Using Java.choose on android.widget.EditText does not always find the current instances.
Java.perform(function () {
// Works with android.widget.TextView
var SpannableStringBuilder = Java.use("android.text.SpannableStringBuilder");
var String = Java.use("java.lang.String");
Java.choose("android.widget.EditText", {
onMatch: function (instance) {
console.log("Found instance: " + instance);
console.log("[*] EditText RootView: " + instance.getRootView());
console.log("[*] EditText InputType: " + instance.getInputType());
console.log("[*] EditText Text: " + Java.cast(instance.getText(), SpannableStringBuilder));
console.log("[*] EditText Hint: " + Java.cast(instance.getHint(), String));
},
onComplete: function () {
console.log("[*] Finished heap search");
}
});
});In Uncrackable1, all instances are found and all data is shown:
frida -U sg.vantagepoint.uncrackable1 -l list_editText.js
____
/ _ | Frida 12.2.27 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at http://www.frida.re/docs/home/
Attaching...
Found instance: android.widget.EditText{81eed6e VFED..CL. .F....ID 0,1-849,119 #7f080000 app:id/edit_text}
[*] EditText RootView: DecorView@296cc0f[MainActivity]
[*] EditText InputType: 131073
[*] EditText Text: hiui
[*] EditText Hint: Enter the Secret String
[*] Finished heap search
in OMTG App, nothing related to EditText is found, even when they are already instantiated.
frida -U sg.vp.owasp_mobile.omtg_android -l list_editText.js
____
/ _ | Frida 12.2.27 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at http://www.frida.re/docs/home/
Attaching...
[*] Finished heap search
[Android Emulator 5554::sg.vp.owasp_mobile.omtg_android]-> q
Thank you for using Frida!
It is only possible to access the instance by performing a hook:
Java.perform(function () {
try {
var EditText = Java.use("android.widget.EditText");
var SpannableStringBuilder = Java.use("android.text.SpannableStringBuilder");
EditText.getText.overload().implementation = function () {
retval = this.getText.call(this);
var text = Java.cast(retval, SpannableStringBuilder);
console.log("[*] EditText Return: " + text);
console.log("[*] EditText Instance Info: " + this.toString());
console.log("[*] EditText Full Layout Id: " + this.getResources().getResourceEntryName(this.getId()));
console.log("[*] EditText Layout Id: " + this.getResources().getResourceName(this.getId()));
console.log("[*] EditText inputType: " + this.getInputType());
return retval;
};
}
catch(e) {
console.log(e.message);
}
});Which results in:
frida -U sg.vp.owasp_mobile.omtg_android -l hook_editText_get_instance_info.js
____
/ _ | Frida 12.2.27 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at http://www.frida.re/docs/home/
[Android Emulator 5554::sg.vp.owasp_mobile.omtg_android]->
[*] EditText Return: hiui
[*] EditText Instance Info: android.support.v7.widget.AppCompatEditText{67578a8 VFED..CL. .F...... 42,264-1038,382 #7f0d0088 app:id/loggingPassword}
[*] EditText Full Layout Id: loggingPassword
[*] EditText Layout Id: sg.vp.owasp_mobile.omtg_android:id/loggingPassword
[*] EditText inputType: 129
- https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk
- https://github.com/OWASP/MSTG-Hacking-Playground/tree/master/Android/OMTG-Android-App/app
- Emulator 7.1.1
- Frida 12.2.25 and 12.2.27