I have published two new Frida instrumentation scripts to facilitate reverse engineering of mobile apps. They can be found on GitHub.

Let’s take raptor_frida_ios_trace.js for a ride against our favorite target Signal. First of all, we must edit the script to tell Frida what to trace:

Example usage of raptor_frida_ios_trace.js:

```javascript
// usage examples
if (ObjC.available) {
    trace("*[OWSMessageSender *]");
    // trace("-[CredManager setPassword:]");
    // trace("*[CredManager *]");
    // trace("*[* *Password:*]");
    // trace("exports:libSystem.B.dylib!CCCrypt");
    // trace("exports:libSystem.B.dylib!open");
    // trace("exports:*!open*");
} else {
    send("error: Objective-C Runtime is not available!");
}
```

Then, with Frida properly set up on both our iOS device and workstation, we just run the following:

```shell
$ frida -U -f org.whispersystems.signal -l raptor_frida_ios_trace.js --no-pause
```

And here’s the resulting trace after sending a text message:

On Android, we must use the raptor_frida_android_trace.js script, but the procedure remains the same. This time we target WhatsApp. First, we edit the script:

Example usage of raptor_frida_android_trace.js:

```javascript
// usage examples
setTimeout(function() { // avoid java.lang.ClassNotFoundException
    Java.perform(function() {
        trace("com.whatsapp.proto.E2E");
        // trace("com.target.utils.CryptoUtils.decrypt");
        // trace("com.target.utils.CryptoUtils");
        // trace("CryptoUtils");
        // trace(/crypto/i);
        // trace("exports:*!open*");
    });
}, 0);
```

Then, with Frida properly set up on both our Android device and workstation, we run the following:

```shell
$ frida -U -f com.whatsapp -l raptor_frida_android_trace.js --no-pause
```

The result will look like this:

That’s it! Both scripts can trace Objective-C or Java methods (as briefly shown in the examples above) as well as exported native functions such as open() and CCCrypt(). There’s definitely still room for improvement, so PRs are welcome. Happy hacking!
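To show what a tracer of this kind does with the target specs used in the iOS and Android examples above, here is a compact one written for this page. It is an added example, not raptor_frida_ios_trace.js or raptor_frida_android_trace.js, and it makes its own assumptions: the spec grammar is inferred from the usage examples (`*[Class selector]`, `-[Class selector]`, `exports:module!symbol`, a dotted Java class or class.method name, or a RegExp); `*` is treated as a wildcard, anchored for ObjC and export specs and substring-style for Java specs; the `TARGETS` list and the file name you save it under are illustrative. The Frida APIs it calls (`ObjC.classes`, `$ownMethods`, `Interceptor.attach`, `Java.perform`, `Java.enumerateLoadedClassesSync`, `Java.use`, `Process.enumerateModules` and `Module#enumerateExports`) are standard Frida APIs and need a reasonably recent Frida; the parsing and matching functions are plain JavaScript and run anywhere.

```javascript
'use strict';
// Added example, not raptor_frida_ios_trace.js or raptor_frida_android_trace.js:
// a compact tracer built around the three kinds of target spec the post uses.
// Parsing and matching are plain JavaScript; hooking only runs inside Frida.
// Assumed wildcard semantics: "*" matches any run of characters, anchored for
// ObjC and export specs, substring (unanchored) for Java specs; a RegExp is used as given.

function globToRegExp(glob, anchored) {                        // shell-style glob -> RegExp
  const body = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(anchored ? '^' + body + '$' : body);
}

function parseTarget(spec) {                                   // one spec -> structured matcher
  if (spec instanceof RegExp) return { kind: 'java', spec, pattern: spec };
  let m = /^([-+*])\[([^\s\]]+)\s+([^\]]+)\]$/.exec(spec);     // "-[Cls sel:]", "*[Cls *]"
  if (m) return { kind: 'objc', prefix: m[1], cls: globToRegExp(m[2], true), sel: globToRegExp(m[3], true) };
  m = /^exports:([^!]+)!(.+)$/.exec(spec);                      // "exports:module!symbol"
  if (m) return { kind: 'export', module: globToRegExp(m[1], true), symbol: globToRegExp(m[2], true) };
  return { kind: 'java', spec, pattern: globToRegExp(spec, false) };  // "com.pkg.Cls[.method]"
}

// table { className: [method, ...] } -> [{ cls, method }] selected by targets. ObjC names use Frida's
// $ownMethods form ("- setPassword:", "+ sharedInstance"); Java names are bare, and a Java spec that
// matches the class name selects every method of that class.
function selectMethods(table, targets) {
  const hits = [];
  for (const [cls, methods] of Object.entries(table)) {
    for (const method of methods) {
      const om = /^([-+]) (.+)$/.exec(method);
      const wanted = targets.some(t => t.kind === 'objc'
        ? om !== null && (t.prefix === '*' || t.prefix === om[1]) && t.cls.test(cls) && t.sel.test(om[2])
        : t.kind === 'java' && (t.pattern.test(cls) || t.pattern.test(cls + '.' + method)));
      if (wanted) hits.push({ cls, method });
    }
  }
  return hits;
}

// modules [{ name, exports: [{ name, type, address }] }] (the shape Module#enumerateExports() returns)
// -> exported functions selected by "exports:" targets. Data exports (type "variable") are skipped.
function selectExports(modules, targets) {
  const hits = [];
  for (const mod of modules) for (const exp of mod.exports) {
    if (exp.type === 'function' &&
        targets.some(t => t.kind === 'export' && t.module.test(mod.name) && t.symbol.test(exp.name)))
      hits.push({ module: mod.name, symbol: exp.name, address: exp.address });
  }
  return hits;
}

// Frida-only. Returns the number of ObjC/export hooks installed (Java hooks are installed inside
// Java.perform and are not counted), or 0 when not running under Frida.
function installHooks(targets) {
  if (typeof Interceptor === 'undefined') return 0;
  let n = 0;
  const log = (tag, sig, ret) => console.log(tag + ' ' + sig + (ret === undefined ? '' : ' => ' + ret));
  const hookNative = (sig, address) => {                       // ObjC: args[0] = self, args[1] = _cmd
    Interceptor.attach(address, { onEnter(args) { log('>>>', sig); }, onLeave(retval) { log('<<<', sig, retval); } });
    n++;
  };
  if (typeof ObjC !== 'undefined' && ObjC.available) {
    const objcTargets = targets.filter(t => t.kind === 'objc');
    const table = {};
    for (const name in ObjC.classes)                             // only inspect classes a target could match
      if (objcTargets.some(t => t.cls.test(name))) table[name] = ObjC.classes[name].$ownMethods;
    for (const { cls, method } of selectMethods(table, objcTargets))
      hookNative(method[0] + '[' + cls + ' ' + method.slice(2) + ']', ObjC.classes[cls][method].implementation);
  }
  if (typeof Java !== 'undefined' && Java.available) {
    const javaTargets = targets.filter(t => t.kind === 'java');
    Java.perform(() => {
      const table = {};
      for (const name of Java.enumerateLoadedClassesSync()) {    // cheap pre-filter before reflection
        if (!javaTargets.some(t => typeof t.spec === 'string' && !t.spec.includes('*')
            ? t.spec.startsWith(name + '.') || name.includes(t.spec) : t.pattern.test(name))) continue;
        try { table[name] = Java.use(name).class.getDeclaredMethods().map(m => m.getName()); }
        catch (e) { /* not loadable from this class loader; skip */ }
      }
      for (const { cls, method } of selectMethods(table, javaTargets))
        for (const overload of Java.use(cls)[method].overloads) {
          const sig = cls + '.' + method + '(' + overload.argumentTypes.map(a => a.className).join(', ') + ')';
          overload.implementation = function () {
            log('>>>', sig);
            const ret = overload.apply(this, arguments);       // call the original overload
            log('<<<', sig, ret);
            return ret;
          };
        }
    });
  }
  const exportTargets = targets.filter(t => t.kind === 'export');
  const modules = Process.enumerateModules().filter(m => exportTargets.some(t => t.module.test(m.name)))
    .map(m => ({ name: m.name, exports: m.enumerateExports() }));
  for (const hit of selectExports(modules, exportTargets)) hookNative(hit.module + '!' + hit.symbol, hit.address);
  return n;
}

// Edit this list the way the post edits its scripts, then load the file with
// frida -U -f <bundle id or package> -l <this file> --no-pause. The delayed start mirrors the Android script.
const TARGETS = ['*[OWSMessageSender *]', 'exports:libSystem.B.dylib!CCCrypt', 'com.whatsapp.proto.E2E'].map(parseTarget);
if (typeof Interceptor !== 'undefined') setTimeout(() => console.log('[tracer] hooks: ' + installHooks(TARGETS)), 0);
```

Two practical caveats. First, every spec is expanded against the live process, so a spec as broad as `*[* *]` or `exports:*!*` hooks thousands of functions and will usually make the app unusable or crash it; start narrow (one class, one module) and widen only as needed. Second, when the app is spawned with `-f`, classes and libraries that are loaded later will not be found by a one-shot enumeration, which is why the Android script delays its `trace()` calls and why a missing hook is often just a timing problem rather than a wrong pattern.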