Closed PyroFilmsFX closed 8 years ago
[FIX FOUND] HUGE UPDATE FOR THOSE WITH SIMILAR ISSUES: Take a look at this link here: http://iphonedevwiki.net/index.php/Updating_extensions_for_iOS_9
Anything compiled with Theos armv7 (32-bit, which this project ONLY supports) must be compiled with the "TWEAKNAMEHERE_LDFLAGS += -Wl,-segalign,4000" flags in the Theos Makefile.
AS WELL for those who are lucky to get past that part, the actual CydiaSubstrate binary included in this project is OUTDATED and was not fixed for the new armv7 slice change in iOS 9.
To fix that issue, download the newest CydiaSubstrate from http://ipod-touch-max.ru/cydia/index.php?cat=package&id=32802.
Extract the deb, then extract the data folder, CydiaSubstrate should be located at Library > Frameworks > CydiaSubstrate.framework > CydiaSubstrate.
Now after you run the nic.pl script to create the tweak, enter the tweak folder. Edit "Makefile" and add this under the TWEAK_NAME line: "(actualTweakNameHere)_LDFLAGS += -Wl,-segalign,4000". And finally just replace Patchapp > CydiaSubstrate with the new CydiaSubstrate binary you just downloaded.
I will attempt to make a pull request to fix these issues directly at the source, the authors don't seem too active. For now enjoy the fix! :)
UPDATE: Doing the EXACT same as below with an iOS 7.0.4 device (iPad 2) WORKS. But will crash on load with my iOS 9.1 device! (iPhone 6) That takes my guess to a code signature issue of some sort, but I have tried everything deemed possible with what I can, cannot sign and how what and with what bundle ID or wildcard etc.
I have used Theos before for jailbroken devices and understand how that works. I have also researched and successfully injected a dylib into a binary with optool previously. I know and love Theos' simplicity so I came here to see if this would be a much better option.
I created a whole new blank (only changes made were bitcode to off and only have armv7 compiled) Xcode project called 'injectMe' and exported/archived it to an IPA to test on.
I also created a completely new Theos tweak project named 'injectYou'. I made no changes to the project whatsoever.
Also went to my developer portal and followed instructions to make a limited BundleID cert. (According to the patchscript info) (All of this also tested on a wildcard cert as well, same outcome!)
'make' to compile/sign the tweak:
"/Users/justin/Documents/injectMeApp/injectyou/theos/makefiles/targets/Darwin/iphone.mk:41: Deploying to iOS 3.0 while building for 6.0 will generate armv7-only binaries.
Making all for tweak injectYou...
Preprocessing Tweak.xm...
Compiling Tweak.xm...
Compiling fishhook/fishhook.c...
Preprocessing iSpy.class.xm...
Compiling iSpy.class.xm...
Preprocessing iSpy.instance.xm...
Compiling iSpy.instance.xm...
Preprocessing iSpy.msgSend.common.xm...
Compiling iSpy.msgSend.common.xm...
Preprocessing iSpy.msgSend.whitelist.xm...
Compiling iSpy.msgSend.whitelist.xm...
Preprocessing iSpy.msgSend.xm...
Compiling iSpy.msgSend.xm...
Preprocessing iSpy.msgSend_stret.xm...
Compiling iSpy.msgSendstret.xm...
Preprocessing typestring.xm...
Compiling typestring.xm...
Preprocessing iSpy.logwriter.xm...
Compiling iSpy.logwriter.xm...
Preprocessing iSpy.SSLPinning.xm...
Compiling iSpy.SSLPinning.xm...
Linking tweak injectYou...
Stripping injectYou...
Signing injectYou...
iPhone Developer: ambiguous (matches "iPhone Developer: * \ (**)" and "iPhone Developer: *_@.com (**)" in /Users/***/Library/Keychains/login.keychain)"
That was simply a keychain error at first, fixed that.
Now the second time 'make'. No errors!
"/Users/justin/Documents/injectMeApp/injectyou/theos/makefiles/targets/Darwin/iphone.mk:41: Deploying to iOS 3.0 while building for 6.0 will generate armv7-only binaries.
Making all for tweak injectYou...
Preprocessing Tweak.xm...
Compiling Tweak.xm...
Linking tweak injectYou...
Stripping injectYou...
Signing injectYou..."
Then I ran the patch script. Again, no errors! (Except no extensions, as I don't have any.)
"./patchapp.sh patch ../injectMe.ipa ../_.mobileprovision
[+] Unpacking the .ipa file (/Users/__/Documents/injectMeApp/injectyou/../injectMe.ipa)...
[+] Copying .dylib dependences into ".patchapp.cache/Payload/injectMe.app"
[+] Codesigning .dylib dependencies with certificate "iPhone Developer: _* * (****_)"
.patchapp.cache/Payload/injectMe.app/injectYou.dylib
.patchapp.cache/Payload/injectMe.app/CydiaSubstrate
.patchapp.cache/Payload/injectMe.app/ap.dylib
.patchapp.cache/Payload/injectMe.app/cy.dylib
.patchapp.cache/Payload/injectMe.app/readlin.dylib
.patchapp.cache/Payload/injectMe.app/ncur.dylib
.patchapp.cache/Payload/injectMe.app/cycript
obj/injectYou.dylib
[+] Patching ".patchapp.cache/Payload/injectMe.app/injectMe" to load "injectYou.dylib"
[+] Generating entitlements.xml for distribution ID "alis"="iPhone Distribution: ***, LLC"
[+] Codesigning Plugins and Frameworks with certificate "iPhone Developer: _* \ (****)"
ls: .patchapp.cache/Payload/injectMe.app/PlugIns/com./com.: No such file or directory
ls: .patchapp.cache/Payload/injectMe.app/PlugIns/com.: No such file or directory
ls: .patchapp.cache/Payload/injectMe.app/Frameworks/_: No such file or directory
[+] Codesigning the patched .app bundle with certificate "iPhone Developer: _* * (**)"
injectMe.app: replacing existing signature
[+] Repacking the .ipa
[+] Wrote "injectMe-patched.ipa"
[+] Great success!"
Also installed the mobile provision onto the device correctly (tested by signing the non-patched app, installed correctly and ran without any crashes).
Installed the patched ipa to my device; it will ALWAYS crash on load, no matter what. Seems to happen to every app I have tried to patch so far, be it an AppStore clutched app or an Xcode archived app.
"Dec 18 17:41:02 Device kernel[0]: xpcproxy[747] Container: /private/var/mobile/Containers/Data/Application/0930A84D-E968-444D-AAA2-D0CD26026907 (sandbox)
Dec 18 17:41:02 Device assertiond[67] : Unable to obtain a task name port right for pid 747: (os/kern) failure (5)
Dec 18 17:41:02 Device SpringBoard[58] : Unable to register for exec notifications: No such process
Dec 18 17:41:02 Device SpringBoard[58] : Unable to obtain a task name port right for pid 747: (os/kern) failure (5)
Dec 18 17:41:02 Device SpringBoard[58] : Unable to obtain a task name port right for <FBApplicationProcess: 0x142b38f20; com.adhoc.injectMe; pid: 747>
Dec 18 17:41:02 Device SpringBoard[58] : Application 'UIKitApplication:com.adhoc.injectMe[0xe2e]' crashed.
Dec 18 17:41:02 Device com.apple.xpc.launchd1 : Service exited due to signal: Trace/BPT trap: 5
Dec 18 17:41:02 Device SpringBoard[58] : CGContextSaveGState: invalid context 0x0. If you want to see the backtrace, please set CG_CONTEXT_SHOW_BACKTRACE environmental variable.
Dec 18 17:41:02 Device SpringBoard[58] : CGContextTranslateCTM: invalid context 0x0. If you want to see the backtrace, please set CG_CONTEXT_SHOW_BACKTRACE environmental variable.
Dec 18 17:41:02 Device SpringBoard[58] : CGContextRestoreGState: invalid context 0x0. If you want to see the backtrace, please set CG_CONTEXT_SHOW_BACKTRACE environmental variable.
Dec 18 17:41:02 Device SpringBoard[58] : CGContextSaveGState: invalid context 0x0. If you want to see the backtrace, please set CG_CONTEXT_SHOW_BACKTRACE environmental variable.
Dec 18 17:41:02 Device SpringBoard[58] : CGContextTranslateCTM: invalid context 0x0. If you want to see the backtrace, please set CG_CONTEXT_SHOW_BACKTRACE environmental variable.
Dec 18 17:41:02 Device SpringBoard[58] : CGContextRestoreGState: invalid context 0x0. If you want to see the backtrace, please set CG_CONTEXT_SHOW_BACKTRACE environmental variable.
Dec 18 17:41:02 Device SpringBoard[58] : Application '(null)' exited for an unknown reason.
Dec 18 17:41:02 Device ReportCrash[748] : Formulating report for corpse[747] injectMe
Dec 18 17:41:02 Device ReportCrash[748] : saved type '109_injectMe' report (11 of max 25) as /var/mobile/Library/Logs/CrashReporter/injectMe_2015-12-18-174102_Device.ips
Dec 18 17:41:03 Device searchd[164] : ====^^^^ DuetExpert missing data, count -> people:0 applicationDeepLinks:0 applications:8 requests:46 missingAllDataRequests:0"
Other information: iPhone 6, iOS 9.1. My Apple account is an admin of another enterprise account, although not owner. I also noticed that the patch script told me to create com.adhoc.injectMe-patched, yet the final "patched" ipa only had a "com.adhoc.injectMe" bundle ID. I changed the original unpatched ipa bundle ID to com.adhoc.injectMe-patched. No luck. I also tried a limited mobileprovision for both com.adhoc.injectMe-patched and com.adhoc.injectMe, and even a wildcard mobileprovision.
Thank you so much for your time and help
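An added example, not part of the original post or the project's code: a Python check that reads the LC_SEGMENT load commands of the 32-bit ARM slice of a built dylib and reports every segment whose vmaddr is not a multiple of 0x4000, the hexadecimal value given to -segalign in the fix above. The function names and the `sample` helper, which builds a constructed Mach-O header for demonstration, are assumptions of this example.

```python
import struct

MH_MAGIC = 0xFEEDFACE      # thin 32-bit Mach-O (little-endian on ARM)
FAT_MAGIC = 0xCAFEBABE     # fat header; its fields are big-endian
CPU_TYPE_ARM = 12
LC_SEGMENT = 0x1
ALIGN = 0x4000             # -segalign takes a hex value: 4000 means 16 KiB


def armv7_slice(data):
    """Return the 32-bit ARM Mach-O slice of a thin or fat binary."""
    if struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        (nfat,) = struct.unpack_from(">I", data, 4)
        for i in range(nfat):
            cpu, _sub, off, size, _al = struct.unpack_from(">5I", data, 8 + 20 * i)
            if cpu == CPU_TYPE_ARM:
                return data[off:off + size]
        raise ValueError("no 32-bit ARM slice")
    return data


def misaligned_segments(data, align=ALIGN):
    """List (segname, vmaddr) for LC_SEGMENT entries not aligned to `align`."""
    macho = armv7_slice(data)
    magic, cpu, _sub, _ft, ncmds, _size, _flags = struct.unpack_from("<7I", macho)
    if magic != MH_MAGIC or cpu != CPU_TYPE_ARM:
        raise ValueError("not a 32-bit ARM Mach-O")
    bad, off = [], 28                      # load commands follow the 28-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", macho, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command")
        if cmd == LC_SEGMENT:
            name, vmaddr = struct.unpack_from("<16sI", macho, off + 8)
            if vmaddr % align:
                bad.append((name.rstrip(b"\0").decode(), vmaddr))
        off += cmdsize
    return bad


def sample(text_va, data_va):
    """Constructed image: Mach-O header plus two section-less LC_SEGMENTs."""
    segs = [(b"__TEXT", text_va), (b"__DATA", data_va)]
    cmds = b"".join(
        struct.pack("<2I16s8I", LC_SEGMENT, 56, n, va, 0x1000, 0, 0, 7, 5, 0, 0)
        for n, va in segs)
    return struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, 9, 6, 2, len(cmds), 0) + cmds
```

On a real build, pass the bytes of the linked dylib (for example the contents of obj/injectYou.dylib) to `misaligned_segments`; an empty list means every segment starts on a 0x4000 boundary.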