I'm reverse engineering an app (with the permission of the dev) and I'm still new to this, but is it possible to get the name of the native function that's calling a Java method, and in which library? I know for sure the native functions are being called, yet if I try to intercept the library using Frida I get an error saying that Frida can't find the library. I decompiled the APK using JD-GUI and I couldn't find the library in the libs folder. I tried to intercept System.loadLibrary() but the app crashes with an invalid address error, yet I did find a library being loaded by the app. If I enumerate loaded modules using Frida I don't find that library name, and it's also not found in the libs folder. Is there a way to specify a native library path in Java? And how can the app load libraries yet Frida can't see them?
-
So you have an app that obviously contains no native libraries and you find no native calls, but you are still sure that it uses at least one native library - why? Also make sure you have a full app APK; modern apps are distributed by Google in the form of multiple APK files: one for the code, one for the native libs, one for the language-specific strings, ... – Robert Dec 31 '20 at 12:14
-
I did find the native calls and they are being called, but can an APK from the Play Store be without libraries, and can it use another APK's libs? – ahmed mani Dec 31 '20 at 15:50
-
@technically the libraries can be downloaded and then loaded. Or the libraries are contained within the APK files or OBB files, but obfuscated or in a different path so that you don't identify them as libraries. – Robert Dec 31 '20 at 16:29
2 Answers
If I understood correctly, you want to find the name of the native function that is called BY Java?
- list all calls to System.loadLibrary() to detect all libraries
- using IDA Pro (or one of its alternatives here: https://reverseengineering.stackexchange.com/questions/1817/is-there-any-disassembler-to-rival-ida-pro) check for all methods starting with "Java_...."
The theory behind this is that all native methods should start with "Java_" and continue with the rest of the package name.
For example:
Java_com_foobar_main_test(...);
represents a method "test()" in package "com.foobar" and class file "main". Overloaded methods could have their signature after the method name, like:
Java_com_foobar_main_test__Ljava_lang_String_2I(..., jstring text, jint integer);
but the concept remains the same as before.
If you want to know which Java method is called by a specific native method, then you have to find "GetMethodID(..)" or "GetStaticMethodID(..)" in the native code and check the string passed as the 3rd argument: it's the name of the Java method.

-
You can change the name of the function in a C++/C file so it cannot be traced. Hooking System.loadLibrary() crashes the app; I already tried that. – ahmed mani Dec 31 '20 at 15:49
-
Java native methods don't have to be named that way (and exported). There is a way to dynamically register them using the `RegisterNatives` method. – Robert Dec 31 '20 at 16:31
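Added example (not part of the original answer or of any project's code): a small JavaScript decoder for the "Java_..." export naming scheme described in the first answer. It goes beyond the two names shown there by also handling the `_1`, `_2`, `_3` and `_0xxxx` escapes that JNI uses in mangled names, and it returns null for symbols that do not follow the scheme, such as functions bound through `RegisterNatives`. The helper names and sample symbols are made up for illustration.

```javascript
// Added example: decode JNI export names. Helper names are hypothetical.
const ESC = { 1: '_', 2: ';', 3: '[' };
const isEscDigit = (c) => c !== undefined && '0123'.includes(c);

// Undo JNI escapes in one mangled part; a bare "_" stood for "/" (or ".").
function unescapeJni(part) {
  return part.replace(/_0([0-9a-fA-F]{4})|_([123])|_/g, (m, hex, esc) =>
    hex ? String.fromCharCode(parseInt(hex, 16)) : esc ? ESC[esc] : '/');
}

// Index of the "__" that starts an overload signature, or -1 for a short name.
function findSigSeparator(s) {
  for (let i = 0; i < s.length - 1; i++) {
    if (s[i] !== '_') continue;
    if (isEscDigit(s[i + 1])) { i++; continue; }          // "_1", "_2", ... escape
    if (s[i + 1] === '_' && !isEscDigit(s[i + 2])) return i;
  }
  return -1;
}

// Split a Java_ symbol into class, method and (for long names) argument signature.
function decodeJniSymbol(symbol) {
  if (!symbol.startsWith('Java_')) return null;  // e.g. RegisterNatives targets
  const body = symbol.slice('Java_'.length);
  const sep = findSigSeparator(body);
  const name = sep < 0 ? body : body.slice(0, sep);
  let cut = -1;                                  // last "_" that is not an escape
  for (let i = 0; i < name.length; i++) {
    if (name[i] !== '_') continue;
    if (isEscDigit(name[i + 1])) i++; else cut = i;
  }
  if (cut < 0) return null;
  return {
    className: unescapeJni(name.slice(0, cut)).replace(/\//g, '.'),
    method: unescapeJni(name.slice(cut + 1)),
    args: sep < 0 ? null : '(' + unescapeJni(body.slice(sep + 2)) + ')',
  };
}

// Constructed sample export names, not taken from any real app.
const samples = [
  'Java_com_foobar_main_test',
  'Java_com_foobar_main_test__Ljava_lang_String_2I',
  'Java_com_foo_1bar_Native_1Lib_do_1work___3B',
  'JNI_OnLoad',
];
for (const s of samples) console.log(s, '->', JSON.stringify(decodeJniSymbol(s)));
```

The decoded class and method can then be matched against the `native` declarations seen in the decompiled Java code.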
My skills have advanced since this question, so hopefully someone finds this helpful.
Sadly there is no way to get a Java traceback using Frida that includes C++ functions; however, there are better solutions. But before that, how does a Java function get called from the native layer?
First, a method ID of the Java method is fetched using the JNI function "GetMethodID", which returns a unique integer relative to the method.
Then the method ID and the Java object on which the method will be called are passed to one of these functions, depending on the return value of the Java method. For example, if the Java method returns void, "CallVoidMethod" will be called, and so on.
The idea here is to hook GetMethodID and log the params, as the method signature will be passed as a string.
The second solution is to emulate the so library inside an Android so emulator and to print the debug log there. Currently 2 emus are capable of doing this
