frida / frida

Clone this repo to build Frida
https://frida.re

Error: unable to intercept function at 0xf326afc7; please file a bug #771

Open ghost opened 5 years ago

ghost commented 5 years ago

For the crackme-level2.apk (OWASP MSTG) exercise I'm trying to retrieve arguments that are passed through a function that I can see at the assembly code level of an APK. I'm referring to the memory address of the function, however I'm being shot back with this error:

Error: unable to intercept function at 0xf326afc7; please file a bug
    at frida/runtime/core.js:502
    at [anon] (/repl3.js:43)
    at frida/node_modules/frida-java/lib/vm.js:42
    at M (frida/node_modules/frida-java/index.js:347)
    at frida/node_modules/frida-java/index.js:299
    at frida/node_modules/frida-java/lib/vm.js:42
    at frida/node_modules/frida-java/index.js:279
    at [anon] (/repl3.js:49)
    at frida/runtime/core.js:57
[...]

The actual code I'm using via JS:

Interceptor.attach(ptr(0xf326afc7), {
    onEnter: function(args) {
        send(args[0].toInt32());
    }
});

I've also tried:

// Assumed: the post does not show where strncmp was resolved; libc's export is the likely source.
const strncmp = Module.findExportByName('libc.so', 'strncmp');

Interceptor.attach(strncmp, {
    onEnter: function (args) {
        // Only log when the caller compares 23 bytes against the known reference string.
        if (args[2].toInt32() == 23 && Memory.readUtf8String(args[0], 23) == "01234567890123456789012") {
            console.log("[*] Secret string at " + args[1] + ": " + Memory.readUtf8String(args[1], 23));
        }
    }
});

Any help would be much appreciated!

oleavr commented 5 years ago

Did you try console.log(Instruction.parse(ptr('0x1234')).toString()); to make sure that the expected instruction is at the given address?

By the way, noticed this:

ptr(0xf326afc7)

Here you're constructing a NativePointer value from a JavaScript number. Instead I would recommend:

ptr('0xf326afc7')

This is because JS numbers are backed by double, which means you might get bitten by rounding errors. Not really a problem in 32-bit processes, but very dangerous for 64-bit: dangerous in the sense that you might spend a lot of time debugging before you realize that the NativePointer value didn't get initialized with the value you think it should.

AsenOsen commented 5 years ago

Could it be somehow connected with #790 ?

1wxyz commented 5 years ago

I believe the problem is more than just the ptr.

frida-trace -D device_id pid_in_device -i "strncmp"
Instrumenting functions...
strncmp: Loaded handler at "/home/user/handlers/libc.so/strncmp.js"
Error: Skipping "strncmp": unable to intercept function at 0xeb053819; please file a bug
Started tracing 1 function. Press Ctrl+C to stop.

It has no issue on an arm64 native library. APK reference: https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_02/UnCrackable-Level2.apk

Using frida 12.6.14

ValeryD62 commented 3 years ago

I guess the problem is related to the ARM platform. The same command "frida-trace -U -f xx.xxx.xxxxx -i open -i sscanf -i strncmp" works fine on x86 and skips interception of the function with the message "Warning: Skipping "strncmp": unable to intercept function at 0xade5ba93; please file a bug" on ARM.

starplanet commented 2 years ago

Is there a conclusion to this question? Only attaching to strncmp of libc reports this error. I tested it on the sample app I compiled myself: there is no problem with 64-bit ARM, but there is a problem with 32-bit. Test environment: frida 15.1.17, Android 10.

Hook code:

// Wrapper function assumed: the post shows only the body of a hook routine
// (the top-level `return` is only valid inside a function).
function hookStrncmp() {
  const strncmp_ptr = Module.findExportByName('libc.so', 'strncmp')
  console.log("strncmp addr", strncmp_ptr)
  if (null == strncmp_ptr) {
    return
  }

  // Disassemble the first 10 instructions at the target before hooking it.
  console.log("print instruct before attach")
  let temp_ptr = strncmp_ptr
  for (let i = 0; i < 10; i++) {
    let inst = Instruction.parse(temp_ptr)
    console.log(inst.toString())
    temp_ptr = inst.next
  }

  Interceptor.attach(strncmp_ptr, {
    onEnter: function(args) {
      const size = args[2].toInt32()
      console.log('call strncmp ' + args[0].readCString(size) + ',' + args[1].readCString(size))
    },
    onLeave: function(retval) {
    }
  })
}

hookStrncmp()

Output:

strncmp addr 0xefe974b1
print instruct before attach
cbz r2, #0xefe974c6
ldrb ip, [r1], #1
ldrb r3, [r0]
cmp r3, ip
bne #0xefe974ca
cbz r3, #0xefe974c6
subs r2, #1
add.w r0, r0, #1
bne #0xefe974b2
movs r0, #0
Error: unable to intercept function at 0xefe974b1; please file a bug
    at value (frida/runtime/core.js:364)
    at anti_strcmp (agent/anti.ts:182)
    at main (agent/index.ts:32)
    at call (native)
    at onNextTick (node_modules/timers-browserify/main.js:64)
    at apply (native)
    at <anonymous> (node_modules/process/browser.js:153)
    at drainQueue (node_modules/process/browser.js:123)
    at apply (native)
    at <anonymous> (frida/runtime/core.js:45)

brunoaduarte commented 3 months ago

Have you found a fix for the issue? Frida 16.2.5 and the problem persists. Cannot intercept strncmp from libc.so.

Interceptor.attach(Module.getExportByName('libc.so', "strncmp"), {
    onEnter(args) {
        const str1 = args[0].readCString();
        const str2 = args[1].readCString();
        const num = args[2].toInt32();
        console.log(`strncmp called with str1: ${str1}, str2: ${str2}, num: ${num}`);
    },
    onLeave(retval) {
        console.log(`strncmp returned: ${retval.toInt32()}`);
    }
});

The instruction at the address is correct:

cbz r2, #0xf3e757ec
error intercepting strncmp: unable to intercept function at 0xf3e757d7; please file a bug | offset: 0x667d7
Error: unable to intercept function at 0xf2fec7d5; please file a bug
    at value (frida/runtime/core.js:408)
    at <anonymous> (./intercept_libc.so.js:65)
    at apply (native)
    at <anonymous> (frida/runtime/core.js:51)

                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             noreturn int __stdcall strncmp(char * __s1, char * __s2,
                               assume LRset = 0x0
                               assume TMode = 0x1
             int               r0:4           <RETURN>
             char *            r0:4           __s1
             char *            r1:4           __s2
             size_t            r2:4           __n
                             strncmp                                         XREF[3]:     Entry Point(*), 
                                                                                          strncmp:00096760(T), 
                                                                                          strncmp:00096768(c), 0009b250(*)  
        000767d6 4a b1           cbz        __n,LAB_000767ec
                             LAB_000767d8                                    XREF[1]:     000767ea(j)  
        000767d8 11 f8 01 cb     ldrb.w     r12,[__s2],#0x1
        000767dc 03 78           ldrb       r3,[__s1,#0x0]
        000767de 63 45           cmp        r3,r12
        000767e0 06 d1           bne        LAB_000767f0
        000767e2 1b b1           cbz        r3,LAB_000767ec
        000767e4 01 3a           subs       __n,#0x1
        000767e6 00 f1 01 00     add.w      __s1,__s1,#0x1
        000767ea f5 d1           bne        LAB_000767d8
                             LAB_000767ec                                    XREF[2]:     000767d6(j), 000767e2(j)  
        000767ec 00 20           movs       __s1,#0x0
        000767ee 70 47           bx         lr
                             LAB_000767f0                                    XREF[1]:     000767e0(j)  
        000767f0 a3 eb 0c 00     sub.w      __s1,r3,r12
        000767f4 70 47           bx         lr

int strncmp(char *__s1,char *__s2,size_t __n)

{
  uint uVar1;

  if (__n != 0) {
    do {
      uVar1 = (uint)(byte)*__s1;
      if (uVar1 != (byte)*__s2) {
        return uVar1 - (byte)*__s2;
      }
      if (uVar1 == 0) {
        return 0;
      }
      __n = __n - 1;
      __s1 = (char *)((byte *)__s1 + 1);
      __s2 = (char *)((byte *)__s2 + 1);
    } while (__n != 0);
  }
  return 0;
}

@oleavr @starplanet
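An added example, not code from this issue or from Frida's own code base, that turns the Instruction.parse check suggested above into a pre-hook diagnostic. It assumes, which the thread does not state, that the hook must rewrite the first 4 bytes of a Thumb prologue, and flags PC-relative instructions in that window as well as later branches back into it; run against the strncmp body posted above it reports both the leading cbz and the loop branch to 0xefe974b2. The function name checkFridaTarget and the instruction sizes are my own.

```javascript
// Added example (not the issue's or Frida's own code): a pre-hook check for a Thumb
// entry, extending the Instruction.parse loop suggested above. Assumed, not stated on
// the page: the hook rewrites the first WINDOW_BYTES of the prologue, so a PC-relative
// instruction inside that window, or a later branch back into it, makes the patch unsafe.
const WINDOW_BYTES = 4;
// Thumb mnemonics carrying a PC-relative target (conditional branches included).
const PC_RELATIVE = /^(b(l|lx)?|b(eq|ne|cs|hs|cc|lo|mi|pl|vs|vc|hi|ls|ge|lt|gt|le)|cbn?z|adr|tb[bh])(\.w)?$/;
const hex = (n) => '0x' + n.toString(16);

function isPcRelative(ins) {            // branch-like mnemonic or an ldr literal [pc, ...]
  return PC_RELATIVE.test(ins.mnemonic) || /\[pc\b/.test(ins.opStr);
}
function branchTarget(ins) {            // immediate target, or null (e.g. "bx lr")
  if (!PC_RELATIVE.test(ins.mnemonic)) return null;
  const m = /#0x([0-9a-f]+)\s*$/i.exec(ins.opStr);
  return m ? parseInt(m[1], 16) : null;
}
// insns: [{address, mnemonic, opStr}] in address order, Thumb bit already stripped.
function checkHookWindow(insns, windowBytes = WINDOW_BYTES) {
  const start = insns[0].address, end = start + windowBytes;   // window is [start, end)
  const problems = [];
  for (const ins of insns) {
    if (ins.address < end && isPcRelative(ins))
      problems.push(`${ins.mnemonic} at ${hex(ins.address)} is PC-relative inside the patch window`);
    const t = branchTarget(ins);
    if (t !== null && t > start && t < end)
      problems.push(`${ins.mnemonic} at ${hex(ins.address)} branches to ${hex(t)} inside the patch window`);
  }
  return { start, end, problems, hookable: problems.length === 0 };
}
// Frida adapter (only meaningful inside an agent): walk the target with Instruction.parse,
// keeping bit 0 of the pointer set so Frida decodes Thumb, as the loop above does.
function checkFridaTarget(target, count = 12) {
  const insns = [];
  for (let i = 0, p = target; i < count; i++) {
    const ins = Instruction.parse(p);
    insns.push({ address: (Number(ins.address.toString()) & ~1) >>> 0,
                 mnemonic: ins.mnemonic, opStr: ins.opStr });
    p = ins.next;
  }
  return checkHookWindow(insns);
}
// Constructed input mirroring the strncmp disassembly posted above (addresses derived from it).
const STRNCMP_THUMB = [
  [0xefe974b0, 'cbz', 'r2, #0xefe974c6'], [0xefe974b2, 'ldrb', 'ip, [r1], #1'],
  [0xefe974b6, 'ldrb', 'r3, [r0]'],       [0xefe974b8, 'cmp', 'r3, ip'],
  [0xefe974ba, 'bne', '#0xefe974ca'],     [0xefe974bc, 'cbz', 'r3, #0xefe974c6'],
  [0xefe974be, 'subs', 'r2, #1'],         [0xefe974c0, 'add.w', 'r0, r0, #1'],
  [0xefe974c4, 'bne', '#0xefe974b2'],     [0xefe974c6, 'movs', 'r0, #0'],
].map(([address, mnemonic, opStr]) => ({ address, mnemonic, opStr }));
```

Inside a Frida agent, `checkFridaTarget(Module.findExportByName('libc.so', 'strncmp'))` runs the same check on the live function before calling Interceptor.attach.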