Author: admin

Reverse Engineering Android Crypto: Unveiling Secrets with Advanced Frida Hooks

Introduction: The Crucial Role of Cryptography in Android Security

In the vast landscape of Android applications, cryptography stands as a cornerstone of security, protecting sensitive user data, communication channels, and intellectual property. However, poorly implemented or misunderstood cryptographic schemes can introduce severe vulnerabilities. For penetration testers, security researchers, and reverse engineers, the ability to inspect and manipulate an application’s cryptographic operations is paramount. This article delves into advanced techniques for reverse engineering Android application cryptography using Frida, a dynamic instrumentation toolkit, to unveil hidden keys, IVs, plaintext, and ciphertext.

Understanding an application’s cryptographic routines allows us to identify weaknesses, bypass licensing mechanisms, or even create custom tools to interact with proprietary protocols. While static analysis (e.g., using JADX or Ghidra) can provide initial insights into an app’s structure and API calls, dynamic analysis with Frida offers unparalleled visibility into runtime values and execution flow, making it an indispensable tool for cracking crypto secrets.

Prerequisites and Environment Setup

Before diving into advanced Frida hooks, ensure you have the following tools and a suitable environment configured:

Rooted Android Device or Emulator: Necessary for running Frida server and debugging.
ADB (Android Debug Bridge): For interacting with your Android device/emulator.
Frida: The dynamic instrumentation toolkit. Install the CLI tools on your host machine and the Frida server on your target Android device.
A Target Android Application: For this tutorial, we’ll assume a hypothetical application that performs some form of encryption/decryption using standard Java Crypto Architecture (JCA) APIs.
Basic JavaScript Knowledge: Frida scripts are written in JavaScript.

Installing Frida and ADB

On your host machine, install Frida CLI:

pip install frida-tools

Download the appropriate `frida-server` for your Android device’s architecture from Frida Releases. Push it to your device and run it:

adb push frida-server-<arch> /data/local/tmp/frida-serveradb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &"

Identifying Android Crypto APIs

Android applications primarily use the Java Cryptography Architecture (JCA) for cryptographic operations. Key classes to look out for include:

javax.crypto.Cipher: For encryption and decryption.
javax.crypto.spec.SecretKeySpec: For creating secret keys from byte arrays.
javax.crypto.spec.IvParameterSpec: For creating initialization vectors (IVs).
java.security.MessageDigest: For hashing functions.
javax.crypto.KeyGenerator: For generating symmetric keys.

Static analysis with tools like JADX or Ghidra can help locate calls to these classes within the target application’s bytecode. Search for `Cipher.getInstance`, `SecretKeySpec`, `doFinal`, etc. This initial reconnaissance provides a roadmap for where to place your Frida hooks.

Basic Interception: Hooking Cipher.getInstance()

The first step in understanding an application’s crypto is to identify which algorithms, modes, and padding schemes are being used. `Cipher.getInstance()` is the perfect place to start. It takes a transformation string (e.g., “AES/CBC/PKCS5Padding”).

Java.perform(function () {    var Cipher = Java.use('javax.crypto.Cipher');    Cipher.getInstance.overload('java.lang.String').implementation = function (transformation) {        console.log("[+] Cipher.getInstance called with: " + transformation);        return this.getInstance(transformation);    };    // This hook is for when a Provider is explicitly specified    Cipher.getInstance.overload('java.lang.String', 'java.lang.String').implementation = function (transformation, provider) {        console.log("[+] Cipher.getInstance called with: " + transformation + ", Provider: " + provider);        return this.getInstance(transformation, provider);    };});

To run this script (e.g., `hook_cipher_instance.js`) against your target app:

frida -U -f com.example.targetapp -l hook_cipher_instance.js --no-pause

Replace `com.example.targetapp` with your application’s package name. When the app initializes a `Cipher` object, you’ll see the transformation string logged.

Advanced Interception: Extracting Keys, IVs, and Data

Knowing the transformation is just the beginning. We need the actual cryptographic parameters: the secret key and the initialization vector (IV). We also want to see the plaintext before encryption and the ciphertext after. This requires hooking `SecretKeySpec`, `IvParameterSpec`, and `Cipher.doFinal()` or `Cipher.update()`.

Hooking SecretKeySpec and IvParameterSpec

Keys and IVs are often constructed from byte arrays. `SecretKeySpec` and `IvParameterSpec` are standard ways to encapsulate these bytes for use with a `Cipher` object.

function bytesToHex(bytes) {    if (!bytes) return "null";    var result = '';    for (var i = 0; i < bytes.length; i++) {        result += (bytes[i] & 0xff).toString(16).padStart(2, '0');    }    return result;}Java.perform(function () {    // Hook SecretKeySpec constructor to get the key    var SecretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');    SecretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function (keyBytes, algorithm) {        console.log("[+] SecretKeySpec created.");        console.log("  Key (hex): " + bytesToHex(keyBytes));        console.log("  Algorithm: " + algorithm);        this.$init(keyBytes, algorithm);    };    // Hook IvParameterSpec constructor to get the IV    var IvParameterSpec = Java.use('javax.crypto.spec.IvParameterSpec');    IvParameterSpec.$init.overload('[B').implementation = function (ivBytes) {        console.log("[+] IvParameterSpec created.");        console.log("  IV (hex): " + bytesToHex(ivBytes));        this.$init(ivBytes);    };});

By running this script, you’ll capture the raw bytes of the secret key and IV as they are being initialized. The `bytesToHex` helper function is crucial for displaying byte arrays in a readable format.

Extracting Plaintext and Ciphertext

The `Cipher.doFinal()` method is where the actual encryption or decryption happens. By hooking its various overloads, we can capture the input (plaintext for encryption, ciphertext for decryption) and the output (ciphertext for encryption, plaintext for decryption).

Java.perform(function () {    var Cipher = Java.use('javax.crypto.Cipher');    // Hook doFinal(byte[] input)    Cipher.doFinal.overload('[B').implementation = function (input) {        var operationMode = this.getMode(); // 1=ENCRYPT_MODE, 2=DECRYPT_MODE        console.log("n[+] Cipher.doFinal(byte[]) called. Mode: " + operationMode);        console.log("  Input (hex): " + bytesToHex(input));        var output = this.doFinal(input);        console.log("  Output (hex): " + bytesToHex(output));        if (operationMode === 1) { // ENCRYPT_MODE            console.log("  Plaintext: " + hextoAscii(bytesToHex(input)));            console.log("  Ciphertext: " + hextoAscii(bytesToHex(output)));        } else if (operationMode === 2) { // DECRYPT_MODE            console.log("  Ciphertext: " + hextoAscii(bytesToHex(input)));            console.log("  Plaintext: " + hextoAscii(bytesToHex(output)));        }        return output;    };    // Helper function to convert hex string to ASCII for readability (might not always be ASCII)    function hextoAscii(hex) {        var str = '';        for (var i = 0; i < hex.length; i += 2) {            str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));        }        return str;    }    // Add other doFinal overloads as needed:    // doFinal(byte[] input, int inputOffset, int inputLen)    Cipher.doFinal.overload('[B', 'int', 'int').implementation = function (input, inputOffset, inputLen) {        // ... similar logic ...        return this.doFinal(input, inputOffset, inputLen);    };    // doFinal(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset)    // ... etc.});

The `getMode()` call helps differentiate between encryption and decryption operations. The `hextoAscii` function is a simple utility to try and interpret the byte arrays as ASCII characters, which is useful for text-based payloads. Remember that cryptographic data is often arbitrary binary data, not always human-readable ASCII.

Putting It All Together: A Comprehensive Crypto Scraper

Combining these hooks allows you to build a powerful script to scrape most of the necessary cryptographic information in one go. Here’s a consolidated example:

function bytesToHex(bytes) {    if (!bytes) return "null";    var result = '';    for (var i = 0; i < bytes.length; i++) {        result += (bytes[i] & 0xff).toString(16).padStart(2, '0');    }    return result;}function hextoAscii(hex) {    var str = '';    for (var i = 0; i = 32 && charCode <= 126) { // Printable ASCII range            str += String.fromCharCode(charCode);        } else {            str += '.'; // Replace non-printable characters with a dot        }    }    return str;}Java.perform(function () {    console.log("[+] Starting Android Crypto Interception with Frida...");    // 1. Hook Cipher.getInstance()    var Cipher = Java.use('javax.crypto.Cipher');    Cipher.getInstance.overload('java.lang.String').implementation = function (transformation) {        console.log("n[!] Cipher.getInstance (Transformation): " + transformation);        return this.getInstance(transformation);    };    Cipher.getInstance.overload('java.lang.String', 'java.lang.String').implementation = function (transformation, provider) {        console.log("n[!] Cipher.getInstance (Transformation, Provider): " + transformation + ", " + provider);        return this.getInstance(transformation, provider);    };    // 2. Hook SecretKeySpec constructor    var SecretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');    SecretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function (keyBytes, algorithm) {        console.log("n[!] SecretKeySpec (Key): ");        console.log("  Algorithm: " + algorithm);        console.log("  Key (hex): " + bytesToHex(keyBytes));        // Optionally store the key for later use with doFinal hooks if needed        this.$init(keyBytes, algorithm);    };    // 3. Hook IvParameterSpec constructor    var IvParameterSpec = Java.use('javax.crypto.spec.IvParameterSpec');    IvParameterSpec.$init.overload('[B').implementation = function (ivBytes) {        console.log("n[!] IvParameterSpec (IV): ");        console.log("  IV (hex): " + bytesToHex(ivBytes));        this.$init(ivBytes);    };    // 4. Hook Cipher.doFinal() for data interception    Cipher.doFinal.overload('[B').implementation = function (input) {        var opMode = this.getMode();        console.log("n[!] Cipher.doFinal (Data Intercepted). Operation Mode: " + (opMode === 1 ? "ENCRYPT" : "DECRYPT"));        console.log("  Input (hex): " + bytesToHex(input));        console.log("  Input (ASCII): " + hextoAscii(bytesToHex(input)));        var output = this.doFinal(input);        console.log("  Output (hex): " + bytesToHex(output));        console.log("  Output (ASCII): " + hextoAscii(bytesToHex(output)));        return output;    };    // You can add more overloads for doFinal and update methods as observed in static analysis});

This script provides a solid foundation. Save it as `crypto_scraper.js` and run it with `frida -U -f com.example.targetapp -l crypto_scraper.js –no-pause`. Interact with the application to trigger cryptographic operations, and observe the detailed output in your console.

