
        "pool-frida",
        "frida_agent_main",
        "re.frida.server",
        "frida-agent",
        "frida-agent-64.so",
        "frida-agent-32.so",
        "frida-helper-32.so",
        "frida-helper-64.so",
    ];
    const flagged = markers.some(function(marker) {
        return buffer.readCString().indexOf(marker) !== -1;
    });

    if (flagged) {
        console.log(buffer.readCString(), "Check in readlink");
        buffer.writeUtf8String("/system/framework/services.jar");
        return readlink(pathname, buffer, bufsize);
    }
    return firstResult;
}, 'int', ['pointer', 'pointer', 'int']));


// Replacement for libc readlinkat(), mirroring the readlink() hook: real call first; on a
// marker match the result is logged, a fixed framework path is written into `buffer`, and
// the real readlinkat() is called again with the same arguments and its result returned.
var readlinkatPtr = Module.findExportByName("libc.so", "readlinkat");
var readlinkat = new NativeFunction(readlinkatPtr, 'int', ['int', 'pointer', 'pointer', 'int']);
Interceptor.replace(readlinkatPtr, new NativeCallback(function(dirfd, pathname, buffer, bufsize) {
    const firstResult = readlinkat(dirfd, pathname, buffer, bufsize);

    const markers = [
        "frida",
        "gum-js-loop",
        "gmain",
        "linjector",
        "/data/local/tmp",
        "pool-frida",
        "frida_agent_main",
        "re.frida.server",
        "frida-agent",
        "frida-agent-64.so",
        "frida-agent-32.so",
        "frida-helper-32.so",
        "frida-helper-64.so",
    ];
    const flagged = markers.some(function(marker) {
        return buffer.readCString().indexOf(marker) !== -1;
    });

    if (flagged) {
        console.log(buffer.readCString(), "Check in readlinkat");
        buffer.writeUtf8String("/system/framework/services.jar");
        return readlinkat(dirfd, pathname, buffer, bufsize);
    }
    return firstResult;
}, 'int', ['int', 'pointer', 'pointer', 'int']));


// Observes strstr() in any loaded module. When either argument contains one of the markers
// below, the call is logged and its return value is replaced with NULL ("not found") on exit.
// A string comparison done inside the inspected process can be answered by whoever controls
// that process, so a result obtained this way is a hint rather than proof.
Interceptor.attach(Module.findExportByName(null, "strstr"), {
    onEnter: function(args) {
        this.frida = false;
        const haystack = args[0].readCString();
        const needle = args[1].readCString();

        const markers = [
            "frida",
            "gum-js-loop",
            "gmain",
            "linjector",
            "/data/local/tmp",
            "pool-frida",
            "frida_agent_main",
            "re.frida.server",
            "frida-agent",
            "pool-spawner",
            "frida-agent-64.so",
            "frida-agent-32.so",
            "frida-helper-32.so",
            "frida-helper-64.so",
            "/sbin/.magisk",
            "libriru",
            "magisk",
        ];
        // For each marker the first argument is tested before the second, as in the original chain.
        const flagged = markers.some(function(marker) {
            return haystack.indexOf(marker) !== -1 || needle.indexOf(marker) !== -1;
        });

        if (flagged) {
            this.frida = true;
            console.log("strstr : ", haystack, needle);
        }
    },
    onLeave: function(retval) {
        // this.frida carries the decision made in onEnter for this same call.
        if (this.frida) {
            retval.replace(ptr("0x0"));
        }
    },
});


// Enabling this hook may crash some apps (original author's note).
// Hooks read() exported by libc.so and rewrites marker substrings in the buffer
// passed as the second argument.
// NOTE(review): the rewrite runs in onEnter, i.e. before the intercepted call
// executes, so the text inspected is whatever the caller's buffer already held.
// NOTE(review): the rewritten text is written back without checking the buffer
// size (args[2] is never read) and most replacements are longer than the text
// they replace, so the write can run past the caller's buffer. This is a likely
// cause of the crashes mentioned above.
Interceptor.attach(Module.findExportByName("libc.so", "read"), {
    onEnter: function(args) {
        const MASK = "StaySafeStayHappy";
        // Applied strictly in this order. Later entries that contain an earlier
        // needle (e.g. "frida-server" after "frida", ".magisk" after "magisk")
        // can no longer match once the earlier entry has been applied.
        const rewrites = [
            ["re.frida.server", MASK],
            ["frida-agent-64.so", MASK],
            ["rida-agent-64.so", MASK],
            ["agent-64.so", MASK],
            ["frida-agent-32.so", MASK],
            ["frida-helper-32", MASK],
            ["frida-helper", MASK],
            ["frida-agent", MASK],
            ["pool-frida", MASK],
            ["frida", MASK],
            ["/data/local/tmp", "/data"],
            ["server", MASK],
            ["frida-server", MASK],
            ["linjector", MASK],
            ["gum-js-loop", MASK],
            ["frida_agent_main", MASK],
            ["gmain", MASK],
            ["magisk", MASK],
            [".magisk", MASK],
            ["/sbin/.magisk", MASK],
            ["libriru", MASK],
            ["xposed", MASK]
        ];

        try {
            let text = args[1].readCString();
            // Only buffers that mention "frida" are touched at all; the other
            // entries in the table apply solely to those buffers.
            if (text.indexOf("frida") < 0) {
                return;
            }
            for (const [needle, substitute] of rewrites) {
                text = text.replaceAll(needle, substitute);
            }
            args[1].writeUtf8String(text);
        } catch (e) {
            // Errors (unreadable pointer, null string, ...) are deliberately ignored.
            //console.error(e);
        }
    }
});

