Search app memory with Frida
First, install Frida on your local system.
- pip3 install frida
- pip3 install frida-tools
Now, download frida-server for the phone's architecture and copy it to the Android phone. Its version must match the frida package installed on the local system (check with frida --version); we'll assume 16.3.3 on a 64-bit ARM device, i.e. frida-server-16.3.3-android-arm64.xz (the linux-arm64 build is for Linux hosts and will not run on Android).
- unxz frida-server-16.3.3-android-arm64.xz
- mv frida-server-16.3.3-android-arm64 frida-server
- adb push frida-server /data/local/tmp
- adb shell
- su
- cd /data/local/tmp
- chmod 755 frida-server
- ./frida-server
frida-server needs to run as root to attach to arbitrary apps, hence the su step: the phone has to be rooted. Leave it running in that shell (or append & to background it).
To find the identifier of the app you want to target, run frida-ps -U -ai: -U selects the USB device, -a lists applications instead of every process, and -i also shows installed apps that aren't currently running. Copy the value in the Identifier column (the package name). In this example we'll use com.your.target.app, but replace it as you see fit.
Now that everything is set, we can run frida on the local system. The "-U" flag tells it to use the device connected over USB. This attaches to the app's already-running process; if the app isn't running, or you want to hook it from startup, use frida -U -f com.your.target.app to launch it under Frida instead.
frida -U com.your.target.app
If we want to search the memory, we can paste the following JS code into the Frida REPL. It walks every readable-and-writable range of the process and looks for the bytes 41 41 41 41, i.e. the ASCII string "AAAA". Only rw- ranges are scanned, so anything you find can also be written back; note that addresses differ on every run because of ASLR.
const ranges = Process.enumerateRanges('rw-');   // readable + writable pages only
ranges.forEach(function (range) {
  if (range.base.isNull()) {                     // hook for skipping certain addresses
    console.log('Skip', range.base.toString());
    return;
  }
  try {
    // Probe the range first: a listed range can still be partly unmapped,
    // and a failed read surfaces as a JS exception rather than a crash.
    range.base.readByteArray(range.size);
  } catch (e) {
    console.log('Unreadable', range.base.toString(), e.message);
    return;
  }
  const results = Memory.scanSync(range.base, range.size, '41 41 41 41'); // search for AAAA
  results.forEach(function (match) {
    console.log('Found pattern at:', match.address.toString());
    // match.address.writeU8(0x42); // auto patch -> BAAA
  });
});
If you want to change/patch the value of a byte, you can use the following command (we'll assume 0x12345678 is the address where 0x41 0x41 0x41 0x41 was found).
Memory.writeU8(ptr('0x12345678'), 0x42);
This turns "AAAA" into "BAAA" (the equivalent ptr('0x12345678').writeU8(0x42) also works). The write succeeds because the scan above only covered rw- ranges; for a hit in a mapping that is not writable you would first have to change its protection with Memory.protect(ptr('0x12345678'), 4, 'rw-'). The address only holds for the current process: after a restart, scan again.
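The REPL snippet above is fine for a one-off, but once you repeat the search for different strings it is easier to drive it from the frida Python bindings you installed with pip. The following script is an added example for this page, not the original author's code: it converts an ASCII needle into the hex pattern Memory.scanSync expects, injects the scan, collects the hits the script sends back, and can optionally overwrite each hit with a replacement of the same length (the page's "AAAA" to "BAAA" patch, applied to every occurrence). It assumes frida-server of the matching version is running on the phone and that the target app (the page's placeholder com.your.target.app) is already running; the calls frida.get_usb_device, device.attach, session.create_script, script.on('message', ...), script.load and session.detach are the real frida Python API.

```python
#!/usr/bin/env python3
"""Drive the rw- memory scan from Python instead of the frida REPL.

Added example for this page, not code from the original author. It assumes
the frida package installed above, a frida-server of the matching version
running on the phone, and that the target app (placeholder package name
com.your.target.app, as on the page) is already running. The pattern and
collector helpers are pure Python and work without a device.
"""
import json
import threading
from typing import List, Optional

# Frida script template; placeholders are filled in by build_scan_script().
SCAN_JS = r"""
const pattern = __PATTERN__;          // e.g. "41 41 41 41" for "AAAA"
const replacement = __REPLACEMENT__;  // byte array of the same length, or null
let total = 0;
for (const range of Process.enumerateRanges('rw-')) {
  let matches;
  try {
    // scanSync throws if part of a listed range is not actually readable
    matches = Memory.scanSync(range.base, range.size, pattern);
  } catch (e) {
    send({type: 'skip', base: range.base.toString(), reason: String(e)});
    continue;
  }
  for (const m of matches) {
    total += 1;
    if (replacement !== null) {
      m.address.writeByteArray(replacement);  // patch in place; range is rw-
    }
    send({type: 'match', address: m.address.toString(), base: range.base.toString()});
  }
}
send({type: 'done', total: total});
"""


def to_frida_pattern(needle: bytes) -> str:
    """Encode bytes as the space-separated hex Memory.scanSync expects:
    b"AAAA" -> "41 41 41 41"."""
    return " ".join(f"{b:02x}" for b in needle)


def build_scan_script(pattern: str, replacement: Optional[bytes]) -> str:
    """Fill the template. The replacement must be exactly as long as the
    pattern so the patch neither truncates nor overruns the match."""
    if replacement is not None and len(replacement) != len(pattern.split()):
        raise ValueError("replacement must be as long as the pattern")
    repl_js = "null" if replacement is None else json.dumps(list(replacement))
    return SCAN_JS.replace("__PATTERN__", json.dumps(pattern)).replace(
        "__REPLACEMENT__", repl_js)


class MatchCollector:
    """Accumulates what the script send()s; used as the 'message' handler."""

    def __init__(self) -> None:
        self.matches: List[str] = []
        self.skipped: List[str] = []
        self.errors: List[str] = []
        self.total: Optional[int] = None
        self.done = threading.Event()

    def on_message(self, message: dict, data=None) -> None:
        if message.get("type") == "error":  # uncaught JS exception in the script
            self.errors.append(message.get("description", str(message)))
            self.done.set()
            return
        payload = message.get("payload") or {}
        kind = payload.get("type")
        if kind == "match":
            self.matches.append(payload["address"])
        elif kind == "skip":
            self.skipped.append(payload["base"])
        elif kind == "done":
            self.total = payload["total"]
            self.done.set()


def scan_app(target: str, needle: bytes, replacement: Optional[bytes] = None,
             timeout: float = 60.0) -> MatchCollector:
    """Attach over USB, run the scan, wait for the 'done' message, detach."""
    import frida  # imported here so the helpers above work without a device

    device = frida.get_usb_device(timeout=10)
    session = device.attach(target)
    collector = MatchCollector()
    try:
        script = session.create_script(
            build_scan_script(to_frida_pattern(needle), replacement))
        script.on("message", collector.on_message)
        script.load()  # runs the scan; send() results arrive via on_message
        if not collector.done.wait(timeout):
            collector.errors.append("timed out waiting for the scan to finish")
    finally:
        session.detach()
    return collector


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "com.your.target.app"  # placeholder
    result = scan_app(target, b"AAAA")  # pass replacement=b"BAAA" to patch every hit
    for addr in result.matches:
        print("Found pattern at:", addr)
    print(f"{result.total} hit(s); {len(result.skipped)} range(s) skipped; "
          f"{len(result.errors)} error(s)")
```

Run it as python3 scan.py com.your.target.app with the phone connected. Results come back as send() messages rather than console.log output, which lets the Python side wait for the final 'done' message before detaching and keep a list of addresses it can feed into a second script or a later patch; with the replacement argument the patch is applied to every match in the same pass instead of one hand-typed address at a time.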