Dealing with Obfuscation and Native Code Crypto

Obfuscation

Android applications often employ obfuscation techniques (e.g., ProGuard, DexGuard) to make reverse engineering harder. This renames classes, methods, and fields. When static analysis shows `a.b.c` instead of `javax.crypto.Cipher`, you’ll need to adapt your Frida hooks.

Method Tracing: Use Frida’s `Java.use(‘className’).method.overload().implementation` to trace method calls and identify the real obfuscated class names.
Dynamic Enumeration: Frida can enumerate loaded classes and their methods. Look for methods taking `byte[]` and returning `byte[]` in suspected crypto classes.

// Example of finding obfuscated Cipher class by method signatureJava.perform(function () {    Java.enumerateLoadedClasses({        onMatch: function (className) {            if (className.includes('com.example.targetapp')) { // Narrow down search                try {                    var targetClass = Java.use(className);                    targetClass.methods.forEach(function (method) {                        if (method.name.includes('doFinal') || method.name.includes('update')) {                            console.log("Possible crypto method: " + className + "." + method.name);                        }                    });                } catch (e) {                    // Ignore classes that cannot be used                    // console.log("Error accessing class: " + className + ", " + e);                }            }        },        onComplete: function () {            console.log("Class enumeration complete.");        }    });});

Native Code Cryptography

Some applications implement critical cryptographic logic in native libraries (C/C++ via JNI) to further deter reverse engineering. For these cases, you’ll need to use Frida’s `Module.findExportByName` and `Interceptor.attach` to hook native functions. Identify native functions using tools like Ghidra or objdump on the `.so` files.

Interceptor.attach(Module.findExportByName('libnativecrypto.so', 'decrypt_data_func'), {    onEnter: function (args) {        console.log("[!] Native decrypt_data_func called!");        console.log("  Input Buffer Ptr: " + args[0]);        // Read native memory for input/output buffers and key/IV pointers    },    onLeave: function (retval) {        // Inspect return value or modified output buffers    }});

Conclusion

Frida provides an incredibly powerful and flexible platform for dynamic analysis of Android applications, particularly for reverse engineering cryptographic implementations. By strategically hooking key JCA API calls, you can uncover critical information such as algorithms, keys, IVs, and the actual plaintext and ciphertext flowing through the application. While challenges like obfuscation and native code present additional hurdles, Frida’s capabilities, combined with static analysis, equip you to tackle even the most resilient crypto schemes. Mastering these techniques is essential for any serious Android security researcher or penetration tester.

May 29, 2026

Advanced JNI Patches: Implementing Inline Hooking with Frida for Android Native Code
Introduction to Advanced JNI Hooking

Android applications frequently leverage the Java Native Interface (JNI) to execute performance-critical operations, access platform-specific features, or incorporate existing C/C++ libraries. While JNI provides a powerful bridge between Java and native code, it also introduces complexities for security analysis and reverse engineering. Traditional dynamic analysis techniques often rely on hooking exported native functions, but what happens when the target function is not exported, or when you need to intercept calls deep within the native execution flow? This is where advanced techniques like inline hooking with Frida become indispensable.

This article delves into implementing inline hooking using Frida to intercept JNI and other native calls within Android applications. We will explore how to identify target functions, calculate their runtime addresses, and use Frida’s powerful `Interceptor` API to patch code execution directly, even for unexported symbols.

Understanding JNI and Native Method Calls

JNI acts as a glue layer, allowing Java code to call native functions written in languages like C/C++ and vice-versa. When a Java method is declared `native`, it signals that its implementation resides in a shared library (e.g., `.so` file). The JNI function signature typically follows a specific naming convention: `Java_PackageName_ClassName_MethodName`. For instance, a Java method `com.example.app.NativeClass.nativeAdd(int a, int b)` would map to `Java_com_example_app_NativeClass_nativeAdd` in the native library.

Native functions receive at least two parameters: a `JNIEnv` pointer and a `jobject` (for non-static methods) or `jclass` (for static methods). The `JNIEnv` pointer is crucial as it provides access to the JNI function table, allowing native code to interact with the Java Virtual Machine (JVM)—e.g., creating new Java objects, throwing exceptions, or calling Java methods from native code.

Example JNI Native Method
```
#include <jni.h>#include <string.h>#include <android/log.h>#define LOG_TAG "NativeLib"#define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)// This is an exported JNI functionJNIEXPORT jstring JNICALL Java_com_example_app_NativeLib_stringFromJNI(JNIEnv* env, jobject thiz) {    LOGD("stringFromJNI called!");    const char* hello = "Hello from C++";    return (*env)->NewStringUTF(env, hello);}// This is an internal, unexported native functionstatic int calculateSum(int a, int b) {    LOGD("calculateSum called with a=%d, b=%d", a, b);    return a + b;}// A JNI function that calls the internal functionJNIEXPORT jint JNICALL Java_com_example_app_NativeLib_performCalculation(JNIEnv* env, jobject thiz, jint x, jint y) {    LOGD("performCalculation called with x=%d, y=%d", x, y);    return calculateSum(x, y);}
```
The Challenge: Hooking Unexported Functions

While Frida excels at hooking exported functions using `Module.findExportByName()`, many critical operations in native libraries are performed by internal, unexported functions. These functions are often static or hidden from the dynamic linker’s export table to deter analysis. Inline hooking directly patches the target function’s prologue in memory, redirecting execution to our custom hook code, regardless of whether the function is exported.

Implementing Inline Hooking with Frida

To perform inline hooking, we need two key pieces of information:
1. The base address of the native library in memory.
2. The offset of the target function from the library’s base address.
1. Finding the Library Base Address

Frida’s `Module.findBaseAddress()` function can easily retrieve the runtime base address of a loaded library.
```
var moduleName = 'libnative-lib.so';var baseAddress = Module.findBaseAddress(moduleName);if (baseAddress) {    console.log('[+] ' + moduleName + ' loaded at: ' + baseAddress);} else {    console.error('[-] ' + moduleName + ' not found!');    return;}
```
2. Finding the Function Offset

This is the reverse engineering step. You’ll need tools like IDA Pro or Ghidra to analyze the native library (`.so` file) and determine the exact offset of your target function from the library’s base. For our `calculateSum` function from the example, after disassembling `libnative-lib.so`, you might find its entry point at, for instance, `0x1234` bytes from the start of the `.text` segment. This offset will vary depending on the compiler, architecture, and code. Let’s assume for demonstration purposes, `calculateSum` is at offset `0x1337` in `libnative-lib.so`.

3. Attaching the Interceptor

Once you have the base address and the function offset, you can calculate the absolute memory address of the target function and use `Interceptor.attach()`.
```
var moduleName = 'libnative-lib.so';var baseAddress = Module.findBaseAddress(moduleName);if (!baseAddress) {    console.error('[-] ' + moduleName + ' not found!');    return;}// Assume calculateSum is at offset 0x1337 within libnative-lib.so// (This offset must be determined via reverse engineering tools like IDA/Ghidra)var calculateSumOffset = 0x1337; // Example offsetvar targetFunctionAddress = baseAddress.add(calculateSumOffset);console.log('[+] Target function calculateSum at: ' + targetFunctionAddress);Interceptor.attach(targetFunctionAddress, {    onEnter: function(args) {        // args[0] and args[1] will typically be the first and second arguments        // In C/C++ ARM/ARM64 calling conventions, the first few arguments are passed in registers        // For calculateSum(int a, int b), a is args[0], b is args[1]        this.a = args[0].toInt32();        this.b = args[1].toInt32();        console.log('[*] Entering calculateSum(' + this.a + ', ' + this.b + ')');    },    onLeave: function(retval) {        // retval holds the return value of the function        console.log('[*] calculateSum returned: ' + retval.toInt32() + ' (Expected: ' + (this.a + this.b) + ')');    }});console.log('[+] Hooked calculateSum successfully!');
```
To run this script:
```
frida -U -f com.example.app --no-pause -l hook.js
```
Advanced Considerations: Hooking JNIEnv Functions

The `JNIEnv` pointer is a double pointer to a structure that contains pointers to JNI functions (the `JNINativeInterface` table). Hooking these functions requires a slightly different approach, as their addresses are relative to the `JNIEnv` table structure, not directly within `libnative-lib.so`. You can still inline hook them by finding the specific function pointer within the `JNIEnv` table at runtime.

For instance, to hook `NewStringUTF`:
1. Get an active `JNIEnv*` pointer (e.g., from an `onEnter` hook of any JNI method).
2. Dereference `JNIEnv*` to get `JNINativeInterface**`.
3. Dereference again to get `JNINativeInterface*`.
4. Locate the `NewStringUTF` entry within this structure (its index is fixed by the JNI specification).
```
// This is more complex and typically done in a CModule or by parsing JNIEnv struct// For simplicity, Frida often provides higher-level APIs or you can hook known JNI functions from the libjvm.so// However, if you need to inline hook a *specific* JNIEnv method implementation,// you'd need the address of that specific method in memory.var moduleName = 'libart.so'; // Or libdalvik.so depending on Android versionvar baseAddress = Module.findBaseAddress(moduleName);if (!baseAddress) {    console.error('[-] ' + moduleName + ' not found!');    return;}// Example: Hooking 'NewStringUTF' from the JNI function table// The offset of NewStringUTF within the JNIEnv table can be found in Android's source code or by reversing libart.so// For demonstration, let's assume NewStringUTF is at a certain offset (e.g., 0x480 for ARM64) from the JNIEnv table base.// This is highly architecture and Android version dependent.var NewStringUTF_offset_in_JNIEnv_table = 0x480; // Placeholder value for ARM64 typicallyvar jni_env_ptr = NULL;Interceptor.attach(Module.findExportByName('libnative-lib.so', 'Java_com_example_app_NativeLib_stringFromJNI'), {    onEnter: function(args) {        // args[0] is JNIEnv*        jni_env_ptr = args[0];        // Dereference JNIEnv* to get JNINativeInterface**        var jni_native_interface_ptr = jni_env_ptr.readPointer();        // Calculate address of NewStringUTF function pointer        var newStringUTF_fn_ptr_addr = jni_native_interface_ptr.add(NewStringUTF_offset_in_JNIEnv_table);        // Get the actual function address        var newStringUTF_fn_addr = newStringUTF_fn_ptr_addr.readPointer();        console.log('[*] JNIEnv->NewStringUTF function address: ' + newStringUTF_fn_addr);        // Now, you can hook this specific NewStringUTF implementation if it hasn't been already        if (!this.hookedNewStringUTF) {            Interceptor.attach(newStringUTF_fn_addr, {                onEnter: function(args_jni_str) {                    // args_jni_str[0] is the JNIEnv* again                    // args_jni_str[1] is the const char*                    var c_string = args_jni_str[1].readCString();                    console.log('[**] NewStringUTF called with C string: ' + c_string);                },                onLeave: function(retval_jni_str) {                    // retval_jni_str is the jstring result                    console.log('[**] NewStringUTF returning jstring.');                }            });            this.hookedNewStringUTF = true;            console.log('[+] Hooked NewStringUTF successfully!');        }    }});
```
Conclusion

