frida-java-bridge 4.5.1 → 5.2.0

package/index.js

@@ -576,6 +576,6 @@ function initFactoryFromLoadedApk (factory, apk) {
 }
 
 const runtime = new Runtime();
-WeakRef.bind(runtime, () => { runtime._dispose(); });
+Script.bindWeak(runtime, () => { runtime._dispose(); });
 
 module.exports = runtime;

package/lib/android.js

@@ -22,6 +22,8 @@ const kAccCriticalNative = 0x00200000;
 const kAccFastInterpreterToInterpreterInvoke = 0x40000000;
 const kAccSkipAccessChecks = 0x00080000;
 const kAccSingleImplementation = 0x08000000;
+const kAccNterpEntryPointFastPathFlag = 0x00100000;
+const kAccNterpInvokeFastPathFlag = 0x00200000;
 const kAccPublicApi = 0x10000000;
 const kAccXposedHookedMethod = 0x10000000;
 
@@ -908,7 +910,7 @@ function _getArtMethodSpec (vm) {
     const entrypointFieldSize = (apiLevel <= 21) ? 8 : pointerSize;
 
     const expectedAccessFlags = kAccPublic | kAccStatic | kAccFinal | kAccNative;
-    const allFlagsExceptPublicApi = ~kAccPublicApi >>> 0;
+    const relevantAccessFlagsMask = ~(kAccPublicApi | kAccNterpInvokeFastPathFlag) >>> 0;
 
     let jniCodeOffset = null;
     let accessFlagsOffset = null;
@@ -926,7 +928,7 @@ function _getArtMethodSpec (vm) {
 
       if (accessFlagsOffset === null) {
         const flags = field.readU32();
-        if ((flags & allFlagsExceptPublicApi) === expectedAccessFlags) {
+        if ((flags & relevantAccessFlagsMask) === expectedAccessFlags) {
           accessFlagsOffset = offset;
           remaining--;
         }
@@ -1539,7 +1541,7 @@ set_replacement_method (gpointer original_method,
   g_mutex_lock (&lock);
 
   g_hash_table_insert (methods, original_method, replacement_method);
-  g_hash_table_add (replacements, replacement_method);
+  g_hash_table_insert (replacements, replacement_method, original_method);
 
   g_mutex_unlock (&lock);
 }
@@ -1561,6 +1563,20 @@ delete_replacement_method (gpointer original_method)
   g_mutex_unlock (&lock);
 }
 
+gpointer
+translate_method (gpointer method)
+{
+  gpointer translated_method;
+
+  g_mutex_lock (&lock);
+
+  translated_method = g_hash_table_lookup (replacements, method);
+
+  g_mutex_unlock (&lock);
+
+  return (translated_method != NULL) ? translated_method : method;
+}
+
 gpointer
 find_replacement_method_from_quick_code (gpointer method,
                                          gpointer thread)
@@ -1689,6 +1705,7 @@ on_leave_gc_concurrent_copying_copying_phase (GumInvocationContext * ic)
       get: new NativeFunction(cm.get_replacement_method, 'pointer', ['pointer'], fastOptions),
       set: new NativeFunction(cm.set_replacement_method, 'void', ['pointer', 'pointer'], fastOptions),
       delete: new NativeFunction(cm.delete_replacement_method, 'void', ['pointer'], fastOptions),
+      translate: new NativeFunction(cm.translate_method, 'pointer', ['pointer'], fastOptions),
       findReplacementFromQuickCode: cm.find_replacement_method_from_quick_code
     },
     getOatQuickMethodHeaderImpl,
@@ -1791,6 +1808,10 @@ function makeMethodMangler (methodId) {
   return new MethodMangler(methodId);
 }
 
+function translateMethod (methodId) {
+  return artController.replacedMethods.translate(methodId);
+}
+
 function revertGlobalPatches () {
   patchedClasses.forEach(entry => {
     entry.vtablePtr.writePointer(entry.vtable);
@@ -2316,14 +2337,14 @@ class ArtMethodMangler {
 
     patchArtMethod(replacementMethodId, {
       jniCode: impl,
-      accessFlags: ((originalFlags & ~(kAccCriticalNative | kAccFastNative)) | kAccNative) >>> 0,
+      accessFlags: ((originalFlags & ~(kAccCriticalNative | kAccFastNative | kAccNterpEntryPointFastPathFlag)) | kAccNative) >>> 0,
       quickCode: api.artClassLinker.quickGenericJniTrampoline,
       interpreterCode: api.artInterpreterToCompiledCodeBridge
     }, vm);
 
