search

KJCracks / Clutch

Fast iOS executable dumper
3.7k stars 647 forks source link

How to resolve the "Symbol not found" issue? #132

Open Thireus opened 8 years ago

Thireus commented 8 years ago

Hi,

I'm trying to decrypt Twitter, but some Framework binaries fail to decrypt because some symbols are not found. As a result, the decrypted IPA can't be launched (fails with "TFNUI: mremap_encrypted() => -1, errno=1"). I was wondering if there's a way to specify these missing symbols somehow so that clutch can decrypt the binaries.

Here's the log dump:

# clutch -d com.atebits.Tweetie2
Zipping Twitter.app
ASLR slide: 0x1000a0000
Dumping <Twitter> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
ASLR slide: 0x1000c8000
Dumping <ShareExtension> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
ASLR slide: 0x10006c000
Dumping <Twitter WatchKit Extension> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Dumping <TFSScribe> arm64
Successfully dumped framework!
Success! Child exited with status 0
Dumping <AgileBits> arm64
Dumping <TwitterMotionGraphics> arm64
Error: Failed to dlopen /private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFSTwitterCore.framework/TFSTwitterCore dlopen(/private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFSTwitterCore.framework/TFSTwitterCore, 1): Symbol not found: _OBJC_CLASS_$_TFSAPIMultipartFormData
  Referenced from: /private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFSTwitterCore.framework/TFSTwitterCore
  Expected in: flat namespace
 in /private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFSTwitterCore.framework/TFSTwitterCore

Success! Child exited with status 65280
Successfully dumped framework!
Success! Child exited with status 0
Dumping <TwitterLoggingService> arm64
Successfully dumped framework!
Success! Child exited with status 0
Dumping <TFSFeatureSwitches> arm64
Successfully dumped framework!
Success! Child exited with status 0
Dumping <TwitterNetworkLayer> arm64
Successfully dumped framework!
Success! Child exited with status 0
Dumping <TFSLocalizedResources> arm64
Dumping <TFNDesignableViews> arm64
Successfully dumped framework!
Success! Child exited with status 0
Dumping <TZStackView> arm64
Dumping <TFSUtilities> arm64
Dumping <TwitterExtensionKit> arm64
Dumping <TwitterWatchServicesKit> arm64
Successfully dumped framework!
Success! Child exited with status 0
Successfully dumped framework!
Success! Child exited with status 0
Successfully dumped framework!
Success! Child exited with status 0
Successfully dumped framework!
Success! Child exited with status 0
Successfully dumped framework!
Success! Child exited with status 0
Dumping <TwitterWatchUI> arm64
Successfully dumped framework!
Success! Child exited with status 0
Successfully dumped framework!
Success! Child exited with status 0
Error: Failed to dlopen /private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFNUI.framework/TFNUI dlopen(/private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFNUI.framework/TFNUI, 1): Symbol not found: _OBJC_CLASS_$_Crashlytics
  Referenced from: /private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFNUI.framework/TFNUI
  Expected in: flat namespace
 in /private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFNUI.framework/TFNUI

Success! Child exited with status 65280
Zipping AgileBits.framework
Zipping T1Twitter.framework
2016-06-11 04:47:31.980 clutch[9563:24397] just setting up my twttr
2016-06-11 04:47:31.995 clutch[9563:24397] T1AppDelegate load
Dumping <T1Twitter> arm64
Zipping TFNDesignableViews.framework
Zipping TFNUI.framework
Zipping TFSFeatureSwitches.framework
Zipping TFSLocalizedResources.framework
Zipping TFSScribe.framework
Zipping TFSTwitterCore.framework
Zipping TFSUtilities.framework
Zipping TZStackView.framework
Zipping TwitterExtensionKit.framework
Zipping TwitterLoggingService.framework
Zipping TwitterMotionGraphics.framework
Zipping TwitterNetworkLayer.framework
Zipping TwitterWatchServicesKit.framework
Zipping TwitterWatchUI.framework
Zipping ShareExtension.appex
Zipping Twitter WatchKit Extension.appex
Successfully dumped framework!
Success! Child exited with status 0
DONE: /private/var/mobile/Documents/Dumped/com.atebits.Tweetie2-iOS8.0-(Clutch-2.0.2).ipa

The two issues are:

Error: Failed to dlopen /private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFSTwitterCore.framework/TFSTwitterCore dlopen(/private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFSTwitterCore.framework/TFSTwitterCore, 1): Symbol not found: _OBJC_CLASS_$_TFSAPIMultipartFormData
  Referenced from: /private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFSTwitterCore.framework/TFSTwitterCore
  Expected in: flat namespace
 in /private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFSTwitterCore.framework/TFSTwitterCore

and

Error: Failed to dlopen /private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFNUI.framework/TFNUI dlopen(/private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFNUI.framework/TFNUI, 1): Symbol not found: _OBJC_CLASS_$_Crashlytics
  Referenced from: /private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFNUI.framework/TFNUI
  Expected in: flat namespace
 in /private/var/mobile/Containers/Bundle/Application/0A596D15-B8F2-445E-869F-672C60362FE0/Twitter.app/Frameworks/TFNUI.framework/TFNUI

Thanks.

Tatsh commented 8 years ago

Same error here. I wonder if it is corrupted load commands. If they are ignored and stripped out, the app will still fail to start.

Seems like TFSTwitterCore and TFNUI have dependencies, so they cannot be loaded standalone. This might be a bug on Twitter's part as frameworks are not supposed to require dependencies, but since this is Twitter's frameworks altogether, I am not surprised.

Clutch really should fail and delete the zip. It is acting like it was a successful dump.

ttwj commented 8 years ago

I made some slight fixes that should halt the cracking process if the framework dump encountered some errors. To properly solve this issue, I think we'll dlopen all frameworks in the child dumper before dumping each framework

taoeffect commented 8 years ago

Very curious to see this issue solved as well.

taoeffect commented 8 years ago

Have you considered integrating this project with Bountysource? I would be happy to post a bounty to see this resolved, and am also curious as to whether anyone has been able to successfully dump a recent version of Twitter for iOS.

taoeffect commented 8 years ago

Would be willing to pay $100 in Bitcoin for a successful decrypted .ipa dump of the latest version of iOS Twitter if you can do it by September 13th, 2016, plus an extra $10 if it's done by fixing this issue with a PR, and an extra $10 if done by the 10th.

After September 13th, happy to just leave a $20 bounty for closing this issue.

Tatsh commented 8 years ago

Bountysource is dead. Please stop referring to paying money to solve this bug.

taoeffect commented 8 years ago

Bountysource is dead.

How so? Seems to be quite alive from what I see.