Inline hooking with Frida provides an unparalleled level of control over native code execution within Android applications. By understanding how to identify function offsets and leverage Frida’s `Interceptor` API, reverse engineers and penetration testers can bypass traditional symbol-based hooking limitations. This technique is crucial for analyzing obfuscated code, bypassing anti-tampering mechanisms, and gaining deep insights into the most critical parts of an application’s logic that reside in native libraries. Mastering inline hooking empowers you to truly patch and analyze the heart of Android’s native runtime.
May 29, 2026

Frida for Android Crypto: Hooking AES/RSA & Extracting Keys – A Practical Guide

Introduction: Unveiling Android’s Cryptographic Secrets with Frida

In the realm of Android application penetration testing, understanding and manipulating an app’s cryptographic operations is paramount. Many applications rely on client-side encryption for sensitive data, and without insight into these processes, bypassing security controls or extracting valuable information can be impossible. This guide delves into using Frida, a dynamic instrumentation toolkit, to hook Android’s core cryptographic APIs (AES and RSA) to extract keys, initialization vectors (IVs), and unencrypted data.

Frida’s power lies in its ability to inject JavaScript into running processes, allowing us to inspect, modify, and even bypass functions in real-time. For cryptographic analysis, this means we can intercept calls to `Cipher.init()`, `Cipher.doFinal()`, and key generation methods, exposing the underlying cryptographic primitives and parameters.

Prerequisites

An Android device or emulator with root access.
Frida server running on the Android device.
Frida command-line tools installed on your host machine (`pip install frida-tools`).
Android Debug Bridge (ADB) installed and configured.
Basic understanding of Java/Android development concepts.

Setting Up Frida on Android

First, ensure your Android device is properly set up with Frida. Download the appropriate `frida-server` for your device’s architecture (e.g., `frida-server-*-android-arm64`) from the Frida releases page.

adb push /path/to/frida-server /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"

Verify Frida is running by listing processes:

frida-ps -U

Hooking AES Encryption/Decryption and Extracting Keys

AES (Advanced Encryption Standard) is a symmetric block cipher widely used in Android applications. We’ll focus on intercepting `javax.crypto.Cipher` methods, specifically `init()` to get the key and IV, and `doFinal()` to capture plaintext/ciphertext.

Identifying Target Methods

The `javax.crypto.Cipher` class is the central point. The most interesting overloads for `init` are:

`init(int opmode, Key key)`
`init(int opmode, Key key, AlgorithmParameterSpec params)`
`init(int opmode, Key key, IvParameterSpec iv)`

And for `doFinal`:

`doFinal(byte[] input)`
`doFinal(byte[] input, int inputOffset, int inputLen)`

Frida Script for AES Hooking

Let’s create a Frida script (`aes_hook.js`) to intercept these methods:

Java.perform(function() {
    console.log("[*] Starting AES Hooking Script");

    var Cipher = Java.use("javax.crypto.Cipher");

    Cipher.init.overload("int", "java.security.Key", "java.security.spec.AlgorithmParameterSpec").implementation = function(opmode, key, params) {
        var opmodeStr = (opmode == 1) ? "ENCRYPT_MODE" : ((opmode == 2) ? "DECRYPT_MODE" : "UNKNOWN_MODE");
        console.log("[*] Cipher.init(opmode=" + opmodeStr + ", key=" + key + ", params=" + params + ") called");

        // Extract AES Key
        var SecretKeySpec = Java.use("javax.crypto.spec.SecretKeySpec");
        if (key.$instanceof(SecretKeySpec)) {
            var secretKeyBytes = Java.cast(key, SecretKeySpec).getEncoded();
            console.log("    [+] AES Key (Hex): " + Array.from(secretKeyBytes).map(b => ('0' + (b & 0xFF).toString(16)).slice(-2)).join(''));
            console.log("    [+] AES Key (Base64): " + Java.use("android.util.Base64").encodeToString(secretKeyBytes, 0));
        }

        // Extract IV
        var IvParameterSpec = Java.use("javax.crypto.spec.IvParameterSpec");
        if (params.$instanceof(IvParameterSpec)) {
            var ivBytes = Java.cast(params, IvParameterSpec).getIV();
            console.log("    [+] AES IV (Hex): " + Array.from(ivBytes).map(b => ('0' + (b & 0xFF).toString(16)).slice(-2)).join(''));
            console.log("    [+] AES IV (Base64): " + Java.use("android.util.Base64").encodeToString(ivBytes, 0));
        }

        return this.init(opmode, key, params);
    };

    // Hooking the second common init overload (without AlgorithmParameterSpec)
    Cipher.init.overload("int", "java.security.Key").implementation = function(opmode, key) {
        var opmodeStr = (opmode == 1) ? "ENCRYPT_MODE" : ((opmode == 2) ? "DECRYPT_MODE" : "UNKNOWN_MODE");
        console.log("[*] Cipher.init(opmode=" + opmodeStr + ", key=" + key + ") called");

        var SecretKeySpec = Java.use("javax.crypto.spec.SecretKeySpec");
        if (key.$instanceof(SecretKeySpec)) {
            var secretKeyBytes = Java.cast(key, SecretKeySpec).getEncoded();
            console.log("    [+] AES Key (Hex): " + Array.from(secretKeyBytes).map(b => ('0' + (b & 0xFF).toString(16)).slice(-2)).join(''));
            console.log("    [+] AES Key (Base64): " + Java.use("android.util.Base64").encodeToString(secretKeyBytes, 0));
        }
        return this.init(opmode, key);
    };

    Cipher.doFinal.overload("[B").implementation = function(input) {
        var ret = this.doFinal(input);
        console.log("[*] Cipher.doFinal([B]) called");
        console.log("    [+] Input (Hex): " + Array.from(input).map(b => ('0' + (b & 0xFF).toString(16)).slice(-2)).join(''));
        console.log("    [+] Input (Base64): " + Java.use("android.util.Base64").encodeToString(input, 0));
        console.log("    [+] Output (Hex): " + Array.from(ret).map(b => ('0' + (b & 0xFF).toString(16)).slice(-2)).join(''));
        console.log("    [+] Output (Base64): " + Java.use("android.util.Base64").encodeToString(ret, 0));
        // Attempt to decrypt if in ENCRYPT_MODE or encrypt if in DECRYPT_MODE (requires known key/IV)
        return ret;
    };

    Cipher.doFinal.overload("[B", "int", "int").implementation = function(input, inputOffset, inputLen) {
        var ret = this.doFinal(input, inputOffset, inputLen);
        console.log("[*] Cipher.doFinal([B, int, int]) called");
        var actualInput = input.slice(inputOffset, inputOffset + inputLen);
        console.log("    [+] Input (Hex): " + Array.from(actualInput).map(b => ('0' + (b & 0xFF).toString(16)).slice(-2)).join(''));
        console.log("    [+] Input (Base64): " + Java.use("android.util.Base64").encodeToString(actualInput, 0));
        console.log("    [+] Output (Hex): " + Array.from(ret).map(b => ('0' + (b & 0xFF).toString(16)).slice(-2)).join(''));
        console.log("    [+] Output (Base64): " + Java.use("android.util.Base64").encodeToString(ret, 0));
        return ret;
    };
    console.log("[*] AES Hooking Script Loaded. Waiting for activity.");
});

Running the AES Hook

To run this script against a target Android application (replace `com.example.targetapp` with the actual package name):

frida -U -f com.example.targetapp -l aes_hook.js --no-pause

Frida will attach to the app, load the script, and then resume the app. All AES operations will now be logged to your console.

Hooking RSA Encryption/Decryption and Key Extraction

RSA is an asymmetric cipher, commonly used for secure key exchange or digital signatures. We’re interested in extracting public and private keys and observing their usage.

Identifying Target Methods for RSA

Similar to AES, `javax.crypto.Cipher` is used for RSA operations. Additionally, we’ll look at `java.security.KeyFactory` for generating keys from specifications and `java.security.KeyPairGenerator` for generating new key pairs.

Frida Script for RSA Hooking

Create `rsa_hook.js`:

Java.perform(function() {
    console.log("[*] Starting RSA Hooking Script");

    var Cipher = Java.use("javax.crypto.Cipher");

    Cipher.init.overload("int", "java.security.Key", "java.security.SecureRandom").implementation = function(opmode, key, random) {
        var opmodeStr = (opmode == 1) ? "ENCRYPT_MODE" : ((opmode == 2) ? "DECRYPT_MODE" : "UNKNOWN_MODE");
        console.log("[*] Cipher.init(RSA, opmode=" + opmodeStr + ", key=" + key + ") called");

        var PublicKey = Java.use("java.security.PublicKey");
        var PrivateKey = Java.use("java.security.PrivateKey");

        if (key.$instanceof(PublicKey)) {
            var pubKeyBytes = Java.cast(key, PublicKey).getEncoded();
            console.log("    [+] RSA Public Key (X.509, Base64): " + Java.use("android.util.Base64").encodeToString(pubKeyBytes, 0));
        } else if (key.$instanceof(PrivateKey)) {
            var privKeyBytes = Java.cast(key, PrivateKey).getEncoded();
            console.log("    [+] RSA Private Key (PKCS#8, Base64): " + Java.use("android.util.Base64").encodeToString(privKeyBytes, 0));
        }

        return this.init(opmode, key, random);
    };

