frida / frida-core

Frida core library intended for static linking into bindings
https://frida.re

Frida 10.3.0 leads APPs crash on Android 5.1 x86 emulator #137

Open ecular opened 7 years ago

ecular commented 7 years ago

Hi there

I got an apk file from here and installed it into my Android emulator (5.1 x86), which was downloaded from Google via the Android Virtual Device Manager.

When I ran the command frida-trace -i "open" -U com.example.seccon2015.rock_paper_scissors, it prompted me "Failed to start tracing: script is destroyed" and the app on my emulator crashed.

After checking logcat, I got the following log:

F/libc ( 3686): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x2d in tid 3686 (_paper_scissors)
W/linker ( 3686): frida-agent-32.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
I/DEBUG ( 1145):
I/DEBUG ( 1145): Build fingerprint: 'Android/sdk_google_phone_x86/generic_x86:5.1.1/LMY48X/4174727:userdebug/test-keys'
I/DEBUG ( 1145): Revision: '0'
I/DEBUG ( 1145): ABI: 'x86'
I/DEBUG ( 1145): pid: 3686, tid: 3686, name: _paper_scissors >>> com.example.seccon2015.rock_paper_scissors <<<
I/DEBUG ( 1145): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2d
I/DEBUG ( 1145): eax ffffffff ebx b74a798c ecx 00000003 edx bfaa74e8
I/DEBUG ( 1145): esi ffffffff edi b422aec4
I/DEBUG ( 1145): xcs 00000073 xds 0000007b xes 0000007b xfs 00000007 xss 0000007b
I/DEBUG ( 1145): eip b749c858 ebp 00000000 esp bfaa7530 flags 00210286
I/DEBUG ( 1145):
I/DEBUG ( 1145): backtrace:
I/DEBUG ( 1145): #00 pc 0001b858 /system/lib/libutils.so (android::Looper::pollInner(int)+200)
I/DEBUG ( 1145): #01 pc 0001bc57 /system/lib/libutils.so (android::Looper::pollOnce(int, int, int, void*)+55)
I/DEBUG ( 1145): #02 pc 000c86c7 /system/lib/libandroid_runtime.so (android::NativeMessageQueue::pollOnce(_JNIEnv, int)+71)
I/DEBUG ( 1145): #03 pc 000c872a /system/lib/libandroid_runtime.so
I/DEBUG ( 1145): #04 pc 000db8ae /data/dalvik-cache/x86/system@framework@boot.oat
I/DEBUG ( 1145):
I/DEBUG ( 1145): Tombstone written to: /data/tombstones/tombstone_03
W/InputDispatcher( 1504): channel 'a303513 com.example.seccon2015.rock_paper_scissors/com.example.seccon2015.rock_paper_scissors.MainActivity (server)' ~ Consumer closed input channel or an error occurred. events=0x9
E/InputDispatcher( 1504): channel 'a303513 com.example.seccon2015.rock_paper_scissors/com.example.seccon2015.rock_paper_scissors.MainActivity (server)' ~ Channel is unrecoverably broken and will be disposed!
W/libprocessgroup( 1504): failed to open /acct/uid_10058/pid_3686/cgroup.procs: No such file or directory
I/ActivityManager( 1504): Process com.example.seccon2015.rock_paper_scissors (pid 3686) has died
I/WindowState( 1504): WIN DEATH: Window{a303513 u0 com.example.seccon2015.rock_paper_scissors/com.example.seccon2015.rock_paper_scissors.MainActivity}
W/InputDispatcher( 1504): Attempted to unregister already unregistered input channel 'a303513 com.example.seccon2015.rock_paper_scissors/com.example.seccon2015.rock_paper_scissors.MainActivity (server)'
W/ActivityManager( 1504): Force removing ActivityRecord{3ca65a08 u0 com.example.seccon2015.rock_paper_scissors/.MainActivity t8}: app died, no saved state
I/Zygote ( 1152): Process 3686 exited due to signal (11)
W/SurfaceFlinger( 1139): couldn't log to binary event log: overflow.
I/OpenGLRenderer( 1504): Initialized EGL, version 1.4
D/EGL_emulation( 1504): eglCreateContext: 0xa2be14c0: maj 2 min 0 rcv 2
D/EGL_emulation( 1504): eglMakeCurrent: 0xa2be14c0: ver 2 0
D/EGL_emulation( 1504): eglMakeCurrent: 0xa2be14c0: ver 2 0
D/EGL_emulation( 2291): eglMakeCurrent: 0xb4385580: ver 2 0
I/Choreographer( 1504): Skipped 31 frames! The application may be doing too much work on its main thread.

And it is the same for com.android.gallery.

Please have a check. Thank you.
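As an added example (not code from the Frida project or from the reporters), a small triage parser for the logcat crash dump format quoted above: it pulls the signal, fault address, ABI, process identity and backtrace out of the I/DEBUG lines, collects the W/linker warning, and flags a tiny fault address such as 0x2d as the signature of a NULL pointer plus a small field offset. The sample lines are constructed from the report.

```python
import re
# Constructed sample in the shape of the logcat dump quoted in the report above.
SAMPLE_LOGCAT = """\
F/libc    ( 3686): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x2d in tid 3686 (_paper_scissors)
W/linker  ( 3686): frida-agent-32.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
I/DEBUG   ( 1145): ABI: 'x86'
I/DEBUG   ( 1145): pid: 3686, tid: 3686, name: _paper_scissors  >>> com.example.seccon2015.rock_paper_scissors <<<
I/DEBUG   ( 1145): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2d
I/DEBUG   ( 1145): backtrace:
I/DEBUG   ( 1145):     #00 pc 0001b858  /system/lib/libutils.so (android::Looper::pollInner(int)+200)
I/DEBUG   ( 1145):     #01 pc 0001bc57  /system/lib/libutils.so (android::Looper::pollOnce(int, int, int, void*)+55)
I/DEBUG   ( 1145):     #02 pc 000c86c7  /system/lib/libandroid_runtime.so (android::NativeMessageQueue::pollOnce(_JNIEnv, int)+71)
I/DEBUG   ( 1145):     #03 pc 000c872a  /system/lib/libandroid_runtime.so
I/DEBUG   ( 1145):     #04 pc 000db8ae  /data/dalvik-cache/x86/system@framework@boot.oat
"""

SIG_RE = re.compile(r"signal (\d+) \((\w+)\), code (\d+)(?: \((\w+)\))?, fault addr (0x[0-9a-fA-F]+)")
PID_RE = re.compile(r"pid: (\d+), tid: (\d+), name: (\S+)\s+>>> (\S+) <<<")
ABI_RE = re.compile(r"ABI: '(\w+)'")
FRAME_RE = re.compile(r"#(\d+) pc ([0-9a-fA-F]+)\s+(\S+)(?: \((.*)\))?$")

def _body(line):
    # Drop the "LEVEL/TAG ( pid): " logcat prefix and return the message text.
    return line.partition("): ")[2].strip()

def parse_tombstone(logcat_text):
    """Extract signal, fault address, process identity, ABI and backtrace from the I/DEBUG lines."""
    info = {"frames": []}
    for line in logcat_text.splitlines():
        if not line.startswith("I/DEBUG"):
            continue
        body = _body(line)
        if m := SIG_RE.search(body):
            info.update(signal=int(m[1]), signal_name=m[2], code_name=m[4], fault_addr=int(m[5], 16))
        elif m := PID_RE.search(body):
            info.update(pid=int(m[1]), tid=int(m[2]), process=m[4])
        elif m := ABI_RE.search(body):
            info["abi"] = m[1]
        elif m := FRAME_RE.search(body):
            info["frames"].append({"num": int(m[1]), "pc": int(m[2], 16), "module": m[3], "symbol": m[4]})
    return info

def is_near_null_deref(info, threshold=0x1000):
    # A SIGSEGV at a tiny address (0x2d here) is the classic signature of a NULL struct
    # pointer being dereferenced at a small field offset rather than a corrupted far pointer.
    return info.get("signal_name") == "SIGSEGV" and info.get("fault_addr", threshold) < threshold

def linker_warnings(logcat_text):
    # Collect W/linker messages such as the text-relocation warning about frida-agent-32.so.
    return [_body(l) for l in logcat_text.splitlines() if l.startswith("W/linker")]
```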

ecular commented 7 years ago

But it works well on ARM emulators (Android 4.4 and Android 5.1).

max01203 commented 7 years ago

Hi, did you try to run it without a hook to check whether it works on x86?

ecular commented 7 years ago

@max01203 Yes, it works well on x86 Android without a hook.

securityMB commented 7 years ago

I am just bumping the post. I have the same problem on an Android x86 emulator. Tested on Android 5.0-7.0. No matter what application I'm trying to hook, I always get the error:

I/DEBUG ( 1175): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2d

The fault address is always 0x2d. Frida version is 10.6.11.

I'd love to debug this a little but have really no idea where to start. I'd love it if you could give me some pointers.