frida / frida-java-bridge

Java runtime interop from Frida

Hook String constructor #64

Closed awakened1712 closed 6 years ago

awakened1712 commented 6 years ago

I have the script below to hook the public String(char[] data) constructor:

Java.perform(function () {
    var String = Java.use('java.lang.String');
    String.$init.overload('[C').implementation = function (p0) {
        console.log('String.init');
        // call the original constructor on this instance
        return this.$init(p0);
    };
});

It does not work (the log did not get printed out). Is there a reason behind this? And is there any workaround?

enovella commented 6 years ago

I don't have a clear answer for that, but I wasn't having any luck in previous versions of Frida either. What I do know works is to find all the calls to this constructor and then write hooks for them. I automated that using radare2 and custom scripts and was able to hook up to 300 string constructors. It might not be an ideal solution, but it saved my day and I recovered all the obfuscated strings at runtime.

awakened1712 commented 6 years ago

@enovella do you mind sharing your scripts please?

oleavr commented 6 years ago

If you tried hooking all of the constructors, then it's safe to assume that strings are special-cased by the VM (for performance reasons) and you'll have to hook its internals. This is possible by using Frida's Interceptor API and looking into libart.so's internals. The source code is available, so that should help a lot.
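As an added example (not code from this thread or from frida-java-bridge), here is what oleavr's suggestion looks like in practice: an Interceptor hook on the native entry points in libart.so that allocate a java.lang.String, instead of a Java-level hook on the constructor. It assumes that the target's libart.so exposes art::mirror::String::AllocFromUtf16 and AllocFromModifiedUtf8 in its symbol table under their usual Itanium manglings, and that those two functions take (Thread*, int32_t utf16_length, const uint16_t* data) and (Thread*, const char* utf) respectively; newer Android builds may strip or hide these symbols, in which case nothing gets hooked. The symbol names in the comments and the callback shape are the example's own assumptions, not anything stated in the thread. Symbol selection and argument decoding are written as plain functions so they can be exercised outside Frida; only the final block touches Frida globals.

```javascript
// Added example (not from this thread or frida-java-bridge): hook ART's native
// java.lang.String allocators with Frida's Interceptor, following oleavr's hint.
//
// Assumptions (not confirmed by the thread):
//  * libart.so exposes art::mirror::String::AllocFromUtf16 / AllocFromModifiedUtf8
//    in its symbol table under the usual Itanium manglings. Newer Android builds
//    strip or hide them, in which case nothing is hooked.
//  * Argument layouts: AllocFromUtf16(Thread*, int32_t utf16_len, const uint16_t*)
//    and AllocFromModifiedUtf8(Thread*, const char*). Other overloads are skipped
//    on purpose: reading an int argument as a pointer would crash the app.

const ALLOCATORS = [
  // Plain and template-instantiated (AllocatorType) manglings both end with the
  // same parameter list, so match on that suffix rather than the whole name.
  { kind: 'utf16', re: /^_ZN3art6mirror6String\d+AllocFromUtf16.*PNS_6ThreadEiPKt$/ },
  { kind: 'mutf8', re: /^_ZN3art6mirror6String\d+AllocFromModifiedUtf8.*PNS_6ThreadEPKc$/ },
];

// symbols: array of { name, address } as returned by Module#enumerateSymbols().
// Returns only the allocator overloads whose argument layout we know how to read.
function pickStringAllocators(symbols) {
  const picked = [];
  for (const sym of symbols) {
    const match = ALLOCATORS.find((a) => a.re.test(sym.name));
    if (match) picked.push({ kind: match.kind, name: sym.name, address: sym.address });
  }
  return picked;
}

// args: the NativePointer array Interceptor passes to onEnter.
// Returns the string being allocated, or null when there is nothing to read.
function decodeAllocArgs(kind, args) {
  if (kind === 'utf16') {
    const len = args[1].toInt32();                 // utf16_length is a plain int32
    return len > 0 ? args[2].readUtf16String(len) : '';
  }
  // Modified UTF-8 differs from UTF-8 only for NUL and supplementary characters,
  // which is close enough for logging purposes.
  return args[1].isNull() ? null : args[1].readUtf8String();
}

// rt: { Process, Interceptor } (the real Frida globals, or fakes in a test).
// onString(text, symbolName) is called for every String the VM allocates
// through a hooked entry point. Returns the number of entry points hooked.
function hookStringAllocators(rt, onString) {
  const libart = rt.Process.findModuleByName('libart.so');
  if (libart === null) throw new Error('libart.so is not loaded in this process');
  const targets = pickStringAllocators(libart.enumerateSymbols());
  for (const t of targets) {
    rt.Interceptor.attach(t.address, {
      onEnter(args) {
        const text = decodeAllocArgs(t.kind, args);
        if (text !== null) onString(text, t.name);
      },
    });
  }
  return targets.length;
}

// Entry point when loaded by Frida, e.g. frida -U -l this.js -f com.example.app
// (package name is a placeholder). Skipped when run outside Frida.
if (typeof Interceptor !== 'undefined' && typeof Process !== 'undefined') {
  const n = hookStringAllocators({ Process, Interceptor }, (text, sym) => {
    console.log(`[String] ${JSON.stringify(text)}  <- ${sym}`);
  });
  console.log(`hooked ${n} String allocator(s) in libart.so`);
}
```

Because every string the runtime creates passes through these allocators, the callback is hot; in a real session filter on a prefix or length inside onString, or log a backtrace (Thread.backtrace) only for strings that match what you are looking for, rather than printing everything. If the symbols are not present on the target build, check with Process.getModuleByName('libart.so').enumerateSymbols() and adjust the patterns for that ART version, which is where the ART source oleavr mentions comes in.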