ChiChou / bagbak

Yet another frida based iOS dumpdecrypted. Also decrypts app extensions
MIT License

Decryption (砸壳) problem on the Dopamine branch #143

Open JasmineYong opened 1 month ago

JasmineYong commented 1 month ago

System version: 16.2, bagbak: 3.3.1

jasmineyoung@jasmine:~/bagbak$ DEBUG=1 ./bin/bagbak.js com.tencent.mqq --raw -f
remote root /private/var/containers/Bundle/Application/17912746-5938-4E67-B3B8-6E73652A727B/QQ.app copy to .
[info] pulling app bundle from device, please be patient
[info] downloaded 12862 files and 734 folders
[info] app bundle downloaded
mach-o info QQ.app/Frameworks/QQStartup.framework/QQStartup { path: 'QQ.app/Frameworks/QQStartup.framework/QQStartup', type: 6, encryptInfo: { offset: 16384, size: 23674880, id: 0 }, encCmdOffset: 3488 }
mach-o info QQ.app/Frameworks/QQStartupOnLogin.framework/QQStartupOnLogin { path: 'QQ.app/Frameworks/QQStartupOnLogin.framework/QQStartupOnLogin', type: 6, encryptInfo: { offset: 16384, size: 16941056, id: 0 }, encCmdOffset: 3504 }
mach-o info QQ.app/Frameworks/TXSoundTouch.framework/TXSoundTouch { path: 'QQ.app/Frameworks/TXSoundTouch.framework/TXSoundTouch', type: 6, encryptInfo: { offset: 16384, size: 16384, id: 0 }, encCmdOffset: 1328 }
mach-o info QQ.app/Frameworks/UE4.framework/UE4 { path: 'QQ.app/Frameworks/UE4.framework/UE4', type: 6, encryptInfo: { offset: 16384, size: 50577408, id: 0 }, encCmdOffset: 3104 }
mach-o info QQ.app/Frameworks/WeAppCoreSDK.framework/WeAppCoreSDK { path: 'QQ.app/Frameworks/WeAppCoreSDK.framework/WeAppCoreSDK', type: 6, encryptInfo: { offset: 16384, size: 22609920, id: 0 }, encCmdOffset: 3408 }
mach-o info QQ.app/Frameworks/andromeda.framework/andromeda { path: 'QQ.app/Frameworks/andromeda.framework/andromeda', type: 6, encryptInfo: { offset: 16384, size: 1966080, id: 0 }, encCmdOffset: 2520 }
mach-o info QQ.app/Frameworks/ilink.framework/ilink { path: 'QQ.app/Frameworks/ilink.framework/ilink', type: 6, encryptInfo: { offset: 16384, size: 8060928, id: 0 }, encCmdOffset: 2912 }
mach-o info QQ.app/PlugIns/QQBroadCast.appex/QQBroadCast { path: 'QQ.app/PlugIns/QQBroadCast.appex/QQBroadCast', type: 2, encryptInfo: { offset: 176128, size: 4096, id: 1 }, encCmdOffset: 2912 }
mach-o info QQ.app/PlugIns/QQNotificationContent.appex/QQNotificationContent { path: 'QQ.app/PlugIns/QQNotificationContent.appex/QQNotificationContent', type: 2, encryptInfo: { offset: 65536, size: 4096, id: 1 }, encCmdOffset: 3072 }
mach-o info QQ.app/PlugIns/QQNotificationService.appex/QQNotificationService { path: 'QQ.app/PlugIns/QQNotificationService.appex/QQNotificationService', type: 2, encryptInfo: { offset: 122880, size: 4096, id: 1 }, encCmdOffset: 3232 }
mach-o info QQ.app/PlugIns/QQShare.appex/QQShare { path: 'QQ.app/PlugIns/QQShare.appex/QQShare', type: 2, encryptInfo: { offset: 131072, size: 4096, id: 1 }, encCmdOffset: 2992 }
mach-o info QQ.app/PlugIns/QQWidgetExtension.appex/QQWidgetExtension { path: 'QQ.app/PlugIns/QQWidgetExtension.appex/QQWidgetExtension', type: 2, encryptInfo: { offset: 274432, size: 4096, id: 1 }, encCmdOffset: 2736 }
mach-o info QQ.app/QQ { path: 'QQ.app/QQ', type: 2, encryptInfo: { offset: 218886144, size: 4096, id: 1 }, encCmdOffset: 5472 }
encrypted binaries Map(6) {
  'com.tencent.mqq' => { dylibs: [ [Array], [Array], [Array], [Array], [Array], [Array], [Array], [Array] ], executable: 'QQ' },
  'com.tencent.mqq.BroadCast' => { dylibs: [ [Array] ], executable: 'PlugIns/QQBroadCast.appex/QQBroadCast' },
  'com.tencent.mqq.notificationContent' => { dylibs: [ [Array] ], executable: 'PlugIns/QQNotificationContent.appex/QQNotificationContent' },
  'com.tencent.mqq.notificationService' => { dylibs: [ [Array] ], executable: 'PlugIns/QQNotificationService.appex/QQNotificationService' },
  'com.tencent.mqq.ShareExtension' => { dylibs: [ [Array] ], executable: 'PlugIns/QQShare.appex/QQShare' },
  'com.tencent.mqq.qqwidgetapp' => { dylibs: [ [Array] ], executable: 'PlugIns/QQWidgetExtension.appex/QQWidgetExtension' }
}
pid => 2065
main executable => QQ.app/QQ
Failed to attach to pid 2065, skipping...
Warning: Unable to dump Frameworks/QQStartup.framework/QQStartup Frameworks/QQStartupOnLogin.framework/QQStartupOnLogin Frameworks/TXSoundTouch.framework/TXSoundTouch Frameworks/UE4.framework/UE4 Frameworks/WeAppCoreSDK.framework/WeAppCoreSDK Frameworks/andromeda.framework/andromeda Frameworks/ilink.framework/ilink QQ
node:internal/process/promises:289
          triggerUncaughtException(err, true /* fromPromise */);
          ^

Error: pids is null
    at implementation (/script1.js:116)
    at call (native)
    at f (:1) {
  fileName: '/script1.js',
  lineNumber: 116
}

Node.js v20.11.1

JasmineYong commented 1 month ago

Dopamine is the latest version, 2.0.11.

ChiChou commented 1 month ago

Use main directly; #141 already fixed it.

JasmineYong commented 1 month ago

Use main directly, #141 has already fixed it

Hi, the dump made with main also shows as not decrypted. What could be the reason?

jasmineyoung@jasmine:~$ sudo DEBUG=1 bagbak 小红书 --raw -f
[sudo] jasmineyoung 的密码:
remote root /private/var/containers/Bundle/Application/0626478C-53EF-4DD4-911C-06356BF924BD/discover.app copy to .
[info] pulling app bundle from device, please be patient
[info] downloaded 1414 files and 439 folders
[info] app bundle downloaded
mach-o info discover.app/Frameworks/A.framework/A { path: 'discover.app/Frameworks/A.framework/A', type: 6, encryptInfo: { offset: 16384, size: 16384, id: 0 }, encCmdOffset: 2824 }
mach-o info discover.app/Frameworks/KasaSDK.framework/KasaSDK { path: 'discover.app/Frameworks/KasaSDK.framework/KasaSDK', type: 6, encryptInfo: { offset: 16384, size: 5816320, id: 0 }, encCmdOffset: 3080 }
mach-o info discover.app/Frameworks/TXFFmpeg.framework/TXFFmpeg { path: 'discover.app/Frameworks/TXFFmpeg.framework/TXFFmpeg', type: 6, encryptInfo: { offset: 16384, size: 3145728, id: 0 }, encCmdOffset: 1560 }
mach-o info discover.app/Frameworks/TXSoundTouch.framework/TXSoundTouch { path: 'discover.app/Frameworks/TXSoundTouch.framework/TXSoundTouch', type: 6, encryptInfo: { offset: 16384, size: 32768, id: 0 }, encCmdOffset: 1408 }
mach-o info discover.app/Frameworks/Tquic.framework/Tquic { path: 'discover.app/Frameworks/Tquic.framework/Tquic', type: 6, encryptInfo: { offset: 16384, size: 2048000, id: 0 }, encCmdOffset: 2672 }
mach-o info discover.app/PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension { path: 'discover.app/PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension', type: 2, encryptInfo: { offset: 385024, size: 4096, id: 1 }, encCmdOffset: 3240 }
mach-o info discover.app/PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension { path: 'discover.app/PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension', type: 2, encryptInfo: { offset: 282624, size: 4096, id: 1 }, encCmdOffset: 2840 }
mach-o info discover.app/PlugIns/ShareExtension.appex/ShareExtension { path: 'discover.app/PlugIns/ShareExtension.appex/ShareExtension', type: 2, encryptInfo: { offset: 28672, size: 4096, id: 1 }, encCmdOffset: 2680 }
mach-o info discover.app/PlugIns/Siri.appex/Siri { path: 'discover.app/PlugIns/Siri.appex/Siri', type: 2, encryptInfo: { offset: 16384, size: 4096, id: 1 }, encCmdOffset: 2280 }
mach-o info discover.app/PlugIns/TodayExtension.appex/TodayExtension { path: 'discover.app/PlugIns/TodayExtension.appex/TodayExtension', type: 2, encryptInfo: { offset: 36864, size: 4096, id: 1 }, encCmdOffset: 2920 }
mach-o info discover.app/PlugIns/WidgetExtension.appex/WidgetExtension { path: 'discover.app/PlugIns/WidgetExtension.appex/WidgetExtension', type: 2, encryptInfo: { offset: 569344, size: 4096, id: 1 }, encCmdOffset: 4016 }
mach-o info discover.app/discover { path: 'discover.app/discover', type: 2, encryptInfo: { offset: 856064, size: 4096, id: 1 }, encCmdOffset: 5552 }
encrypted binaries Map(7) {
  'com.xingin.discover' => { dylibs: [ [Array], [Array], [Array], [Array], [Array], [Array] ], executable: 'discover' },
  'com.xingin.discover.BroadcastUploadExtension' => { dylibs: [ [Array] ], executable: 'PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension' },
  'com.xingin.discover.NotificationServiceExtension' => { dylibs: [ [Array] ], executable: 'PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension' },
  'com.xingin.discover.ShareExtension' => { dylibs: [ [Array] ], executable: 'PlugIns/ShareExtension.appex/ShareExtension' },
  'com.xingin.discover.Siri' => { dylibs: [ [Array] ], executable: 'PlugIns/Siri.appex/Siri' },
  'com.xingin.discover.TodayExtension' => { dylibs: [ [Array] ], executable: 'PlugIns/TodayExtension.appex/TodayExtension' },
  'com.xingin.discover.Widget' => { dylibs: [ [Array] ], executable: 'PlugIns/WidgetExtension.appex/WidgetExtension' }
}
pid => 5530
main executable => discover.app/discover
Failed to attach to pid 5530, skipping...
Warning: Unable to dump Frameworks/A.framework/A Frameworks/KasaSDK.framework/KasaSDK Frameworks/TXFFmpeg.framework/TXFFmpeg Frameworks/TXSoundTouch.framework/TXSoundTouch Frameworks/Tquic.framework/Tquic discover
pid => 5531
main executable => discover.app/PlugIns/ShareExtension.appex/ShareExtension
msg { type: 'send', payload: { event: 'begin', name: 'PlugIns/ShareExtension.appex/ShareExtension', fatOffset: 0 } } null
[decrypt] PlugIns/ShareExtension.appex/ShareExtension
patch >> discover.app/PlugIns/ShareExtension.appex/ShareExtension
[script log] info module => ShareExtension 0x100354000 49152
[script log] info encrypted => 28672 4096
msg { type: 'send', payload: { event: 'trunk', fileOffset: 28672, name: 'PlugIns/ShareExtension.appex/ShareExtension' } } <Buffer 80 c2 00 91 61 1a 40 f9 02 01 80 52 fd 7b 41 a9 f4 4f c2 a8 ff 01 00 14 f4 4f be a9 fd 7b 01 a9 fd 43 00 91 f3 03 00 aa 00 18 40 f9 01 01 80 52 fb 01 ... 4046 more bytes>
msg { type: 'send', payload: { event: 'trunk', fileOffset: 2688, name: 'PlugIns/ShareExtension.appex/ShareExtension' } } <Buffer 00 00 00 00 00 00 00 00 00 00 00 00>
msg { type: 'send', payload: { event: 'end', name: 'PlugIns/ShareExtension.appex/ShareExtension' } } null
result => ok
session detached application-requested null
pid => 5532
main executable => discover.app/PlugIns/Siri.appex/Siri
msg { type: 'send', payload: { event: 'begin', name: 'PlugIns/Siri.appex/Siri', fatOffset: 0 } } null
[decrypt] PlugIns/Siri.appex/Siri
patch >> discover.app/PlugIns/Siri.appex/Siri
[script log] info module => Siri 0x100b18000 32768
[script log] info encrypted => 16384 4096
msg { type: 'send', payload: { event: 'trunk', fileOffset: 16384, name: 'PlugIns/Siri.appex/Siri' } } <Buffer c0 03 5f d6 f6 57 bd a9 f4 4f 01 a9 fd 7b 02 a9 fd 83 00 91 e0 03 03 aa f4 03 02 aa 43 00 00 94 f3 03 00 aa e0 03 14 aa 73 00 00 94 fd 03 1d aa 41 00 ... 4046 more bytes>
msg { type: 'send', payload: { event: 'trunk', fileOffset: 2288, name: 'PlugIns/Siri.appex/Siri' } } <Buffer 00 00 00 00 00 00 00 00 00 00 00 00>
msg { type: 'send', payload: { event: 'end', name: 'PlugIns/Siri.appex/Siri' } } null
result => ok
session detached application-requested null
pid => 5533
main executable => discover.app/PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension
msg { type: 'send', payload: { event: 'begin', name: 'PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension', fatOffset: 0 } } null
[decrypt] PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension
patch >> discover.app/PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension
[script log] info module => BroadcastUploadExtension 0x104bcc000 491520
[script log] info encrypted => 385024 4096
msg { type: 'send', payload: { event: 'trunk', fileOffset: 385024, name: 'PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension' } } <Buffer e8 00 00 90 08 21 15 91 14 79 74 f8 03 00 00 14 f4 00 00 90 94 02 1a 91 e0 03 14 aa bc 09 00 94 40 06 00 b4 48 01 00 d0 15 e1 47 f9 e0 03 13 aa df 08 ... 4046 more bytes>
msg { type: 'send', payload: { event: 'trunk', fileOffset: 3248, name: 'PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension' } } <Buffer 00 00 00 00 00 00 00 00 00 00 00 00>
msg { type: 'send', payload: { event: 'end', name: 'PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension' } } null
result => ok
session detached application-requested null
pid => 5534
main executable => discover.app/PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension
msg { type: 'send', payload: { event: 'begin', name: 'PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension', fatOffset: 0 } } null
[decrypt] PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension
patch >> discover.app/PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension
[script log] info module => NotificationServiceExtension 0x102794000 409600
[script log] info encrypted => 282624 4096
msg { type: 'send', payload: { event: 'trunk', fileOffset: 282624, name: 'PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension' } } <Buffer 28 20 40 f9 69 06 40 f9 29 19 40 b9 15 01 09 8b a0 fe df c8 40 03 00 b5 e0 03 13 aa bd 01 00 94 b4 fe 5f c8 d4 00 00 b5 a0 fe 08 c8 a8 ff ff 35 28 00 ... 4046 more bytes>
msg { type: 'send', payload: { event: 'trunk', fileOffset: 2848, name: 'PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension' } } <Buffer 00 00 00 00 00 00 00 00 00 00 00 00>
msg { type: 'send', payload: { event: 'end', name: 'PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension' } } null
result => ok
session detached application-requested null
pid => 5535
main executable => discover.app/PlugIns/TodayExtension.appex/TodayExtension
Failed to attach to pid 5535, skipping...
Warning: Unable to dump PlugIns/TodayExtension.appex/TodayExtension
pid => 5542
main executable => discover.app/PlugIns/WidgetExtension.appex/WidgetExtension
msg { type: 'send', payload: { event: 'begin', name: 'PlugIns/WidgetExtension.appex/WidgetExtension', fatOffset: 0 } } null
[decrypt] PlugIns/WidgetExtension.appex/WidgetExtension
patch >> discover.app/PlugIns/WidgetExtension.appex/WidgetExtension
[script log] info module => WidgetExtension 0x1025dc000 704512
[script log] info encrypted => 569344 4096
msg { type: 'send', payload: { event: 'trunk', fileOffset: 569344, name: 'PlugIns/WidgetExtension.appex/WidgetExtension' } } <Buffer 10 aa 44 f9 00 02 1f d6 10 01 00 b0 10 ae 44 f9 00 02 1f d6 10 01 00 b0 10 b2 44 f9 00 02 1f d6 10 01 00 b0 10 ba 44 f9 00 02 1f d6 10 01 00 b0 10 be ... 4046 more bytes>
msg { type: 'send', payload: { event: 'trunk', fileOffset: 4024, name: 'PlugIns/WidgetExtension.appex/WidgetExtension' } } <Buffer 00 00 00 00 00 00 00 00 00 00 00 00>
msg { type: 'send', payload: { event: 'end', name: 'PlugIns/WidgetExtension.appex/WidgetExtension' } } null
result => ok
session detached application-requested null
Saved to discover.app

JasmineYong commented 1 month ago

On the Mac it shows that the dump failed. (Screenshot: 截屏2024-03-13 09 39 09)

Vincent-520 commented 1 month ago

Same problem as yours: everything looks normal while dumping, but the result is actually not decrypted.
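Whether a dumped binary counts as "decrypted" comes down to one field, cryptid, in the LC_ENCRYPTION_INFO(_64) load command; in the debug output above it is the `id` inside `encryptInfo`, and the 12 zero bytes bagbak writes at `encCmdOffset + 8` line up with that command's cryptoff, cryptsize and cryptid. The Node script below is an added example, not bagbak's own code: it walks the load commands of a thin little-endian Mach-O, reports the same fields, and lets you verify a dump instead of trusting "result => ok". The sample header is constructed (an arm64 MH_EXECUTE with a single LC_ENCRYPTION_INFO_64); fat binaries are assumed to have been split into slices first.

```javascript
const MH_MAGIC_64 = 0xfeedfacf;
const MH_MAGIC = 0xfeedface;
const LC_ENCRYPTION_INFO = 0x21;     // 32-bit variant, cmdsize 20
const LC_ENCRYPTION_INFO_64 = 0x2c;  // 64-bit variant, cmdsize 24

// Walk the load commands of a thin little-endian Mach-O and return the first
// encryption command as { offset, size, id, encCmdOffset } (the same fields
// bagbak prints as "mach-o info"), or null if the binary has none.
function encryptionInfo(buf) {
  if (buf.length < 28) throw new Error('too short to be a Mach-O');
  const magic = buf.readUInt32LE(0);
  if (magic !== MH_MAGIC_64 && magic !== MH_MAGIC) {
    throw new Error('not a thin little-endian Mach-O (split fat slices first)');
  }
  const headerSize = magic === MH_MAGIC_64 ? 32 : 28;
  const ncmds = buf.readUInt32LE(16);
  const end = headerSize + buf.readUInt32LE(20); // sizeofcmds
  let off = headerSize;
  for (let i = 0; i < ncmds && off + 8 <= end; i++) {
    const cmd = buf.readUInt32LE(off);
    const cmdsize = buf.readUInt32LE(off + 4);
    if (cmdsize < 8 || off + cmdsize > buf.length) throw new Error('corrupt load command');
    if (cmd === LC_ENCRYPTION_INFO || cmd === LC_ENCRYPTION_INFO_64) {
      return {
        offset: buf.readUInt32LE(off + 8),   // cryptoff: file offset of the encrypted range
        size: buf.readUInt32LE(off + 12),    // cryptsize: length of that range
        id: buf.readUInt32LE(off + 16),      // cryptid: 1 = still encrypted, 0 = clear
        encCmdOffset: off,                   // where the command itself sits in the file
      };
    }
    off += cmdsize;
  }
  return null;
}

// A dump that "looks normal" is still encrypted whenever cryptid is nonzero.
function isDecrypted(buf) {
  const info = encryptionInfo(buf);
  return info === null || info.id === 0;
}

// Constructed sample (not a real app): minimal arm64 MH_EXECUTE header with one
// LC_ENCRYPTION_INFO_64 covering a single 4096-byte page at file offset 16384.
function sampleMachO(cryptid) {
  const buf = Buffer.alloc(32 + 24);
  const words = [MH_MAGIC_64, 0x0100000c, 0, 2, 1, 24, 0, 0,          // mach_header_64
                 LC_ENCRYPTION_INFO_64, 24, 16384, 4096, cryptid, 0]; // encryption_info_command_64
  words.forEach((w, i) => buf.writeUInt32LE(w, i * 4));
  return buf;
}
```

To check a real dump, read the file with `fs.readFileSync` and pass the Buffer to `isDecrypted`; a `false` result on a binary that bagbak reported as saved is the symptom described in this thread.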

miticollo commented 1 month ago

Describe the bug

After spawning, frida can't attach to it. The following line fails: https://github.com/ChiChou/bagbak/blob/bab0de94ab0479424fff63899b365229244c1cdc/index.js#L158 and https://github.com/ChiChou/bagbak/blob/bab0de94ab0479424fff63899b365229244c1cdc/index.js#L160 throws the following exception:

[Error: Module not found at "/usr/lib/libSystem.B.dylib"]

Full output

To Reproduce

$ export SSH_USERNAME='mobile'                 
$ export SSH_PASSWORD='alpine'
$ export SSH_PORT=22          
$ export DEBUG_SCP=1
$ npx -- bagbak --abort-on-error -U -d 'com.spotify.client'

Desktop:

ChiChou commented 1 month ago

@miticollo thanks a lot for the detail. It looks like Frida doesn't work in that environment; can you try attaching to anything with its native Python command?

miticollo commented 1 month ago

Attaching works. Indeed, my frida-ios-dump fork works and correctly decrypts the app (only the main executable, not plugins). But it implicitly uses spawn from the Frida Python API. In particular it extends the ConsoleApplication class like all frida-tools do.

ChiChou commented 1 month ago

@miticollo It's definitely a frida bug.

https://github.com/frida/frida-core/blob/41b87c1d476b66eef7d73368af96ec62692c0cf9/src/darwin/frida-helper-backend-glue.m#L1914

https://github.com/frida/frida-gum/blob/57c89fc71de6c0042785f8fd6cdf4c0e6b027957/gum/backend-darwin/gumprocess-darwin.c#L361

On Apple Silicon macOS, install WhatsApp from the Mac App Store and run frida WhatsApp; you see the same error. I've spent some hours on it but still have no clue why it only happens to certain targets.

miticollo commented 1 month ago

Thank you for your report! But I don't understand one thing. Why doesn't it happen using Python? bagbak spawns the mainExecutable correctly, then attaching fails. My fork spawns the mainExecutable using the Frida Python API, then attaching doesn't fail. Both projects use the Frida API to perform the attach (one for NodeJS and the other for Python). Maybe I'm wrong, but is it possible that when bagbak spawns the mainExecutable using an XPC message something goes wrong? Does spawning an app and then attaching to it using the Frida NodeJS API work?

ChiChou commented 1 month ago

But I don't understand one thing. Why doesn't it happen using Python?

The test case I mentioned on macOS is the original Frida Python CLI.

miticollo commented 1 month ago

You are right! After sending my previous message I realized it. Anyway, I tried to downgrade frida-server on iOS up to 16.0.11, but nothing.