M 513: Instrumenting with Frida (on Windows) (15 pts extra)

What You Need for This Project

Purpose

To practice instrumenting an Android app and overriding Java functions.

This is the Windows version, accepting that Python on Windows is useless, and the only use for Windows is to host Linux, an operating system that actually works.

Setup

First do project M 148 to set up an Android-x86 emulator running in VMware, connected to a Debian Linux virtual machine running in VMware.

Finding your Phone's IP Address

Start your emulated phone.

Open Settings.

Tap "Network & Internet".

At the top, tap Wi-Fi.

At the top, tap AndroidWiFi.

At the bottom, tap Advanced.

Find your device's IP address, as shown below.

Connecting Linux to Android

On your Debian Linux system, execute this command, replacing the IP address with the IP address of your Android emulator:

adb connect 192.168.30.131

It should connect successfully.

If not, you need to troubleshoot your networking.

After you establish a connection, execute this command to disconnect, replacing the IP address with the IP address of your Android emulator:

adb disconnect 192.168.30.131

Installing Frida-Tools on Linux

On your Debian Linux system, in a Terminal, execute these commands:

sudo apt update
sudo apt install python3-venv

python3 -m venv venv
source venv/bin/activate
python3 -m pip install frida-tools

On your Debian Linux system, execute this command:

frida --version

Note your version of Frida. When I did it in Nov, 2025, it was version 17.5.1, as shown below.

Downloading Frida-Server

On your host system, in a Web browser, go to

https://github.com/frida/frida/releases

Download the appropriate version of frida-server for your emulator's processor, with the same version number you found above, or as close as possible.

I used frida-server-17.5.1-android-x86_64.xz, outlined in the image below.

Download the file to your Downloads folder.

Uncompress Frida-Server

On Windows, use 7-zip to unzip the .XZ file.

This will create a file in your Downloads folder without the .xz extension.

Installing Frida-Server on your Android Device

On your host Windows system, in a Command Prompt, execute these commands, inserting the IP address of your Android emulator in the second command.

cd Downloads
adb connect 192.168.30.131
adb push frida-server-17.5.1-android-x86_64 /data/local/tmp/

The file should be pushed successfully, as shown below.

Starting Frida-Server

On your host Windows system, execute these commands:

adb shell
su
chmod 755 /data/local/tmp/*
/data/local/tmp/frida-server-17.5.1-android-x86_64 -l 0.0.0.0:27042

There is no output, as shown below.

Leave this window open.

Testing Frida-Server

On your Debian Linux system, open a new Terminal window and execute these commands, using the IP address of your Android system in the second command:

source venv/bin/activate
frida-ps --host 192.168.30.131

A long list of processes running on Android appears, as shown below.

Installing a Vulnerable App

We'll use an intentionally vulnerable app.

On your host system, in a Web browser, go to

https://github.com/OWASP/owasp-mastg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk

On that page, on the right side, next to "Raw", click the download button to download UnCrackable-Level1.apk.

If that page is not available, use this alternate link.

On your host Windows system, open a new CMD window and execute these commands:

cd Downloads
adb install UnCrackable-Level1.apk

On your emulator, launch the Uncrackable app.

It refuses to run, complaining about the phone being rooted, as shown below.

Don't tap OK--leave the app running.

Viewing the Code in jadx-gui

Open the UnCrackable-Level1.apk file in jadx-gui.

Navigate to the Main Activity and click onCreate(Bundle), as shown below.

The root detection uses three functions: c.a(), c.b(), and c.c().

Navigate to sg.vantagepoint.a.c, as shown below.

The three functions c.a(), c.b(), and c.c() perform various tests to see if the phone is rooted.

Finding the App's Name

On your Debian Linux system, execute this command:

adb shell pm list packages | grep crack

The name of the vulnerable app appears, as shown below.

The name is owasp.mstg.uncrackable1

Creating a JavaScript Payload

On your Debian Linux system, execute this command:

nano disableRoot.js

Paste in this code, as shown below.

This code overrides the a, b, and c functions so that they always return false.

Java.perform(function() {
    // Wrapper for the class that holds the root-detection checks
    var theClass = Java.use("sg.vantagepoint.a.c");

    // Replace each check so it logs the call and reports "not rooted"
    theClass.a.implementation = function(v) {
        console.log("In function A");
        return false;
    };
    theClass.b.implementation = function(v) {
        console.log("In function B");
        return false;
    };
    theClass.c.implementation = function(v) {
        console.log("In function C");
        return false;
    };

    // Printed once the three hooks are installed
    console.log("Exploit Complete");
});

Type Ctrl+x, y, Enter to save the file.

Closing the App

On your Android device, click OK to close the app.

Exploiting the App

This command will launch the app in a frozen state, let the instrumentation occur, and then continue execution.

On your Debian Linux system, in the window using the venv virtual environment, execute this command, replacing the IP address with the IP address of your Android emulator:

frida --host 192.168.30.131 -l disableRoot.js -f owasp.mstg.uncrackable1

M 513.1: Message

The app opens.

The flag is covered by a green rectangle in the image below.
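
A variant of the disableRoot.js payload above, added here as an example and not part of the original project: each hook first calls the original check and logs what it would have returned before forcing false, which shows which of the three root tests actually fired on your emulator. `wrapChecks` is a hypothetical helper name, and the `typeof Java` guard only lets the file load outside Frida without hooking anything.

```javascript
// Added example, not from the original page. `wrapChecks` is a hypothetical
// helper name. Run it the same way as disableRoot.js (frida -l <file> -f <app>).

// Replace each named method on a Java.use() wrapper with a hook that runs the
// original check, records its verdict, and hands `forced` back to the caller.
function wrapChecks(klass, names, forced, log) {
  const seen = [];
  names.forEach(function (name) {
    klass[name].implementation = function (...args) {
      // Calling the method on `this` from inside its replacement runs the
      // original code, so the app's real answer can be observed.
      const original = this[name](...args);
      seen.push({ method: name, original: original, returned: forced });
      log("c." + name + "() original=" + original + " returned=" + forced);
      return forced;
    };
  });
  return seen; // filled in as the app calls the hooked methods
}

// `Java` exists only inside Frida; elsewhere (e.g. Node.js) nothing is hooked.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    const checks = Java.use("sg.vantagepoint.a.c");
    wrapChecks(checks, ["a", "b", "c"], false, function (s) { console.log(s); });
    console.log("Hooks installed");
  });
}
```

A line reading original=true marks a check that detected root on this emulator.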

Sources

Android Hacking with FRIDA

Updated 11-13-25