FrenchYeti / interruptor

Human-friendly cross-platform system call tracing and hooking library based on Frida's Stalker

R2Pay crashes on arm64 with "Bad access due to invalid address" #1

Open enovella opened 2 years ago

enovella commented 2 years ago

It seems this crash is not produced by the RASP inside R2pay:

[14:30 edu@xps radare2]  (master)>  frida --codeshare FrenchYeti/android-arm64-strace -H 127.0.0.1:27042 -f re.pwnme --no-pause
     ____
    / _  |   Frida 15.1.14 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `re.pwnme`. Resuming main thread!
[Remote::re.pwnme]-> [STARTING TRACE] UID=0 Thread 14474
Process crashed: Bad access due to invalid address

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/walleye/walleye:11/RP1A.200720.009/6720564:user/release-keys'
Revision: 'MP1'
ABI: 'arm64'
Timestamp: 2022-01-24 08:30:41-0500
pid: 14474, tid: 14474, name: re.pwnme  >>> re.pwnme <<<
uid: 10250
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x1f03e036000074
    x0  0000007c520841a4  x1  0000007c36a3c658  x2  0000007bf23b3970  x3  0000000000000001
    x4  0000007bf23b70f4  x5  0000000000000000  x6  0000000000000040  x7  7f7f7f7f7f7f7f7f
    x8  0000007ee78eb000  x9  0000007c523f8000  x10 0000007b00000007  x11 0000000000000001
    x12 0000000001120197  x13 0000007c50a5e09c  x14 0000007c522bd998  x15 0000007c522bd998
    x16 0000000000000001  x17 0000000000000000  x18 0000000000000000  x19 0000007c36a3c658
    x20 2a1f03e036000074  x21 2a1f03e036000060  x22 0000007dc2411be0  x23 0000007c520841a4
    x24 0000007d32411160  x25 0000000000000004  x26 0000007ee78eb000  x27 0000007fdec4dac8
    x28 0000000000000139  x29 0000007fdec4d4b0
    lr  0000007c520841a4  sp  0000007fdec4d470  pc  0000007c36a3cae8  pst 0000000080000000
backtrace:
      #00 pc 000000000001cae8  <anonymous:7c36a20000>
      #01 pc 00000000003411a0  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x341000) (art::jit::Jit::MaybeDoOnStackReplacement(art::Thread*, art::ArtMethod*, unsigned int, int, art::JValue*)+112) (BuildId: d0f321775158ed00df284edfabf672b6)
      #02 pc 00000000003411a0  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x341000) (art::jit::Jit::MaybeDoOnStackReplacement(art::Thread*, art::ArtMethod*, unsigned int, int, art::JValue*)+112) (BuildId: d0f321775158ed00df284edfabf672b6)
      #03 pc 0000000000172b88  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x16a000) (void art::interpreter::ExecuteSwitchImplCpp<true, false>(art::interpreter::SwitchImplContext*)+35408) (BuildId: d0f321775158ed00df284edfabf672b6)
      #04 pc 000000000013f7d8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x13f000) (ExecuteSwitchImplAsm+8) (BuildId: d0f321775158ed00df284edfabf672b6)
      #05 pc 00000000001a22e8  /system/framework/framework.jar (android.app.ActivityThread.updateDefaultDensity)
      #06 pc 00000000003095d8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x309000) (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.7618685802058321727)+528) (BuildId: d0f321775158ed00df284edfabf672b6)
      #07 pc 0000000000311840  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x311000) (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+200) (BuildId: d0f321775158ed00df284edfabf672b6)
      #08 pc 0000000000313b5c  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x311000) (bool art::interpreter::DoCall<true, true>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+1692) (BuildId: d0f321775158ed00df284edfabf672b6)
      #09 pc 00000000001755f8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x16a000) (void art::interpreter::ExecuteSwitchImplCpp<true, false>(art::interpreter::SwitchImplContext*)+46272) (BuildId: d0f321775158ed00df284edfabf672b6)
      #10 pc 000000000013f7d8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x13f000) (ExecuteSwitchImplAsm+8) (BuildId: d0f321775158ed00df284edfabf672b6)
      #11 pc 000000000019dacc  /system/framework/framework.jar (android.app.ActivityThread.handleBindApplication)
      #12 pc 00000000003095d8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x309000) (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.7618685802058321727)+528) (BuildId: d0f321775158ed00df284edfabf672b6)
      #13 pc 00000000006740c0  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x674000) (artQuickToInterpreterBridge+776) (BuildId: d0f321775158ed00df284edfabf672b6)
      #14 pc 000000000013cff8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x13c000) (art_quick_to_interpreter_bridge+88) (BuildId: d0f321775158ed00df284edfabf672b6)
      #15 pc 0000000000133564  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x133000) (art_quick_invoke_stub+548) (BuildId: d0f321775158ed00df284edfabf672b6)
      #16 pc 00000000001a97e8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x1a9000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+200) (BuildId: d0f321775158ed00df284edfabf672b6)
      #17 pc 000000000055b830  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x480000) (art::JValue art::InvokeWithVarArgs<art::ArtMethod*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, art::ArtMethod*, std::__va_list)+448) (BuildId: d0f321775158ed00df284edfabf672b6)
      #18 pc 000000000055bcf4  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x480000) (art::JValue art::InvokeWithVarArgs<_jmethodID*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+92) (BuildId: d0f321775158ed00df284edfabf672b6)
      #19 pc 0000000000427560  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x394000) (art::JNI<true>::CallNonvirtualVoidMethodV(_JNIEnv*, _jobject*, _jclass*, _jmethodID*, std::__va_list)+656) (BuildId: d0f321775158ed00df284edfabf672b6)
      #20 pc 000000000037ded8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x367000) (art::(anonymous namespace)::CheckJNI::CallMethodV(char const*, _JNIEnv*, _jobject*, _jclass*, _jmethodID*, std::__va_list, art::Primitive::Type, art::InvokeType)+2576) (BuildId: d0f321775158ed00df284edfabf672b6)
      #21 pc 000000000036c9e8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x367000) (art::(anonymous namespace)::CheckJNI::CallNonvirtualVoidMethod(_JNIEnv*, _jobject*, _jclass*, _jmethodID*, ...)+144) (BuildId: d0f321775158ed00df284edfabf672b6)
      #22 pc 0000000000002b94  /dev/re.frida.helper/frida-server-64.so (offset 0x740000)
***
[Remote::re.pwnme]->

Thank you for using Frida!
[14:30 edu@xps radare2]  (master)>

FrenchYeti commented 2 years ago

Yes, I tested and I had the same issue. I didn't start to search for the cause, but r2pay results are better when tracing starts when libnative is loading or when the app has started.

It will trace all (but not follow fork/clone/... yet) when the app is loaded:

Java.perform(()=> {

    Interruptor
        .newAgentTracer({
            exclude: {
                syscalls: ["clock_gettime"]
            }
        })
        .start();

});

It is also possible to do that:

Interruptor
    .newAgentTracer({
        exclude: {
            syscalls: ["clock_gettime"]
        }
    })
    .startOnLoad(/libnative-lib/g);

apkunpacker commented 2 years ago

For me:

$ frida -H 127.0.0.1:1234 -f re.pwnme --codeshare FrenchYeti/android-arm64-strace --no-pause
     ____
    / _  |   Frida 15.1.14 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .   More info at https://frida.re/docs/home/
Spawned `re.pwnme`. Resuming main thread!
[Remote::re.pwnme]-> [STARTING TRACE] UID=0 Thread 31147
[/apex/com.android.runtime/lib64/bionic/libc.so +0xa74]   SVC :: 0x42   writev (  fd = 2  undefined   , const struct iovec *vec = 0x7fde3bc1b8 , unsigned long vlen = 0x2  )    > 0x2e
[/apex/com.android.runtime/lib64/bionic/libc.so +0x614]   SVC :: 0xc6   socket (  int = 0x1 , int = 0x80802 , int = 0x0  )    > 0x3e
[/apex/com.android.runtime/lib64/bionic/libc.so +0x2f4]   SVC :: 0xcb   connect (  int = 0x3e , struct sockaddr * = 0x7fde3bc0c0 , int = 0x6e  )    > 0x0
[/apex/com.android.runtime/lib64/bionic/libc.so +0xa74]   SVC :: 0x42   writev (  fd = 62  undefined   , const struct iovec *vec = 0x7fde3bc0c0 , unsigned long vlen = 0x6  )    > 0x3f
[/apex/com.android.runtime/lib64/bionic/libc.so +0x3bc]   SVC :: 0x39   close (  fd = 62  undefined    )    > 0x0
[/apex/com.android.runtime/lib64/bionic/libc.so +0xf94]   SVC :: 0xde   mmap (  start_addr = 0x0 , size = 0x46 , prot = PROT_READ | PROT_WRITE , flags = MAP_PRIVATE | MAP_ANONYMOUS , fd = -1 IGNORED   offset = 0x0  )    > 0x7916e39000
[/apex/com.android.runtime/lib64/bionic/libc.so +0xd4]   SVC :: 0xa7   prctl (  opt = PR_SET_VMA , unsigned long arg2 = 0x0 , unsigned long arg3 = 0x7916e39000 , unsigned long arg4 = 0x46 , unsigned long arg5 = 0x79168638da  )    > 0x0
[/apex/com.android.runtime/lib64/bionic/libc.so +0x554]   SVC :: 0x87   rt_sigprocmask (  int how = 0x2 , sigset_t *set = 0x7fde3bc5a0 , sigset_t *oset = 0x0 , size_t sigsetsize = 0x8  )    > 0x0
[/apex/com.android.runtime/lib64/bionic/libc.so +0x3bc]   SVC :: 0xac   getpid (  )    > 0x79ab
[/apex/com.android.runtime/lib64/bionic/libc.so +0x3bc]   SVC :: 0xb2   gettid (  )    > 0x79ab
[/apex/com.android.runtime/lib64/bionic/libc.so +0xcd4]   SVC :: 0xae   getuid (  )    > 0x28d2
Process terminated
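The trace lines above, parsed into structured records so they can be counted and cross-checked against the arm64 syscall numbers. This is an added example, not code from the Interruptor project; the line layout, the regular expression and the syscall-table subset are assumptions taken from the output in this thread.

```javascript
// Parser for the Interruptor trace lines shown above. Added example, not code from
// the Interruptor project; the line layout and the syscall-table subset are assumed
// from the output in this thread:
//   [<module> +<offset>]   SVC :: <nr>   <name> ( <args> )    > <ret>
const LINE_RE =
  /^\[(\S+) \+(0x[0-9a-fA-F]+)\]\s+SVC :: (0x[0-9a-fA-F]+)\s+(\w+) \((.*)\)\s+> (-?0x[0-9a-fA-F]+)\s*$/;

// Subset of the AArch64 Linux syscall table, used to cross-check the name the tracer
// printed against the SVC number it captured (a mismatch points at a tracer/table bug).
const ARM64_SYSCALLS = {
  57: 'close', 66: 'writev', 135: 'rt_sigprocmask', 167: 'prctl', 172: 'getpid',
  174: 'getuid', 178: 'gettid', 198: 'socket', 203: 'connect', 222: 'mmap',
};

// Constructed sample: four lines copied from the trace output in this thread.
const SAMPLE = [
  '[/apex/com.android.runtime/lib64/bionic/libc.so +0xa74]   SVC :: 0x42   writev (  fd = 2  undefined   , const struct iovec *vec = 0x7fde3bc1b8 , unsigned long vlen = 0x2  )    > 0x2e',
  '[/apex/com.android.runtime/lib64/bionic/libc.so +0x614]   SVC :: 0xc6   socket (  int = 0x1 , int = 0x80802 , int = 0x0  )    > 0x3e',
  '[/apex/com.android.runtime/lib64/bionic/libc.so +0x3bc]   SVC :: 0x39   close (  fd = 62  undefined    )    > 0x0',
  '[/apex/com.android.runtime/lib64/bionic/libc.so +0x3bc]   SVC :: 0xac   getpid (  )    > 0x79ab',
];

// One trace line -> { modulePath, offset, nr, name, args, ret }, or null if it does
// not match (e.g. the "[STARTING TRACE]" banner or "Process terminated").
function parseTraceLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, modulePath, offset, nr, name, rawArgs, ret] = m;
  // Arguments are comma separated; struct/pointer arguments appear as hex addresses.
  const args = rawArgs.split(',').map((a) => a.trim()).filter((a) => a.length > 0);
  return { modulePath, offset: parseInt(offset, 16), nr: parseInt(nr, 16), name, args, ret: parseInt(ret, 16) };
}

// Counts calls per syscall, records lines that did not parse, and flags records whose
// printed name disagrees with the AArch64 table entry for the captured SVC number.
function summarize(lines) {
  const out = { counts: {}, unparsed: 0, mismatches: [] };
  for (const line of lines) {
    const rec = parseTraceLine(line);
    if (rec === null) { out.unparsed += 1; continue; }
    out.counts[rec.name] = (out.counts[rec.name] || 0) + 1;
    const expected = ARM64_SYSCALLS[rec.nr];
    if (expected !== undefined && expected !== rec.name) {
      out.mismatches.push({ nr: rec.nr, printed: rec.name, expected });
    }
  }
  return out;
}
console.log(JSON.stringify(summarize(SAMPLE), null, 2));
```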
FrenchYeti commented 2 years ago

Ok, in my case I don't use "--no-pause"

apkunpacker commented 2 years ago

> Ok, in my case I don't use "--no-pause"

Maybe because I removed those RootBeer checks from the APK manually.