Frida hooking into custom constructor encountering errors (Expected a Pointer) [Android]

Question

I am trying to hook into a constructor that initialises a couple of interfaces, along with other objects. My Frida script is as such:

Java.perform(function(){
    Java.scheduleOnMainThread(function(){
        var Vid = Java.use('com.ss.android.testcamera.tcamera.TESTVideoMode');
        var TESTCamera2 = Java.use('com.ss.android.testcamera.TESTCamera2');
        var Context = Java.use("android.app.ActivityThread").currentApplication().getApplicationContext();
        var CameraManager = Java.use('android.hardware.camera2.CameraManager');
        var Handler = Java.use('android.os.Handler');

        var type = 3; 
        var CameraEvents = Java.use('com.ss.android.testcamera.TESTCameraBase$CameraEvents');
        var PictureSizeCallback = Java.use('com.ss.android.testcamera.TESTCameraBase$PictureSizeCallBack');

        var TESTCam2 = TECamera2.$new.overload('int', 'android.content.Context', 'com.ss.android.testcamera.TESTCameraBase$CameraEvents', 'android.os.Handler', 'com.ss.android.testcamera.TESTCameraBase$PictureSizeCallBack');
        TESTCam2.call(TESTCamera2, type, Context, CameraEvents, Handler, PictureSizeCallback);

        var VidInstance = Vid.$new(TESTCam2, Context, CameraManager.$new(), Handler.$new());
    })
})

However, I am encountering errors, like the one shown below.

Error: expected a pointer
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:1057)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:580)
    at call (native)
    at <anonymous> (/camera.js:18)
    at <anonymous> (frida/node_modules/frida-java-bridge/index.js:182)

For more context, the application code I am trying to hook is as such.

For Vid:

public TESTVideoMode(@NonNull TESTCamera2 camera2, @NonNull Context context, @NonNull CameraManager cameraManager, Handler handler) {
        super(camera2, context, cameraManager, handler);
    }

For TESTCamera2:

protected TESTCamera2(int type, Context context, TESTCameraBase.CameraEvents cameraEvents, Handler handler, TESTCameraBase.PictureSizeCallBack callBack) {
        super(context, cameraEvents, handler, callBack);

Interfaces listed:

    public interface CameraEvents {
        void onCameraClosed(TESTCameraBase TESTCameraBase);

        void onCameraError(int i, int i2, String str);

        void onCameraInfo(int i, int i2, String str);

        void onCameraOpened(int i, int i2, TESTCameraBase TESTCameraBase);
    }

    public interface PictureSizeCallBack {
        FSI getPictureSize(List<FSI> list, List<FSI> list2);
    }

My question is how do I initiate the TESTCam2.call without getting the expected a pointer error? Thanks in advance!

Edit: The code fails before Vid.$new, at the initialisation of TESTCam2.

I've attached console.log to every instance of Java.use, and here are the results:

Vid: <class: com.ss.android.testcamera.tcamera.TESTVideoMode> 
TESTCamera2: <class: com.ss.android.testcamera.TESTCamera2> 
Context: com.ss.android.ugc.aweme.CamApplication@7249ed6 
CameraManager: <class: android.hardware.camera2.CameraManager> 
Handler: <class: android.os.Handler> CameraEvents: [object Object] 
PictureSizeCallback: [object Object]

You should check if all the `Java.use` operations really succeeded (returned a class). It seems that on Android 9+ (or earlier?) not all classes are directly on app startup loaded/available in Frida. Furthermore I would rectify the line where you call `Vid.$new`. It contains too many calls that may fail in this case you don't know which one. — Robert, Dec 14 '21 at 18:41
Hi Robert, the code fails before Vid.$new, at the initialisation of TESTCam2. I've attached `console.log` to every instance of `Java.use`, and here are the results: `Vid: ` `TESTCamera2: ` `Context: com.ss.android.ugc.aweme.CamApplication@7249ed6` `CameraManager: ` `Handler: ` `CameraEvents: [object Object]` `PictureSizeCallback: [object Object]` The last 2 are from the interfaces, so couldn't `$new` them. — vificatem, Dec 15 '21 at 08:55
Please do not post code in comments (make it unreadable). Edit your question instead. — Robert, Dec 15 '21 at 09:54
`CameraManager.$new()` will not work as CameraManager is a system service that is received via `CameraManager manager = (CameraManager) activity.getSystemService(Context.CAMERA_SERVICE);` - as I wrote you should check all instances used in the last line... — Robert, Dec 16 '21 at 10:05

Frida hooking into custom constructor encountering errors (Expected a Pointer) [Android]

0 Answers0