     // Remove kAccFastInterpreterToInterpreterInvoke and kAccSkipAccessChecks to disable use_fast_path
     // in interpreter_common.h
-    let hookedMethodRemovedFlags = kAccFastInterpreterToInterpreterInvoke | kAccSingleImplementation;
+    let hookedMethodRemovedFlags = kAccFastInterpreterToInterpreterInvoke | kAccSingleImplementation | kAccNterpEntryPointFastPathFlag;
     if ((originalFlags & kAccNative) === 0) {
       hookedMethodRemovedFlags |= kAccSkipAccessChecks;
     }
@@ -4043,6 +4064,7 @@ module.exports = {
   ArtStackVisitor,
   ArtMethod,
   makeMethodMangler,
+  translateMethod,
   revertGlobalPatches,
   deoptimizeEverything,
   deoptimizeBootImage,

package/lib/class-factory.js

@@ -265,7 +265,7 @@ class ClassFactory {
   wrap (handle, klass, env) {
     const C = klass.$C;
     const wrapper = new C(handle, STRATEGY_VIRTUAL, env, false);
-    wrapper.$r = WeakRef.bind(wrapper, vm.makeHandleDestructor(handle));
+    wrapper.$r = Script.bindWeak(wrapper, vm.makeHandleDestructor(handle));
     return wrapper;
   }
 
@@ -746,7 +746,7 @@ function Wrapper (handle, strategy, env, owned = true) {
     if (owned) {
       const h = env.newGlobalRef(handle);
       this.$h = h;
-      this.$r = WeakRef.bind(this, vm.makeHandleDestructor(h));
+      this.$r = Script.bindWeak(this, vm.makeHandleDestructor(h));
     } else {
       this.$h = handle;
       this.$r = null;
@@ -834,7 +834,7 @@ Object.defineProperties(Wrapper.prototype, {
       const ref = this.$r;
       if (ref !== null) {
         this.$r = null;
-        WeakRef.unbind(ref);
+        Script.unbindWeak(ref);
       }
 
       if (this.$h !== null) {

package/lib/env.js

@@ -229,7 +229,7 @@ Env.prototype.throwIfExceptionPending = function () {
 
   const error = new Error(descriptionStr);
   error.$h = handle;
-  WeakRef.bind(error, makeErrorHandleDestructor(this.vm, handle));
+  Script.bindWeak(error, makeErrorHandleDestructor(this.vm, handle));
 
   throw error;
 };
@@ -531,6 +531,10 @@ Env.prototype.monitorExit = proxy(218, 'int32', ['pointer', 'pointer'], function
   return impl(this.handle, obj);
 });
 
+Env.prototype.getDirectBufferAddress = proxy(230, 'pointer', ['pointer', 'pointer'], function (impl, obj) {
+  return impl(this.handle, obj);
+});
+
 Env.prototype.getObjectRefType = proxy(232, 'int32', ['pointer', 'pointer'], function (impl, ref) {
   return impl(this.handle, ref);
 });

package/lib/types.js

@@ -446,7 +446,15 @@ function getArrayType (typeName, unbox, factory) {
         }
       }
 
-      result.$w = factory.cast(arr, factory.use(typeName), owned);
+      // The type name we get is not always the correct representation of the type so we make it so here.
+      const internalTypeName = '[L' + elementTypeName.replace(/\./g, '/') + ';';
+      try {
+        result.$w = factory.cast(arr, factory.use(internalTypeName), owned);
+      } catch (e) {
+        // We need to load the array type before using it.
+        factory.use('java.lang.reflect.Array').newInstance(factory.use(elementTypeName).class, 0);
+        result.$w = factory.cast(arr, factory.use(internalTypeName), owned);
+      }
 
       result.$dispose = disposeObjectArray;
 
@@ -580,7 +588,7 @@ function PrimitiveArray (handle, spec, type, length, env, owned = true) {
   if (owned) {
     const h = env.newGlobalRef(handle);
     this.$h = h;
-    this.$r = WeakRef.bind(this, env.vm.makeHandleDestructor(h));
+    this.$r = Script.bindWeak(this, env.vm.makeHandleDestructor(h));
   } else {
     this.$h = handle;
     this.$r = null;
@@ -654,7 +662,7 @@ Object.defineProperties(PrimitiveArray.prototype, {
       const ref = this.$r;
       if (ref !== null) {
         this.$r = null;
-        WeakRef.unbind(ref);
+        Script.unbindWeak(ref);
       }
     }
   },
@@ -726,6 +734,11 @@ Object.defineProperties(PrimitiveArray.prototype, {
         return values;
       });
     }
+  },
+  toString: {
+    value () {
+      return this.toJSON().toString();
+    }
   }
 });
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "frida-java-bridge",
-  "version": "4.5.1",
+  "version": "5.2.0",
   "description": "Java runtime interop from Frida",
   "main": "index.js",
   "files": [
@@ -48,7 +48,6 @@
       "ThumbWriter",
       "UnixInputStream",
       "UnixOutputStream",
-      "WeakRef",
       "X86Relocator",
       "X86Writer",
       "ptr",