A way to avoid wasting time on static analysis when the target function is large and heavily obfuscated.
Let's say we want to hook a function named protection that is heavily obfuscated and that jadx can't decompile. We can use frida to hook the function and record its execution chain.
Simple view:
We can see many invocations made through reflection. We can use this script to hook the function and get the execution chain.
First we need to write a simple hook for the function; in this case we will hook the protection function. The easiest way to do this is to use the script creator built into jadx.
Just open jadx, open the class that contains the function, right-click on the function and select Copy as frida snippet.
Paste the code into frida_reflection_stalker.js
This is how it should look:
Now you need to mark the moment when the function starts and ends execution.
You must insert intercept = true before the function starts execution and intercept = false after the function ends execution.
And that's it. Now you can run the script and get the execution chain.
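As an added illustration of the pattern described above (not the original frida_reflection_stalker.js), here is a complete script of the same shape: a hook on java.lang.reflect.Method.invoke records every reflective call, but only while the intercept flag is set, and the hook on the target method sets the flag on entry and clears it on exit. The class name com.example.app.SecurityChecks and the method name protection are placeholders to be replaced with the snippet copied from jadx; the recording and formatting helpers are kept free of Frida APIs so they can be exercised outside the Frida runtime.

```javascript
// Added example script, not the page's own frida_reflection_stalker.js.
// Placeholder names (assumed): replace with the snippet copied from jadx.
const TARGET_CLASS = 'com.example.app.SecurityChecks';
const TARGET_METHOD = 'protection';

// State shared by the target hook and the reflection hook.
// intercept mirrors the flag described in the text; chain collects the calls.
const state = { intercept: false, chain: [] };

// Record one reflective invocation, but only while the target is executing.
// Returns true when the call was recorded, false when it was ignored.
function recordInvoke(st, className, methodName, argCount) {
  if (!st.intercept) return false;
  st.chain.push({ className: className, methodName: methodName, argCount: argCount });
  return true;
}

// Render the recorded chain as a numbered list, one reflective call per line.
function formatChain(chain) {
  return chain
    .map((e, i) => `${i + 1}. ${e.className}.${e.methodName}(${e.argCount} args)`)
    .join('\n');
}

// Frida-specific part: only runs inside the Frida Java runtime.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    // 1. Trace reflection: Method.invoke(Object receiver, Object[] args).
    const Method = Java.use('java.lang.reflect.Method');
    Method.invoke.overload('java.lang.Object', '[Ljava.lang.Object;').implementation =
      function (receiver, args) {
        const cls = this.getDeclaringClass().getName();
        const name = this.getName();
        recordInvoke(state, cls, name, args ? args.length : 0);
        return this.invoke(receiver, args); // call the original
      };

    // 2. Hook every overload of the target and bracket it with the flag.
    const Target = Java.use(TARGET_CLASS);
    Target[TARGET_METHOD].overloads.forEach(function (ov) {
      ov.implementation = function () {
        state.intercept = true;          // function starts execution
        state.chain = [];
        try {
          return ov.apply(this, arguments);
        } finally {
          state.intercept = false;       // function ends execution
          console.log(`[${TARGET_CLASS}.${TARGET_METHOD}] reflective execution chain:\n` +
                      formatChain(state.chain));
        }
      };
    });
  });
}
```

Clearing the flag in a finally block matters: if the obfuscated function throws (for example when a root check fails), the flag is still reset, so later unrelated reflective calls are not mistaken for part of the chain.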
frida -U -f com.package.name -l frida_reflection_stalker.js --no-pause
Boom! We got the execution chain. Our test function checks if the device is rooted.
Of course, you can use this script to hook any function, not only the one that is heavily obfuscated.