NorthwaveSecurity / fridax

Fridax enables you to read variables and intercept/hook functions in Xamarin/Mono JIT and AOT compiled iOS/Android applications.

Can't find mono runtime #17

Open alexdetrano opened 3 years ago

alexdetrano commented 3 years ago

I'm trying to hook a Xamarin-based iOS app and am getting the following error:

~/t/s/s/f/fridax > ./fridax.js inject --device usb --scripts scripts/aot_modify_class_function_argument.js
[*] Awaiting storage initialization.
[*] Awaiting USB device.
[*] Up and running on iPhone.
? Which application do you want to inject? XXXXX
[*] Happy hacking.
[*] Attached to application (session: 74911).
[*] Injected a test script (this runs from within the injected application)!
Error: Can't find Mono runtime!
    at <anonymous> (vendors/frida-mono-api/mono-module.js:33)
    at call (native)
    at o (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (vendors/frida-mono-api/mono-api.js:2)
    at call (native)
    at o (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (vendors/frida-mono-api/index.js:1)
    at call (native)
    at o (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (scripts/aot_modify_class_function_argument.js:1)
    at call (native)
    at o (node_modules/browser-pack/_prelude.js:1)
    at r (node_modules/browser-pack/_prelude.js:1)
    at <eval> (/script2.js:1246)

I've looked at https://github.com/NorthwaveSecurity/fridax/issues/1 and the issue was fixed but I'm still having the issue. I've tried poking around but am just getting started with frida. Things I've tried:

but nothing shows up. Is there anything else I can do to troubleshoot the issue? Sadly I can't share the ipa.

omareltf commented 3 years ago

I have the same problem on iOS with a different file.

I have executed grep on the Application folder and this is the result:

grep -ir "mono"
Binary file System.aotdata.arm64 matches
Binary file Seling.Mobile.dll matches
_CodeSignature/CodeResources: Mono.Security.aotdata.arm64
_CodeSignature/CodeResources: Mono.Security.dll
_CodeSignature/CodeResources: Mono.Security.aotdata.arm64
_CodeSignature/CodeResources: Mono.Security.dll
Binary file APPNAME.iOS matches
Binary file Mono.Security.aotdata.arm64 matches
Binary file zxing.portable.dll matches
Binary file System.Core.dll matches
Binary file mscorlib.dll matches
Binary file Xamarin.iOS.dll matches
Binary file Xamarin.Forms.Platform.iOS.dll matches
Binary file Mono.Security.dll matches
Binary file SQLitePCLRaw.provider.sqlite3.dll matches
Binary file Firebase.Core.dll matches
Binary file System.Net.Http.dll matches
Binary file APPNAME.iOS.exe matches
Binary file System.dll matches

Furthermore:

grep -ir "mono_thread_attach"
Binary file APPNAME.iOS matches
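The `frida-mono-api` lookup in the stack trace above fails because it expects a separate Mono module, while omareltf's grep finds `mono_thread_attach` inside the main executable `APPNAME.iOS`. The following Frida script is an added diagnostic, not Fridax's own code and not posted by any commenter: it scans every loaded module for Mono embedding symbols and reports which module actually carries them, so a runtime linked into the app binary is reported under that binary's name. The marker symbol list, the two-hit threshold, and `SAMPLE_MODULES` are assumptions made for illustration; when run under Node, where Frida's `Process` object does not exist, it only evaluates the constructed sample.

```javascript
// Added diagnostic for "Can't find Mono runtime": which loaded module exposes
// Mono embedding symbols? Runs inside Frida (uses Process/Module) or, under
// Node, against a constructed sample so the classification can be tested.

// Functions from the Mono embedding API (mono-project.com/docs/advanced/embedding).
// Which of them are visible depends on the build, so we look for several.
const MONO_MARKERS = [
  'mono_thread_attach',
  'mono_get_root_domain',
  'mono_domain_get',
  'mono_assembly_foreach',
  'mono_jit_init',
];

// Pure classification over [{ name, exports: [symbolName, ...] }].
// Returns modules exposing at least `minHits` marker symbols, most hits first,
// so the main executable of an AOT-compiled Xamarin.iOS app shows up even
// though there is no module whose name contains "mono".
function findMonoCarriers(modules, minHits = 2) {
  const carriers = [];
  for (const mod of modules) {
    const names = new Set(mod.exports);
    const hits = MONO_MARKERS.filter((sym) => names.has(sym));
    if (hits.length >= minHits) {
      carriers.push({ name: mod.name, hits });
    }
  }
  return carriers.sort((a, b) => b.hits.length - a.hits.length);
}

// Turn the classification into the troubleshooting message a user needs.
function describe(carriers) {
  if (carriers.length === 0) {
    return 'no module exposes Mono runtime symbols (not embedded, or symbols stripped)';
  }
  const named = carriers.filter((c) => /mono/i.test(c.name));
  if (named.length === 0) {
    return `Mono symbols live in ${carriers[0].name}, not in a separate mono module (statically linked runtime)`;
  }
  return `Mono runtime module: ${named[0].name}`;
}

// Frida side: exports plus symbol table, since a statically linked runtime
// may keep mono_* only as local symbols rather than exports.
function collectFromFrida() {
  return Process.enumerateModules().map((m) => {
    let names = [];
    try {
      names = [...m.enumerateExports(), ...m.enumerateSymbols()].map((s) => s.name);
    } catch (e) {
      // some system modules refuse symbol enumeration; treat them as empty
    }
    return { name: m.name, exports: names };
  });
}

// Constructed sample (assumption, not a real dump): Mono symbols sit in the
// app executable, as omareltf's grep suggested, and nowhere else.
const SAMPLE_MODULES = [
  { name: 'APPNAME.iOS', exports: ['main', 'mono_thread_attach', 'mono_get_root_domain'] },
  { name: 'libSystem.B.dylib', exports: ['malloc', 'free'] },
  { name: 'Foundation', exports: ['NSLog'] },
];

function runSample() {
  return describe(findMonoCarriers(SAMPLE_MODULES));
}

if (typeof Process !== 'undefined' && typeof Process.enumerateModules === 'function') {
  const carriers = findMonoCarriers(collectFromFrida());
  console.log('[*] ' + describe(carriers));
  for (const c of carriers) console.log(`    ${c.name}: ${c.hits.join(', ')}`);
} else {
  console.log('[*] (no Frida runtime) sample: ' + runSample());
}
```

Loaded into the target with `frida -U -n <app name> -l mono_probe.js`, the output tells you whether the failure is "no Mono at all" or "Mono is there but under the executable's name", which is the distinction the loader's error message hides.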

sammyjeng commented 1 year ago

Hey @alexdetrano and @omareltf,

The above-mentioned issue arises because Xamarin apps are compiled ahead of time in the case of iOS, and they work just like any other native app with the ObjC runtime. There is no Mono runtime to begin with, hence you won't be able to find the mono module/mono exports/mono runtime using Fridax.

I am pretty sure that is the case, because following this hunch has yielded results. But if someone has successfully used Fridax to hook into iOS applications and has found the mono module (very unlikely), I would love to know how they did it and get the full picture of what's going on.

What can one do to hook into Xamarin apps on iOS?

References:

  1. https://www.c-sharpcorner.com/article/how-xamarin-works-on-different-platforms/
  2. https://learn.microsoft.com/en-us/xamarin/ios/internals/architecture
  3. https://www.mono-project.com/docs/advanced/embedding/

Update: