# APP Tracing with Frida

### 01. Introduction

> Frida is a dynamic code instrumentation toolkit. It lets you inject your script into black-box processes(No source code needed). It allows you to inject your own code and to programmatically and interactively inspect and change running processes.
>
> Frida, on the other hand, allows you to interact with the Android APK so you can inject code to bypass many of the techniques developers use to secure the apps.

Goal of this exercise is to trace the CrackmeSimple application with frida and find a way to decode the password.

<div align="center"><img src="/files/dNzM667uMmw73rFh2zvk" alt=""></div>

APK File:

{% embed url="<https://www.dropbox.com/s/oollff62pg86q5z/CrackmeSimple.apk?dl=0>" %}

### 02. Install Frida

If you haven't setup frida you can install it with the following commands:

```
pipenv –python 3 shell
pip install frida
pip install frida-tools

git clone https://github.com/Hamz-a/frida-android-helper.git
cd frida-android-helper
python3 setup.py install
```

In Android Studio I'll setup a Nexus 5 Device with Android 9.0 running on it. This version works much more stable and faster in my virtual environment than other Android Images I’ve tested before.

<div align="left"><img src="/files/Zjp19vhyFmFTmKeOTdia" alt=""></div>

Install the APK File on the device:

```
adb install CrackmeSimple.apk
```

### 03. Tracing the app

First we must push the frida server on the device

```
python fah.py server update
```

Starting the frida server as root on the device:

```
adb shell
su 
cd /data/local/temp 
./frida-server &
```

![](/files/WNxVxhPqtzrdUANM8HJt)

List running processes with frida:

```
frida-ps -U
```

List running applications with frida:

```
frida-ps -Ua
```

List installed applications with frida:

```
frida-ps -Uai
```

![](/files/pyYFWTafCHXTC6HkSFc3)

I try to hook all imported classes with the following command:

```
frida-trace -U -j 'org.bfe*!*' 'CrackMe*' 
```

Frida catched 39 classes. Let's see what we get when I type a wrong password:

![](/files/lsaQIbleSk1SedN6NJy8)

Let's have a closer look on the return values:

```
<= [72,76,123,82,51,118,51,114,115,105,110,103,46,70,85,78,125]
```

### 04. Decoding with Cyberchef

I'll use Cyberchef to decode the values:

<div align="left"><img src="/files/q25OjeekdHdVhE5nVR8X" alt=""></div>

![](/files/laOmWTX5xK6WkGF7PopU)

<div align="left"><img src="/files/2W9OYzCqpdO71F8cPgdO" alt=""></div>

<div align="center"><img src="/files/ONDgu9c8RlTS15XeFUhD" alt=""></div>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://cas-cyber.gitbook.io/cas-cybersecurity/android-malware/app-tracing-with-frida.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.