httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

[FIXED] Not working with bereal #87

Closed. xKiian closed this 5 months ago.

xKiian commented 5 months ago

App: https://play.google.com/store/apps/details?id=com.bereal.ft

I tried the SSL demo app and it worked just fine, but with BeReal I get an error:

[screenshot of the error]

I use MEmu with HTTP Toolkit.

pimterry commented 5 months ago

I'm not sure about the exact cause, but I'm confident that it's not related to these scripts, because you get the exact same error without them if you just run:

frida -U -f com.bereal.ft

That means this is either due to Bereal doing some kind of Frida detection (and crashing weirdly on purpose I guess?) or a Frida bug. Your guess is as good as mine :smile:. I'm going to close this since it's not related to these scripts, but do please share more details here if you do work out what's going on.

xKiian commented 5 months ago

OK, so I fixed it myself:

// Hook strlen() and rewrite any string containing "rwxp" (the perms column of a
// /proc/self/maps line) to "r-xp", so the app's scan for writable+executable
// pages no longer finds Frida's. "r-xp" has the same length, so writing it back
// in place is safe.
Interceptor.attach(Module.findExportByName(null, "strlen"), {
    onEnter: function(args) {
        if (args[0].isNull()) return;
        var cmd = args[0].readCString();
        if (cmd !== null && cmd.indexOf("rwxp") !== -1) {
            // replace() with a /g regex is portable across Frida's JS runtimes
            cmd = cmd.replace(/rwxp/g, "r-xp");
            args[0].writeUtf8String(cmd);
        }
    }
});

pimterry commented 5 months ago

Oh neat! That makes sense, very nice. You deleted the command but it looks like that came from https://github.com/apkunpacker/AntiFrida_Bypass which has some other interesting examples too.

I'd like to include fixes for detection approaches like this by default if possible, but it's difficult to do safely - patching strlen to potentially modify any string for example clearly might have side effects and could cause confusing issues. It's fine as a one-off but difficult to include here as standard. If you have any ideas for general-purpose hooks to add here to patch out these kinds of checks reliably for all apps, I'd love to hear about them :smile:
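The strlen hook in the thread rewrites every string in the process that happens to contain "rwxp", which is exactly the side-effect risk raised above. The script below is an added example (not part of the issue thread and not one of this repository's scripts) that narrows the same rewrite to bytes read from a maps file. It assumes the check works by reading /proc/self/maps (or /proc/<pid>/maps) through libc and looking for rwxp segments; that assumption is inferred from the "rwxp" string the strlen hook matches, not stated on the page. The fd tracking, the byte-level patch, the constructed sample maps lines and the helper names (`isMapsPath`, `findRwxpOffsets`, `scrubMaps`, `demo`, `SAMPLE_MAPS`) are this example's own. The pure helpers run under plain Node; the Interceptor part only installs inside Frida's runtime and uses Module.findExportByName the way the thread does, with bionic's `libc.so` assumed as the libc module name on Android.

```javascript
// Added example: fd-scoped /proc/self/maps scrubbing for Frida.
// Not from the httptoolkit scripts or the issue thread. Assumes the app's
// check reads /proc/self/maps (or /proc/<pid>/maps) via libc and looks for
// "rwxp" segments; on Android the libc module is bionic's libc.so.

// Path filter for the maps file of this process (self or numeric pid).
function isMapsPath(path) {
  return typeof path === 'string' && /^\/proc\/(self|\d+)\/maps$/.test(path);
}

// Offsets of every "rwxp" (0x72 0x77 0x78 0x70) in an array-like of bytes.
// Works on raw bytes so a partially read buffer never needs decoding.
function findRwxpOffsets(bytes) {
  const hits = [];
  for (let i = 0; i + 4 <= bytes.length; i++) {
    if (bytes[i] === 0x72 && bytes[i + 1] === 0x77 &&
        bytes[i + 2] === 0x78 && bytes[i + 3] === 0x70) {
      hits.push(i);
    }
  }
  return hits;
}

// Same rewrite on a decoded maps chunk: "rwxp" -> "r-xp", length preserved.
function scrubMaps(text) {
  return text.replace(/rwxp/g, 'r-xp');
}

// Constructed sample (not a real dump): two ordinary lines and one rwxp line
// of the kind a Frida agent leaves in the process.
const SAMPLE_MAPS =
  '7a1000-7a2000 r-xp 00000000 fd:00 1234  /system/lib64/libc.so\n' +
  '7b0000-7b8000 rwxp 00000000 00:00 0\n' +
  '7c0000-7c1000 r--p 00000000 fd:00 5678  /data/app/base.apk\n';

// Returns the scrubbed sample so the pure path can be exercised offline.
function demo() {
  return scrubMaps(SAMPLE_MAPS);
}

// Frida-only part: runs inside Frida's JS runtime, skipped under plain Node.
if (typeof Interceptor !== 'undefined') {
  const LIBC = 'libc.so';          // bionic on Android (assumption)
  const trackedFds = new Set();    // fds currently open on a maps file

  // Remember fds that open()/openat() hand out for a maps path.
  for (const name of ['open', 'openat']) {
    const target = Module.findExportByName(LIBC, name);
    if (target === null) continue;
    Interceptor.attach(target, {
      onEnter(args) {
        // open(path, ...) -> args[0]; openat(dirfd, path, ...) -> args[1]
        const p = name === 'openat' ? args[1] : args[0];
        this.path = p.isNull() ? null : p.readUtf8String();
      },
      onLeave(retval) {
        const fd = retval.toInt32();
        if (fd >= 0 && isMapsPath(this.path)) trackedFds.add(fd);
      }
    });
  }

  // Drop the fd on close() so a recycled fd number is not scrubbed by mistake.
  Interceptor.attach(Module.findExportByName(LIBC, 'close'), {
    onEnter(args) { trackedFds.delete(args[0].toInt32()); }
  });

  // Patch the bytes read() just returned, but only for tracked fds.
  Interceptor.attach(Module.findExportByName(LIBC, 'read'), {
    onEnter(args) {
      this.fd = args[0].toInt32();
      this.buf = args[1];
    },
    onLeave(retval) {
      const n = retval.toInt32();
      if (n <= 0 || !trackedFds.has(this.fd)) return;
      const bytes = new Uint8Array(this.buf.readByteArray(n));
      for (const off of findRwxpOffsets(bytes)) {
        this.buf.add(off + 1).writeU8(0x2d);   // 'w' -> '-'
      }
    }
  });
}
```

Because only the 'w' byte is overwritten, the buffer length and every other string in the process stay untouched. Two limits to keep in mind: a "rwxp" token that straddles two read() calls is not caught (a small carry-over buffer per fd would fix that), and an app that reads the maps file with a raw syscall or mmap() never passes through libc's read() at all. It also does nothing against checks that use other Frida fingerprints, so it is a complement to, not a replacement for, the strlen hook that worked in this thread.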