Search app memory with Frida

First, install Frida on your local system.

  1. pip3 install frida
  2. pip3 install frida-tools

Now, we need to download frida-server and copy it to the Android phone. We’ll assume it’s this one: frida-server-16.3.3-linux-arm64.xz.

  1. unxz frida-server-16.3.3-linux-arm64.xz
  2. mv frida-server-16.3.3-linux-arm64 frida-server
  3. adb push frida-server /data/local/tmp
  4. adb shell
  5. cd /data/local/tmp
  6. chmod 755 frida-server
  7. ./frida-server

If you want to run a specific app, execute frida-ps -U -ai and copy the name of the application you want to run. In this example, we’ll use com.your.target.app, but replace it as you see fit.

Now that everything is set, we can run frida on the local system. We’ll use the “-U” flag to tell it to check the USB devices.

frida -U com.your.target.app

If we want to search the memory, we can use the following JS code (we’ll search for “AAAA”, i.e. the bytes 41 41 41 41):

const ranges = Process.enumerateRanges('rw-');
ranges.forEach(function (range) {
    // Compare NativePointers explicitly; raise the bound if you want to skip certain addresses
    if (range.base.compare(ptr('0x0')) > 0) {
        var readable = true;
        try {
            // Attempt to read the whole range; an unreadable range throws
            range.base.readByteArray(range.size);
        } catch (e) {
            readable = false;
        }
        if (readable) {
            const results = Memory.scanSync(range.base, range.size, "41 41 41 41"); // search for AAAA
            results.forEach(function (match) {
                console.log('Found pattern at:', match.address.toString());
                // match.address.writeU8(0x42); // auto patch -> BAAA
            });
        }
    } else {
        console.log('Skip ', range.base.toString());
    }
});
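
The search above hardcodes the bytes for “AAAA”. As an added example (not code from the original page), the helpers below build the scan pattern for any string in UTF-8 or UTF-16LE and check it offline against a constructed byte dump. The function names and the sample dump are assumptions made for illustration; scanProcess only runs inside a Frida session.

```javascript
// toScanPattern/findPattern are plain JS; scanProcess needs Frida's runtime.

// Encode text as a scan pattern: space-separated hex bytes ("41 41 41 41").
function toScanPattern(text, encoding = 'utf8') {
  const bytes = [];
  if (encoding === 'utf16le') {
    for (let i = 0; i < text.length; i++) {
      const unit = text.charCodeAt(i);
      bytes.push(unit & 0xff, unit >> 8); // low byte first
    }
  } else if (encoding === 'utf8') {
    // encodeURIComponent yields UTF-8 as %XX escapes in any JS runtime.
    const esc = encodeURIComponent(text);
    for (let i = 0; i < esc.length; i++) {
      if (esc[i] === '%') {
        bytes.push(parseInt(esc.slice(i + 1, i + 3), 16));
        i += 2;
      } else {
        bytes.push(esc.charCodeAt(i));
      }
    }
  } else {
    throw new Error('unsupported encoding: ' + encoding);
  }
  if (bytes.length === 0) throw new Error('empty search string');
  return bytes.map(b => b.toString(16).padStart(2, '0')).join(' ');
}

// Offline matcher for a byte dump; supports full-byte wildcards ("??") only.
function findPattern(bytes, pattern) {
  const pat = pattern.trim().split(/\s+/).map(t => (t === '??' ? null : parseInt(t, 16)));
  const hits = [];
  for (let off = 0; off + pat.length <= bytes.length; off++) {
    if (pat.every((b, i) => b === null || bytes[off + i] === b)) hits.push(off);
  }
  return hits;
}

// Inside Frida only: scan every rw- range, skipping ranges that fault.
function scanProcess(pattern) {
  const hits = [];
  Process.enumerateRanges('rw-').forEach(range => {
    try {
      Memory.scanSync(range.base, range.size, pattern).forEach(m => hits.push(m.address));
    } catch (e) { /* range became unreadable or unmapped while scanning */ }
  });
  return hits;
}

// Constructed sample dump: "AAAA" as ASCII at offset 1, "AA" as UTF-16LE at offset 6.
const sampleDump = Uint8Array.from([0xff, 0x41, 0x41, 0x41, 0x41, 0xff, 0x41, 0, 0x41, 0]);
```

In the Frida REPL, scanProcess(toScanPattern('AAAA')) returns the same addresses the loop above prints.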

If you want to change/patch the value of a byte, you can use the following command (we’ll assume 0x12345678 is the address where 0x41 0x41 0x41 0x41 was found):

ptr('0x12345678').writeU8(0x42);