---
title: Frida & R2Frida
categories: [cheatsheets]
tags: [reversing, mobile]
---

# Frida and r2frida on Android Apps

## Workflow ~ initial

* Set up the phone (rooted = better).
* Download frida-server (arm64) and move it to the phone: `adb push frida-server /data/local/tmp/frida-server && adb shell "chmod 755 /data/local/tmp/frida-server"`
* Connect to the server using Frida/r2frida.

### Frida

* Test the connection with `frida-ps -U`, which lists all processes on the device.
* List all devices: `frida-ls-devices -U`
* Interactive scripting with `frida -U -f com.app.name` (`-f` spawns the application instead of attaching to a running process (1)).

### r2frida

* To interact with it: `radare2 frida://<device-id>/<pid,name, ..>`
* Get the device id with `frida-ls-devices -U`.
* Use two slashes to tell r2frida to start the application if it is not already running (1).
* All Frida commands can be used with `\<command>`, for example `\?` to view the help page.
* List all Java classes: `\ic` (2)

## Hooking Functions

## Notes

* (1) Spawning the app with Frida (rather than attaching) can bypass security mechanisms, because the app is instrumented before its own startup code runs.
* (2) This works better than the Java.Enumerate...Classes() function in Frida.
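Added example (not from the original cheatsheet): a small Frida script for the spawn workflow above, loaded with `frida -U -f com.app.name -l list-classes.js`, that lists the loaded Java classes belonging to the app's own package and groups them by sub-package. `com.app.name` is the cheatsheet's placeholder package; `filterClasses`/`countBySubpackage` and the sample class list are constructed here for illustration. Because the Frida `Java` bridge only exists inside the instrumented process, the helpers are kept pure so they can also be exercised offline.

```javascript
// Added example for the Frida cheatsheet, not part of the original page.
// Load with: frida -U -f com.app.name -l list-classes.js
// Package prefix 'com.app.name' is the cheatsheet's placeholder.

// Pure helper (constructed here): keep only class names directly under
// `prefix`, de-duplicated and sorted so two runs can be diffed easily.
function filterClasses(names, prefix) {
  const seen = new Set();
  for (const n of names) {
    if (n.startsWith(prefix + '.')) {
      seen.add(n);
    }
  }
  return Array.from(seen).sort();
}

// Pure helper (constructed here): count classes per immediate sub-package,
// e.g. 'com.app.name.net.ApiClient' -> key 'net'; classes with no
// sub-package are counted under '(root)'.
function countBySubpackage(names, prefix) {
  const counts = {};
  for (const n of filterClasses(names, prefix)) {
    const rest = n.slice(prefix.length + 1);
    const sub = rest.includes('.') ? rest.split('.')[0] : '(root)';
    counts[sub] = (counts[sub] || 0) + 1;
  }
  return counts;
}

// Frida runtime part: only executes inside the instrumented app, where the
// `Java` bridge is defined. Under plain Node.js this branch is skipped.
if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    // Java.enumerateLoadedClassesSync() is the real Frida API; returns string[]
    const all = Java.enumerateLoadedClassesSync();
    const mine = filterClasses(all, 'com.app.name');
    console.log('[*] ' + all.length + ' classes loaded, ' + mine.length + ' under com.app.name');
    mine.forEach(function (c) { console.log(c); });
    console.log(JSON.stringify(countBySubpackage(all, 'com.app.name'), null, 2));
  });
}

// Constructed sample input so the helpers can be run outside Frida.
const SAMPLE_CLASSES = [
  'android.app.Activity',
  'com.app.name.MainActivity',
  'com.app.name.net.ApiClient',
  'com.app.name.net.TokenStore',
  'com.app.name.MainActivity',   // duplicate, collapsed by filterClasses
  'com.app.nameplus.Other',      // different package, must not match
  'java.lang.String',
];
```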