Open cergo666 opened 5 months ago
More specifically, in my use case it hangs on these lines with readPointer():
model.cRef = this.params[11].readPointer();
and
let outLen = pointerToInt(this.params[5].readPointer());
I used this function to read the pointer to see what was up:
function safeReadPointer(source, address) {
    try {
        // Check if address is valid: NULL, or not inside any mapped range of the process
        if (address.isNull()) {
            console.warn(`[${source}->${address}] Invalid or inaccessible address: ${address}`);
            return null;
        }
        const range = Process.findRangeByAddress(address);
        if (range === null) {
            console.warn(`[${source}->${address}] Invalid or inaccessible address: ${address}`);
            return null;
        }
        console.log(`[${source}->${address}] Reading pointer at ${address} (protection ${range.protection})`);
        // Temporarily make the memory readable, only if it is not readable already
        const needProtect = !range.protection.startsWith('r');
        if (needProtect) {
            Memory.protect(address, Process.pointerSize, 'r--');
            console.log(`[${source}->${address}] Memory protection changed to r-- at ${address}`);
        }
        let value = address.readPointer();
        console.log(`[${source}->${address}] Read pointer value: ${value}`);
        // Restore the original protection reported by the range (never '---': that faults the app on its next access)
        if (needProtect) {
            Memory.protect(address, Process.pointerSize, range.protection);
        }
        return value;
    } catch (error) {
        console.error(`[${source}->${address}] Failed to read pointer at ${address}: ${error.message}`);
        return null;
    }
}
And I logged out the params right before calling it and I get stuff like this:
CCCryptorCreateWithMode params: 0x0,0xb,0x0,0x0,0x0,0x280c92420,0x10,0x0,0x0,0x0,0x80f0641a0,0x280c92460
CCCryptorCreateWithMode params: 0x1,0xb,0x0,0x0,0x0,0x280c92420,0x10,0x0,0x0,0x0,0x80f0641a8,0x280c92460
CCCryptorCreateWithMode params: 0x0,0x1,0x0,0x0,0x0,0x280c924c0,0x10,0x0,0x1ff3889711a95be6,0x39f81c36cce5033b,0x80f0641b0,0x0
[CCCryptorCreateWithMode->0x0] Invalid or inaccessible address: 0x0
CCCryptorCreateWithMode params: 0x0,0xb,0x0,0x0,0x0,0x280c92430,0x10,0x0,0x0,0x0,0x80f0646e0,0x10a4a400c
CCCryptorCreateWithMode params: 0x1,0xb,0x0,0x0,0x0,0x280c92430,0x10,0x0,0x0,0x0,0x80f0646e8,0x10a4a400c
CCCryptorCreateWithMode params: 0x0,0x1,0x0,0x0,0x0,0x280c92590,0x10,0x0,0x1ff3889711a95be6,0x39f81c36cce5033b,0x80f0646f0,0x0
[CCCryptorCreateWithMode->0x0] Invalid or inaccessible address: 0x0
CCCryptorUpdate params: 0x80e051000,0x10ab83832,0x10,0x16faab508,0x10,0x0
[CCCryptorUpdate->0x0] Invalid or inaccessible address: 0x0
So it appears that sometimes it gets a pointer to 0x0 and that causes the app to hang. Unfortunately, I don't get any of the details I'm looking for, so I will need to do some more study to find out why I get 0x0 and why there isn't any data when there is a pointer in that parameter (as you can see from the logs above, there is often a pointer there, but this script seems to abort in those cases anyway).
It's the same issue as the one listed here https://github.com/jitcor/frida-ios-cipher/issues/1 (where I posted a potential solution, which is to patch everything).
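Added example, not code from the original poster or from frida-ios-cipher: the two CommonCrypto calls in the logs above are hooked so that their out-parameters are dereferenced only in onLeave. `cryptorRef` (args[11] of CCCryptorCreateWithMode) and `dataOutMoved` (args[5] of CCCryptorUpdate) are written by the callee, so in onEnter they hold whatever the caller left there, and the logs show the slot itself is sometimes NULL. The pointer logic is kept in plain functions so the same file also runs under Node with fake pointer objects; it assumes the Frida globals (Interceptor, Module, hexdump) are present only when `Interceptor` is defined, and that the argument order follows the public CommonCrypto prototypes.

```javascript
// Added example (not the original poster's code, nor frida-ios-cipher's own).
// Hooks CCCryptorCreateWithMode / CCCryptorUpdate and reads out-parameters
// only in onLeave, after the callee filled them in and returned kCCSuccess.
// Assumption: Frida globals exist only when `Interceptor` is defined.

const kCCSuccess = 0; // CCCryptorStatus success value (CommonCryptor.h)

// Dereference an out-parameter. Returns null instead of throwing when the
// caller passed NULL or the slot is not readable. Page protection is left
// alone: protecting a slot to '---' afterwards faults the app on its next use.
function readOutPointer(p) {
  if (p === null || p === undefined || p.isNull()) return null;
  try {
    return p.readPointer();
  } catch (e) {
    return null; // Frida surfaces unmapped memory as a JS Error (access violation)
  }
}

// An out-parameter is only meaningful once the call succeeded and the caller
// actually supplied a destination for it.
function outParamReady(status, p) {
  return status === kCCSuccess && p !== null && p !== undefined && !p.isNull();
}

// Index layout follows the public prototype:
// CCCryptorCreateWithMode(op, mode, alg, padding, iv, key, keyLength,
//                         tweak, tweakLength, numRounds, options, cryptorRef)
function captureCreateArgs(args) {
  return {
    op: args[0].toInt32(),
    mode: args[1].toInt32(),
    alg: args[2].toInt32(),
    key: args[5],
    keyLength: args[6].toInt32(),
    cryptorRefOut: args[11], // CCCryptorRef *, written by the callee: read in onLeave
  };
}

// Resolve the CCCryptorRef after the call returned: null on a failure status
// or when the caller passed NULL for the slot (the 0x0 entries in the logs).
function resolveCreateResult(saved, status) {
  const cRef = outParamReady(status, saved.cryptorRefOut)
    ? readOutPointer(saved.cryptorRefOut)
    : null;
  return { op: saved.op, mode: saved.mode, alg: saved.alg, status, cRef };
}

function hookCommonCrypto() {
  const create = Module.findExportByName(null, 'CCCryptorCreateWithMode');
  const update = Module.findExportByName(null, 'CCCryptorUpdate');
  if (create === null || update === null) throw new Error('CommonCrypto exports not found');

  Interceptor.attach(create, {
    onEnter(args) {
      // `args` is only valid inside onEnter: stash what onLeave needs on `this`
      this.saved = captureCreateArgs(args);
    },
    onLeave(retval) {
      const r = resolveCreateResult(this.saved, retval.toInt32());
      console.log(`CCCryptorCreateWithMode op=${r.op} mode=${r.mode} alg=${r.alg} status=${r.status} cRef=${r.cRef}`);
      if (r.cRef !== null && this.saved.keyLength > 0 && !this.saved.key.isNull()) {
        console.log(hexdump(this.saved.key, { length: this.saved.keyLength }));
      }
    },
  });

  Interceptor.attach(update, {
    onEnter(args) {
      this.dataOut = args[3];
      this.dataOutMoved = args[5]; // size_t *, may be NULL, filled in by the callee
    },
    onLeave(retval) {
      const status = retval.toInt32();
      if (!outParamReady(status, this.dataOutMoved)) return;
      const n = this.dataOutMoved.readULong().toNumber();
      if (n > 0 && !this.dataOut.isNull()) {
        console.log(`CCCryptorUpdate wrote ${n} bytes`);
        console.log(hexdump(this.dataOut, { length: Math.min(n, 64) }));
      }
    },
  });
}

if (typeof Interceptor !== 'undefined') hookCommonCrypto();
```

Load it with `frida -U -f <bundle id> -l <file>` as usual; under plain Node nothing is hooked and only the helper functions are defined.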
Sadly this doesn't fix the issue. The app I test is Tinder; the app just freezes when the crypto hook is enabled.
I already added this fix:
function print_arg(addr, len = 240) {
    try {
        if (addr == null) return "\n";
        if (addr.isNull()) return "\n";
        return "\n" + hexdump(addr, { length: len }) + "\n";
    } catch (e) {
        if (e instanceof Error) {
            console.error("print_arg error:", e.stack);
        }
        return addr + "\n";
    }
}
I start any application with the script
frida -l iosciper.js -f com.apple.Maps -U
and if the "crypto" section of the config is enabled, the application hangs (apparently one of the encryption functions is triggered at that moment). There are no errors; the application closes after some time.
frida 16.3.3, iOS 15.3.1, iPhone SE2