problem java.lang.ClassCastException: java.lang.Object[] cannot be cast to android.content.Intent[]
code show as below: frida-js:
var ProcessManagerG = Java.use('com.xxx.xxx.processManager.g')
var doInBackground = ProcessManagerG.doInBackground.overload('[Ljava.lang.Object;')
doInBackground.implementation = function (intentArr) {
doInBackground.call(this, intentArr)
}
Not a few other ways.Here is all the code.Other code has been removed.
Java.perform(function () {
Java.use('com.xxx.xxx.processManager.g').doInBackground.overload('[Ljava.lang.Object;').implementation = function (intentArr) {
try {
return this.doInBackground.apply(this, arguments);
} catch (e) {
console.log(e)
}
}
})
Java.perform(function () {
Java.use('com.xxx.xxx.processManager.g').doInBackground.overload('[Ljava.lang.Object;').implementation = function (intentArr) {
try {
var arr = [];
for (var i = 0, len = intentArr.length; i < len; i++) {
// console.log(arguments[i], Object.prototype.toString.call(arguments[i]))
send(intentArr[i]) // {'type': 'send', 'payload': ['<instance: java.lang.Object, $className: android.content.Intent>']}
arr.push(Java.cast(intentArr[i], Java.use('android.content.Intent')))
send(arr) // {'type': 'send', 'payload': ['<instance: android.content.Intent>']}
}
return this.doInBackground.apply(this, arr); // Error: doInBackground(): argument types do not match any of: .overload('[Ljava.lang.Object;')
} catch (e) {
console.log(e)
}
}
})
Java.perform(function () {
Java.use('com.xxx.xxx.processManager.g').doInBackground.overload('[Ljava.lang.Object;').implementation = function (intentArr) {
try {
send(intentArr) // {'type': 'send', 'payload': ['<instance: java.lang.Object, $className: android.content.Intent>']}
var arr = Java.array('Landroid.content.Intent;', intentArr);
send(arr) // {'type': 'send', 'payload': ['<instance: android.content.Intent>']}
return this.doInBackground.apply(this, arr); // Error: doInBackground(): argument types do not match any of: .overload('[Ljava.lang.Object;')
} catch (e) {
console.log(e)
}
}
})
Java.perform(function () {
Java.use('com.xxx.xxx.processManager.g').doInBackground.overload('[Ljava.lang.Object;').implementation = function (intentArr) {
try {
var arr = [];
for (var i = 0, len = intentArr.length; i < len; i++) {
send(intentArr[i]) // {'type': 'send', 'payload': ['<instance: java.lang.Object, $className: android.content.Intent>']}
arr.push(Java.cast(intentArr[i], Java.use('android.content.Intent')))
send(arr) // {'type': 'send', 'payload': ['<instance: android.content.Intent>']}
}
return this.doInBackground(Java.array('java.lang.Object', arr));
} catch (e) {
console.log(e)
}
}
})
java:
public Intent doInBackground(Intent... intentArr) {}
smali:
.method protected synthetic doInBackground([Ljava/lang/Object;)Ljava/lang/Object;
.registers 2
.line 61
check-cast p1, [Landroid/content/Intent;
invoke-virtual {p0, p1}, Lcom/xxx/xxx/processManager/g;->a([Landroid/content/Intent;)Landroid/content/Intent;
move-result-object p1
return-object p1
.end method
Thanks for the answer
From smali output, it seems the compiler has rewritten the doInBackground method to take an Object array, cast it to an Intent array, and pass it to an internal method called a (Lcom/xxx/xxx/processManager/g;->a). You must use this a method.
You should try something like:
Java.perform(function () {
Java.use('com.xxx.xxx.processManager.g').doInBackground.overload('[Ljava.lang.Object;').implementation = function (objectArray) {
return this.a.overload('[Landroid.content.Intent;').call(this, intentArray);
}
})