How I was able to get extra coins

Before we start, we have to understand how Frida works.

What is Frida?

It’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.

To set up Frida you need a rooted device. How to set up Frida

In our case I used Frida to change a function's return value at run time.

Case study

Since this is a private program, let's call the application game.com. It is an Android game in which you need a minimum of around 10,000 coins to play.

The application has a daily bonus feature that grants between 1,000 and 50,000 coins; you can claim this bonus only once per 24 hours.

So either you wait 24 hours to get coins and play, or you pay $20 to get coins and play right away.

POC

I downloaded the APK file and decompiled it with the jadx decompiler.

After decompiling the APK I started searching for "daily bonus"


and found a function with the following code:

public final boolean shouldShowDailyBonus() {
    if (dailyBonusModel == null
            || dailyBonusModel.getAvailable() <= 0
            || dailyBonusModel.isClaimed()
            || ((Boolean) this.cardGame.getFromSessionStorage(DAILY_BONUS_SHOWN_KEY, false)).booleanValue()) {
        return false;
    }
    return true;
}

As you can see, the function returns false once you have claimed the bonus.

To get the daily bonus again I just have to make this function return true. To do this I used Frida.

To hook the function with a Frida JavaScript file, you first need to start frida-server on your Android phone:

adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &" 

JavaScript code used to change the return value from false to true:

Java.perform(function () {
    var classA = Java.use("com.game.class.name");

    // Replace the method body; the original method takes no arguments
    classA.shouldShowDailyBonus.implementation = function () {
        console.log("In function shouldShowDailyBonus");
        // JavaScript boolean literal is lowercase "true"
        return true;
    };
});

To load the hook script, use the following command:

frida -U --no-pause -l javascript_file_name.js -f com.game.name

As soon as the function is called, Frida runs the hooked JavaScript, which returns true. This displays the daily bonus page and I was able to collect extra coins.
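The root cause is that eligibility for the bonus is decided in the client, where any instrumentation hook can override it. Below is an added example, not code from this post or from the game, of a hypothetical server-side claim handler that keeps the only authoritative claim record and counts repeat attempts for detection; the store, user ids and timestamps are constructed.

```javascript
// Added example: the daily-bonus decision made on the server, where a hook on
// the client's shouldShowDailyBonus() has no effect.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed in-memory store standing in for a database table:
// userId -> { lastClaimMs, rejectedRepeats }
function newClaimStore() {
  return new Map();
}

// Hypothetical server handler. The client may only ask to claim; the server
// decides eligibility and the amount from its own records and its own clock.
// nowMs is a parameter so the window is testable; it is never read from the request.
function claimDailyBonus(store, userId, nowMs, serverChosenAmount) {
  const rec = store.get(userId) || { lastClaimMs: null, rejectedRepeats: 0 };
  if (rec.lastClaimMs !== null && nowMs - rec.lastClaimMs < DAY_MS) {
    // The UI hides the bonus button in this state, so a request here means the
    // client-side check was bypassed: reject it and count it for alerting.
    rec.rejectedRepeats += 1;
    store.set(userId, rec);
    return {
      ok: false,
      reason: "already_claimed",
      retryAfterMs: rec.lastClaimMs + DAY_MS - nowMs,
      suspicious: rec.rejectedRepeats >= 3, // repeated bypass attempts worth an alert
    };
  }
  rec.lastClaimMs = nowMs;
  rec.rejectedRepeats = 0;
  store.set(userId, rec);
  return { ok: true, granted: serverChosenAmount, suspicious: false };
}

// Replays the scenario from the write-up against the server-side check:
// first claim, an immediate retry from a hooked client, and a claim 24h later.
function demo() {
  const store = newClaimStore();
  const t0 = 1700000000000; // constructed timestamp (ms)
  return [
    claimDailyBonus(store, "player42", t0, 1000),          // granted
    claimDailyBonus(store, "player42", t0 + 5000, 1000),   // rejected: already_claimed
    claimDailyBonus(store, "player42", t0 + DAY_MS, 1000), // granted again
  ];
}
```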
