BishopFox / bfinject

Dylib injection for iOS 11.0 - 11.1.2 with LiberiOS and Electra jailbreaks
Apache License 2.0
624 stars, 151 forks

dlopen no suitable image found #5

Closed. haniag closed this issue 6 years ago.

haniag commented 6 years ago

Using latest commit on i7 11.1, with LiberiOS 11.0.3:

```
bash bfinject -p 813 -l /jb/bfinject/test.dylib
[+] Injecting into '/var/containers/Bundle/Application/E7C4881E-DA00-4DE0-83B1-463896AECD42/Twitter.app/Twitter'
[+] Getting Team ID from target application...
[+] Signing injectable .dylib with Team ID N66CZ3Y3BX and platform entitlements...
[+] Injecting /jb/bfinject/test.dylib into target application, PID 813
[+] LiberiOS assumed. Using Bishop Fox bfinject to inject the dylib
[bfinject] Getting tfp.
[bfinject] Creating new remote thread
[bfinject] Thread ID: 3075 (0xc03)
[bfinject] Looking for RET gadget in the target app... gadget candidate: 0x104f27db8 ... Found @ 0x104f27db8
[bfinject] Fake stack frame is 536870912 bytes at 0x11536c000 in remote proc
[bfinject] Looking for '_pthread_set_self' in the target process...
[bfinject] Desired function '_pthread_set_self' is at 0x185ee3804
[bfinject] Setting registers with destination function
[bfinject] New CPU state: $pc = 0x185ee3804 $sp = 0x12d36c000 $x0 = 0x0 $x1 = 0x0 $x2 = 0x0 $x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfinject] Looking for 'dlopen' in the target process...
[bfinject] Desired function 'dlopen' is at 0x185ca3460
[bfinject] Setting registers with destination function
[bfinject] New CPU state: $pc = 0x185ca3460 $sp = 0x12d36c000 $x0 = 0x11536c000 $x1 = 0xa $x2 = 0x0 $x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfinject] dlopen() returned 0x0 (FAILURE)
[bfinject] Looking for 'dlerror' in the target process...
[bfinject] Desired function 'dlerror' is at 0x185ca32b0
[bfinject] Setting registers with destination function
[bfinject] New CPU state: $pc = 0x185ca32b0 $sp = 0x12d36c000 $x0 = 0x0 $x1 = 0x0 $x2 = 0x0 $x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfdecrypt] dlerror() returned: dlopen(/System/Library/Frameworks/ec5c0d1e8fc4688149972a6c2426cb34.framework/ec5c0d1e8fc4688149972a6c2426cb34.dylib, 10): no suitable image found.  Did find:
	/System/Library/Frameworks/ec5c0d1e8fc4688149972a6c2426cb34.framework/ec5c0d1e8fc4688149972a6c2426cb34.dylib: code signature invalid for '/System/Library/Frameworks/ec5c0d1e8fc4688149972a6c2426cb34.framework/ec5c0d1e8fc4688149972a6c2426cb34.dylib'

[+] So long and thanks for all the fish.
```

0xhaggis commented 6 years ago

I think you may have checked out a buggy version. Please pull the latest and try again.

haniag commented 6 years ago

Still the same. I tried the following versions:

- https://github.com/BishopFox/bfinject/blob/master/bfinject.tar
- https://github.com/BishopFox/bfinject/raw/master/bfinject.tar

Here's the output:

```
-bash-3.2# bash bfinject -p 1323 -l /jb/bfinject/test.dylib
[+] Liberios detected
[+] Injecting into '/var/containers/Bundle/Application/A582BA0F-8FB0-4727-B432-A575C7B801C7/XECurrency.app/XECurrency'
[+] Getting Team ID from target application...
[+] Signing injectable .dylib with Team ID N36M8KXLCD and platform entitlements...
[bfinject] Getting tfp.
[bfinject] Creating new remote thread
[bfinject] Thread ID: 3075 (0xc03)
[bfinject] Looking for RET gadget in the target app... gadget candidate: 0x104727b08 ... Found @ 0x104727b08
[bfinject] Fake stack frame is 536870912 bytes at 0x10c500000 in remote proc
[bfinject] Looking for '_pthread_set_self' in the target process...
[bfinject] Desired function '_pthread_set_self' is at 0x185ee3804
[bfinject] Setting registers with destination function
[bfinject] New CPU state: $pc = 0x185ee3804 $sp = 0x124500000 $x0 = 0x0 $x1 = 0x0 $x2 = 0x0 $x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfinject] Looking for 'dlopen' in the target process...
[bfinject] Desired function 'dlopen' is at 0x185ca3460
[bfinject] Setting registers with destination function
[bfinject] New CPU state: $pc = 0x185ca3460 $sp = 0x124500000 $x0 = 0x10c500000 $x1 = 0xa $x2 = 0x0 $x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfinject] dlopen() returned 0x0 (FAILURE)
[bfinject] Looking for 'dlerror' in the target process...
[bfinject] Desired function 'dlerror' is at 0x185ca32b0
[bfinject] Setting registers with destination function
[bfinject] New CPU state: $pc = 0x185ca32b0 $sp = 0x124500000 $x0 = 0x0 $x1 = 0x0 $x2 = 0x0 $x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfdecrypt] dlerror() returned: dlopen(/System/Library/Frameworks/bcf9afe16e82c545809594e77bdfa482.framework/bcf9afe16e82c545809594e77bdfa482.dylib, 10): no suitable image found.  Did find:
	/System/Library/Frameworks/bcf9afe16e82c545809594e77bdfa482.framework/bcf9afe16e82c545809594e77bdfa482.dylib: code signature invalid for '/System/Library/Frameworks/bcf9afe16e82c545809594e77bdfa482.framework/bcf9afe16e82c545809594e77bdfa482.dylib'
	/System/Library/Frameworks/bcf9afe16e82c545809594e77bdfa482.framework/bcf9afe16e82c545809594e77bdfa482.dylib: stat() failed with errno=1
[+] So long and thanks for all the fish.
```

0xhaggis commented 6 years ago

Can you attach the dylib you're trying to inject please?

haniag commented 6 years ago

Just a simple UIAlertView: https://www.sendspace.com/file/tlow7c

0xhaggis commented 6 years ago

Aha, it's a FAT binary (multiple CPU architecture support) which until 2 minutes ago wasn't supported by bfinject. I've added support to thin out fat binaries, so please pull the latest version and try again.

0xhaggis commented 6 years ago

But it still won't work because your dylib has an unmet dependency: /Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate

Your dylib cannot work in its current state. Not a bug.

Edit: try injecting dylibs/simple.dylib and see if it works. If it does, you're good - you'll just need to build a dylib that doesn't link against CydiaSubstrate.
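Both diagnoses in the two comments above (the dylib is a FAT binary, and it links a framework that is not present on the device) can be made by reading the file's Mach-O headers before anything is injected. The script below is an added example and is not bfinject's code or anything posted in this thread: it parses the fat header, extracts the arm64 slice (the equivalent of `lipo -thin arm64`), walks the load commands for `LC_LOAD_DYLIB`, `LC_LOAD_WEAK_DYLIB` and `LC_REEXPORT_DYLIB` (what `otool -L` prints), and flags linked paths outside `/usr/lib` and `/System/Library` as a heuristic for "not shipped with iOS". All function names are mine; the sample binary is constructed in memory from hypothetical bytes (an x86_64 slice plus an arm64 slice that links CydiaSubstrate), and `build_fat` and `_thin_dylib` exist only to construct it.

```python
import struct

# Mach-O constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE          # fat header and fat_arch entries are big-endian
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O header, little-endian on arm64 and x86_64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
MH_DYLIB = 6
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
DYLIB_LOAD_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}


def fat_slices(data):
    """Return [(cputype, offset, size)] for a FAT (universal) binary, or [] if the file is not fat."""
    if len(data) < 8 or struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return []
    nfat = struct.unpack_from(">I", data, 4)[0]
    slices = []
    for i in range(nfat):
        cputype, _sub, off, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        if off + size > len(data):
            raise ValueError("fat_arch %d points outside the file" % i)
        slices.append((cputype, off, size))
    return slices


def thin(data, cputype):
    """Extract one architecture (what `lipo -thin` does); a thin file is passed through after a check."""
    slices = fat_slices(data)
    if slices:
        for ct, off, size in slices:
            if ct == cputype:
                return data[off:off + size]
        raise ValueError("no slice for cputype 0x%x" % cputype)
    magic, ct = struct.unpack_from("<II", data, 0)
    if magic != MH_MAGIC_64 or ct != cputype:
        raise ValueError("not a thin 64-bit Mach-O for cputype 0x%x" % cputype)
    return data


def linked_dylibs(macho):
    """Walk the load commands of a thin 64-bit Mach-O and list the dylibs it links (like `otool -L`)."""
    magic, _ct, _sub, _ft, ncmds, sizeofcmds, _fl, _res = struct.unpack_from("<IIIIIIII", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O")
    pos, end, deps = 32, 32 + sizeofcmds, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % pos)
        if cmd in DYLIB_LOAD_CMDS:
            name_off = struct.unpack_from("<I", macho, pos + 8)[0]   # dylib.name is an lc_str offset
            deps.append(macho[pos + name_off:pos + cmdsize].split(b"\0", 1)[0].decode())
        pos += cmdsize
    return deps


def unmet_dependencies(deps):
    """Heuristic: paths outside /usr/lib and /System/Library are not part of iOS and must be installed separately."""
    return [d for d in deps if not d.startswith(("/usr/lib/", "/System/Library/"))]


# --- constructed sample input (hypothetical bytes, not a real dylib) ---------------------------

def _dylib_cmd(path):
    name = path.encode() + b"\0"
    pad = (-(24 + len(name))) % 8                       # load commands are 8-byte aligned
    return struct.pack("<IIIIII", LC_LOAD_DYLIB, 24 + len(name) + pad, 24, 0, 0x10000, 0x10000) + name + b"\0" * pad


def _thin_dylib(cputype, deps):
    cmds = b"".join(_dylib_cmd(d) for d in deps)
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, MH_DYLIB, len(deps), len(cmds), 0, 0) + cmds


def build_fat(slices, align_shift=12):
    page = 1 << align_shift
    roundup = lambda x: (x + page - 1) // page * page
    offset, archs, bodies = roundup(8 + 20 * len(slices)), b"", []
    for cputype, blob in slices:
        archs += struct.pack(">IIIII", cputype, 0, offset, len(blob), align_shift)
        bodies.append((offset, blob))
        offset = roundup(offset + len(blob))
    out = bytearray(offset)
    out[0:8 + len(archs)] = struct.pack(">II", FAT_MAGIC, len(slices)) + archs
    for off, blob in bodies:
        out[off:off + len(blob)] = blob
    return bytes(out)


SAMPLE_FAT = build_fat([
    (CPU_TYPE_X86_64, _thin_dylib(CPU_TYPE_X86_64, ["/usr/lib/libSystem.B.dylib"])),
    (CPU_TYPE_ARM64, _thin_dylib(CPU_TYPE_ARM64, [
        "/usr/lib/libSystem.B.dylib",
        "/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate",
    ])),
])

if __name__ == "__main__":
    for ct, off, size in fat_slices(SAMPLE_FAT):
        print("slice cputype=0x%x offset=%d size=%d" % (ct, off, size))
    deps = linked_dylibs(thin(SAMPLE_FAT, CPU_TYPE_ARM64))
    print("links:", deps)
    print("unmet on a stock device:", unmet_dependencies(deps))
```

On a real file, replace `SAMPLE_FAT` with the bytes of the dylib; `unmet_dependencies` on the arm64 slice reports the CydiaSubstrate path in the constructed sample, which is the same condition 0xhaggis found by hand above. The heuristic only covers paths that dyld resolves from the shared cache or the base system; a dylib present in a jailbreak's own directories would still be flagged and needs a manual check.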

haniag commented 6 years ago

Hmm, thanks for your help. So this will probably not work since CydiaSubstrate doesn't yet work. Any workaround?

0xhaggis commented 6 years ago

Depends what you want to do. If you need function hooking, use https://github.com/facebook/fishhook. If you need method swizzling, just use the built-in Objective-C swizzling methods. Closing this issue.