frida / frida

Clone this repo to build Frida
https://frida.re

Tested Frida Gadget on more than 60 real Android devices, Worked on (56/61) devices #2084

Open harshitshah4 opened 2 years ago

harshitshah4 commented 2 years ago

First of all thanks for the awesome tool, amazing work done.

So, we have been considering Frida Gadget for runtime interception of methods on our rooted and non-rooted Android devices. The way this works is we copy the frida gadget (along with the gadget config and script) into the lib// folder of the apk, and inject a System#loadLibrary call into the app's launcher Activity, similar to how objection does it here: https://github.com/sensepost/objection .

We tested this solution in a sample app on 61 real Android devices. Here are the results: the injection seems to be working fine on 56/61 devices; the ones marked with an asterisk (**) had issues with Frida Gadget, and the others worked.

Frida Gadget version: 15.1.17

Google

Pixel 6 - v12
Pixel 6 Pro - v12
Pixel 5 - v11
Pixel 4 - v10
Pixel 4 XL - v10
Pixel 3A XL - v9
Pixel 3A - v9
Pixel 3XL - v9
Pixel 3 - v9
Pixel 2 - v9
Pixel - v8
Nexus 7 - v6
Nexus 6 - v6
** Pixel 2 - v8 - No Log Lines - Frida Gadget didn't log any lines from our Frida Script.

Samsung

Galaxy S22 - v12
Galaxy S22 Ultra - v12
Galaxy S21 - v11
Galaxy S21+ - v11
Galaxy S21 Ultra - v11
Galaxy S20 - v10
Galaxy S20 - v11
Galaxy S20 Ultra - v10
Galaxy S20 Plus - v10
Galaxy S10 - v9
Galaxy S10+ - v9
Galaxy S10e - v9
Galaxy S9+ - v8 - App crashing - Attached log lines in comments.
Galaxy S9+ - v9
Galaxy S8+ - v9
Galaxy S8 - v7
Galaxy S8 Plus - v7
Galaxy A51 - v10
Galaxy A10 - v9
Galaxy A8 - v7.1
Galaxy Note 20 - v10
Galaxy Note 20 Ultra - v10
Galaxy Note 10 - v9
Galaxy Note 10 Plus - v9
Galaxy Note 9 - v8.1
Galaxy Note 8 - v7.1
Galaxy Tab S6 - v9
Galaxy Tab S3 - v8
Galaxy S9 - v8 - App crashing - Attached log lines in comments.
Galaxy J7 Prime - v8 - Some issue in Runtime loadLibrary - JNI Not Detected log line, Unspecified Format Identifier - Attached log lines in comments.
Galaxy S7 - v6 - Infinite loop in onResume - We are hooking the onResume method, and on this device it goes into an infinite loop inside the onResume method.

One Plus

One Plus 9 - v11
One Plus 8 - v10
One Plus 7T - v10
One Plus 7 - v9
One Plus 6T - v9

Xiaomi

Redmi Note 9 - v10
Redmi Note 7 - v9
Redmi Note 8 - v9

Vivo

Vivo Y21 - v11
Vivo V21 - v11
Vivo Y50 - v10

Motorola

Moto G9 Play - v10
Moto G7 Play - v9

Oppo

Oppo Reno 3 - v10
Oppo Reno 6 - v11

Huawei

Huawei P30 - v9

It would be awesome if you could provide support for the devices where it was not working.

Attaching the log lines for the devices it was not working on in the comments.

Happy to provide any help needed.

Edit: Added Samsung Galaxy S9+ - v8 to not working list.

harshitshah4 commented 2 years ago

Samsung Galaxy S9 - v8 - Similar behaviour to Samsung Galaxy S9+ - v8; let me know if specific logs for Samsung Galaxy S9+ are needed. Behaviour: App crashing

Log lines:

04-26 05:38:18.883 I/ApplicationPolicy( 4787): isApplicationExternalStorageBlacklisted:com.samsung.android.fast user:0
04-26 05:38:18.883 D/ApplicationPolicy( 4787): isApplicationExternalStorageBlacklisted: DO is not enabled on user 0. Allowed.
04-26 05:38:18.892 F/DEBUG   ( 7673): 
04-26 05:38:18.892 F/DEBUG   ( 7673): backtrace:
04-26 05:38:18.892 F/DEBUG   ( 7673):     #00 pc 00000000014b38b0  /data/app/com.example.all_in_one-TndIzgvkssa7K1OZvUc_vQ==/lib/arm64/libfrida-gadget.so (offset 0x6b5000)
04-26 05:38:18.892 V/Surface ( 4262): sf_framedrop debug : 0x4f4c, game : false, logging : 0
04-26 05:38:18.892 F/DEBUG   ( 7673):     #01 pc 00000000007fe758  /data/app/com.example.all_in_one-TndIzgvkssa7K1OZvUc_vQ==/lib/arm64/libfrida-gadget.so (offset 0x6b5000)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #02 pc 00000000007890b8  /data/app/com.example.all_in_one-TndIzgvkssa7K1OZvUc_vQ==/lib/arm64/libfrida-gadget.so (offset 0x6b5000)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #03 pc 000000000078292c  /data/app/com.example.all_in_one-TndIzgvkssa7K1OZvUc_vQ==/lib/arm64/libfrida-gadget.so (offset 0x6b5000)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #04 pc 00000000007faf98  /data/app/com.example.all_in_one-TndIzgvkssa7K1OZvUc_vQ==/lib/arm64/libfrida-gadget.so (offset 0x6b5000)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #05 pc 00000000006c6938  /data/app/com.example.all_in_one-TndIzgvkssa7K1OZvUc_vQ==/lib/arm64/libfrida-gadget.so (offset 0x6b5000)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #06 pc 00000000006b7078  /data/app/com.example.all_in_one-TndIzgvkssa7K1OZvUc_vQ==/lib/arm64/libfrida-gadget.so (offset 0x6b5000)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #07 pc 000000000002015c  /system/bin/linker64 (__dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_+236)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #08 pc 0000000000020374  /system/bin/linker64 (__dl__ZN6soinfo17call_constructorsEv+404)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #09 pc 000000000000c218  /system/bin/linker64 (__dl__Z9do_dlopenPKciPK17android_dlextinfoPKv+1464)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #10 pc 0000000000008d68  /system/bin/linker64 (__dl__Z20__android_dlopen_extPKciPK17android_dlextinfoPKv+72)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #11 pc 00000000000011ec  /system/lib64/libdl.so (android_dlopen_ext+12)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #12 pc 0000000000002550  /system/lib64/libnativeloader.so (_ZN7android17OpenNativeLibraryEP7_JNIEnviPKcP8_jobjectP8_jstringPbPNSt3__112basic_stringIcNS9_11char_traitsIcEENS9_9allocatorIcEEEE+384)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #13 pc 00000000002e8b98  /system/lib64/libart.so (_ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP8_jstringPS9_+1832)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #14 pc 0000000000004384  /system/lib64/libopenjdkjvm.so (JVM_NativeLoad+276)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #15 pc 00000000002884c4  /system/framework/arm64/boot.oat (offset 0x1dc000) (java.lang.Runtime.nativeLoad+228)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #16 pc 000000000052da38  /system/lib64/libart.so (art_quick_invoke_static_stub+600)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #17 pc 00000000000d86c4  /system/lib64/libart.so (_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+260)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #18 pc 0000000000291720  /system/lib64/libart.so (_ZN3art11interpreter34ArtInterpreterToCompiledCodeBridgeEPNS_6ThreadEPNS_9ArtMethodEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+352)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #19 pc 000000000028bd58  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+680)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #20 pc 0000000000516324  /system/lib64/libart.so (MterpInvokeStatic+468)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #21 pc 000000000051f214  /system/lib64/libart.so (ExecuteMterpImpl+14612)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #22 pc 000000000026bf20  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+448)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #23 pc 0000000000272804  /system/lib64/libart.so (_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+212)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #24 pc 000000000028bd38  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+648)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #25 pc 0000000000516068  /system/lib64/libart.so (MterpInvokeDirect+504)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #26 pc 000000000051f194  /system/lib64/libart.so (ExecuteMterpImpl+14484)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #27 pc 000000000026bf20  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+448)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #28 pc 0000000000272804  /system/lib64/libart.so (_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+212)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #29 pc 000000000028bd38  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+648)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #30 pc 0000000000514cc4  /system/lib64/libart.so (MterpInvokeVirtual+612)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #31 pc 000000000051f094  /system/lib64/libart.so (ExecuteMterpImpl+14228)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #32 pc 000000000026bf20  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+448)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #33 pc 0000000000272804  /system/lib64/libart.so (_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+212)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #34 pc 000000000028bd38  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+648)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #35 pc 0000000000516324  /system/lib64/libart.so (MterpInvokeStatic+468)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #36 pc 000000000051f214  /system/lib64/libart.so (ExecuteMterpImpl+14612)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #37 pc 000000000026bf20  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+448)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #38 pc 0000000000272804  /system/lib64/libart.so (_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+212)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #39 pc 000000000028bd38  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+648)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #40 pc 0000000000516324  /system/lib64/libart.so (MterpInvokeStatic+468)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #41 pc 000000000051f214  /system/lib64/libart.so (ExecuteMterpImpl+14612)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #42 pc 000000000026bf20  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+448)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #43 pc 0000000000508990  /system/lib64/libart.so (artQuickToInterpreterBridge+1472)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #44 pc 0000000000536c1c  /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #45 pc 000000000052da38  /system/lib64/libart.so (art_quick_invoke_static_stub+600)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #46 pc 00000000000d86c4  /system/lib64/libart.so (_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+260)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #47 pc 00000000001382f4  /system/lib64/libart.so (_ZN3art11ClassLinker15InitializeClassEPNS_6ThreadENS_6HandleINS_6mirror5ClassEEEbb+3396)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #48 pc 00000000001212a8  /system/lib64/libart.so (_ZN3art11ClassLinker17EnsureInitializedEPNS_6ThreadENS_6HandleINS_6mirror5ClassEEEbb+168)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #49 pc 00000000003c08d4  /system/lib64/libart.so (_ZN3artL17Class_newInstanceEP7_JNIEnvP8_jobject+1188)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #50 pc 00000000001dc2ac  /system/framework/arm64/boot.oat (offset 0x1dc000) (java.lang.Object.internalClone [DEDUPED]+124)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #51 pc 000000000052d784  /system/lib64/libart.so (art_quick_invoke_stub+580)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #52 pc 00000000000d8688  /system/lib64/libart.so (_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc+200)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #53 pc 0000000000291720  /system/lib64/libart.so (_ZN3art11interpreter34ArtInterpreterToCompiledCodeBridgeEPNS_6ThreadEPNS_9ArtMethodEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+352)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #54 pc 000000000028bd58  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+680)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #55 pc 0000000000514cc4  /system/lib64/libart.so (MterpInvokeVirtual+612)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #56 pc 000000000051f094  /system/lib64/libart.so (ExecuteMterpImpl+14228)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #57 pc 000000000026bf20  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+448)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #58 pc 0000000000272804  /system/lib64/libart.so (_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+212)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #59 pc 000000000028bd38  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+648)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #60 pc 0000000000514cc4  /system/lib64/libart.so (MterpInvokeVirtual+612)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #61 pc 000000000051f094  /system/lib64/libart.so (ExecuteMterpImpl+14228)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #62 pc 000000000026bf20  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+448)
04-26 05:38:18.893 F/DEBUG   ( 7673):     #63 pc 0000000000272804  /system/lib64/libart.so 

harshitshah4 commented 2 years ago

Samsung Galaxy J7 Prime - v8.1 - Behaviour - App is frozen at start screen, and crashes after some time

Log lines:

04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534] JNI DETECTED ERROR IN APPLICATION: unknown format specifier: '�'
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]     in call to ExceptionClear
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]     from java.lang.String java.lang.Runtime.nativeLoad(java.lang.String, java.lang.ClassLoader, java.lang.String)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534] "main" prio=5 tid=1 Runnable
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   | group="main" sCount=0 dsCount=0 flags=0 obj=0x7398a718 self=0xea6fb000
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   | sysTid=3693 nice=-10 cgrp=default sched=0/0 handle=0xee9a74b8
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   | state=R schedstat=( 0 0 0 ) utm=37 stm=13 core=7 HZ=100
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   | stack=0xff129000-0xff12b000 stackSize=8MB
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   | held mutexes= "mutator lock"(shared held)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   native: #00 pc 0023ddcf  /system/lib/libart.so (???)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   native: #01 pc 002d34db  /system/lib/libart.so (???)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   native: #02 pc 002cfa57  /system/lib/libart.so (???)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   native: #03 pc 001a087f  /system/lib/libart.so (???)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   native: #04 pc 001a0bf7  /system/lib/libart.so (???)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   native: #05 pc 00026433  /system/lib/libart.so (???)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   native: #06 pc 00026375  /system/lib/libart.so (???)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   native: #07 pc 0002496d  /system/lib/libart.so (???)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   native: #08 pc 0000026f   (???)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at java.lang.Runtime.nativeLoad(Native method)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at java.lang.Runtime.doLoad(Runtime.java:1099)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   - locked <0x09c2b4df> (a java.lang.Runtime)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at java.lang.Runtime.loadLibrary0(Runtime.java:1014)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   - locked <0x09c2b4df> (a java.lang.Runtime)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at java.lang.System.loadLibrary(System.java:1657)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at com.browserstack.browserstackmockframework.utils.Util.loadGadgetLibrary(Util.java:9)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at com.example.all_in_one.MainActivity.<clinit>(MainActivity.java:-1)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at java.lang.Class.newInstance(Native method)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at android.app.Instrumentation.newActivity(Instrumentation.java:1182)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2840)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3059)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at android.app.ActivityThread.-wrap11(ActivityThread.java:-1)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1724)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at android.os.Handler.dispatchMessage(Handler.java:106)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at android.os.Looper.loop(Looper.java:164)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at android.app.ActivityThread.main(ActivityThread.java:7000)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at java.lang.reflect.Method.invoke(Native method)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:441)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1408)
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534] 
04-26 05:49:50.209 F/zygote  ( 3693): runtime.cc:542] Runtime aborting...
04-26 05:49:50.209 F/zygote  ( 3693): runtime.cc:542] 
04-26 05:49:50.209 F/zygote  ( 3693): runtime.cc:550] JNI DETECTED ERROR IN APPLICATION: unknown format specifier: '�'
04-26 05:49:50.209 F/zygote  ( 3693): runtime.cc:550]     in call to ExceptionClear
04-26 05:49:50.209 F/zygote  ( 3693): runtime.cc:550]     from java.lang.String java.lang.Runtime.nativeLoad(java.lang.String, java.lang.ClassLoader, java.lang.String)
04-26 05:49:50.209 F/zygote  ( 3693): runtime.cc:550] "main" prio=5 tid=1 Runnable
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   | group="main" sCount=0 dsCount=0 flags=0 obj=0x7398a718 self=0xea6fb000
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   | sysTid=3693 nice=-10 cgrp=default sched=0/0 handle=0xee9a74b8
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   | state=R schedstat=( 0 0 0 ) utm=37 stm=13 core=7 HZ=100
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   | stack=0xff129000-0xff12b000 stackSize=8MB
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   | held mutexes= "mutator lock"(shared held)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   native: #00 pc 0023ddcf  /system/lib/libart.so (???)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   native: #01 pc 002d34db  /system/lib/libart.so (???)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   native: #02 pc 002cfa57  /system/lib/libart.so (???)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   native: #03 pc 001a087f  /system/lib/libart.so (???)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   native: #04 pc 001a0bf7  /system/lib/libart.so (???)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   native: #05 pc 00026433  /system/lib/libart.so (???)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   native: #06 pc 00026375  /system/lib/libart.so (???)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   native: #07 pc 0002496d  /system/lib/libart.so (???)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   native: #08 pc 0000026f   (???)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at java.lang.Runtime.nativeLoad(Native method)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at java.lang.Runtime.doLoad(Runtime.java:1099)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   - locked <0x09c2b4df> (a java.lang.Runtime)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at java.lang.Runtime.loadLibrary0(Runtime.java:1014)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   - locked <0x09c2b4df> (a java.lang.Runtime)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at java.lang.System.loadLibrary(System.java:1657)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at com.browserstack.browserstackmockframework.utils.Util.loadGadgetLibrary(Util.java:9)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at com.example.all_in_one.MainActivity.<clinit>(MainActivity.java:-1)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at java.lang.Class.newInstance(Native method)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at android.app.Instrumentation.newActivity(Instrumentation.java:1182)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2840)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3059)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at android.app.ActivityThread.-wrap11(ActivityThread.java:-1)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1724)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at android.os.Handler.dispatchMessage(Handler.java:106)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at android.os.Looper.loop(Looper.java:164)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at android.app.ActivityThread.main(ActivityThread.java:7000)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at java.lang.reflect.Method.invoke(Native method)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:441)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550]   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1408)
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550] 
04-26 05:49:50.210 F/zygote  ( 3693): runtime.cc:550] 
04-26 05:49:50.225 V/Surface ( 2625): sf_framedrop debug : 0x4f4c, game : false, logging : 0

harshitshah4 commented 2 years ago

For Google Pixel 2 - v8 - Behaviour - App opens up and works fine, but methods are not getting intercepted, and we can't find any log lines from the frida script.

I couldn't find any log line relating to frida, attaching the complete log for reference: Pixel2.log

For Galaxy S7 - v6 - Behaviour - We are hooking multiple methods in our frida script, but the onResume method goes into an infinite loop, keeps calling our implementation, and crashes after some time. If we comment out our hook for onResume, then it starts working fine, and the other hooks work fine.
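
As an added example (not code from the issue thread or from the Frida project), the following Python triage script classifies a captured logcat buffer into the three failure shapes reported in this thread: a native crash whose innermost frame is inside libfrida-gadget.so (Galaxy S9/S9+), a CheckJNI abort inside Runtime.nativeLoad (Galaxy J7 Prime), and a run where the gadget never appears in the log at all (Pixel 2). The embedded sample lines are constructed, shortened copies of the excerpts posted above; the Pixel 2 line, its pid, and the '?' standing in for the garbled byte in the J7 Prime log are assumptions.

```python
import re
from collections import defaultdict

# logcat "threadtime" line: "MM-DD HH:MM:SS.mmm LEVEL/TAG( PID): message"
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[VDIWEF])/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\): ?(?P<msg>.*)$"
)
# Native backtrace frame, e.g. "#00 pc 00000000014b38b0  /data/app/.../libfrida-gadget.so (offset 0x6b5000)"
FRAME_RE = re.compile(r"#(?P<idx>\d+) pc (?P<pc>[0-9a-f]+)\s+(?P<lib>\S+)")
CHECKJNI_RE = re.compile(r"JNI DETECTED ERROR IN APPLICATION: (?P<reason>.*)$")
GADGET_LIB = "libfrida-gadget.so"

# Constructed samples: shortened copies of the excerpts posted in this thread, plus one
# made-up "healthy" line for the Pixel 2 case ('?' replaces the garbled byte in the J7 log).
SAMPLE_S9PLUS = """\
04-26 05:38:18.892 F/DEBUG   ( 7673): backtrace:
04-26 05:38:18.892 F/DEBUG   ( 7673):     #00 pc 00000000014b38b0  /data/app/com.example.all_in_one-TndIzgvkssa7K1OZvUc_vQ==/lib/arm64/libfrida-gadget.so (offset 0x6b5000)
04-26 05:38:18.892 F/DEBUG   ( 7673):     #07 pc 000000000002015c  /system/bin/linker64 (__dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_+236)
"""
SAMPLE_J7PRIME = """\
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534] JNI DETECTED ERROR IN APPLICATION: unknown format specifier: '?'
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]     in call to ExceptionClear
04-26 05:49:50.209 F/zygote  ( 3693): java_vm_ext.cc:534]   native: #00 pc 0023ddcf  /system/lib/libart.so (???)
"""
SAMPLE_PIXEL2 = """\
04-26 06:01:12.500 I/ActivityManager( 1201): Displayed com.example.all_in_one/.MainActivity: +412ms
"""


def parse_logcat(text):
    """Yield one dict per line that matches the logcat threadtime format."""
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if m:
            yield m.groupdict()


def triage(text):
    """Return ({pid: verdict} for processes with fatal lines, gadget_mentioned)."""
    crashes = defaultdict(lambda: {"frames": [], "checkjni": None, "jni_call": None})
    gadget_mentioned = False  # distinguishes "it crashed" from "it never loaded"
    for rec in parse_logcat(text):
        msg = rec["msg"]
        if GADGET_LIB in msg:
            gadget_mentioned = True
        if rec["level"] != "F":  # only fatal lines carry crash details
            continue
        entry = crashes[rec["pid"]]
        fm = FRAME_RE.search(msg)
        if fm:  # keep (frame index, basename of the mapped library)
            entry["frames"].append((int(fm["idx"]), fm["lib"].rsplit("/", 1)[-1]))
        cm = CHECKJNI_RE.search(msg)
        if cm:
            entry["checkjni"] = cm["reason"]
        if "in call to " in msg:
            entry["jni_call"] = msg.split("in call to ", 1)[1].strip()
    verdicts = {}
    for pid, e in crashes.items():
        if e["checkjni"]:  # CheckJNI abort (CheckJNI is on by default for debuggable apps)
            verdicts[pid] = "checkjni_abort: %s (in call to %s)" % (e["checkjni"], e["jni_call"])
        elif e["frames"]:  # native crash: blame the innermost (#00) frame
            idx, lib = min(e["frames"])
            kind = "gadget_crash" if lib == GADGET_LIB else "native_crash"
            verdicts[pid] = "%s: innermost frame #%02d is in %s" % (kind, idx, lib)
    return verdicts, gadget_mentioned


def summarize(text):
    """One-line triage verdict for a captured logcat buffer."""
    verdicts, mentioned = triage(text)
    if verdicts:
        return "; ".join("pid %s: %s" % (p, v) for p, v in verdicts.items())
    if not mentioned:
        return "no fatal entries and %s never mentioned: check that loadLibrary ran" % GADGET_LIB
    return "gadget loaded and no fatal entries"
```

Feed it the output of `adb logcat -d` captured after reproducing the launch; a `native_crash` verdict in a library other than the gadget points at the app's own native code rather than at Frida.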

chadacious commented 2 years ago

On the Galaxy S7 - v6, I wasn't able to run frida-ps without starting frida-server in disabled preload mode (i.e. frida-server -P &). However, running frida-ps lists the processes but then freezes/crashes the device.

Are you able to run frida-ps on an S7 without crashing? Did you use the -P flag on frida-server? I'm curious if you have made any progress with it.

harshitshah4 commented 2 years ago

I was able to solve the issue on Galaxy J7 Prime - v8 by setting the debuggable flag as false in AndroidManifest.xml file of the apk, not sure why this worked. @oleavr

harshitshah4 commented 2 years ago

Hey @chadacious, I haven't made any progress on Samsung Galaxy S7 - v6. I am running Frida by injecting Gadget into the apk, and the device is controlled remotely, but if it helps with debugging this problem, I can install frida-server on the CPU connected to the device and try running it. Let me know.

chadacious commented 2 years ago

I'm a bit new to working with frida, but I'm learning that success or failure depends largely on the ROM installed on the S7 device. My device is on Android 6.0, which may be the problem.

harshitshah4 commented 2 years ago

Yeah that's my understanding too.

sh4dowb commented 1 year ago

I'm having issues with the S22 Ultra (Android 12, no root). How did you debug the frida errors? On logcat there are no lines containing frida. Also, Xiaomi Mi 9, Mi 9T and Mi 10 (v12) work well.