Frida call function of reverse engineered smali code (Android)

Question

I want to call a function through frida in an apk while only having decompiled smali code. The code looks like the following:

b.smali

.class public final Lcom/company/a/b;
.super Ljava/lang/Object;
.source ""

# annotations
.annotation system Ldalvik/annotation/MemberClasses;
    value = {
        Lcom/company/a/b$c;
    }
.end annotation

.annotation runtime Lkotlin/Metadata;
[...]
    d2 = {
        "Lcom/company/a/b;",
        [...]
        "f",
        [...]
    }
[...]
.end annotation


# static fields
[...]

.field public static final f:Lcom/company/a/b$c;

b$c.smali

.class public final Lcom/company/a/b$c;
.super Ljava/lang/Object;
.source ""


# annotations
.annotation system Ldalvik/annotation/EnclosingClass;
    value = Lcom/company/a/b;
.end annotation

.annotation system Ldalvik/annotation/InnerClass;
    accessFlags = 0x19
    name = "c"
.end annotation

.annotation runtime Lkotlin/Metadata;
[...]
    d2 = {
        "Lcom/company/a/b$c;",
[...]
        "cp2",
[...]
    }
.end annotation

# direct methods
[...]

.method public final cp2()V
    .locals 2
    .annotation build Landroidx/annotation/Keep;
    .end annotation

    [...]

    return-void
.end method

Here I want to call the function cp2() from object f. How do I do this? The .js file I pass to frida contains:

Java.perform(function(){
    var class = Java.use("com.company.a.b");
    class.f.cp2();
});

But it returns me:

* Unable to call

Is it even possible to call a funtion of an object in frida?

score 0 · Answer 1 · answered Jun 25 '21 at 12:27

Your code has two problems:

The method cp2 is not a member of class com.company.a.b but of it's inner class com.company.a.b$c.

Therefore you need the following class reference:

var class = Java.use("com.company.a.b$c");

The second problem is that the method cp2 is not a static method which makes calling it a bit more complicated as you can't call it just on the class. Instead you need a reference to an existing instance of the class com.company.a.b$c.

As the posted code does not include the constructor of com.company.a.b$c I don't know how to create an instance of com.company.a.b$c.

A simple workaround would be to search a method that is called that is getting an instance to com.company.a.b$c as parameter and to hook that method. Inside the hook you would then have an instance you could call cp2 on.

Thank you. But isn't the object `f (.field public static final f:Lcom/company/a/b$c;)` in `com.company.a.b` already an instantiated object which has `cp2` and therefore can be called? So I just have to find an instantiated class of `com.company.a.b` or hooking the constructor of `b` and calling on passed `f`? — pythonimus, Jun 28 '21 at 08:57

Frida call function of reverse engineered smali code (Android)

1 Answers1