    Cipher.init.overload("int", "java.security.Key").implementation = function(opmode, key) {
        var opmodeStr = (opmode == 1) ? "ENCRYPT_MODE" : ((opmode == 2) ? "DECRYPT_MODE" : "UNKNOWN_MODE");
        console.log("[*] Cipher.init(RSA, opmode=" + opmodeStr + ", key=" + key + ") called");

        var PublicKey = Java.use("java.security.PublicKey");
        var PrivateKey = Java.use("java.security.PrivateKey");

        if (key.$instanceof(PublicKey)) {
            var pubKeyBytes = Java.cast(key, PublicKey).getEncoded();
            console.log("    [+] RSA Public Key (X.509, Base64): " + Java.use("android.util.Base64").encodeToString(pubKeyBytes, 0));
        } else if (key.$instanceof(PrivateKey)) {
            var privKeyBytes = Java.cast(key, PrivateKey).getEncoded();
            console.log("    [+] RSA Private Key (PKCS#8, Base64): " + Java.use("android.util.Base64").encodeToString(privKeyBytes, 0));
        }

        return this.init(opmode, key);
    };

    // Hooking KeyFactory.generatePublic to catch key generation from specs
    var KeyFactory = Java.use("java.security.KeyFactory");
    KeyFactory.generatePublic.implementation = function(keySpec) {
        var ret = this.generatePublic(keySpec);
        console.log("[*] KeyFactory.generatePublic(keySpec=" + keySpec + ") called");
        var pubKeyBytes = ret.getEncoded();
        console.log("    [+] Generated Public Key (X.509, Base64): " + Java.use("android.util.Base64").encodeToString(pubKeyBytes, 0));
        return ret;
    };

    KeyFactory.generatePrivate.implementation = function(keySpec) {
        var ret = this.generatePrivate(keySpec);
        console.log("[*] KeyFactory.generatePrivate(keySpec=" + keySpec + ") called");
        var privKeyBytes = ret.getEncoded();
        console.log("    [+] Generated Private Key (PKCS#8, Base64): " + Java.use("android.util.Base64").encodeToString(privKeyBytes, 0));
        return ret;
    };

    // Hooking KeyPairGenerator.generateKeyPair to catch dynamically generated pairs
    var KeyPairGenerator = Java.use("java.security.KeyPairGenerator");
    KeyPairGenerator.generateKeyPair.implementation = function() {
        var keyPair = this.generateKeyPair();
        console.log("[*] KeyPairGenerator.generateKeyPair() called");
        var pubKeyBytes = keyPair.getPublic().getEncoded();
        var privKeyBytes = keyPair.getPrivate().getEncoded();
        console.log("    [+] Generated Public Key (X.509, Base64): " + Java.use("android.util.Base64").encodeToString(pubKeyBytes, 0));
        console.log("    [+] Generated Private Key (PKCS#8, Base64): " + Java.use("android.util.Base64").encodeToString(privKeyBytes, 0));
        return keyPair;
    };

    // Cipher.doFinal for RSA is similar to AES, but ensure context is RSA
    // (could check algorithm via cipher.getAlgorithm() if needed)
    Cipher.doFinal.overload("[B").implementation = function(input) {
        var ret = this.doFinal(input);
        if (this.getAlgorithm().indexOf("RSA") != -1) {
            console.log("[*] RSA Cipher.doFinal([B]) called");
            console.log("    [+] Input (Hex): " + Array.from(input).map(b => ('0' + (b & 0xFF).toString(16)).slice(-2)).join(''));
            console.log("    [+] Input (Base64): " + Java.use("android.util.Base64").encodeToString(input, 0));
            console.log("    [+] Output (Hex): " + Array.from(ret).map(b => ('0' + (b & 0xFF).toString(16)).slice(-2)).join(''));
            console.log("    [+] Output (Base64): " + Java.use("android.util.Base64").encodeToString(ret, 0));
        }
        return ret;
    };

    console.log("[*] RSA Hooking Script Loaded. Waiting for activity.");
});

Running the RSA Hook

frida -U -f com.example.targetapp -l rsa_hook.js --no-pause

Advanced Considerations and Challenges

While these scripts provide a strong foundation, real-world applications often employ techniques to hinder analysis:

Obfuscation: Tools like ProGuard or DexGuard rename classes and methods, making it harder to find the exact targets. You might need to use static analysis (decompilers like Jadx or Ghidra) to identify the obfuscated names.
Anti-Frida Measures: Apps can detect Frida by checking for `frida-server` processes, specific memory regions, or network ports. Bypassing these often involves modifying Frida’s behavior or patching the app’s detection logic.
Custom Cryptography: Some applications implement their own cryptographic primitives, bypassing standard Android APIs. In such cases, you might need to hook lower-level native functions (e.g., in JNI libraries) or analyze the custom implementation statically.
Key Derivation Functions (KDFs): Keys are often not stored directly but derived from passwords or other secrets using KDFs (e.g., PBKDF2). You would need to hook the KDF itself to extract the final derived key.

Conclusion

Frida is an indispensable tool for dynamic analysis of Android applications, particularly when it comes to understanding and manipulating cryptographic operations. By strategically hooking `Cipher.init`, `Cipher.doFinal`, and key generation methods, you can gain deep insights into an app’s security mechanisms, extract crucial cryptographic parameters, and effectively bypass client-side encryption. This practical guide provides a solid starting point for any security researcher or penetration tester looking to enhance their Android crypto analysis capabilities.

May 29, 2026

Targeting JNI_OnLoad: Frida Techniques for Initializing Native Library Hooks

Introduction

In the realm of Android application penetration testing and reverse engineering, understanding and manipulating native libraries is often a critical step. Android apps frequently leverage the Java Native Interface (JNI) to execute performance-critical or obfuscated code written in C/C++. A particularly challenging scenario arises when native functions are initialized very early in the application lifecycle, specifically within the JNI_OnLoad function. This detailed guide will explore advanced Frida techniques to effectively hook functions initialized or registered during JNI_OnLoad, enabling powerful interception capabilities for security researchers.

The Challenge of Early Initialization

When an Android application loads a native library (e.g., via System.loadLibrary()), the Android runtime looks for and executes a special function named JNI_OnLoad within that library. This function is the native library’s entry point for initialization. Critical functions might be registered, obfuscation layers set up, or anti-tampering checks performed within JNI_OnLoad. If you attempt to hook a function directly using Module.findExportByName() after the library has technically loaded but before JNI_OnLoad has fully completed its execution and registered all its native methods, you might miss the window or find that the target function’s address is not yet available.

Standard Frida hooking often involves waiting for the library to be loaded and then attaching to exported symbols or resolved internal addresses. However, for functions whose pointers are resolved or registered *within* JNI_OnLoad itself, or functions that perform checks immediately after JNI_OnLoad finishes, a different strategy is required: intercepting JNI_OnLoad and performing your hooks from within its execution context.

Understanding JNI_OnLoad

The JNI_OnLoad function is a crucial callback in any native library that uses JNI. Its primary purpose is to initialize the native code environment for the Java Virtual Machine (JVM). It has the following C/C++ signature:

jint JNI_OnLoad(JavaVM* vm, void* reserved);

Here’s what each parameter signifies:

JavaVM* vm: A pointer to the JavaVM structure. This can be used to obtain a JNIEnv* pointer, which is essential for interacting with the JVM from native code.
void* reserved: Reserved for future use by the JNI specification, typically NULL.

Inside JNI_OnLoad, a native library typically:

Obtains a JNIEnv* pointer from the JavaVM*.
Registers native methods using RegisterNatives, mapping Java methods to C/C++ functions.
Performs any library-specific initialization, such as decrypting strings, setting up global variables, or initializing cryptographic contexts.
Returns the JNI version the native library expects (e.g., JNI_VERSION_1_6).

By hooking JNI_OnLoad, we gain control at the earliest possible moment within the native library’s execution flow.

Frida’s Approach: Intercepting JNI_OnLoad

The most effective strategy for targeting functions initialized by JNI_OnLoad is to hook JNI_OnLoad itself. This allows us to execute our Frida script *before* or *during* the original JNI_OnLoad execution. Inside our `onEnter` callback for JNI_OnLoad, we can then perform our target hooks, knowing that the library context is being set up or has just been set up.

Why this timing is crucial:

Guaranteed Presence: JNI_OnLoad is guaranteed to be called if the library exports it.
Early Access: You get control before most other native code within the library executes.
Context Awareness: You’re operating within the native library’s loading context, which can be useful for understanding its initialization flow.

Step-by-Step Guide with Frida

Let’s walk through an example. Suppose we have an Android application with a native library named libnative-lib.so, and it registers a crucial native function, say Java_com_example_app_NativeLib_calcSecret, within its JNI_OnLoad. We want to intercept this function.

1. Identify the Target Library

First, identify the native library that contains the JNI_OnLoad you’re interested in. You can use frida-ps to list loaded modules for your target app:

frida-ps -Uai "YourAppName" | grep .so

Look for the library name, e.g., libnative-lib.so.

2. Locate JNI_OnLoad

Once you have the library name, you can find the address of JNI_OnLoad using Module.findExportByName() in your Frida script.

3. Hook JNI_OnLoad

Now, we’ll write a Frida script to intercept JNI_OnLoad. Inside its onEnter callback, we’ll obtain the library’s base address and then wait for a moment (or directly attempt to hook) for our target function.

