Closed Austin1 closed 9 months ago
APK I'm trying to figure out how it interfaces with a Steam Generator in my home. https://m.apkpure.com/mrsteam-steamlinx-mobile-app/com.geckoportal.mrsteam
I did some more digging and I'm not a developer, so this is me trying to understand something that I don't.
Appears that something around here is causing the issue: https://github.com/ksg97031/frida-gadget/blob/3e4728e62a40bc5dc088462f8faf0c56cc7ab5c4/scripts/cli.py#L118
I had ChatGPT try to analyze this and it said this might work. I don't have time to figure out how to fork/modify/compile and run this, so figured I'd share here in case someone could help and validate that the error is not user error and that the injection can be modified somehow to work?
```python
for entrypoint in entrypoints:
    idx = 0
    while idx != len(text):
        line = text[idx].strip()
        if line.startswith('.method') and entrypoint in line:
            if ".locals " in text[idx + 1]:
                locals_line_bit = text[idx + 1].split(".locals ")
                if len(locals_line_bit) > 1:
                    try:
                        locals_variable_count = min(int(locals_line_bit[1]), 15)
                        locals_line_bit[1] = str(locals_variable_count + 1)
                        if load_library_name.startswith('lib'):
                            load_library_name = load_library_name[3:]
                        text[idx + 1] = ".locals ".join(locals_line_bit)
                        text.insert(idx + 2,
                                    f"    invoke-static {{v{locals_variable_count}}}, "
                                    "Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V")
                        text.insert(idx + 2,
                                    f"    const-string v{locals_variable_count}, "
                                    f"\"{load_library_name}\"")
                        status = True
                    except ValueError:
                        # Handle the case where conversion to int fails
                        pass
            break
        idx += 1
```
Here is the decompiled code that it seems to be trying to inject into, if helpful context:
```java
package crc642612969569d7a084;

import android.os.Bundle;
import java.util.ArrayList;
import mono.android.IGCUserPeer;
import mono.android.Runtime;
import mono.android.TypeManager;

/* loaded from: classes.dex */
public class WelcomeActivity extends SussmanActivity implements IGCUserPeer {
    public static final String __md_methods = "n_onCreate:(Landroid/os/Bundle;)V:GetOnCreate_Landroid_os_Bundle_Handler\nn_onResume:()V:GetOnResumeHandler\n";
    private ArrayList refList;

    private native void n_onCreate(Bundle bundle);

    private native void n_onResume();

    static {
        Runtime.register("Sussman.Droid.WelcomeActivity, Sussman.Droid", WelcomeActivity.class, __md_methods);
    }

    public WelcomeActivity() {
        if (getClass() == WelcomeActivity.class) {
            TypeManager.Activate("Sussman.Droid.WelcomeActivity, Sussman.Droid", "", this, new Object[0]);
        }
    }

    public WelcomeActivity(int i) {
        super(i);
        if (getClass() == WelcomeActivity.class) {
            TypeManager.Activate("Sussman.Droid.WelcomeActivity, Sussman.Droid", "System.Int32, mscorlib", this, new Object[]{Integer.valueOf(i)});
        }
    }

    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle bundle) {
        n_onCreate(bundle);
    }

    @Override // androidx.fragment.app.FragmentActivity, android.app.Activity
    public void onResume() {
        n_onResume();
    }

    @Override // crc642612969569d7a084.SussmanActivity, mono.android.IGCUserPeer
    public void monodroidAddReference(Object obj) {
        if (this.refList == null) {
            this.refList = new ArrayList();
        }
        this.refList.add(obj);
    }

    @Override // crc642612969569d7a084.SussmanActivity, mono.android.IGCUserPeer
    public void monodroidClearReferences() {
        ArrayList arrayList = this.refList;
        if (arrayList != null) {
            arrayList.clear();
        }
    }
}
```
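The snippet above patches smali by substring-matching the method name and calling `int()` on whatever follows `.locals `. Below is an added, self-contained version of that same injection step (written for this thread; it is not frida-gadget's code), run on a constructed smali excerpt modelled on the decompiled WelcomeActivity: the native `n_onCreate` stub is skipped because the method name is matched exactly rather than as a substring, a `.locals` line with a trailing comment no longer makes `int()` raise, and `.locals` always grows by one so a method with more than 15 locals keeps its frame while the scratch register is capped at v15.

```python
import re
from typing import List, Optional

# Constructed smali modelled on the page's WelcomeActivity, not from the real
# APK: a native n_onCreate stub precedes onCreate, whose .locals carries a comment.
SAMPLE_SMALI = """\
.method private native n_onCreate(Landroid/os/Bundle;)V
.end method

.method public onCreate(Landroid/os/Bundle;)V
    .locals 0   # p0 is v0, p1 is v1

    invoke-direct {p0, p1}, Lcrc642612969569d7a084/WelcomeActivity;->n_onCreate(Landroid/os/Bundle;)V
    return-void
.end method
"""

# Capture the method name exactly, so "onCreate" cannot match the "n_onCreate" stub.
METHOD_RE = re.compile(r"^\s*\.method\s+(?:[a-z]+\s+)*([A-Za-z_$<>][\w$<>]*)\(")
# ".locals N", tolerating a trailing smali '#' comment or CRLF whitespace.
LOCALS_RE = re.compile(r"^\s*\.locals\s+(\d+)\s*(?:#.*)?$")


def inject_loadlibrary(lines: List[str], entrypoint: str, library: str) -> Optional[int]:
    """Insert System.loadLibrary(library) at the top of `entrypoint`, in place.

    Returns the index of the inserted const-string, or None if no method with
    a .locals frame was found. .locals always grows by one so existing locals
    survive; the scratch register is capped at v15 because invoke-static
    (format 35c) can only name v0..v15.
    """
    if library.startswith("lib"):   # loadLibrary("frida-gadget") finds libfrida-gadget.so
        library = library[3:]
    for idx, line in enumerate(lines):
        m = METHOD_RE.match(line)
        if m is None or m.group(1) != entrypoint or idx + 1 >= len(lines):
            continue
        lm = LOCALS_RE.match(lines[idx + 1])
        if lm is None:              # native/abstract method: no frame to patch
            continue
        count = int(lm.group(1))    # cannot raise: the regex guarantees digits
        reg = min(count, 15)
        lines[idx + 1] = f"    .locals {count + 1}"
        lines[idx + 2:idx + 2] = [
            f'    const-string v{reg}, "{library}"',
            f"    invoke-static {{v{reg}}}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V",
        ]
        return idx + 2
    return None
```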
@Austin1
Thanks for providing detailed bug reports! 👍
I fixed the issue and deployed version 1.3.5 now.
Kindly update to the latest version and verify its functionality:
pip install frida-gadget --upgrade
After running the command, I get this error:
```
[DEBUG] Auto-detected your frida version: 16.1.9
[DEBUG] Downloading the frida gadget library(16.1.9) for arm64
[DEBUG] Checking internet permission and extractNativeLibs settings
[DEBUG] Searching for the main activity in the smali files
[DEBUG] Found the main activity at '/Users/austin/Documents/GitHub/SteamLinx/SteamLinx/smali/crc642612969569d7a084/WelcomeActivity.smali'
[DEBUG] Locating the entrypoint method and injecting the loadLibrary code
Traceback (most recent call last):
  File "/Users/austin/.pyenv/versions/3.11.3/bin/frida-gadget", line 8, in <module>
    sys.exit(run())
             ^^^^^
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/scripts/cli.py", line 268, in run
    inject_gadget_into_apk(apk_path, arch, decompiled_path)
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/scripts/cli.py", line 198, in inject_gadget_into_apk
    insert_loadlibary(decompiled_path, main_activity, load_library_name)
  File "/Users/austin/.pyenv/versions/3.11.3/lib/python3.11/site-packages/scripts/cli.py", line 119, in insert_loadlibary
    locals_variable_count = min(int(locals_line_bit[1]), 15)
```