
Frida: Replace string literal in class method


I ran an APK through dex2jar and JD-GUI and found the class I'm interested in:

// Decompiled view (dex2jar + JD-GUI) of the app's REST client. Identifiers are obfuscated and
// printed as Unicode escapes; "...." stands for members the poster left out.
public class RESTClient {
    ....
    // Builds and returns a bdG.\u0269 through a chain of builder-style calls.
    // The \u0971(host, String[]) call on a new bdq.if receives the host name together with a
    // one-element array holding a "sha256/..." string. That shape looks like a certificate-pin
    // entry for the host (assumption: the library behind bdq is not identified on this page).
    private bdG.\u0269 \u02CB\u0971() {
        return (new bdG.\u0269()).\u02CA((new bdq.if()).\u0971("www.google.com", new String[] { "sha256/asdIa1tHg96AnzarJ6GJLu6JiogJla3UDsPWMDICs=" }).\u02CE()).\u02CE((bdF)\u02BD\u0971()).\u02CB((bdv)\u02BC\u0971());
    }
}

I've been trying to use Frida to replace the sha256/... string but have been unsuccessful thus far.

Here's what I've done:

// Frida script from the question: inside the app's Java VM it wraps two members of
// java.lang.StringBuilder.
// NOTE(review): in the smali listing on this page the "sha256/..." literal is loaded with
// const-string and stored into the String[] with aput-object; no StringBuilder call appears
// on that path. That is consistent with the observation that the hook matches somewhere
// (presumably other code that builds the same text) yet does not affect the value the
// builder receives.
Java.perform(function() {
    var StringBuilder = Java.use('java.lang.StringBuilder');
    // Pass-through wrapper for the StringBuilder(String) constructor; it forwards the
    // argument unchanged.
    StringBuilder.$init.overload('java.lang.String').implementation = function(str) {
        return this.$init.call(this, str);
    }
    // Wrapper for toString(): calls the original, and when the built text equals the
    // literal below, returns a different string to whoever called toString().
    StringBuilder.toString.implementation = function() {
        var result = this.toString.call(this);
        if(result == "sha256/asdIa1tHg96AnzarJ6GJLu6JiogJla3UDsPWMDICs=") {
            console.log("[x] Found and replaced!");
            return "sha256/somethingelsegoeshere";
        }
        // Every other string is returned untouched.
        return result;
    }
});

While this code does match, the returned string doesn't appear to have any effect. How can I find and replace the string in memory directly?

EDIT: Including jadx output too:

// jadx rendering of the same method. jadx prints replacement names (m708, C4644, Cif, ...)
// for the obfuscated identifiers, so they do not match the JD-GUI or smali names directly.
// The second argument of m74142 appears as a single string here, whereas the JD-GUI and
// smali listings show a String[]; presumably the parameter is varargs.
private C9575bdG.C4644 m708() {
    return new C9575bdG.C4644().m73741(new C9612bdq.Cif().m74142("www.google.com", "sha256/asdIa1tHg96AnzarJ6GJLu6JiogJla3UDsPWMDICs=").m74141()).m73751((C9574bdF) m695()).m73747((C9617bdv) m694());
}

EDIT: Including smali output from apktool:

# Smali (apktool) for the private RESTClient method shown above; it returns an o/bdG$ɩ.
# This listing is the authoritative source for the real class names, method names and
# signatures, which the decompilers render as escapes or replacement names.
.method private ˋॱ()Lo/bdG$ɩ;
    .locals 6

    .prologue
    .line 99
    # v0 = new o/bdG$ɩ, the object returned at the end of the method.
    new-instance v0, Lo/bdG$ɩ;

    invoke-direct {v0}, Lo/bdG$ɩ;-><init>()V

    # v1 = new o/bdq$if, the object that receives the host name and the "sha256/..." strings.
    new-instance v1, Lo/bdq$if;

    invoke-direct {v1}, Lo/bdq$if;-><init>()V

    # v2 = host name constant.
    const-string v2, "www.google.com"

    # v3 = new String[1]
    const/4 v3, 0x1

    new-array v3, v3, [Ljava/lang/String;

    # v4 = index 0
    const/4 v4, 0x0

    # The "sha256/..." literal is loaded directly as a string constant ...
    const-string v5, "sha256/asdIa1tHg96AnzarJ6GJLu6JiogJla3UDsPWMDICs="

    # ... and stored at v3[0]; no StringBuilder is involved on this path.
    aput-object v5, v3, v4

    .line 100
    # v1.ॱ(String, String[]) takes the host and the array and returns an o/bdq$if.
    invoke-virtual {v1, v2, v3}, Lo/bdq$if;->ॱ(Ljava/lang/String;[Ljava/lang/String;)Lo/bdq$if;

    move-result-object v1

    # v1.ˎ() turns the o/bdq$if into an o/bdq.
    invoke-virtual {v1}, Lo/bdq$if;->ˎ()Lo/bdq;

    move-result-object v1

    # The resulting o/bdq is attached to the o/bdG$ɩ in v0.
    invoke-virtual {v0, v1}, Lo/bdG$ɩ;->ˊ(Lo/bdq;)Lo/bdG$ɩ;

    move-result-object v0

    .line 101
    # this.ʽॱ() returns an o/bfa, passed below where an o/bdF is expected
    # (the decompiled listings show this as a cast).
    invoke-direct {p0}, Lcom/target/android/data/remote/RESTClient;->ʽॱ()Lo/bfa;

    move-result-object v1

    invoke-virtual {v0, v1}, Lo/bdG$ɩ;->ˎ(Lo/bdF;)Lo/bdG$ɩ;

    move-result-object v0

    .line 102
    # this.ʼॱ() returns an o/qz, passed below where an o/bdv is expected.
    invoke-direct {p0}, Lcom/target/android/data/remote/RESTClient;->ʼॱ()Lo/qz;

    move-result-object v1

    invoke-virtual {v0, v1}, Lo/bdG$ɩ;->ˋ(Lo/bdv;)Lo/bdG$ɩ;

    move-result-object v0

    .line 99
    return-object v0
.end method

Solution

  • This call in Java:
    .\u0971("www.google.com", new String[] {"sha256/asdIa1tHg96AnzarJ6GJLu6JiogJla3UDsPWMDICs=" })
    is found in smali at:
    invoke-virtual {v1, v2, v3}, Lo/bdq$if;->ॱ(Ljava/lang/String;[Ljava/lang/String;)Lo/bdq$if;

    The Java class is o.bdq$if (the class named "if" is nested inside o.bdq). The method name is ॱ (U+0971, written \u0971 in the decompiled Java), and it can be hooked like this:

    // Sketch from the answer: wraps the obfuscated o.bdq$if method that receives the host name
    // and the String[] of "sha256/..." values, then delegates to the original with a
    // substituted array. The "..." on the assignment below is a placeholder left by the
    // answer's author, so this is not runnable as written.
    // NOTE(review): the values appear to be certificate pins supplied by client code at run
    // time. Such pins constrain the network path only; on a device where the app can be
    // instrumented, its own pin configuration can be altered, so a server should not treat
    // pinning as evidence of an unmodified client.
    Java.perform(function() {
      var ObfuscatedClass = Java.use('o.bdq$if');
      ObfuscatedClass.ॱ.implementation = function(string, stringArray) { // replace original implementation
        var modifiedStringArray = ...; // do your stuff with the stringArray that contains your hash
        return this.ॱ(string, modifiedStringArray); // call original method with modified string array containing new hash
      }
    });