Part 1 — Florida Patches
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ )
CAUTION: #FreePalestine
WARNING: This is just for educational purposes.
This part covers source-level patches applied via Florida that strip Frida’s most obvious fingerprints, including hardcoded strings, thread names, memfd labels, and protocol markers.
Florida is a tool developed by Ylarod. Check the repository for more details.
Florida Patches
Patch 1 — Obfuscating the `frida:rpc` Protocol Identifier String
Replacing the hardcoded `frida:rpc` literal in Frida's RPC layer with a runtime double-Base64 decode so the string never appears as a contiguous sequence of bytes in the compiled agent binary.

Patch 2 — Randomizing the `frida-agent-<arch>.so` Filename on Disk
Replacing the hardcoded `frida-agent-<arch>.so` filename with a runtime-generated random name so static and on-disk scanners can no longer identify the injected agent by its well-known filename.

Patch 3 — Renaming the `frida_agent_main` Exported Symbol
Stripping or renaming the exported `frida_agent_main` symbol that detection tools use to identify the injected Frida agent in the target process.

Patch 4 — Hiding the `gum-js-loop` Thread Name
Obfuscating the well-known `gum-js-loop` thread name that Frida's JavaScript runtime creates and that detectors enumerate via `/proc/self/task`.

Patch 5 — Hiding the `gmain` Thread Name
Obfuscating the `gmain` thread name used by GLib's main event loop inside the Frida agent to remove a predictable thread-enumeration fingerprint.

Patch 6 — Removing the `FRIDA:UNEXPECTED` Protocol Error Marker
Patching the protocol error string that Frida emits on unexpected commands, eliminating another static string fingerprint present in the agent binary.

Patch 7 — Automating the Double-Encoding with a Python Script
A companion Python script that automates generating double-Base64-encoded replacements for any Frida string literal targeted by the Florida patch set.

Patch 8 — Renaming the `pool-frida` Thread Pool
Renaming the `pool-frida` thread pool name that Frida's GLib-based thread pool creates, removing another readily enumerable thread-name fingerprint.

Patch 9 — Renaming the `jit-cache` memfd Descriptor
Changing the `jit-cache` name passed to `memfd_create` so that Frida's JIT code cache no longer appears with a recognisable label in `/proc/self/fd`.

Patch 10 — Disabling Frida's Own Anti-Anti-Frida Logic
Removing Frida's built-in logic that detects and patches common anti-Frida checks, reducing the agent's active behavioural footprint inside the target process.

Patch 11 — Renaming the `frida-gum` Thread Pool
Renaming the `frida-gum` thread pool name used by Gum's internal worker pool, closing the final thread-name detection surface covered by Part 1.

