Here's what I want to achieve: I want to see exactly what parameters + arguments a method uses. This is how I proceeded:
- Find the call with frida-trace:
    frida-trace -U -F -j '*!setImageBitmap'
Log 1:
14227 ms AppCompatImageView.setImageBitmap("<instance: android.graphics.Bitmap>")
14227 ms | ImageView.setImageBitmap("<instance: android.graphics.Bitmap>")
- Now I use the following hook script:
    Java.perform(() => {
        const cl = Java.use('androidx.appcompat.widget.AppCompatImageView')
        cl.setImageBitmap.implementation = function(arg) {
            console.log("this : " + this)
            console.log("arg : " + arg)
            this.setImageBitmap(arg)
        }
    })
Now I get the following output:
Log 2:
this : androidx.appcompat.widget.AppCompatImageView{e9b4cb7 V.QD..... ......MA 681,37-992,344 #7f0a05ee app:id/whatever}
arg : android.graphics.Bitmap@6099c24
- Try passing my own bitmap type:
    Java.perform(() => {
        const cl = Java.use('androidx.appcompat.widget.AppCompatImageView')
        const bm = Java.use('android.graphics.Bitmap')
        cl.setImageBitmap.implementation = function(arg) {
            console.log("this : " + this)
            console.log("arg : " + arg)
            // define bitmap
            let newBitmap = bm.$new()
            let newBitmap2 = bm.$new(100, 100, newBitmap.Config.ARGB_8888)
            this.setImageBitmap(newBitmap2)
        }
    })
I get the following error message:
Log 3:
Error: Bitmap(): argument types do not match any of:
.overload('long', 'int', 'int', 'int', 'boolean', 'boolean', '[B', 'android.graphics.NinePatch$InsetStruct')
at X (frida/node_modules/frida-java-bridge/lib/class-factory.js:622)
at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:1141)
at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:606)
at <anonymous> (/home/besc/work/fickBB/frieda-trace/snippets/traceThisTest.js:9)
at apply (native)
at ne (frida/node_modules/frida-java-bridge/lib/class-factory.js:673)
at <anonymous> (frida/node_modules/frida-java-bridge/lib/class-factory.js:651)
- Question:
Is the interpretation of the output of frida-trace (Log 1) correct: the method setImageBitmap expects 1 argument with type android.graphics.Bitmap?
- Question:
Is the interpretation of the output from the frida hook script (Log 2) correct that the argument passed to the method setImageBitmap is everything between the curly brackets, i.e. this: e9b4cb7 V.QD..... ......MA 681,37-992,344 #7f0a05ee app:id/whatever? Is this an argument? Or more? If it is one, then this should be an android.graphics.Bitmap, right? But to me that looks like 6 arguments (.overload('long', 'int', 'int', 'int', 'boolean', 'boolean', '[B', 'android.graphics.NinePatch$InsetStruct')). If yes, then frida-trace is wrong, why?
- Question:
Is the interpretation of the output from the frida hook script (Log 2) correct that the output of arg is a pointer to the bitmap (@6099c24)? If yes, how can I access/view it, since the value I'm looking for is probably there, right?
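
An added example, not part of the original post: a Frida script that reads the hooked Bitmap argument through its public getters and builds a replacement with the static factory `Bitmap.createBitmap()`, since `android.graphics.Bitmap` exposes no public constructor. The helper names `describeBitmap`, `makeBlankBitmap` and `installHook` are assumptions made for this example.

```javascript
// Added example: Frida agent script (load with: frida -U -F -l script.js).
// Helper names are hypothetical; the Android classes and methods are real.

// Summarise a Bitmap wrapper using only its public getters.
function describeBitmap(bmp) {
  if (bmp === null) return 'null';            // setImageBitmap(null) is legal
  return bmp.getWidth() + 'x' + bmp.getHeight() +
         ' config=' + bmp.getConfig() +
         ' bytes=' + bmp.getByteCount() +
         ' recycled=' + bmp.isRecycled();
}

// Build a blank bitmap through the static factory instead of $new().
function makeBlankBitmap(javaApi, width, height) {
  const Bitmap = javaApi.use('android.graphics.Bitmap');
  const Config = javaApi.use('android.graphics.Bitmap$Config'); // nested enum
  // Static and enum fields are read through .value in frida-java-bridge.
  return Bitmap.createBitmap(width, height, Config.ARGB_8888.value);
}

function installHook(javaApi, log) {
  const View = javaApi.use('androidx.appcompat.widget.AppCompatImageView');
  View.setImageBitmap.implementation = function (bitmap) {
    // "this" is the receiving view; its text is View.toString() output.
    log('receiver : ' + this);
    // "bitmap" is the single argument, a wrapper around the Java object.
    log('argument : ' + describeBitmap(bitmap));
    const replacement = makeBlankBitmap(javaApi, 100, 100);
    return this.setImageBitmap(replacement);  // calls the original method
  };
}

// Only runs inside a Frida session, where the Java bridge is available.
if (typeof Java !== 'undefined') {
  Java.perform(() => installHook(Java, console.log));
}
```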