Consider a simple C++ native library structure:

#include <jni.h>#include <string>jstring Java_com_example_app_NativeLib_calcSecret(JNIEnv* env, jobject /* this */, jint a, jint b) {    int secret = a * b + 123;    return env->NewStringUTF(std::to_string(secret).c_str());}static const JNINativeMethod methods[] = {    {"calcSecret", "(II)Ljava/lang/String;", (void*)Java_com_example_app_NativeLib_calcSecret}};// JNI_OnLoad implementationjint JNI_OnLoad(JavaVM* vm, void* reserved) {    JNIEnv* env;    if (vm->GetEnv(reinterpret_cast<void**>(&env), JNI_VERSION_1_6) != JNI_OK) {        return JNI_ERR;    }    // Register native methods    jclass clazz = env->FindClass("com/example/app/NativeLib");    if (clazz == nullptr) {        return JNI_ERR;    }    env->RegisterNatives(clazz, methods, sizeof(methods) / sizeof(methods[0]));    return JNI_VERSION_1_6;}

And here’s the Frida script to hook JNI_OnLoad and then Java_com_example_app_NativeLib_calcSecret:

Interceptor.attach(Module.findExportByName("libnative-lib.so", "JNI_OnLoad"), {    onEnter: function (args) {        console.log("[+] JNI_OnLoad called!");        // The library is now loading or has just loaded.        // We can now safely find and hook other functions within this library.        let libNativeLibBase = Module.findBaseAddress("libnative-lib.so");        if (libNativeLibBase) {            console.log("[+] libnative-lib.so base address: " + libNativeLibBase);            // Attempt to find the target function.            // If it's dynamically registered, Module.findExportByName won't work.            // We might need to scan for patterns or use a symbol resolver            // if the function isn't exported or directly registered.            // For this example, let's assume 'calcSecret' isn't exported,            // but we know its relative offset or can find it by its Java name            // after JNI_OnLoad has registered it.            // In real scenarios, you might use:            // let calcSecretPtr = Module.findExportByName("libnative-lib.so", "Java_com_example_app_NativeLib_calcSecret");            // Or, if it's an internal function called by a registered method,            // you'd look for its address once JNI_OnLoad completes.            // For functions registered via RegisterNatives, Frida's Java.perform            // and attaching to the specific Java method might be easier after this.            // However, if we need to hook *before* the Java method is called,            // or the native method's address is crucial, we need to find it here.            // A more robust way to hook registered natives:            // You can also hook JNIEnv->RegisterNatives to see what methods are being registered.            // For direct hooking of 'calcSecret' assuming we know its symbol address after load:            // (This relies on JNI_OnLoad completing the registration)            // Let's assume a dummy offset or a known symbol for demonstration            // A better way would be to hook RegisterNatives or wait for the symbol to appear            // For this example, we will attach to the *Java* side of the registered native.            // This demonstrates that once JNI_OnLoad has run, the Java-native link is established.            // If the goal is to hook the *native implementation* from JNI_OnLoad context:            // You'd need to reverse engineer the specific library to find the address of            // Java_com_example_app_NativeLib_calcSecret *after* RegisterNatives has run            // or hook RegisterNatives itself.            // Assuming for a moment that after JNI_OnLoad, the symbol is resolvable or known:            // Example of hooking JNIEnv->RegisterNatives (more advanced)            let registerNativesPtr = Module.findExportByName("libart.so", "_ZN3art7JNIEnvExt15RegisterNativesEP7_jclassPK15JNINativeMethodi"); // Android 10+ symbol            if (registerNativesPtr) {                console.log("[+] Hooking JNIEnv->RegisterNatives...");                Interceptor.attach(registerNativesPtr, {                    onEnter: function(args) {                        let jclass = new Java.Wrapper(args[0]);                        let methods = args[1];                        let numMethods = args[2].toInt32();                        let className = Java.vm.get === 'undefined' ? jclass.toString() : Java.vm.getEnv().getObjectClassName(args[0]);                        console.log(`[+] RegisterNatives called for class: ${className} with ${numMethods} methods.`);                        if (className.includes("com.example.app.NativeLib")) {                            for (let i = 0; i < numMethods; i++) {                                let methodNamePtr = Memory.readPointer(methods.add(i * Process.pointerSize * 3)); // 3 pointers per JNINativeMethod struct (name, signature, fnPtr)                                let methodSignaturePtr = Memory.readPointer(methods.add(i * Process.pointerSize * 3 + Process.pointerSize));                                let fnPtr = Memory.readPointer(methods.add(i * Process.pointerSize * 3 + Process.pointerSize * 2));                                let methodName = methodNamePtr.readCString();                                let methodSignature = methodSignaturePtr.readCString();                                console.log(`[+] Method: ${methodName}, Signature: ${methodSignature}, FunctionPtr: ${fnPtr}`);                                if (methodName === "calcSecret") {                                    console.log("[+] Found calcSecret! Hooking its native implementation...");                                    Interceptor.attach(fnPtr, {                                        onEnter: function (args_calc) {                                            let arg_a = args_calc[2].toInt32();                                            let arg_b = args_calc[3].toInt32();                                            console.log(`[+] calcSecret called with a=${arg_a}, b=${arg_b}`);                                        },                                        onLeave: function (retval) {                                            let env = this.context.x0; // JNIEnv* is usually the first argument (x0/r0)                                            // Need to create a JNIEnv object to read jstring                                            let jniEnvWrapper = new JNIEnv(env);                                            let result = jniEnvWrapper.jstringToString(retval);                                            console.log(`[+] calcSecret returned: ${result}`);                                        }                                    });                                }                            }                        }                    }                });            } else {                console.warn("[-] Could not find JNIEnv::RegisterNatives symbol. This might be due to Android version differences.");            }        } else {            console.error("[-] Could not find base address for libnative-lib.so");        }    },    onLeave: function (retval) {        console.log("[+] JNI_OnLoad finished.");    }});class JNIEnv {    constructor(envPtr) {        this.envPtr = envPtr;        // These offsets might vary slightly by Android version/architecture        // Common offsets for JNI functions in JNIEnv* table        // Need to reverse engineer actual offsets for specific target        // For ARM64 on recent Android, NewStringUTF is usually at offset 0x2E0 (76th function)        // GetStringUTFChars at 0x2A8 (67th function)        // ReleaseStringUTFChars at 0x2AC (68th function)        // Here's an example for jstringToString, relying on GetStringUTFChars        this.GetStringUTFChars_offset = 0x2A8; // Example offset, verify for your target        this.ReleaseStringUTFChars_offset = 0x2AC; // Example offset        this.GetStringUTFChars = this.envPtr.readPointer().add(this.GetStringUTFChars_offset).readPointer();        this.ReleaseStringUTFChars = this.envPtr.readPointer().add(this.ReleaseStringUTFChars_offset).readPointer();    }    jstringToString(jstringPtr) {        if (jstringPtr.isNull()) {            return null;        }        let isCopy = Memory.alloc(4);        isCopy.writeInt(0);        let c_str_ptr = new NativeFunction(this.GetStringUTFChars, 'pointer', ['pointer', 'pointer', 'pointer'])(this.envPtr, jstringPtr, isCopy);        let result = c_str_ptr.readCString();        new NativeFunction(this.ReleaseStringUTFChars, 'void', ['pointer', 'pointer', 'pointer'])(this.envPtr, jstringPtr, c_str_ptr);        return result;    }}

In this advanced example, instead of guessing the native function’s address, we hook JNIEnv::RegisterNatives itself. This allows us to dynamically discover the addresses of all native methods being registered by JNI_OnLoad and then apply a more precise hook to our target function (`calcSecret`) as it’s being registered.

4. Execute the Frida Script

Attach Frida to your target application:

frida -U -f com.example.app --no-pause -l frida_jni_on_load_hook.js

Replace com.example.app with your target package name and frida_jni_on_load_hook.js with your script filename.

Advanced Considerations

Dealing with JNIEnv* and JavaVM*

Inside JNI_OnLoad, you receive JavaVM*. From this, the native code typically calls GetEnv to obtain a JNIEnv*. If your target functions require JNIEnv* (which most JNI functions do), you can grab this pointer if you hook GetEnv or observe it directly from arguments if you’re hooking a function called after GetEnv.
Bypassing Anti-Tampering Checks

Some applications might perform anti-tampering checks (e.g., integrity checks on the .so file or runtime environment checks) within JNI_OnLoad or immediately after it. By hooking JNI_OnLoad, you have the opportunity to nullify these checks or manipulate their outcomes before they can affect your analysis.
Hooking `RegisterNatives`

As demonstrated, directly hooking JNIEnv::RegisterNatives is a powerful technique. This allows you to log all registered native methods, their signatures, and their corresponding native function pointers. You can then dynamically intercept specific native implementations based on their names or signatures, making your hooks more resilient to code changes or obfuscation that might hide symbols.
JNI_OnUnload

For completeness, native libraries can also define JNI_OnUnload, which is called when the class loader containing the native library is garbage collected. While less common for initial hooking, it can be useful for understanding cleanup routines or potential memory manipulation during library unloading.

Conclusion

Targeting JNI_OnLoad with Frida is an indispensable technique for Android app penetration testers and reverse engineers. It grants early and powerful control over native library initialization, allowing you to intercept crucial functions that might otherwise be hidden or bypass early anti-tampering measures. By understanding the JNI lifecycle and employing advanced Frida features like hooking RegisterNatives, you can achieve a superior level of introspection and manipulation of even the most robust native Android applications.

May 29, 2026

Automating JNI Hook Discovery: Crafting Dynamic Frida Scripts for Native Android RE
Introduction to JNI Hooking and Dynamic Discovery

The Java Native Interface (JNI) serves as a critical bridge, enabling Java code running in the Android Virtual Machine (AVM) to interact with native applications and libraries written in languages like C/C++. For security researchers and reverse engineers, JNI presents both a powerful capability and a significant challenge. Many sensitive operations, cryptographic routines, or anti-tampering checks are often implemented in native code to evade Java-layer analysis and obfuscation techniques. Directly hooking these native functions can be complex due to factors like varying memory addresses, dynamic loading, and the sheer volume of potential targets.

This article delves into an advanced methodology for Android Reverse Engineering: automating JNI hook discovery using Frida. We’ll explore how to craft dynamic Frida scripts that not only identify native methods registered via JNI but also generate and apply hooks to them on the fly, transforming a tedious manual process into an efficient, automated workflow.

The Challenge of Manual JNI Hooking

Traditional JNI hooking often involves a multi-step process:
1. Static Analysis: Using tools like IDA Pro or Ghidra to analyze native libraries (e.g., .so files) to locate JNI_OnLoad and calls to RegisterNatives. This can be time-consuming, especially with large or obfuscated binaries.
2. Identifying Function Pointers: Manually extracting method names, signatures, and the corresponding native function pointers from the JNINativeMethod structures passed to RegisterNatives.
3. Crafting Static Hooks: Writing individual Frida hooks for each identified native function by hardcoding their addresses. This approach is fragile, breaking with recompilations or different library versions.
Our goal is to overcome these limitations by dynamically discovering and hooking JNI methods during runtime, making our analysis more robust and less reliant on static pre-analysis.

Frida for Advanced Native Interception

Frida is a dynamic instrumentation toolkit that allows injecting custom scripts into processes. Its ability to interact with native code, explore memory, and intercept function calls makes it ideal for JNI analysis. Key Frida features we’ll leverage include:
- Interceptor.attach(): To hook function calls.
- Module.findExportByName(): To locate exported functions like JNI_OnLoad.
- Memory.readPointer(), Memory.readCString(): For reading memory regions.
- NativeCallback(): To create native functions callable from JavaScript.
- Java.perform(): To ensure execution within the Java context if needed.
Identifying JNI Functions Dynamically

The cornerstone of JNI method registration is the RegisterNatives function. This function, part of the JNIEnv interface, is called by native libraries (typically within their JNI_OnLoad function) to map Java native methods to specific C/C++ functions. By intercepting RegisterNatives, we can dynamically discover all native methods an application registers.

