
antifrida_bypass's Introduction

AntiFrida_Bypass

Generic Script To Bypass Some AntiFrida Checks

Please star or fork it if you use it; it gives confidence that the community likes it.

Feel free to send more bypasses as a PR or improve it.

Note: it does not yet support bypassing Frida checks that use direct syscalls.

Roadmap:

  1. Add syscall check bypass
  2. Add more Frida strings
  3. Add more methods that might check for Frida's presence
  4. Anything else you can suggest

antifrida_bypass's People

Contributors

apkunpacker


antifrida_bypass's Issues

AntiFrida_Google.js Using CModule failed

For AntiFrida_Google.js,
I failed to hook using the following code because I thought it would be too slow to hook using JavaScript and could be faster using CModule instead.

const __android_log_print_ptr = Module.findExportByName(null, '__android_log_print')
const strlen = Module.getExportByName(null, 'strlen');
const malloc_ptr = Module.findExportByName(null, 'malloc')
const perror_ptr = Module.findExportByName(null, 'perror')
const exit_ptr = Module.findExportByName(null, 'exit')

Interceptor.attach(strlen, new CModule(`

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <gum/gumprocess.h>
#include <gum/guminterceptor.h>


extern void on_message(const gchar *message);
extern int __android_log_print(int prio, const char* tag, const char* fmt, ...);
extern void *malloc(size_t __byte_count);
extern void *perror(const char* tag);
extern int exit(int prio);



/**

String replacement
Example:
Original string bigString:			79859ea000-79859ec000 rwxp 001a8000 07:90 118                            /apex/com.android.art/lib64/libart.so
Substring to search for, oldSubString:	"rwxp"
Replacement substring, newSubString:	"r-xp"
Result:						79859ea000-79859ec000 r-xp 001a8000 07:90 118                            /apex/com.android.art/lib64/libart.so

*/
char *replaceSubstring(const char *bigString, const char *oldSubString, const char *newSubString) 
{
    size_t bigLen = strlen(bigString);
    size_t oldLen = strlen(oldSubString);
    size_t newLen = strlen(newSubString);
    char *result = NULL;
    const char *src = bigString;
    const char *oldSrc = oldSubString;
    char *dst = NULL;
    size_t count = 0;

    // Compute the total length needed
    while (*src) {
        if (strstr(src, oldSrc) == src) {
            count++;
            src += oldLen;
        } else {
            src++;
        }
    }
    count *= (newLen - oldLen);
    size_t totalLen = bigLen + count;

    // Allocate enough memory
    result = (char *)malloc(totalLen + 1);
    if (!result) {
        perror("Memory allocation failed");
        exit(0);
        
    }
    // Copy and replace
    dst = result;
    src = bigString;
    while (*src) {
        if (strstr(src, oldSrc) == src) {
            memcpy(dst, newSubString, newLen);
            dst += newLen;
            src += oldLen;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\\0';

    return result;
}

char oldSubString[] = "rwxp";
char newSubString[] = "r-xp";

	void onEnter (GumInvocationContext * ic)
	{
		char *str =  (char *)ic->cpu_context->x[0];

		char *position = strstr(str, oldSubString);
		
		//on_message((char *)ic->cpu_context->x[0]); // print all messages to the console
		if (position != NULL)
		{
			str = replaceSubstring(str,oldSubString,newSubString);
			(char *)ic->cpu_context->x[0] = str;
			on_message((char *)ic->cpu_context->x[0]);
		}
		
	}
  


  
`, { 
	
	malloc: malloc_ptr,
	perror: perror_ptr,
	exit: exit_ptr,
	__android_log_print: __android_log_print_ptr,
	on_message: new NativeCallback(function (strings)
	{
		console.log(strings.readUtf8String());
	}, 'void', ['pointer']),
		
 }));

android app crash on starting frida server

Hello,

I am not sure whether this issue is relevant to this repo or not, but my Android app starts crashing when I start the Frida server, and when I tried, it gives me a "Bad access due to invalid address" error.
It would be great if you could point me in the right direction.

Thanks

Crashes during attachment

None of the scripts work; the game crashes while Frida is trying to attach to the process. Is it because the protection is using direct syscalls? Just wondering.

Checker not working if java like this.

Hello @apkunpacker,
I have Java code that checks anti-Frida,
and when I call the APK with the code you wrote, I get the following error.

Error code is :
Error: unable to find module containing 0xffe1db0c
Error: unable to find module containing 0xffe1db10
Error: unable to find module containing 0xdceffad0
Error: unable to find module containing 0xca7a56f4
Error: unable to find module containing 0xca7a56f8
Error: unable to find module containing 0xdceffb50
Error: unable to find module containing 0x0
Error: unable to find module containing 0xdf123a00
Error: unable to find module containing 0xffe1d328
Error: unable to find module containing 0xffe1d34c
Error: unable to find module containing 0xdcedaf00
Error: unable to find module containing 0xffe1d1e8
Error: unable to find module containing 0xffe1d20c
Error: unable to find module containing 0xdcedb400
Error: unable to find module containing 0xffe1d248
Error: unable to find module containing 0xffe1d26c

Java Code is :

public class SecurityUtils {
public static ChangeQuickRedirect changeQuickRedirect;
public static Boolean isSecure;

static {
    Covode.recordClassIndex(114126);
}

public static boolean isFridaExist() {
    PatchProxyResult proxy = PatchProxy.proxy(new Object[0], null, changeQuickRedirect, true, 11);
    if (proxy.isSupported) {
        return ((Boolean) proxy.result).booleanValue();
    }
    try {
        InetAddress.getByName(decode("3132372e302e302e31"));
        new Socket("3132372e302e302e31", Integer.parseInt(decode("3237303432")));
        return true;
    } catch (IOException unused) {
        return false;
    }
}

public static boolean isRoot() {
    PatchProxyResult proxy = PatchProxy.proxy(new Object[0], null, changeQuickRedirect, true, 3);
    if (proxy.isSupported) {
        return ((Boolean) proxy.result).booleanValue();
    }
    if (getRoSecureProp() == 0) {
        return true;
    }
    return isSUExist();
}

public static boolean isSecure() {
    PatchProxyResult proxy = PatchProxy.proxy(new Object[0], null, changeQuickRedirect, true, 1);
    if (proxy.isSupported) {
        return ((Boolean) proxy.result).booleanValue();
    }
    Boolean bool = isSecure;
    if (bool == null || bool.booleanValue()) {
        return true;
    }
    return false;
}

public static int getRoSecureProp() {
    Object invoke;
    String str = null;
    PatchProxyResult proxy = PatchProxy.proxy(new Object[0], null, changeQuickRedirect, true, 5);
    if (proxy.isSupported) {
        return ((Integer) proxy.result).intValue();
    }
    try {
        invoke = INVOKESTATIC_com_ss_android_socialbase_appdownloader_util_SecurityUtils_com_ss_android_ugc_aweme_lancet_mira_opt_MiraReflectLancet_forName("android.os.SystemProperties").getMethod("get", String.class).invoke(null, decode("726f2e736563757265"));
    } catch (Exception unused) {
    }
    if (invoke == null) {
        return 1;
    }
    str = (String) invoke;
    if (str == null || !"0".equals(str)) {
        return 1;
    }
    return 0;
}

public static boolean isSUExist() {
    String[] strArr;
    int i;
    PatchProxyResult proxy = PatchProxy.proxy(new Object[0], null, changeQuickRedirect, true, 7);
    if (proxy.isSupported) {
        return ((Boolean) proxy.result).booleanValue();
    }
    try {
        strArr = new String[]{decode("2f7362696e2f7375"), decode("2f73797374656d2f62696e2f7375"), decode("2f73797374656d2f7862696e2f7375"), decode("2f646174612f6c6f63616c2f7862696e2f7375"), decode("2f646174612f6c6f63616c2f62696e2f7375"), decode("2f73797374656d2f73642f7862696e2f7375"), decode("2f73797374656d2f62696e2f6661696c736166652f7375"), decode("2f646174612f6c6f63616c2f7375")};
        i = 0;
    } catch (Exception unused) {
    }
    while (!new File(strArr[i]).exists()) {
        i++;
        if (i >= 8) {
            return false;
        }
    }
    return true;
}

public static boolean findHookAppFile() {
    MethodCollector.i(14877);
    PatchProxyResult proxy = PatchProxy.proxy(new Object[0], null, changeQuickRedirect, true, 13);
    if (proxy.isSupported) {
        boolean booleanValue = ((Boolean) proxy.result).booleanValue();
        MethodCollector.o(14877);
        return booleanValue;
    }
    try {
        HashSet<String> hashSet = new HashSet();
        BufferedReader bufferedReader = new BufferedReader(new FileReader("/proc/" + Process.myPid() + "/maps"));
        while (true) {
            String readLine = bufferedReader.readLine();
            if (readLine == null) {
                break;
            } else if (readLine.endsWith(".so") || readLine.endsWith(".jar")) {
                hashSet.add(readLine.substring(readLine.lastIndexOf(" ") + 1));
            }
        }
        bufferedReader.close();
        for (String str : hashSet) {
            if (str.contains(decode("636f6d2e73617572696b2e737562737472617465"))) {
                MethodCollector.o(14877);
                return true;
            } else if (str.contains(decode("58706f7365644272696467652e6a6172"))) {
                MethodCollector.o(14877);
                return true;
            } else if (str.contains(decode("6c696273616e64686f6f6b2e656478702e736f"))) {
                MethodCollector.o(14877);
                return true;
            }
        }
    } catch (Exception unused) {
    }
    MethodCollector.o(14877);
    return false;
}

public static String decode(String str) {
    PatchProxyResult proxy = PatchProxy.proxy(new Object[]{str}, null, changeQuickRedirect, true, 15);
    if (proxy.isSupported) {
        return (String) proxy.result;
    }
    return DownloadUtils.hexToString(str);
}

public static Class INVOKESTATIC_com_ss_android_socialbase_appdownloader_util_SecurityUtils_com_ss_android_ugc_aweme_lancet_mira_opt_MiraReflectLancet_forName(String str) {
    PatchProxyResult proxy = PatchProxy.proxy(new Object[]{str}, null, changeQuickRedirect, true, 6);
    if (proxy.isSupported) {
        return (Class) proxy.result;
    }
    if (!C0Y5.LIZ()) {
        return Class.forName(str);
    }
    try {
        return Class.forName(str);
    } catch (Throwable th) {
        if (th instanceof PluginClassNotFoundException) {
            throw th;
        } else if ((th instanceof ClassNotFoundException) || (th instanceof NoClassDefFoundError)) {
            return MiraPluginFix.forName(str);
        } else {
            throw th;
        }
    }
}

public static boolean hasSimCard(Context context) {
    int simState;
    PatchProxyResult proxy = PatchProxy.proxy(new Object[]{context}, null, changeQuickRedirect, true, 10);
    if (proxy.isSupported) {
        return ((Boolean) proxy.result).booleanValue();
    }
    try {
        simState = ((TelephonyManager) context.getSystemService("phone")).getSimState();
    } catch (Throwable unused) {
    }
    if (simState == 1 || simState == 0) {
        return false;
    }
    return true;
}

public static boolean isDebug(Context context) {
    PatchProxyResult proxy = PatchProxy.proxy(new Object[]{context}, null, changeQuickRedirect, true, 4);
    if (proxy.isSupported) {
        return ((Boolean) proxy.result).booleanValue();
    }
    if ((context.getApplicationInfo().flags & 2) != 0) {
        return true;
    }
    return false;
}

public static boolean isXposedExist(Context context) {
    PatchProxyResult proxy = PatchProxy.proxy(new Object[]{context}, null, changeQuickRedirect, true, 12);
    if (proxy.isSupported) {
        return ((Boolean) proxy.result).booleanValue();
    }
    if (findHookAppFile() || findHookAppName(context)) {
        return true;
    }
    return false;
}

public static boolean findHookAppName(Context context) {
    PatchProxyResult proxy = PatchProxy.proxy(new Object[]{context}, null, changeQuickRedirect, true, 14);
    if (proxy.isSupported) {
        return ((Boolean) proxy.result).booleanValue();
    }
    List<String> asList = Arrays.asList(decode("64652e726f62762e616e64726f69642e78706f736564"), decode("636f6d2e746f706a6f686e77752e6d616769736b"), decode("696f2e76612e6578706f736564"), decode("636f6d2e77696e642e636f74746572"), decode("6f72672e6d656f776361742e656478706f7365642e6d616e61676572"), decode("6d652e7765697368752e657870"), decode("636f6d2e73617572696b2e737562737472617465"));
    PackageManager packageManager = context.getPackageManager();
    for (String str : asList) {
        if (packageManager.getPackageInfo(str, 0) != null) {
            return true;
        }
    }
    return false;
}

public static synchronized void init(Context context) {
    synchronized (SecurityUtils.class) {
        MethodCollector.i(14876);
        boolean z = true;
        if (PatchProxy.proxy(new Object[]{context}, null, changeQuickRedirect, true, 2).isSupported) {
            MethodCollector.o(14876);
            return;
        }
        if (isSecure == null) {
            try {
                if (isRoot() || isDebug(context) || isUsbCharging(context) || !hasSimCard(context) || isFridaExist() || isXposedExist(context)) {
                    z = false;
                }
                isSecure = Boolean.valueOf(z);
                MethodCollector.o(14876);
                return;
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        MethodCollector.o(14876);
    }
}

public static boolean isUsbCharging(Context context) {
    Intent INVOKEVIRTUAL_com_ss_android_socialbase_appdownloader_util_SecurityUtils_com_bytedance_sysoptimizer_ReceiverRegisterLancet_registerReceiver;
    PatchProxyResult proxy = PatchProxy.proxy(new Object[]{context}, null, changeQuickRedirect, true, 8);
    if (proxy.isSupported) {
        return ((Boolean) proxy.result).booleanValue();
    }
    if ((!RomUtils.isEmui() || Build.VERSION.SDK_INT > 23) && (INVOKEVIRTUAL_com_ss_android_socialbase_appdownloader_util_SecurityUtils_com_bytedance_sysoptimizer_ReceiverRegisterLancet_registerReceiver = INVOKEVIRTUAL_com_ss_android_socialbase_appdownloader_util_SecurityUtils_com_bytedance_sysoptimizer_ReceiverRegisterLancet_registerReceiver(context, null, new IntentFilter("android.intent.action.BATTERY_CHANGED"))) != null && INVOKEVIRTUAL_com_ss_android_socialbase_appdownloader_util_SecurityUtils_com_bytedance_sysoptimizer_ReceiverRegisterLancet_registerReceiver.getIntExtra("plugged", -1) == 2) {
        return true;
    }
    return false;
}

public static Intent INVOKEVIRTUAL_com_ss_android_socialbase_appdownloader_util_SecurityUtils_com_bytedance_sysoptimizer_ReceiverRegisterLancet_registerReceiver(Context context, BroadcastReceiver broadcastReceiver, IntentFilter intentFilter) {
    String str;
    PatchProxyResult proxy = PatchProxy.proxy(new Object[]{context, broadcastReceiver, intentFilter}, null, changeQuickRedirect, true, 9);
    if (proxy.isSupported) {
        return (Intent) proxy.result;
    }
    if (broadcastReceiver != null) {
        str = broadcastReceiver.toString();
    } else {
        str = "";
    }
    ReceiverRegisterLancet.loge("optimize_receiver", str);
    try {
        return context.registerReceiver(broadcastReceiver, intentFilter);
    } catch (Exception e) {
        if (ReceiverRegisterCrashOptimizer.fixedOpen()) {
            return ReceiverRegisterCrashOptimizer.registerReceiver(broadcastReceiver, intentFilter);
        }
        throw e;
    }
}

}
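
The Java listing above passes its string constants to decode() as hex. As an added example (not code from the issue or from the repository), this Node.js script lists each hex literal with the text it decodes to and flags literals that appear without a decode() call; SAMPLE is an abbreviated excerpt of that listing, and hexToText and triageHexStrings are names chosen here.

```javascript
// Added example: triage of hex-encoded string constants in decompiled Java.
// SAMPLE is an abbreviated excerpt of the listing above (forName() stands in
// for the long INVOKESTATIC_... helper name), embedded so this runs offline.
const SAMPLE = `
public static boolean isFridaExist() {
    try {
        InetAddress.getByName(decode("3132372e302e302e31"));
        new Socket("3132372e302e302e31", Integer.parseInt(decode("3237303432")));
        return true;
    } catch (IOException unused) {
        return false;
    }
}
public static int getRoSecureProp() {
    invoke = forName("android.os.SystemProperties").getMethod("get", String.class).invoke(null, decode("726f2e736563757265"));
}
public static boolean isSUExist() {
    strArr = new String[]{decode("2f7362696e2f7375"), decode("2f73797374656d2f62696e2f7375")};
}
`;

// Decode an even-length hex string; return null unless the result is
// printable ASCII, so ordinary hex-looking words ("face", "dead") are skipped.
function hexToText(hex) {
  if (hex.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(hex)) return null;
  const text = Buffer.from(hex, 'hex').toString('utf8');
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Walk the source line by line, remember the enclosing static method, and
// record every string literal that decodes to printable text.
// `decoded` is false when the literal is NOT wrapped in decode(...), i.e. the
// listing hands the raw hex text to the API unchanged.
function triageHexStrings(source) {
  const methodDecl =
    /\b(?:public|private|protected)\s+static\s+(?:synchronized\s+)?[\w<>\[\]]+\s+(\w+)\s*\(/;
  const literal = /(\bdecode\s*\(\s*)?"([0-9a-fA-F]{4,})"/g;
  const findings = [];
  let method = '(top level)';
  for (const line of source.split('\n')) {
    const decl = methodDecl.exec(line);
    if (decl) method = decl[1];
    for (const m of line.matchAll(literal)) {
      const text = hexToText(m[2]);
      if (text === null) continue;
      findings.push({ method, hex: m[2], text, decoded: Boolean(m[1]) });
    }
  }
  return findings;
}

// Print one line per finding for a quick read-through.
for (const f of triageHexStrings(SAMPLE)) {
  const note = f.decoded ? '' : '  <-- used without decode()';
  console.log(`${f.method}: ${f.hex} => ${JSON.stringify(f.text)}${note}`);
}
```

The flagged entry is the host argument of `new Socket(...)` in `isFridaExist()`, which the listing passes as the hex text itself rather than through `decode()`.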

Not working with Pairipcore protection

Game still crashes when I launch with anti frida scripts

PS F:\Mobile-Modding\Frida\AntiFrida_Bypass-main> frida -U -f "com.candywriter.bitlife" -l AntiAntiFrida.js
     ____
    / _  |   Frida 16.1.5 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to G8341 (id=QV702XTV0X)
Spawned `com.candywriter.bitlife`. Resuming main thread!
Error: unable to find module containing 0x7fd53b4c08
Error: unable to find module containing 0x7fd53b4c10
Error: unable to find module containing 0x7d9205f0a0
[G8341::com.candywriter.bitlife ]-> Error: unable to find module containing 0x7d72713088
Error: unable to find module containing 0x7d72713090
Error: unable to find module containing 0x7d9205f220
Error: unable to find module containing 0x7d72615088
Error: unable to find module containing 0x7d72615090
Error: unable to find module containing 0x7d8b40da60
socket  :  1 526338 0 Return :  53
Connect :  1 Port :  25647 Return :  0
Error: unable to find module containing 0x7d88225558
Error: unable to find module containing 0x7d72b0b168
Error: unable to find module containing 0x7d737fd1e0
Error: unable to find module containing 0x7d88225510
Process crashed: Trace/BPT trap

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'Sony/G8341/G8341:9/47.2.A.11.228/3311891731:user/release-keys'
Revision: '0'
ABI: 'arm64'
pid: 10414, tid: 10414, name: ywriter.bitlife  >>> com.candywriter.bitlife <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'terminating with uncaught exception of type std::length_error: basic_string'
    x0  0000000000000000  x1  00000000000028ae  x2  0000000000000006  x3  0000000000000008
    x4  fefefefefefefeff  x5  fefefefefefefeff  x6  fefefefefefefeff  x7  7f7f7f7f7f7f7f7f
    x8  0000000000000083  x9  4437bcff1a93566f  x10 0000000000000000  x11 fffffffc7ffffbdf
    x12 0000000000000001  x13 00000000654ff512  x14 0018f96d54d74000  x15 00004f760014d325
    x16 0000007e164da2b8  x17 0000007e163fba50  x18 0000000000000000  x19 00000000000028ae
    x20 00000000000028ae  x21 ffffff80ffffffc8  x22 0000007fd53b1ac0  x23 0000007e164dc5b8
    x24 0000007fd53b19a0  x25 0000007fd53b19e0  x26 0000000000000000  x27 0000007fd53b21f0
    x28 00000000000028ae  x29 0000007fd53b1910
    sp  0000007fd53b18d0  lr  0000007e163ed084  pc  0000007e163ed0ac

backtrace:
    #00 pc 00000000000220ac  /system/lib64/libc.so (offset 0x22000) (abort+116)
    #01 pc 0000000000000108  <anonymous:0000007e13eb9000>
***
[G8341::com.candywriter.bitlife ]->

Thank you for using Frida!
PS F:\Mobile-Modding\Frida\AntiFrida_Bypass-main> frida -U -f "com.candywriter.bitlife" -l AntiAntiFrida2.js
     ____
    / _  |   Frida 16.1.5 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to G8341 (id=QV702XTV0X)
Spawned `com.candywriter.bitlife`. Resuming main thread!
[G8341::com.candywriter.bitlife ]-> socket  :  1 526338 0 Return :  52
Connect :  1 Port :  25647 Return :  0
Process crashed: Trace/BPT trap

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'Sony/G8341/G8341:9/47.2.A.11.228/3311891731:user/release-keys'
Revision: '0'
ABI: 'arm64'
pid: 10476, tid: 10476, name: ywriter.bitlife  >>> com.candywriter.bitlife <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'terminating with uncaught exception of type std::length_error: basic_string'
    x0  0000000000000000  x1  00000000000028ec  x2  0000000000000006  x3  0000000000000008
    x4  fefefefefefefeff  x5  fefefefefefefeff  x6  fefefefefefefeff  x7  7f7f7f7f7f7f7f7f
    x8  0000000000000083  x9  4437bcff1a93566f  x10 0000000000000000  x11 fffffffc7ffffbdf
    x12 0000000000000001  x13 00000000654ff51b  x14 002878b6514ef400  x15 000052c1e9bf7869
    x16 0000007e164da2b8  x17 0000007e163fba50  x18 0000000000000000  x19 00000000000028ec
    x20 00000000000028ec  x21 ffffff80ffffffc8  x22 0000007fd53b1ac0  x23 0000007e164dc5b8
    x24 0000007fd53b19a0  x25 0000007fd53b19e0  x26 0000000000000000  x27 0000007fd53b21f0
    x28 00000000000028ec  x29 0000007fd53b1910
    sp  0000007fd53b18d0  lr  0000007e163ed084  pc  0000007e163ed0ac

backtrace:
    #00 pc 00000000000220ac  /system/lib64/libc.so (offset 0x22000) (abort+116)
    #01 pc 0000000000000108  <anonymous:0000007e13eb9000>
***
[G8341::com.candywriter.bitlife ]->

Thank you for using Frida!
PS F:\Mobile-Modding\Frida\AntiFrida_Bypass-main>
