Tutorial FRIDA API Set Up and Injection (Hook,Unity)

Theeundertakeer

Platinian
Good day dear comrades. After having had successful experience with many games with the help of FRIDA, I want to share a tutorial on how to use the FRIDA API to hook a method and change its return values.
Prerequisites:
  1. Basic Knowledge in JavaScript
  2. Basic knowledge of dnSpy and the DLL dumper
  3. Basic Android SDK knowledge
  4. Rooted Android Phone
* If there is enough interest in this tutorial, I will make a separate tutorial on how to use FRIDA with non-rooted Android phones.

So let's get started. First you need to download the frida-server binary by following this link - Frida API. Here you need to choose the architecture your phone is running (99% of the time it is ARM64), so choose that one.

Connect your phone to your PC/laptop.
Download Minimal ADB, or if you have Android Studio, that is enough.

Open CMD and type the following commands in order.

Code:
adb devices -l

This will list your connected devices; make sure your device shows up there. Then type:

Code:
adb push frida-server /data/local/tmp/

This will push our downloaded frida-server into the phone's temporary storage. (Be advised that you need to specify the path to the downloaded frida-server file, and its exact name, as well.)

Then:

Code:
adb shell "chmod 755 /data/local/tmp/frida-server"

And the last and most important one:

Code:
adb shell "su -c /data/local/tmp/frida-server &"

If nothing is printed after our last command, it means your server is now running and listening for incoming FRIDA connections. Press Ctrl+C to get the prompt back and type the next commands:

Now we need to run Frida and start listening for events, but before that we need a JavaScript script that tells Frida what we are going to do.

This is a basic and widely used example of a JavaScript hook. Create a JavaScript file and paste this code:


JavaScript:
// Offset of the target method inside libil2cpp.so (taken from the dump)
var offsetAddress = 0x323F8F8;

// Base address of the Unity native library plus the offset = the function's address
var func_ptr = Module.findBaseAddress('libil2cpp.so').add(offsetAddress);

Interceptor.attach(func_ptr, {
    // Called every time the hooked function is entered
    onEnter: function (args) {
        console.log("method was called");
    },
    // Called right before the hooked function returns
    onLeave: function (retval) {
        console.log("exiting method and returning value");
        // Overwrite the value the function is about to return
        retval.replace(10000000);
    }
});


So let's break this down now:

First of all, you are creating a pointer to our Unity library (libil2cpp.so) and adding the offset, which we are going to get through the DLL dumper.

Then you attach the Interceptor to listen for the function's invocation (this is your hook on the function).

Interceptor gives 2 callbacks: one when the function is entered, and a second when you are about to leave the function, which is where we are going to return a different value and crack the method.

Now go ahead and download the dumper from this link - Dumper. Run the exe file and choose the corresponding libil2cpp.so and global-metadata.dat files (I am not going to cover decompiling the apk in this tutorial).

After you get the dumped DLLs, head to the dnSpy site and download it - DNSpy

Open the DLLs that were dumped into the DummyDll folder and look for your desired method.

I will cover 2 cases: returning a boolean and returning an integer.

So let's say we have a decompiled DLL method like this:
C#:
[Token(Token = "0x6000058")]
[Address(RVA = "0x323F8F8", Offset = "0x374757", VA = "0x323F8F8", Slot = "23")]
public bool CanBuy(Currency money)
{
    return default(bool);
}
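Because the address is copied by hand from the dump, a small parser that pulls the method name, return type, RVA and Offset out of the dumped C# stub removes the risk of a mistyped digit. The following is an added example written for this tutorial, not code from the original post or from Il2CppDumper, dnSpy or Frida. It assumes the dump places the `[Address(RVA = "...", Offset = "...")]` attribute line directly above the method signature, as in the CanBuy stub above; the second method in the sample text (GetCoins) is constructed for the example. RVA and Offset are kept as separate fields because the two only coincide when a segment's file offset equals its virtual address, and a hook placed at the wrong one lands in unrelated code.

```javascript
// Added example for this tutorial (not from the original post, Il2CppDumper,
// dnSpy or Frida): parse Il2CppDumper-style C# stubs and extract each
// method's name, return type, RVA and file Offset so the value copied into
// the Frida script is taken from the dump rather than retyped by hand.
// Assumption: the [Address(...)] attribute sits directly above the signature.

// Constructed sample: the tutorial's CanBuy stub plus a made-up GetCoins method.
const SAMPLE_DUMP = `
        [Token(Token = "0x6000058")]
        [Address(RVA = "0x323F8F8", Offset = "0x374757", VA = "0x323F8F8", Slot = "23")]
        public bool CanBuy(Currency money)
        {
            return default(bool);
        }

        [Token(Token = "0x6000059")]
        [Address(RVA = "0x323FA10", Offset = "0x374870", VA = "0x323FA10")]
        public int GetCoins()
        {
            return default(int);
        }
`;

// Matches the attribute line and captures everything inside Address(...).
const ADDRESS_RE = /\[Address\(([^\]]*)\)\]/;
// Matches a C# method signature: modifiers, return type, name, parameter list.
const SIGNATURE_RE =
  /^\s*(?:(?:public|private|protected|internal)\s+)?(?:static\s+)?(?:(?:override|virtual|abstract)\s+)?([\w<>\[\],.]+)\s+(\w+)\s*\(([^)]*)\)/;

// Turn `RVA = "0x1", Offset = "0x2"` into { RVA: 1, Offset: 2, ... };
// hex strings become numbers, anything else (e.g. Slot) stays a string.
function parseAddressAttr(body) {
  const fields = {};
  for (const m of body.matchAll(/(\w+)\s*=\s*"([^"]*)"/g)) {
    fields[m[1]] = /^0x[0-9a-f]+$/i.test(m[2]) ? parseInt(m[2], 16) : m[2];
  }
  return fields;
}

// Walk the dump line by line; every Address attribute is paired with the
// first non-attribute line after it, which is the method signature.
function parseDumpMethods(text) {
  const lines = text.split('\n');
  const methods = [];
  for (let i = 0; i < lines.length; i++) {
    const addr = ADDRESS_RE.exec(lines[i]);
    if (!addr) continue;
    let j = i + 1;
    while (j < lines.length && lines[j].trim().startsWith('[')) j++;
    const sig = SIGNATURE_RE.exec(lines[j] || '');
    if (!sig) continue; // attribute without a recognisable signature: skip it
    const fields = parseAddressAttr(addr[1]);
    methods.push({
      name: sig[2],
      returnType: sig[1],
      params: sig[3].trim(),
      rva: fields.RVA,
      offset: fields.Offset,
    });
  }
  return methods;
}

// Look up one method by name; returns null when the dump does not contain it.
function findMethod(text, name) {
  return parseDumpMethods(text).find((m) => m.name === name) || null;
}

// Format a number the way the dump prints it, for copying into a script.
function toHex(n) {
  return '0x' + n.toString(16).toUpperCase();
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of parseDumpMethods(SAMPLE_DUMP)) {
    console.log(`${m.returnType} ${m.name}(${m.params}) RVA=${toHex(m.rva)} Offset=${toHex(m.offset)}`);
  }
}
```

Run it with node: it prints every method in the sample with both values side by side, and `findMethod` returns null (rather than a half-filled record) when the name you ask for is not in the dump, which is the case worth checking before copying anything into the script.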

Now we want to modify this method so it will always return true:

* Notice: you can modify the JavaScript file after you have executed it on the device; save it and it will automatically be reloaded, so you won't need to rerun the command that attaches Frida to the device.

So let's now modify our script and finally start FRIDA.

Take note of the offset from CanBuy and copy it into your JavaScript's offset variable like so:


JavaScript:
// Offset copied from the CanBuy dump above
var offsetAddress = 0x374757;

// Base address of libil2cpp.so plus the offset = address of CanBuy
var func_ptr = Module.findBaseAddress('libil2cpp.so').add(offsetAddress);

Interceptor.attach(func_ptr, {
    // Called every time CanBuy is entered
    onEnter: function (args) {
        console.log("method was called");
    },
    // Called right before CanBuy returns (nothing is changed yet)
    onLeave: function (retval) {
        console.log("exiting method and returning value");
    }
});


Now save it, open CMD and run this command:

As you've already run adb devices -l, take note of the DEVICE ID and run this:

Code:
frida -D <your device id> -l <path to your script (you can drag and drop it onto CMD as well)> -f <"the package name of the application">

So the final result would look something like this:

Code:
frida -D 1990303193 -l C:\Users\vladi\Desktop\my_hackable_script.js -f "com.hackedapp.something"

As soon as you hit Enter you will be brought to the FRIDA shell, where you need to quickly type:

Code:
%resume

to resume the main thread so your app won't freeze and crash.

At this point your script is loaded and hooked to a function, but there is 1 more thing left - to actually hack it!

Now change your script like this:

JavaScript:
// Offset copied from the CanBuy dump above
var offsetAddress = 0x374757;

// Base address of libil2cpp.so plus the offset = address of CanBuy
var func_ptr = Module.findBaseAddress('libil2cpp.so').add(offsetAddress);

Interceptor.attach(func_ptr, {
    // Called every time CanBuy is entered
    onEnter: function (args) {
        console.log("method was called");
    },
    // Called right before CanBuy returns
    onLeave: function (retval) {
        console.log("exiting method and returning value");
        // Replace the boolean result with 1 (true)
        retval.replace(1);
    }
});

So we added one small line - "retval.replace(1)". In general it means: whenever the function is called and is about to leave, return the number 1 (or true) instead.

So for booleans you can return 1 as true and 0 as false. Now press Ctrl+S to save it; there is nothing else to do, just try to buy anything and you'll see that the function is called and you have changed its return value.

Exactly the same goes for manipulating numeric values: for money hacks you could return 10000000000 like so - "retval.replace(1000000)", or if you need a double, "retval.replace(1000000.00)".


This is it. Experiment with this, as this tool is super handy and gives you tons of control, but be advised that whenever you terminate the frida server your function acts as usual again, so don't expect your function to stay changed: it only changes at runtime while Frida is connected, not forever. It is useful to hack money, hack some achievements or bypass any boolean condition that may be there.

Hope you liked it.

If you have any questions, don't hesitate to comment and ask me.
 
Nice tutorial!
Hello friend! I would like to know if it is possible to work with Vector3 and Quaternion types.

Thank you!

As long as you have the correct offset of the Vector3 variable or method, you can hook to it and change its values; in fact Vector is just a wrapper class which still contains primitive data types, so you can go to the Vector class, find the offset of the float which is being returned, change it, and voila, you have done it.
 
I meant hooking a field, not just methods with long offsets; how about short-offset fields?
And things like aimbot or ESP that require complex combinations of code, can they be done too by that?
 