frida-gadget's Introduction

frida-gadget

frida-gadget is a tool for patching APKs so that they load the Frida Gadget.
It automates downloading the Frida gadget library and injecting the loadLibrary code into the main activity.

Installation

pip install frida-gadget --upgrade

Prerequisites

You should install Apktool and add it to your PATH environment variable.

# Install Apktool on macOS
brew install apktool

# Add Apktool to your PATH environment variable
export PATH=$PATH:$HOME/.brew/bin

For other operating systems, you can refer to the Install Guide.

Docker

The -v flag is used to bind mount the current directory to the /workspace/mount directory inside the container.
Ensure that your APK file is located in the current directory, or replace $APK_DIRECTORY with the path to the directory where the APK file is stored.

APK_DIRECTORY=$PWD
APK_FILENAME=example.apk
docker run -v "$APK_DIRECTORY/:/workspace/mount" ksg97031/frida-gadget "mount/$APK_FILENAME" --arch arm64

...
# The new APK is at $APK_DIRECTORY/example/dist/example.apk

Usage

$ frida-gadget --help
  Usage: cli.py [OPTIONS] APK_PATH

    Patch an APK with the Frida gadget library

  Options:
    --arch TEXT           Target architecture of the device. (options: arm64, x86_64, arm, x86)
    --main-activity TEXT  Specify the main activity if desired. (e.g., com.example.MainActivity)
    --sign                Automatically sign the APK using uber-apk-signer.
    --use-aapt2           Use aapt2 instead of aapt.
    --no-res              Do not decode resources.
    --skip-decompile      Skip decompilation if desired.
    --skip-recompile      Skip recompilation if desired.
    --version             Show version and exit.
    --help                Show this message and exit.

How do I begin?

Simply provide the APK file with the target architecture.

$ frida-gadget handtrackinggpu.apk --arch arm64 --sign
  [INFO] Auto-detected frida version: 16.1.3
  [INFO] APK: '[REDACTED]\demo-apk\handtrackinggpu.apk'
  [INFO] Gadget Architecture(--arch): arm64(default)
  [DEBUG] Decompiling the target APK using apktool
  [DEBUG] Downloading the frida gadget library for arm64
  [DEBUG] Checking internet permission and extractNativeLibs settings
  [DEBUG] Adding 'android.permission.INTERNET' permission to AndroidManifest.xml
  [DEBUG] Searching for the main activity in the smali files
  [DEBUG] Found the main activity at '[REDACTED]\frida-gadget\tests\demo-apk\handtrackinggpu\smali\com\google\mediapipe\apps\handtrackinggpu\MainActivity.smali'
  [DEBUG] Locating the onCreate method and injecting the loadLibrary code
  [DEBUG] Recompiling the new APK using apktool
  ...
  I: Building apk file...
  I: Copying unknown files/dir...
  I: Built apk into: [REDACTED]\demo-apk\handtrackinggpu\dist\handtrackinggpu.apk
  [INFO] Success
  ...

$ unzip -l [REDACTED]\demo-apk\handtrackinggpu\dist\handtrackinggpu.apk | grep libfrida-gadget
  21133848  09-15-2021 02:28   lib/arm64-v8a/libfrida-gadget-16.1.3-android-arm64.so

How do I find the device architecture?

Connect your device and run the following command:

adb shell getprop ro.product.cpu.abi

This command will output the architecture of your device, such as arm64-v8a, armeabi-v7a, x86, or x86_64.

- Most modern Android emulators use the x86_64 architecture.
- Newer high-end devices typically use arm64-v8a.
- Older or lower-end devices might use armeabi-v7a.
- Some specific emulators or devices may still use x86.

How to identify the injection?

Decompile the patched APK and look at the main activity; the injected loadLibrary code will be visible there.

https://github.com/ksg97031/frida-gadget/blob/trunk/images/decompile.png
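
The two checks described on this page (the bundled gadget library and the loadLibrary call in the main activity) can be scripted. This is an added example, not code from the frida-gadget project: it assumes the injected code has the usual smali shape for System.loadLibrary (a const-string followed by invoke-static), the function names are hypothetical, and the sample APK and smali are constructed.

```python
import io
import re
import zipfile

# lib/<abi>/libfrida-gadget*.so, the layout shown in the unzip listing above
GADGET_LIB = re.compile(r"^lib/([^/]+)/lib(frida-gadget[^/]*)\.so$")
# Assumed injected shape: const-string vN, "<name>" then invoke-static {vN}
CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"([^"]*)"')
LOAD_LIBRARY = re.compile(
    r"^\s*invoke-static(?:/range)?\s*\{\s*([vp]\d+)[^}]*\},\s*"
    r"Ljava/lang/System;->loadLibrary\(Ljava/lang/String;\)V")

# Constructed samples (not from a real app): a patched activity, an APK-like zip
SAMPLE_SMALI = """\
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    const-string v0, "frida-gadget-16.1.3-android-arm64"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    return-void
.end method
"""

def sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libfrida-gadget-16.1.3-android-arm64.so", b"")
    return buf

def gadget_libs(apk):
    """Return {abi: name as passed to loadLibrary} for each bundled gadget."""
    with zipfile.ZipFile(apk) as zf:
        return {m[1]: m[2] for m in map(GADGET_LIB.match, zf.namelist()) if m}

def loaded_libraries(smali_text):
    """Resolve each System.loadLibrary call to the string in its register."""
    strings, loaded = {}, []
    for line in smali_text.splitlines():
        if line.lstrip().startswith(".method"):
            strings = {}  # registers are scoped to one method
        elif m := CONST_STRING.match(line):
            strings[m.group(1)] = m.group(2)
        elif m := LOAD_LIBRARY.match(line):
            loaded.append(strings.get(m.group(1)))
    return loaded

def check_patch(apk, smali_text):
    """Map each bundled ABI to True if the activity loads that gadget by name."""
    loaded = set(loaded_libraries(smali_text))
    return {abi: name in loaded for abi, name in gadget_libs(apk).items()}
```

Pass `check_patch` the path to the rebuilt APK and the text of the main activity's smali file from the apktool output directory; an ABI mapped to False means the library is bundled but the activity never loads it.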

Resigning the APK

After modifying the APK, you need to re-sign it.
You can quickly re-sign your application with the --sign option.
This option uses uber-apk-signer.

Contributing

frida-gadget's People

Contributors

developermarius, kazo391, ksg97031, rtfmkiesel

frida-gadget's Issues

Invalid register error

disclaimer: I'm really new to apk patching, I don't know what I'm doing

I'm trying to patch an app so I can debug it. When I use

frida-gadget base.apk --arch arm64

I get the error:

I: Smaling smali folder into classes.dex...
[[edited]]/SplashActivity.smali[545,4] Invalid register: v19. Must be between v0 and v15, inclusive.
Could not smali file: [[edited]]/SplashActivity.smali
[ERROR] Try recompile the APK manually using the '--skip-recompile' option.
Traceback (most recent call last):
  File "/opt/homebrew/bin/frida-gadget", line 8, in <module>
    sys.exit(run())
             ^^^^^
  File "/opt/homebrew/lib/python3.11/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/lib/python3.11/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/opt/homebrew/lib/python3.11/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/lib/python3.11/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/lib/python3.11/site-packages/scripts/cli.py", line 279, in run
    run_apktool(recompile_option, str(decompiled_path.resolve()))
  File "/opt/homebrew/lib/python3.11/site-packages/scripts/cli.py", line 56, in run_apktool
    raise subprocess.CalledProcessError(process.returncode, cmd,

Adding --use-aapt2 --no-res, as suggested by the app, didn't help.

Exception: Not Found, target class file: LoginActivity.smali

[DEBUG] Searching the main activity from smali files
Traceback (most recent call last):
  File "/usr/local/bin/frida-gadget", line 8, in <module>
    sys.exit(run())
  File "/usr/local/lib/python3.10/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.10/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.10/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/scripts/cli.py", line 132, in run
    raise Exception("Not Found, target class file: " + ".".join(main_activity))
Exception: Not Found, target class file: LoginActivity.smali

OnCreate error

[ERROR] Can't find the onCreate method in main activity

Sir, this error is coming for an app I'm trying; maybe it doesn't have onCreate in the main activity. Is there any alternative way to add frida-gadget?

Seems not working for Apple Silicon processor

WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
rosetta error: Unimplemented syscall number 284 %

Newbie like the other issue, but different error

After running the command, I get this error:

[DEBUG] Auto-detected your frida version: 16.1.9
[DEBUG] Downloading the frida gadget library(16.1.9) for arm64
[DEBUG] Checking internet permission and extractNativeLibs settings
[DEBUG] Searching for the main activity in the smali files
[DEBUG] Found the main activity at '/Users/austin/Documents/GitHub/SteamLinx/SteamLinx/smali/crc642612969569d7a084/WelcomeActivity.smali'
[DEBUG] Locating the entrypoint method and injecting the loadLibrary code
Traceback (most recent call last):
  File "/Users/austin/.pyenv/versions/3.11.3/bin/frida-gadget", line 8, in <module>
    sys.exit(run())
             ^^^^^
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/scripts/cli.py", line 268, in run
    inject_gadget_into_apk(apk_path, arch, decompiled_path)
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/scripts/cli.py", line 198, in inject_gadget_into_apk
    insert_loadlibary(decompiled_path, main_activity, load_library_name)
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/scripts/cli.py", line 119, in insert_loadlibary
    locals_variable_count = min(int(locals_line_bit[1]), 15)
                                    ~~~~~~~~~~~~~~~^^^
IndexError: list index out of range
➜ SteamLinx

AttributeError: 'NoneType' object has no attribute 'replace'

apk: https://drive.google.com/file/d/1zmJMWgPpSZF0UXjY0BTFlg-wWnyaB-35/view?usp=sharing
game: com.EngineOrganic.HAX_Demo https://sidequestvr.com/app/3366/hax-demo

[DEBUG] Auto-detected your frida version: 16.2.1
[DEBUG] Downloading the frida gadget library(16.2.1) for arm64
[DEBUG] Checking internet permission and extractNativeLibs settings
[DEBUG] Adding 'android.permission.INTERNET' permission to AndroidManifest.xml
[DEBUG] Searching for the main activity in the smali files
Traceback (most recent call last):
  File "E:\ProgramData\Anaconda3\envs\frida\lib\runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "E:\ProgramData\Anaconda3\envs\frida\lib\runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "E:\ProgramData\Anaconda3\envs\frida\Scripts\frida-gadget.exe\__main__.py", line 7, in <module>
    sys.exit(run())
  File "E:\ProgramData\Anaconda3\envs\frida\lib\site-packages\click\core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
  File "E:\ProgramData\Anaconda3\envs\frida\lib\site-packages\click\core.py", line 1078, in main
    rv = self.invoke(ctx)
  File "E:\ProgramData\Anaconda3\envs\frida\lib\site-packages\click\core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "E:\ProgramData\Anaconda3\envs\frida\lib\site-packages\click\core.py", line 783, in invoke
    return __callback(*args, **kwargs)
  File "E:\ProgramData\Anaconda3\envs\frida\lib\site-packages\scripts\cli.py", line 270, in run
    inject_gadget_into_apk(apk_path, arch, decompiled_path)
  File "E:\ProgramData\Anaconda3\envs\frida\lib\site-packages\scripts\cli.py", line 200, in inject_gadget_into_apk
    insert_loadlibary(decompiled_path, main_activity, load_library_name)
  File "E:\ProgramData\Anaconda3\envs\frida\lib\site-packages\scripts\cli.py", line 93, in insert_loadlibary
    target_relative_path = main_activity.replace(".", os.sep)
AttributeError: 'NoneType' object has no attribute 'replace'

Missing directory results in FileNotFoundError

The folder files does not exist when installing via pip or setup.py. This makes with open(output_file, 'wb') as asset error during download of the gadgets since output_file is venv/lib/python3.10/site-packages/scripts/files/frida-gadget-16.1.3-android-arm64.so.xz.

Workaround: mkdir venv/lib/python3.10/site-packages/scripts/files. (your path may vary)
Fix: Create the folder inside the python script or change the download path to an existing folder.