Hooking JNI_OnLoad and RegisterNatives

First, we need to locate and hook JNI_OnLoad in the target native library. This function is an exported entry point for most JNI libraries and is called by the AVM when the library is loaded. It receives a JavaVM* pointer, from which we can obtain a JNIEnv*. The JNIEnv pointer’s vtable contains pointers to all JNI functions, including RegisterNatives.
```
Java.perform(function() {    var moduleName =
```
May 29, 2026
Reverse Engineering Native Android Libraries: A Frida JNI Hooking Lab Introduction: Unveiling Native Android Secrets Android applications often leverage native libraries (written in C/C++ and compiled into .so files) to achieve high performance, protect intellectual property, or interface with low-level system functionalities. These native components are a goldmine for reverse engineers and security analysts, often containing critical logic, cryptographic operations, or obfuscated algorithms. However, analyzing them can be challenging. This article serves as an expert-level guide to dynamically reverse engineering native Android libraries using Frida, focusing specifically on advanced JNI (Java Native Interface) hooking techniques. Frida, a dynamic instrumentation toolkit, provides unparalleled capabilities for interacting with running processes. By hooking JNI functions, we can observe, log, and even modify the interactions between the Java layer and the underlying native code, offering deep insights into an application’s hidden logic without needing to decompile or modify the application binary. Understanding JNI Fundamentals Before diving into hooking, it’s crucial to understand how Java communicates with native code via JNI. JNI acts as a bridge, allowing Java code to call native functions and native functions to interact with the Java Virtual Machine (JVM). Key JNI Concepts: JNIEnv*: This is a pointer to a structure containing a table of function pointers that the native code uses to interact with the JVM (e.g., creating Java objects, calling Java methods, handling exceptions). It’s typically the first argument to any JNI-exported function. jobject: Represents a reference to a Java object. In static native methods, it’s a reference to the Class object; in non-static methods, it’s a reference to the instance of the object the method was called on. It’s usually the second argument. Method Signatures: JNI uses a specific syntax to describe Java method signatures. For instance, (Ljava/lang/String;I)V represents a method that takes a String and an int and returns void. JNI_OnLoad: An optional, but commonly implemented, function that the JVM calls when a native library is loaded. It’s often used to register native methods dynamically or perform initialization tasks. Native methods are typically declared in Java as public native String myNativeMethod(String arg); and implemented in C/C++ with a specific naming convention: Java_PackageName_ClassName_MethodName. For example, Java_com_example_myapp_NativeLib_myNativeMethod(JNIEnv* env, jobject thiz, jstring arg). Setting Up Your Frida JNI Hooking Lab To follow along, you’ll need: An Android device or emulator with root access. ADB (Android Debug Bridge) installed and configured. Frida installed on your host machine (pip install frida-tools). Frida server running on your Android device. A static analysis tool like Ghidra or IDA Pro (optional, but highly recommended for initial reconnaissance). Basic understanding of C/C++ and JavaScript. Installing Frida Server on Android: adb push frida-server /data/local/tmp/frida-serveradb shell May 29, 2026
Frida’s JNIEnv: Handling Complex C/C++ Objects and Pointers in Native Hooks Introduction Android applications frequently bridge the gap between Java/Kotlin and native C/C++ code using the Java Native Interface (JNI). While hooking simple native functions with Frida is often straightforward, interacting with complex Java objects, arrays, or raw C/C++ pointers passed across the JNI boundary presents unique challenges. This article delves into advanced JNI hooking techniques using Frida’s powerful JNIEnv proxy, empowering penetration testers and reverse engineers to manipulate intricate data structures within native contexts. Understanding JNI and Native Methods JNI acts as a foreign function interface, allowing Java code running in the Java Virtual Machine (JVM) to call and be called by native applications and libraries written in other languages like C and C++. Each native method registered with JNI receives a JNIEnv* pointer as its first argument (after JNIEnv* and jclass/jobject). This pointer is crucial; it provides access to a vast array of functions (the JNI function table) that allow native code to interact with the JVM, create Java objects, call Java methods, throw exceptions, and manipulate Java types. A typical native method declaration in C++ looks like this: extern "C" JNIEXPORT jstring JNICALL Java_com_example_app_MainActivity_myNativeMethod( JNIEnv* env, jobject /* this */, jstring javaInputString, jobject javaCustomObject, jlong nativeStructAddress) { // Native implementation } Here, env is our gateway to JVM interaction, while javaInputString and javaCustomObject are opaque JNI references (`jstring`, `jobject`) that require JNIEnv methods to be dereferenced or manipulated. The Challenge of Complex Types in Native Hooks When hooking a native function, Frida provides the raw arguments. For primitive types (like jint, jboolean, jlong), these are directly usable in JavaScript. However, JNI types like jstring, jarray, or generic jobject are merely references to Java objects managed by the JVM. Simply reading them as JavaScript strings or objects will yield meaningless memory addresses. Furthermore, native functions might receive or return raw C/C++ pointers (often cast to jlong when crossing the JNI boundary) that point to complex C/C++ structures or dynamically allocated memory. Without understanding how to interpret these pointers and their contents, introspection becomes impossible. Frida’s JNIEnv Proxy: Your Gateway to the JVM Frida provides an elegant solution to this problem through its JavaScript JNIEnv proxy. You can obtain a reference to the current thread’s JNIEnv object using Java.vm.getEnv(). This env object mirrors many of the essential functions available via the native JNIEnv* pointer, but exposed as JavaScript methods. let env = Java.vm.getEnv(); // Now 'env' contains methods like env.getStringUtfChars, env.callObjectMethod, etc. This proxy allows you to directly call JNI functions from your Frida script, enabling sophisticated interaction with Java objects and the JVM from within your native hooks. Case Study 1: Hooking a Native Method Receiving jstring and jobject Consider a native function that takes a Java string and a custom Java object. Let’s assume our target APK contains a native library libnative-lib.so with a function: extern "C" JNIEXPORT jstring JNICALL Java_com_example_app_MainActivity_stringFromJNI( JNIEnv* env, jobject thiz, // 'this' reference to the Java object jstring inputString, jobject customObject, jlong nativeStructPtr) { /* ... */ } First, we need to locate the address of this native function. You can use tools like nm -D libnative-lib.so or Ghidra for static analysis, or Frida’s Module.findExportByName() for dynamic resolution. Java.perform(function() { let libnativeLib = Module.findBaseAddress("libnative-lib.so"); if (libnativeLib) { console.log("Found libnative-lib.so at: " + libnativeLib); // Resolve the exact function address let targetFunction = Module.findExportByName("libnative-lib.so", "Java_com_example_app_MainActivity_stringFromJNI"); if (targetFunction) { console.log("Hooking Java_com_example_app_MainActivity_stringFromJNI at: " + targetFunction); Interceptor.attach(targetFunction, { onEnter: function(args) { console.log("[+] Native method entered!"); this.env = Java.vm.getEnv(); // Get JNIEnv for this thread // Arg 0 is JNIEnv* // Arg 1 is jobject (this) // Arg 2 is jstring inputString // Arg 3 is jobject customObject // Arg 4 is jlong nativeStructPtr let jInputString = args[2]; let jCustomObject = args[3]; // 1. Extract string from jstring let javaString = this.env.getStringUtfChars(jInputString, null).readUtf8String(); console.log(" Input Java String: " + javaString); // 2. Interact with the custom Java object // We need to know its class and method signatures let customClass = this.env.getObjectClass(jCustomObject); let getValueMethodId = this.env.getMethodId(customClass, "getValue", "()Ljava/lang/String;"); if (getValueMethodId) { let jValue = this.env.callObjectMethod(jCustomObject, getValueMethodId); let customValue = this.env.getStringUtfChars(jValue, null).readUtf8String(); console.log(" Custom Object Value: " + customValue); // Remember to release local references if you create many, or for long-lived objects this.env.deleteLocalRef(jValue); } this.env.deleteLocalRef(customClass); // Store values for onLeave if needed this.javaString = javaString; }, onLeave: function(retval) { console.log("[-] Native method exited."); console.log(" Original string was: " + this.javaString); // Modify the return value if it's a jstring // this.env.newStringUtf("Hooked Return Value"); } }); } else { console.log("Target function not found."); } } }); In this script, this.env.getStringUtfChars() is used to convert the jstring into a C-style UTF-8 string, which Frida’s Memory.readUtf8String() can then read. Similarly, we use this.env.getObjectClass() and this.env.getMethodId() to reflect on the Java object and call its methods using this.env.callObjectMethod(). Case Study 2: Handling C/C++ Pointers and Structures Native functions often work directly with memory addresses, especially when dealing with custom C/C++ structures or large data buffers. A jlong argument in JNI is frequently used to pass a raw memory address (a void* or a pointer to a struct) from Java to native code, as jlong can hold a 64-bit address. Let’s extend our example where nativeStructPtr is a jlong pointing to a CustomNativeStruct: struct CustomNativeStruct { int id; char name[32]; void* data_ptr; // Pointer to more data }; Within the onEnter hook, we can read this pointer and its contents: // ... inside onEnter hook let nativeStructAddress = args[4]; // jlong argument is a Number in JS, representing the address if (nativeStructAddress.compare(0) > 0) { // Check if pointer is not null console.log(" Native Struct Pointer: " + nativeStructAddress); // Define the C structure in Frida for easier access // Using NativePointer.read* methods is also an option. let CustomNativeStruct = new (Java.use("java.lang.Object").$new().getClass().forName("java.lang.Integer"))({ id: 'int', name: ['char', 32], data_ptr: 'pointer' }); // Note: The above is a simplified concept; direct struct definition is complex. // A more practical approach is manual memory reading for complex structs. // Manual memory reading for CustomNativeStruct: let structId = nativeStructAddress.readInt(); let structName = nativeStructAddress.add(4).readUtf8String(32); // name starts at offset 4, max 32 bytes let structDataPtr = nativeStructAddress.add(4 + 32).readPointer(); // data_ptr after id (4 bytes) and name (32 bytes) console.log(" Native Struct -> ID: " + structId); console.log(" Native Struct -> Name: " + structName); console.log(" Native Struct -> Data Ptr: " + structDataPtr); if (structDataPtr.compare(0) > 0) { // Example: If data_ptr points to a C string let pointedData = structDataPtr.readUtf8String(); console.log(" Data Ptr points to string: " + pointedData); } } Frida’s NativePointer methods like readInt(), readUtf8String(), add(), and readPointer() are invaluable for navigating and interpreting memory pointed to by raw addresses. For more complex C++ objects (e.g., those with virtual tables), you would need to combine this with an understanding of the object’s memory layout and potentially RTTI information. Advanced Techniques: Creating and Passing Java Objects Frida’s JNIEnv also allows you to create new Java objects or obtain references to existing ones from within your native hook. This is powerful for injecting test data or modifying execution flow. Creating new Java Strings:let newJavaString = this.env.newStringUtf("Injected string from Frida"); Finding and instantiating Java classes: let StringClass = this.env.findClass("java/lang/String"); let constructorId = this.env.getMethodId(StringClass, "", "([B)V"); // Constructor taking byte array let byteArray = this.env.newByteArray(5); this.env.setByteArrayRegion(byteArray, 0, 5, [72, 101, 108, 108, 111]); // "Hello" let newString = this.env.newObject(StringClass, constructorId, byteArray); this.env.deleteLocalRef(StringClass); this.env.deleteLocalRef(constructorId); this.env.deleteLocalRef(byteArray); Calling static Java methods:let SystemClass = this.env.findClass("java/lang/System"); let currentTimeMillisMethod = this.env.getStaticMethodId(SystemClass, "currentTimeMillis", "()J"); let time = this.env.callStaticLongMethod(SystemClass, currentTimeMillisMethod); These new objects or references can then be passed to other JNI functions or used to replace arguments of the current hooked function on onEnter. Conclusion Frida’s JNIEnv proxy elevates native Android penetration testing from mere function hooking to deep introspection and manipulation of the entire Java-Native ecosystem. By mastering the JNIEnv methods, along with Frida’s powerful memory manipulation capabilities, you gain the ability to accurately interpret complex Java objects, dissect intricate C/C++ structures pointed to by raw addresses, and even inject custom data or objects into the application’s native execution flow. This level of control is indispensable for advanced vulnerability research, bypass development, and understanding the intricate workings of Android apps at their core. May 29, 2026
Unveiling Android Natives: Deep Dive into JNI Function Hooking with Frida Introduction to JNI and Native Android Security The Android ecosystem, predominantly built on Java or Kotlin, often relies on Native Code Interfacing (JNI) to leverage high-performance C/C++ libraries. This is common for critical functionalities like cryptography, DRM, game engines, or performance-sensitive computations. From a security perspective, native code presents a unique challenge: it’s harder to reverse engineer, less susceptible to typical Java-level obfuscation, and often contains crucial anti-tampering or license validation logic. Understanding and manipulating these native interactions is paramount for effective Android app penetration testing. When Java methods invoke native code, the execution flow crosses the JNI bridge, providing a perfect interception point to observe or alter an application’s deepest secrets. The Power of Frida for Native Interception Why JNI Hooking? Bypassing Security Controls: Many apps implement robust anti-tampering, root detection, or license verification within native libraries. Hooking JNI functions allows attackers to disable or alter these checks. Understanding Obfuscated Logic: Highly obfuscated Java/Kotlin code often delegates complex operations to native libraries. Intercepting JNI calls helps in understanding the actual data flow and logic. Manipulating Critical Data: Extracting encryption keys, modifying sensitive input/output, or changing game states can be achieved by intercepting data passed across the JNI bridge. Prerequisites To follow along with advanced JNI hooking, you’ll need: A rooted Android device or emulator (Frida-server installed and running). ADB (Android Debug Bridge) installed and configured. Frida-tools installed on your host machine (`pip install frida-tools`). Basic knowledge of C/C++ and Java/Kotlin. (Optional but recommended) Android NDK for compiling example native applications. Identifying Native Entry Points Native methods are linked to Java/Kotlin methods in two primary ways: Static Registration (JNI_OnLoad/Java_packageName_className_methodName): The JVM automatically links native methods based on a specific naming convention: `Java_PackageName_ClassName_MethodName`. For example, a Java method `native String getSecret(String arg);` in `com.example.app.MainActivity` would look for a native function named `Java_com_example_app_MainActivity_getSecret`. Dynamic Registration (RegisterNatives): More commonly, native libraries explicitly register their functions with the JVM using the `RegisterNatives` JNI function. This happens dynamically, often within the `JNI_OnLoad` function, making it harder to spot statically. Tools like `nm -D ` can list exported symbols, helping identify statically registered functions or the `JNI_OnLoad` entry point. Hands-On: Hooking Statically Registered JNI Functions Let’s create a simple Android app with a statically registered native method. Example Android App (Java/Kotlin & C/C++) `MainActivity.java` (or Kotlin equivalent): package com.example.jnidemo;import androidx.appcompat.app.AppCompatActivity;import android.os.Bundle;import android.util.Log;public class MainActivity extends AppCompatActivity { static { System.loadLibrary( May 29, 2026
