Hermes engine hook react native function calls
Description
Hooks React Native JavaScript function calls inside the Hermes engine on Android.
How to Use
Download the script and run it with Frida CLI:
Then run it with Frida:
frida -U -f YOUR_PACKAGE_NAME -l hermes-engine-hook-react-native-function-calls.js
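Replace YOUR_PACKAGE_NAME with the target app's package name. The script hard-codes an offset into libhermes.so, so it only matches the libhermes.so build that offset was taken from. With -f the script is loaded while the app is being spawned, so libhermes.so may not be loaded yet when the script looks it up.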
Source Code
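// Frida agent: logs the raw arguments of every HermesRuntimeImpl::call
// invocation in a React Native app that runs on the Hermes engine.

// Offset of HermesRuntimeImpl::call inside libhermes.so, written as
// (address shown by the disassembler) - (image base the disassembler used).
// It is valid for one specific libhermes.so build and ABI only; re-derive it
// for any other build, otherwise the hook lands on unrelated code.
const hermesCallOffset = 0x1f3931 - 0x00100000;

// Instance-style lookups (Process.findModuleByName / module.findExportByName /
// ptr.readUtf8String) are used instead of the static Module.* and Memory.read*
// helpers, which recent Frida releases no longer provide.
const hermesModule = Process.findModuleByName("libhermes.so");
if (hermesModule === null) {
  // Without this guard the script dies with an opaque TypeError on `.add`.
  throw new Error(
    "libhermes.so is not mapped in this process yet (common when the script " +
      "is loaded at spawn time with -f); load the script once the React " +
      "Native runtime has started"
  );
}

const libhermesBaseAddress = hermesModule.base;
const hermesRuntimeImplCallAddress = libhermesBaseAddress.add(hermesCallOffset);

// NOTE(review): this symbol demangles to
// facebook::hermes::makeHermesRuntime(hermes::vm::RuntimeConfig const&), so
// runtimePtr is the address of a factory *function*, not a jsi::Runtime
// instance. It is passed below where a Runtime& is expected; that is kept as
// the original author wrote it but is almost certainly not what was intended.
const runtimePtr = hermesModule.findExportByName(
  "_ZN8facebook6hermes17makeHermesRuntimeERKN6hermes2vm13RuntimeConfigE"
);

// facebook::jsi::Value::toString(facebook::jsi::Runtime&) const.
// libjsi.so is not present in every React Native build, so both the module
// and the export may be missing.
const jsiModule = Process.findModuleByName("libjsi.so");
const valueToStringAddr =
  jsiModule === null
    ? null
    : jsiModule.findExportByName("_ZNK8facebook3jsi5Value8toStringERNS0_7RuntimeE");

// Built once instead of on every intercepted call.
// NOTE(review): Value::toString returns a jsi::String object by value, so the
// C++ ABI most likely returns it through a hidden out-pointer rather than as a
// char*. The ('pointer', ['pointer', 'pointer']) signature is the original
// author's and should be verified against the target ABI before trusting the
// decoded text.
const valueToString =
  valueToStringAddr === null || runtimePtr === null
    ? null
    : new NativeFunction(valueToStringAddr, 'pointer', ['pointer', 'pointer']);

Interceptor.attach(hermesRuntimeImplCallAddress, {
  /**
   * Logs the raw argument pointers of the intercepted call and makes a
   * best-effort attempt to stringify `jsThis`.
   *
   * @param {NativePointer[]} args - raw native arguments of the hooked call.
   */
  onEnter(args) {
    console.log("HermesRuntimeImpl::call intercepted");

    // NOTE(review): this index layout assumes args[0] is the implicit `this`
    // and that the by-value jsi::Value result does not occupy an argument
    // slot. On ABIs that pass the return slot as the first argument every
    // index shifts by one - confirm for the target architecture.
    const func = args[1]; // const jsi::Function&
    const jsThis = args[2]; // const jsi::Value&
    const jsArgs = args[3]; // const jsi::Value* (array of `count` values)
    const count = args[4]; // size_t count

    console.log(`Function: ${func}`);
    console.log(`jsThis: ${jsThis}`);
    console.log(`jsArgs: ${jsArgs}`);
    console.log(`Count: ${count}`);
    console.log(`runtimePtr: ${runtimePtr}`);
    console.log(`valueToStringAddr: ${valueToStringAddr}`);

    if (valueToString === null) {
      console.log("Value to String skipped: required export not found");
      return;
    }

    // The native call can fault (see the notes on runtimePtr and the
    // signature); Frida surfaces such faults as JS exceptions, so catching
    // them here keeps one bad call from aborting the hook.
    try {
      const resultPtr = valueToString(jsThis, runtimePtr);
      const resultString = resultPtr.isNull() ? null : resultPtr.readUtf8String();
      console.log("Value to String Result:", resultString);
    } catch (err) {
      console.log(`Value to String failed: ${err.message}`);
    }
  },
});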