Closed haniag closed 6 years ago
I think you may have checked out a buggy version. Please pull the latest and try again.
Still the same. I tried the following versions:
https://github.com/BishopFox/bfinject/blob/master/bfinject.tar https://github.com/BishopFox/bfinject/raw/master/bfinject.tar
Here's the output:
-bash-3.2# bash bfinject -p 1323 -l /jb/bfinject/test.dylib
[+] Liberios detected
[+] Injecting into '/var/containers/Bundle/Application/A582BA0F-8FB0-4727-B432-A575C7B801C7/XECurrency.app/XECurrency'
[+] Getting Team ID from target application...
[+] Signing injectable .dylib with Team ID N36M8KXLCD and platform entitlements...
[bfinject] Getting tfp.
[bfinject] Creating new remote thread
[bfinject] Thread ID: 3075 (0xc03)
[bfinject] Looking for RET gadget in the target app... gadget candidate: 0x104727b08 ... Found @ 0x104727b08
[bfinject] Fake stack frame is 536870912 bytes at 0x10c500000 in remote proc
[bfinject] Looking for '_pthread_set_self' in the target process...
[bfinject] Desired function '_pthread_set_self' is at 0x185ee3804
[bfinject] Setting registers with destination function
[bfinject] New CPU state: $pc = 0x185ee3804 $sp = 0x124500000 $x0 = 0x0 $x1 = 0x0 $x2 = 0x0 $x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfinject] Looking for 'dlopen' in the target process...
[bfinject] Desired function 'dlopen' is at 0x185ca3460
[bfinject] Setting registers with destination function
[bfinject] New CPU state: $pc = 0x185ca3460 $sp = 0x124500000 $x0 = 0x10c500000 $x1 = 0xa $x2 = 0x0 $x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfinject] dlopen() returned 0x0 (FAILURE)
[bfinject] Looking for 'dlerror' in the target process...
[bfinject] Desired function 'dlerror' is at 0x185ca32b0
[bfinject] Setting registers with destination function
[bfinject] New CPU state: $pc = 0x185ca32b0 $sp = 0x124500000 $x0 = 0x0 $x1 = 0x0 $x2 = 0x0 $x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfdecrypt] dlerror() returned: dlopen(/System/Library/Frameworks/bcf9afe16e82c545809594e77bdfa482.framework/bcf9afe16e82c545809594e77bdfa482.dylib, 10): no suitable image found. Did find: /System/Library/Frameworks/bcf9afe16e82c545809594e77bdfa482.framework/bcf9afe16e82c545809594e77bdfa482.dylib: code signature invalid for '/System/Library/Frameworks/bcf9afe16e82c545809594e77bdfa482.framework/bcf9afe16e82c545809594e77bdfa482.dylib'
/System/Library/Frameworks/bcf9afe16e82c545809594e77bdfa482.framework/bcf9afe16e82c545809594e77bdfa482.dylib: stat() failed with errno=1
[+] So long and thanks for all the fish.
Can you attach the dylib you're trying to inject please?
Just a simple UIAlertView: https://www.sendspace.com/file/tlow7c
Aha, it's a FAT binary (multiple CPU architecture support) which until 2 minutes ago wasn't supported by bfinject. I've added support to thin out fat binaries, so please pull the latest version and try again.
But it still won't work because your dylib has an unmet dependency: /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
Your dylib cannot work in its current state. Not a bug.
Edit: try injecting dylibs/simple.dylib and see if it works. If it does, you're good - you'll just need to build a dylib that doesn't link against CydiaSubstrate.
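An added diagnostic for the two causes named above (fat binary, unmet dependency); it is not part of bfinject or of this thread. It parses a thin or fat 64-bit Mach-O dylib the way otool -L does, reporting whether the file is fat and which libraries each slice links against, so a dependency missing on the device (here CydiaSubstrate) is caught before dlopen() fails. The sample dylib bytes are constructed inside the block; the cputype constants and the dependency list are assumptions, not taken from the poster's file.

```python
import struct

FAT_MAGIC, MH_MAGIC_64 = 0xCAFEBABE, 0xFEEDFACF      # fat header is big-endian, arm64 Mach-O little-endian
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0x0C, 0x80000018
CPU_TYPE_ARM64, CPU_TYPE_X86_64 = 0x0100000C, 0x01000007

def _parse_thin(buf):
    """Return (cputype, [linked dylib paths]) for one 64-bit Mach-O slice."""
    hdr = struct.unpack_from("<8I", buf, 0)          # magic, cputype, cpusubtype, filetype, ncmds, ...
    if hdr[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O slice")
    deps, off = [], 32                               # load commands follow the 32-byte header
    for _ in range(hdr[4]):
        cmd, cmdsize = struct.unpack_from("<II", buf, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_start = off + struct.unpack_from("<I", buf, off + 8)[0]     # dylib.name.offset
            deps.append(buf[name_start:off + cmdsize].split(b"\0", 1)[0].decode())
        off += cmdsize
    return hdr[1], deps

def inspect_dylib(buf):
    """Return (is_fat, {cputype: [dependencies]}) for a thin or fat dylib image."""
    if struct.unpack_from(">I", buf, 0)[0] != FAT_MAGIC:
        cputype, deps = _parse_thin(buf)
        return False, {cputype: deps}
    slices = {}
    for i in range(struct.unpack_from(">I", buf, 4)[0]):           # nfat_arch entries, 20 bytes each
        cputype, _sub, offset, size, _align = struct.unpack_from(">5I", buf, 8 + 20 * i)
        slices[cputype] = _parse_thin(buf[offset:offset + size])[1]
    return True, slices

def unmet_dependencies(deps, present_on_device):
    return [d for d in deps if d not in present_on_device]   # what dlopen() cannot resolve on the device

# Constructed sample (hypothetical bytes, not a real build): a fat arm64 + x86_64 dylib that links
# libSystem and CydiaSubstrate. Slices are not page-aligned here; the parser does not need that.
def _build_thin(cputype, deps):
    cmds = b""
    for d in deps:
        name = d.encode() + b"\0"
        pad = -(24 + len(name)) % 8               # dylib_command is 24 bytes, name padded to 8
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name) + pad, 24, 0, 0, 0) + name + b"\0" * pad
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 6, len(deps), len(cmds), 0, 0) + cmds
def _build_fat(thins):
    archs, body = b"", b""
    for cputype, thin in thins:
        archs += struct.pack(">5I", cputype, 0, 8 + 20 * len(thins) + len(body), len(thin), 0)
        body += thin
    return struct.pack(">II", FAT_MAGIC, len(thins)) + archs + body
SAMPLE_DEPS = ["/usr/lib/libSystem.B.dylib", "/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate"]
SAMPLE_FAT = _build_fat([(ct, _build_thin(ct, SAMPLE_DEPS)) for ct in (CPU_TYPE_ARM64, CPU_TYPE_X86_64)])
```

On a real file, read it in binary mode and pass the bytes to inspect_dylib(); a fat result means the image needs thinning, and any path returned by unmet_dependencies() is a library the target process cannot load.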
hmm, thanks for your help. So this will probably not work since CydiaSubstrate doesn't yet work. Any workaround?
Depends what you want to do. If you need function hooking, use https://github.com/facebook/fishhook. If you need method swizzling, just use the built-in Objective-C swizzling methods. Closing this issue.
Using latest commit on i7 11.1, with LiberiOS 11.0.3:
bash bfinject -p 813 -l /jb/bfinject/test.dylib
[+] Injecting into '/var/containers/Bundle/Application/E7C4881E-DA00-4DE0-83B1-463896AECD42/Twitter.app/Twitter'
[+] Getting Team ID from target application...
[+] Signing injectable .dylib with Team ID N66CZ3Y3BX and platform entitlements...
[+] Injecting /jb/bfinject/test.dylib into target application, PID 813
[+] LiberiOS assumed. Using Bishop Fox bfinject to inject the dylib
[bfinject] Getting tfp.
[bfinject] Creating new remote thread
[bfinject] Thread ID: 3075 (0xc03)
[bfinject] Looking for RET gadget in the target app... gadget candidate: 0x104f27db8 ... Found @ 0x104f27db8
[bfinject] Fake stack frame is 536870912 bytes at 0x11536c000 in remote proc
[bfinject] Looking for '_pthread_set_self' in the target process...
[bfinject] Desired function '_pthread_set_self' is at 0x185ee3804
[bfinject] Setting registers with destination function
[bfinject] New CPU state: $pc = 0x185ee3804 $sp = 0x12d36c000 $x0 = 0x0 $x1 = 0x0 $x2 = 0x0 $x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfinject] Looking for 'dlopen' in the target process...
[bfinject] Desired function 'dlopen' is at 0x185ca3460
[bfinject] Setting registers with destination function
[bfinject] New CPU state: $pc = 0x185ca3460 $sp = 0x12d36c000 $x0 = 0x11536c000 $x1 = 0xa $x2 = 0x0 $x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfinject] dlopen() returned 0x0 (FAILURE)
[bfinject] Looking for 'dlerror' in the target process...
[bfinject] Desired function 'dlerror' is at 0x185ca32b0
[bfinject] Setting registers with destination function
[bfinject] New CPU state: $pc = 0x185ca32b0 $sp = 0x12d36c000 $x0 = 0x0 $x1 = 0x0 $x2 = 0x0 $x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfdecrypt] dlerror() returned: dlopen(/System/Library/Frameworks/ec5c0d1e8fc4688149972a6c2426cb34.framework/ec5c0d1e8fc4688149972a6c2426cb34.dylib, 10): no suitable image found. Did find: /System/Library/Frameworks/ec5c0d1e8fc4688149972a6c2426cb34.framework/ec5c0d1e8fc4688149972a6c2426cb34.dylib: code signature invalid for '/System/Library/Frameworks/ec5c0d1e8fc4688149972a6c2426cb34.framework/ec5c0d1e8fc4688149972a6c2426cb34.dylib'
[+] So long and thanks for all the fish.