Real-World Scenarios: Bypassing Root Detection in Banking/Gaming Apps with Objection Introduction Root detection is a ubiquitous security measure implemented by developers of sensitive applications, particularly in the banking, financial, and gaming sectors. Its primary goal is to prevent the application from running on rooted Android devices, thereby mitigating risks associated with compromised device integrity, such as unauthorized access to data, cheating, or circumventing licensing. For penetration testers and security researchers, however, bypassing these controls is a crucial step in evaluating an application’s true security posture. This article delves into practical techniques for bypassing Android root detection using Objection, a powerful runtime mobile exploration toolkit powered by Frida. Frida is a dynamic instrumentation toolkit that allows developers and security researchers to inject JavaScript snippets into native apps on Windows, macOS, Linux, iOS, Android, and QNX. Objection leverages Frida’s capabilities, providing a user-friendly command-line interface to interact with mobile applications at runtime, enabling tasks like SSL pinning bypass, root detection bypass, and memory manipulation. Understanding Android Root Detection Mechanisms Before we can bypass root detection, we must understand how it typically works. Android applications employ various heuristics to determine if a device is rooted: File-based Checks: Applications often search for the presence of root-specific binaries or files, such as `su` (superuser), `magisk`, `busybox`, or `xposed` in common paths like `/system/bin`, `/system/xbin`, `/sbin`, or `/data/local/tmp`. Property-based Checks: Checking system properties like `ro.boot.flash.locked` (which might indicate an unlocked bootloader) or `ro.secure` can hint at a modified system. Package-based Checks: Detecting the presence of known root management apps (e.g., Magisk Manager, SuperSU) by checking installed packages. Binary Execution Checks: Attempting to execute `su` with a non-zero exit code indicating root privileges. Signature/Integrity Checks: Verifying the integrity of system libraries or the application’s own code to detect tampering. Setting Up Your Penetration Testing Environment To follow along, you’ll need the following: A rooted Android device or emulator (e.g., with Magisk). ADB (Android Debug Bridge) installed and configured on your host machine. Frida server installed on your Android device. Objection installed on your host machine via pip: pip3 install objection First, ensure Frida server is running on your device. Download the appropriate Frida server binary from the Frida releases page for your device’s architecture (e.g., `frida-server-*-android-arm64`). adb push /path/to/frida-server /data/local/tmp/frida-serveradb shell "chmod 755 /data/local/tmp/frida-server"adb shell "/data/local/tmp/frida-server &" Verify Frida server is running by executing frida-ps -U on your host. This should list processes on your Android device. Objection’s Built-in Root Detection Bypass Objection offers a straightforward command to bypass common root detection mechanisms. Let’s assume our target application has the package name `com.example.bankapp`. First, launch Objection, attaching to the target application: objection --gadget com.example.bankapp explore Once connected, you’ll be presented with the Objection prompt. To attempt a general root detection bypass, simply use: android root disable This command injects a set of Frida hooks designed to intercept and modify the return values of common root detection methods. For instance, it might hook methods like `java.io.File.exists()` when called on `su` binary paths, or modify the output of `Runtime.exec()` calls that attempt to execute `which su`. The output will show which methods were hooked and what their return values were changed to (typically `false` or an empty string). Advanced Bypass: Custom Frida Hooks with Objection While `android root disable` is effective against many common checks, sophisticated applications might implement custom root detection logic that isn’t covered by Objection’s default hooks. In such cases, we need to identify the specific methods responsible for root detection and craft custom Frida scripts. Identifying Target Methods This often involves a combination of static and dynamic analysis: Static Analysis: Decompile the APK (e.g., with Jadx-GUI) and search for keywords like “root”, “su”, “magisk”, “isRooted”, “checkForRoot”, “RootDetector”, `busybox`, `xposed` in the source code. This helps pinpoint potential root detection classes and methods. Dynamic Analysis with Objection: If static analysis doesn’t yield clear results, or if the code is heavily obfuscated, we can use Objection’s dynamic exploration capabilities. android hooking search classes Rootandroid hooking search methods isRooted These commands help enumerate classes and methods containing the specified keywords, which can guide your investigation. Example: Bypassing a Custom isRooted() Method Let’s assume static analysis reveals a method `com.example.bankapp.utils.RootChecker.isRooted()` that returns `true` if the device is rooted. We can hook this method directly using Objection: android hooking watch class_method com.example.bankapp.utils.RootChecker.isRooted --dump-args --dump-backtrace --dump-return Observe the method’s behavior. If it indeed returns `true` on a rooted device, we can force it to return `false`: android hooking set return_value com.example.bankapp.utils.RootChecker.isRooted false This is a powerful way to override specific method outcomes dynamically. Example: Bypassing File Existence Checks with a Custom Script Consider an app that specifically checks for `/data/adb/magisk.img` and `/sbin/su` directly without using a generic `isRooted()` method. We can create a custom Frida script (`custom_bypass.js`) to target these specific checks: Java.perform(function () { var File = Java.use('java.io.File'); File.exists.implementation = function () { var path = this.getPath(); console.log("File.exists called for: " + path); if (path.includes("magisk.img") || path.includes("su")) { console.log("Bypassing existence check for: " + path); return false; } return this.exists(); };}); Now, load this script using Objection: objection --gadget com.example.bankapp explore -s custom_bypass.js The `-s` flag tells Objection to load the specified script at startup. This script will intercept all calls to `java.io.File.exists()` and return `false` for specific root-related files, effectively bypassing the check. Real-World Challenges and Best Practices Obfuscation: Production applications are often obfuscated (e.g., with ProGuard or R8), making class and method names meaningless. This requires more effort in static analysis and dynamic debugging to identify the correct targets. Native Root Detection: Some advanced applications implement root detection in native code (JNI/C/C++). Bypassing these requires deeper understanding of ARM assembly and using Frida’s native hooking capabilities, which can be done via Objection’s `frida` command for injecting more complex scripts. Anti-Tampering: Apps may detect if they are being debugged or if their code has been modified. These anti-tampering measures might need to be bypassed first before root detection can be addressed. Iterative Process: Bypassing root detection is often an iterative process. You might bypass one check only to discover another. Persistent logging and careful observation of application behavior are key. Conclusion Objection, powered by Frida, provides an indispensable toolkit for penetration testers to bypass various mobile application security controls, including root detection. While its built-in `android root disable` command handles many common scenarios, the ability to craft and inject custom Frida scripts empowers testers to tackle more complex, application-specific root detection mechanisms. Mastering these techniques is crucial for thorough security assessments, allowing researchers to delve deeper into an application’s vulnerabilities without being blocked by foundational security checks. May 29, 2026
Debugging Frida JNI Hooks: Common Pitfalls and Solutions for Native Android Apps Introduction to Frida JNI Hooking Frida has revolutionized mobile application penetration testing, offering unparalleled flexibility to inspect and modify application behavior at runtime. While JavaScript-based hooking for Java methods is straightforward, interacting with native C/C++ code via the Java Native Interface (JNI) presents a unique set of challenges. Debugging Frida scripts designed to hook JNI functions often requires a deeper understanding of both the JNI specification and the intricacies of native binary analysis. This article delves into the most common pitfalls encountered when debugging Frida JNI hooks in native Android applications and provides expert-level solutions. The Core Challenges of JNI Hooking Before diving into specific issues, it’s crucial to understand why JNI hooking can be significantly more complex than Java hooking: Native Code Context: You’re operating directly on machine code. Understanding CPU architecture (ARM, ARM64), calling conventions, and assembly becomes essential. JNI Bridge Mechanics: JNI functions involve specific argument passing conventions, including the mandatory JNIEnv* and jobject (or jclass) pointers. Symbol Resolution: C/C++ compilers often mangle function names, especially for C++ methods. Many native functions might also be static or internal, not exported directly by the library. JNI Type System: JNI uses specific types (e.g., jstring, jbyteArray, jint) that are distinct from their native C/C++ counterparts and require careful handling. Thread Safety & JNIEnv: The JNIEnv* pointer is thread-local. Mismanagement can lead to crashes or undefined behavior. Pitfall 1: Incorrect JNI Function Signatures One of the most frequent causes of crashes or unexpected behavior is supplying an incorrect function signature to Frida’s Interceptor.attach. JNI functions exposed to Java always follow a specific pattern. The Problem Consider a native function like this in C/C++: JNIEXPORT jstring JNICALL Java_com_example_app_NativeLib_greet(JNIEnv *env, jobject instance, jstring name) { const char *c_name = env->GetStringUTFChars(name, 0); std::string greeting = "Hello, " + std::string(c_name); env->ReleaseStringUTFChars(name, c_name); return env->NewStringUTF(greeting.c_str());} If you mistakenly hook it expecting only one argument after JNIEnv* and jobject, or misinterpret the type: // Incorrect Frida hook exampleInterceptor.attach(Module.findExportByName("libnativelib.so", "Java_com_example_app_NativeLib_greet"), { onEnter: function (args) { // args[0] is JNIEnv*, args[1] is jobject // args[2] is expected to be jstring, but if we mistype it as a pointer to a C string // and try to read it directly, it will crash or read garbage. console.log("Attempting to read args[2] as a raw C string: " + args[2].readUtf8String()); // CRASH! }}); The Solution: Verify Signatures Always verify the exact signature. This usually involves: Decompilation: Use tools like IDA Pro or Ghidra to analyze the native library. Look for the function’s entry point and its arguments. Source Code: If available, the native source code is the most reliable source. Frida’s own tools: In some cases, you might hook JNIEnv->RegisterNatives to dynamically discover registered native methods and their signatures, though this is for dynamically registered methods, not typically exported ones. // Correct Frida hook for Java_com_example_app_NativeLib_greetInterceptor.attach(Module.findExportByName("libnativelib.so", "Java_com_example_app_NativeLib_greet"), { onEnter: function (args) { const env = args[0]; const instance = args[1]; const jniName = args[2]; // This is a jstring (pointer to Java String object) // Proper way to read jstring content const nameStr = env.getStringUtfChars(jniName, null).readUtf8String(); console.log(`[+] greet() called with name: ${nameStr}`); // If we want to change the input // args[2] = env.newStringUtf("Frida World"); }, onLeave: function (retval) { const env = this.context.r0 || this.context.x0; // JNIEnv* from context (ARM/ARM64) const returnedJniString = retval; const returnedStr = env.getStringUtfChars(returnedJniString, null).readUtf8String(); console.log(`[+] greet() returned: ${returnedStr}`); // If we want to change the return value // retval.replace(env.newStringUtf("Hooked Return")); }}); Pitfall 2: Mismanaging JNIEnv and JavaVM The JNIEnv* pointer is crucial for interacting with the Java Virtual Machine (JVM) from native code. However, it’s thread-local and cannot be shared across threads. The Problem If you attempt to call Java methods or allocate Java objects from a Frida-spawned thread (e.g., using setTimeout, rpc.exports, or a custom native thread) without properly attaching it to the JVM, your script will crash. The Solution: Attach and Detach Threads When operating in a context where a valid JNIEnv* is not readily available (i.e., not directly in an onEnter/onLeave callback of a JNI method), you must explicitly attach the current native thread to the JVM and later detach it. function getJNIEnv() { const vm = Java.vm; let env = vm.getEnv(); if (env === null) { // Current thread not attached, attach it const threadName = "FridaWorker"; const JNI_VERSION_1_6 = 0x00010006; vm.attachCurrentThread(threadName); // You can specify a thread name env = vm.getEnv(); if (env === null) { console.error("[!] Failed to attach current thread to JVM"); return null; } // If this is a one-off operation, remember to detach later // vm.detachCurrentThread(); } return env;}// Example usage from a non-JNI context (e.g., rpc.exports function)rpc.exports = { callJavaMethod: function(className, methodName) { Java.perform(function() { // Always wrap Java interactions in Java.perform const env = getJNIEnv(); if (env) { const targetClass = env.findClass(className); if (targetClass) { // ... proceed to find and call the method using env->GetMethodID/CallObjectMethod console.log(`[+] Successfully got JNIEnv and class: ${className}`); } } }); }}; Pitfall 3: Symbol Resolution and Name Mangling Finding the exact address of a native function can be challenging due to C++ name mangling and the fact that many functions are not explicitly exported. The Problem You’ve identified a function like `MyClass::doSomething(int)` in a disassembler, but `Module.findExportByName( May 29, 2026


