WithSecureLabs / android-keystore-audit


Up-to-date frida #6

Open 0xElessar opened 4 years ago

0xElessar commented 4 years ago

Thank you for providing such great tooling. Extremely helpful.

However, 2 scripts do not work correctly on Android 9 with a newer Frida version (>12.6).

https://github.com/FSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass-via-exception-handling.js

after running the bypass() command, Frida >= 12.6 throws the following error message:

exception catched!Error: Wrapper is disposed; perhaps it was borrowed from a hook instead of calling Java.retain() to make a long-lived wrapper?

Unhandled exception in event loop:
  File "c:\python38\lib\asyncio\proactor_events.py", line 768, in _loop_self_reading
    f.result()  # may raise
  File "c:\python38\lib\asyncio\windows_events.py", line 808, in _poll
    value = callback(transferred, key, ov)
  File "c:\python38\lib\asyncio\windows_events.py", line 457, in finish_recv
    raise ConnectionResetError(*exc.args)

Exception [WinError 995] The I/O operation has been aborted because of either a thread exit or an application request
Press ENTER to continue...

Do you know how to modify the execute() function to be compatible with newer Frida versions, please?

Similarly, the showKeyguard() function of the script https://github.com/FSecureLABS/android-keystore-audit/blob/master/frida-scripts/keyguard-credential-intent.js crashes when executed on newer Frida versions:

showKeyguard()

Process crashed: Trace/BPT trap

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/sargo/sargo:9/PQ3B.190801.002/5674421:user/release-keys'
Revision: 'MP1.0'
ABI: 'arm64'
pid: 25273, tid: 25292, name: Thread-2  >>> [APPNAME] <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'java_vm_ext.cc:542] JNI DETECTED ERROR IN APPLICATION: use of invalid jobject 0x7ff5eaeae4'
    x0  0000000000000000  x1  00000000000062cc  x2  0000000000000006  x3  0000000000000000
    x4  6461706b616572ff  x5  0000000000000080  x6  0000000000000080  x7  8000000000000000
    x8  0000000000000083  x9  0000000000000001  x10 0000000000000002  x11 00000075951bc140
    x12 0000000018000004  x13 0000000000000058  x14 ffffffffffffffff  x15 0029543fc8f56283
    x16 00000074fca77188  x17 00000075925e2cd0  x18 00000074f78ec01a  x19 0000000000000006
    x20 00000000000062b9  x21 00000074f78ebb80  x22 00000074fcaeae90  x23 00000074fcaec0f0
    x24 000000750f9cc7e0  x25 00000074fcaec000  x26 0000000046508001  x27 ffffffffffffffff
    x28 00000074fcaea000  x29 00000074f78eb8d0
    sp  00000074f78eb850  lr  00000074fa971d84  pc  00000074fa971d9c

backtrace:
    #00 pc 0000000001dc1d9c  /system/app/Chrome/Chrome.apk (offset 0xf2e000)

It would be great if you could update the scripts.

Thank you again for great research and scripts.

CDuPlooy commented 3 years ago

Hi there, we spoke over email. I'll have a look as soon as I get a chance, sorry I know this ticket has been open for almost a year.

Since you're also using a Pixel 3a, I'll downgrade my device to Android 9 over the weekend and see if I get the same errors with the same Frida server version. Thanks for reporting the issue and all the information :)

0xElessar commented 3 years ago

Great. Thank you very much, @CDuPlooy!

CDuPlooy commented 3 years ago

Hi @0xElessar, thanks again for reporting this. The issue is that the script saves a reference to something that it expects to later still be alive, but the GC sweeps the object. Hence the error message points to Java.retain. I'll create a branch with my fix shortly.

I've gotten confirmation from @0xElessar that the changes work for the fingerprint bypass script. There are still other instances of this problem
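The lifetime rule behind the "Wrapper is disposed" error, as an added example that is not the repository's script and not code from either participant: a Java object handed to a Frida hook as an argument is a borrowed wrapper that Frida disposes when the hook returns, so storing it for a later bypass() call fails; Java.retain() returns a long-lived copy. Part 1 is a Frida hook on FingerprintManager.authenticate (the framework signature; the assumption is that the app under test uses that API and the bypass replays the saved callback later). Part 2 is a constructed model of the disposal behaviour, not Frida's code, so the broken and fixed patterns can be exercised outside a device.

```javascript
'use strict';

// ---- Part 1: Frida hook (only executes under Frida, where `Java` exists) ----
// Assumed target API: FingerprintManager.authenticate(CryptoObject, CancellationSignal,
// int, AuthenticationCallback, Handler). The callback is what a bypass replays later.
var savedCallback = null;

if (typeof Java !== 'undefined') {
  Java.perform(function () {
    var FingerprintManager = Java.use('android.hardware.fingerprint.FingerprintManager');
    FingerprintManager.authenticate.overload(
      'android.hardware.fingerprint.FingerprintManager$CryptoObject',
      'android.os.CancellationSignal',
      'int',
      'android.hardware.fingerprint.FingerprintManager$AuthenticationCallback',
      'android.os.Handler'
    ).implementation = function (crypto, cancel, flags, callback, handler) {
      // `callback` is borrowed: Frida disposes this wrapper when the hook returns.
      // savedCallback = callback;             // broken: "Wrapper is disposed" when used later
      savedCallback = Java.retain(callback);   // fixed: long-lived wrapper for later use
      return this.authenticate(crypto, cancel, flags, callback, handler);
    };
  });
}

// ---- Part 2: constructed model of the wrapper lifetime (not Frida's implementation) ----
class Wrapper {
  constructor(handle, longLived) {
    this.handle = handle;       // stands in for the underlying JNI reference
    this.longLived = longLived; // true once obtained through retain()
    this.disposed = false;
  }
  onAuthenticationSucceeded(result) {
    if (this.disposed) {
      throw new Error('Wrapper is disposed; perhaps it was borrowed from a hook instead of ' +
                      'calling Java.retain() to make a long-lived wrapper?');
    }
    return 'callback ' + this.handle + ' got ' + result;
  }
}

const model = {
  // Java.retain(): a fresh wrapper over the same object that outlives the hook.
  retain(w) { return new Wrapper(w.handle, true); },
  // Runs a hook body with a borrowed wrapper, then disposes it, as Frida does for hook arguments.
  invokeHook(handle, impl) {
    const borrowed = new Wrapper(handle, false);
    try { return impl(borrowed); } finally { borrowed.disposed = true; }
  },
};

// Broken pattern: keep the borrowed wrapper, replay it after the hook has returned.
function bypassWithBorrowed() {
  let saved = null;
  model.invokeHook('cb#1', function (callback) { saved = callback; });
  return saved.onAuthenticationSucceeded('forged AuthenticationResult'); // throws
}

// Fixed pattern: retain inside the hook, replay the retained wrapper later.
function bypassWithRetain() {
  let saved = null;
  model.invokeHook('cb#1', function (callback) { saved = model.retain(callback); });
  return saved.onAuthenticationSucceeded('forged AuthenticationResult');
}
```

Run part 1 with `frida -U -f <package> -l script.js` and trigger the fingerprint prompt once so the hook fires; `savedCallback` then stays valid for a later replay from the REPL. The same stale-reference mistake, when it reaches the runtime before Frida's own check, is what a CheckJNI abort such as "use of invalid jobject" looks like, which matches the comment above that other instances of this problem remain in the scripts.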