// Replaces libc.so's memcpy with a wrapper. The wrapper performs the real copy,
// then, if both buffers read back as C strings and either one contains "frida",
// rewrites marker substrings in BOTH buffers and calls the real memcpy again.
// NOTE(review): memcpy is not limited to NUL-terminated text, so readCString()
// on dest/src may read beyond `len` bytes. Confirm this is acceptable for the
// target under test.
// NOTE(review): the third parameter is declared 'int' here; libc declares it as
// size_t.
var memcpyPtr = Module.findExportByName("libc.so", "memcpy");
var memcpy = new NativeFunction(memcpyPtr, 'pointer', ['pointer', 'pointer', 'int']);
Interceptor.replace(memcpyPtr, new NativeCallback(function(dest, src, len) {
    // Perform the original copy first so dest holds the copied bytes.
    var retval = memcpy(dest, src, len);
    // Each readCString() call re-reads native memory; the buffers are read several times here.
    if(dest.readCString() != null && src.readCString() != null && (dest.readCString().indexOf("frida")>=0 || src.readCString().indexOf("frida")>=0) )
    {
        //console.warn("memcpy : ",dest.readCString(),src.readCString());
        var buffer = dest.readCString();
        var buffer2 = src.readCString();
        // Replacements are applied in order; entries such as "frida-server" that
        // come after the plain "frida" replacement can no longer match.
        buffer = buffer.replaceAll("re.frida.server","StaySafeStayHappy");
        buffer = buffer.replaceAll("frida-agent-64.so","StaySafeStayHappy");
        buffer = buffer.replaceAll("rida-agent-64.so","StaySafeStayHappy");
        buffer = buffer.replaceAll("agent-64.so","StaySafeStayHappy");
        buffer = buffer.replaceAll("frida-agent-32.so","StaySafeStayHappy");
        buffer = buffer.replaceAll("frida-helper-32","StaySafeStayHappy");
        buffer = buffer.replaceAll("frida-helper","StaySafeStayHappy");
        buffer = buffer.replaceAll("frida-agent","StaySafeStayHappy");
        buffer = buffer.replaceAll("pool-frida","StaySafeStayHappy");
        buffer = buffer.replaceAll("frida","StaySafeStayHappy");
        buffer = buffer.replaceAll("/data/local/tmp","/data");
        buffer = buffer.replaceAll("server","StaySafeStayHappy");
        buffer = buffer.replaceAll("frida-server","StaySafeStayHappy");
        buffer = buffer.replaceAll("linjector","StaySafeStayHappy");
        buffer = buffer.replaceAll("gum-js-loop","StaySafeStayHappy");
        buffer = buffer.replaceAll("frida_agent_main","StaySafeStayHappy");
        buffer = buffer.replaceAll("gmain","StaySafeStayHappy");
        // Same replacement sequence, applied to the text read from src.
        buffer2 = buffer2.replaceAll("re.frida.server","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("frida-agent-64.so","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("rida-agent-64.so","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("agent-64.so","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("frida-agent-32.so","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("frida-helper-32","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("frida-helper","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("frida-agent","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("pool-frida","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("frida","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("/data/local/tmp","/data");
        buffer2 = buffer2.replaceAll("server","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("frida-server","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("linjector","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("gum-js-loop","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("frida_agent_main","StaySafeStayHappy");
        buffer2 = buffer2.replaceAll("gmain","StaySafeStayHappy");
        // NOTE(review): both writes ignore `len`, and the replacement text is
        // usually longer than what it replaces, so they can write past the end
        // of either buffer. The source buffer is modified too, which a memcpy
        // caller does not expect. Likely to corrupt or crash the instrumented
        // process.
        dest.writeUtf8String(buffer);
        src.writeUtf8String(buffer2);
       // console.log(buffer,buffer2);
        // Second real copy, with the original len, after src has been rewritten.
        return memcpy(dest, src, len);
    }

    // Reached on every memcpy call that did not take the branch above: each such
    // call re-assigns AlertDialog.show's implementation. The replacement still
    // shows the dialog, then marks it cancelable and dismissible by an outside
    // touch.
    // NOTE(review): this sits inside the memcpy wrapper, so it runs per call;
    // presumably it was meant to run once. Confirm against the original script.
    Java.performNow(function() {
        try {
            let AlertDialog = Java.use("android.app.AlertDialog");
            AlertDialog.show.implementation = function() {
                console.warn("Hooked AlertDialog.show()");
                //stacktrace()
                this.show();
                this.setCancelable(true);
                this.setCanceledOnTouchOutside(true);
            }
        } catch (error) {
            console.error("Error :", error);
        }
    })

    // Helper that logs the current Java stack trace via android.util.Log. It is
    // only referenced from the commented-out call above.
    function stacktrace() {
        Java.perform(function() {
            let AndroidLog = Java.use("android.util.Log");
            let ExceptionClass = Java.use("java.lang.Exception");
            console.warn(AndroidLog.getStackTraceString(ExceptionClass.$new()));
        });
    }
    
    // No marker seen: hand back the result of the first (and only) real copy.
    return retval;
}, 'pointer', ['pointer', 'pointer', 'int']))

});

reference

https://codeshare.frida.re/