	
	
		
	
	
	
	
		
			←Previous Page
			1
…
606
607
608
609
610
…
705
			Next Page→

Author: admin

Introduction: The Crucial Role of Cryptography in Android Security

Prerequisites and Environment Setup

Installing Frida and ADB

Identifying Android Crypto APIs

Basic Interception: Hooking Cipher.getInstance()

Advanced Interception: Extracting Keys, IVs, and Data

Hooking SecretKeySpec and IvParameterSpec

Extracting Plaintext and Ciphertext

Putting It All Together: A Comprehensive Crypto Scraper

Dealing with Obfuscation and Native Code Crypto

Obfuscation

Native Code Cryptography

Conclusion

Introduction to Advanced JNI Hooking

Understanding JNI and Native Method Calls

Example JNI Native Method

The Challenge: Hooking Unexported Functions

Implementing Inline Hooking with Frida

1. Finding the Library Base Address

2. Finding the Function Offset

3. Attaching the Interceptor

Advanced Considerations: Hooking JNIEnv Functions

Conclusion

Introduction: Unveiling Android’s Cryptographic Secrets with Frida

Prerequisites

Setting Up Frida on Android

Hooking AES Encryption/Decryption and Extracting Keys

Identifying Target Methods

Frida Script for AES Hooking

Running the AES Hook

Hooking RSA Encryption/Decryption and Key Extraction

Identifying Target Methods for RSA

Frida Script for RSA Hooking

Running the RSA Hook

Advanced Considerations and Challenges

Conclusion

Introduction

The Challenge of Early Initialization

Understanding JNI_OnLoad

Frida’s Approach: Intercepting JNI_OnLoad

Why this timing is crucial:

Step-by-Step Guide with Frida

1. Identify the Target Library

2. Locate JNI_OnLoad

3. Hook JNI_OnLoad

4. Execute the Frida Script

Advanced Considerations

Dealing with JNIEnv* and JavaVM*

Bypassing Anti-Tampering Checks

Hooking `RegisterNatives`

JNI_OnUnload

Conclusion

Introduction to JNI Hooking and Dynamic Discovery

The Challenge of Manual JNI Hooking

Frida for Advanced Native Interception

Identifying JNI Functions Dynamically

Hooking JNI_OnLoad and RegisterNatives

Introduction: Unveiling Native Android Secrets

Understanding JNI Fundamentals

Key JNI Concepts:

Setting Up Your Frida JNI Hooking Lab

Installing Frida Server on Android:

Introduction

Understanding JNI and Native Methods

The Challenge of Complex Types in Native Hooks

Frida’s JNIEnv Proxy: Your Gateway to the JVM

Case Study 1: Hooking a Native Method Receiving jstring and jobject

Case Study 2: Handling C/C++ Pointers and Structures

Advanced Techniques: Creating and Passing Java Objects

Conclusion

Introduction to JNI and Native Android Security

The Power of Frida for Native Interception

Why JNI Hooking?

Prerequisites

Identifying Native Entry Points

Hands-On: Hooking Statically Registered JNI Functions

Example Android App (Java/Kotlin & C/C++)

Introduction

Understanding Android Root Detection Mechanisms

Hooking `JNI_OnLoad` and `RegisterNatives`

Frida’s `JNIEnv` Proxy: Your Gateway to the JVM

Case Study 1: Hooking a Native Method Receiving `jstring` and `jobject`

Example: Bypassing a Custom `isRooted()` Method