Closed enovella closed 5 years ago
More information, using the new crash-reporting feature:
[0x00000000]> \?V
{"version":"12.4.1"}
[0x00000000]> \ic
CrashReport: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'OnePlus/OnePlus5/OnePlus5:7.0/NRD90M/13371337:user/release-keys'
Revision: '0'
ABI: 'arm64'
pid: 29162, tid: 29180, name: Thread-67 >>> com.target.pay <<<
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f6de10000
x0 0000007f6de0e000 x1 0000007f6de1e000 x2 0000000000000080 x3 0000000000000040
x4 0000007f6de10000 x5 0000000000000001 x6 0000000000000000 x7 00000000f6c2684d
x8 00000000000000e2 x9 0000000000001000 x10 0000007f6de1e000 x11 0000007f8b9becd0
x12 0000007f99a40a10 x13 0000007f7d33a3b1 x14 0000000000000000 x15 0000000000000074
x16 0000007f8ba32b78 x17 0000007fa4d862a8 x18 0000000000000026 x19 0000000000010000
x20 0000007f6de0e000 x21 0000007f8aa8f13c x22 0000007f7e6fe030 x23 0000007f6de0e000
x24 0000000000010000 x25 0000007f8bad1c6a x26 0000007f8aa8f95c x27 0000007f8bacd828
x28 0000007f7e6ff4e8 x29 0000007f7e6fdfe0 x30 0000007f8a9d0b48
sp 0000007f7e6fdf90 pc 0000007f8b375bfc pstate 0000000080000000
backtrace:
#00 pc 0000000000be2bfc /data/local/tmp/re.frida.server/frida-agent-64.so
#01 pc 000000000023db44 /data/local/tmp/re.frida.server/frida-agent-64.so
DetachReason: PROCESS_TERMINATED
Target process terminated
[0x00000000]>
Weird. r2frida uses 12.4.0; I found some errors in 12.4.1 and later, that's why I'm not updating. Can you check if this crash is related to Frida itself? Because I can't repro.
Same behavior. It might be my hooks perhaps. But I don't really know well why this is happening. Let me know if you want to reproduce.
[0x00000000]> \?V
{"version":"12.4.0"}
[0x00000000]> \ic
DetachReason: FRIDA_SESSION_DETACH_REASON_PROCESS_TERMINATED
CrashReport: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'OnePlus/OnePlus3/OnePlus3:7.0/NRD90M/01122125:user/release-keys'
Revision: '0'
ABI: 'arm64'
pid: 28385, tid: 28406, name: Thread-65 >>> com.target.application <<<
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f5cb19000
x0 0000007f5cb17000 x1 0000007f5cb27000 x2 0000000000000080 x3 0000000000000040
x4 0000007f5cb19000 x5 0000000000000001 x6 0000000000000000 x7 000000002262def7
x8 00000000000000e2 x9 0000000000001000 x10 0000007f5cb27000 x11 0000007f7b108ce0
x12 0000007f89040b50 x13 0000007f6c894b01 x14 0000000000000000 x15 0000000000000074
x16 0000007f7b17cb78 x17 0000007f939192a8 x18 0000000000000026 x19 0000000000010000
x20 0000007f5cb17000 x21 0000007f7a1d81c0 x22 0000007f6d9fe020 x23 0000007f5cb17000
x24 0000000000010000 x25 0000007f7b21bc22 x26 0000007f7a1d89e0 x27 0000007f7b2177e0
x28 0000007f6d9ff4e8 x29 0000007f6d9fdfd0 x30 0000007f7a11a1ac
sp 0000007f6d9fdf80 pc 0000007f7aabebf4 pstate 0000000080000000
backtrace:
#00 pc 0000000000be1bf4 /data/local/tmp/re.frida.server/frida-agent-64.so
#01 pc 000000000023d1a8 /data/local/tmp/re.frida.server/frida-agent-64.so
Target process terminated
As discussed, if I run the app without r2frida but with Frida directly, I get the same crash after adding this code:
// Defer the enumeration briefly so the app's runtime has started.
setTimeout(function () {
  // Only touch the Java bridge when a VM is present in the process.
  if (Java.available) {
    Java.perform(function () {
      // Walk every class currently loaded and print its name.
      Java.enumerateLoadedClasses({
        onMatch: function (className) {
          console.log(className);
        },
        onComplete: function () {
        }
      });
    });
  }
}, 25);
I do confirm that the issue is produced using only Frida and not r2frida. @oleavr: you can reproduce it with the code snippet above. FYI, there are several Frida detections in native code. These are not the issue.
I think it can be related to a bug in Frida when handling setTimeout. I will try to rewrite the code without using that, now that we support promises, and you can try again.
On 20 Mar 2019, at 16:57, Eduardo Novella notifications@github.com wrote:
As discussed, if I run the app without r2frida but with Frida directly, I get the same crash after adding this code:
can't reproduce :?
For me it crashes on this line: Java.enumerateLoadedClasses(). I can try this on another phone too.
Maybe a bug in Frida?
cc @oleavr
It seems so
[01:50 edu@unix apks] > frida -U -f re.mobipwn.enovella
____
/ _ | Frida 12.4.7 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at http://www.frida.re/docs/home/
Spawned `re.mobipwn.enovella`. Use %resume to let the main thread start executing!
[OnePlus ONEPLUS A3003::re.mobipwn.enovella]-> %resume
[OnePlus ONEPLUS A3003::re.mobipwn.enovella]-> setTimeout(function() {
if (Java.available) {
Java.perform(function () {
Java.enumerateLoadedClasses({
onMatch: function (className) {
console.log(className);
},
onComplete: function () {
}
});
});
}
},25);
1
[OnePlus ONEPLUS A3003::re.mobipwn.enovella]-> Process crashed: Bad access due to protection failure
[OnePlus ONEPLUS A3003::re.mobipwn.enovella]->
04-05 02:41:56.867 26094 26094 F DEBUG : Revision: '0'
04-05 02:41:56.867 26094 26094 F DEBUG : ABI: 'arm64'
04-05 02:41:56.867 26094 26094 F DEBUG : pid: 26056, tid: 26075, name: Thread-2 >>> re.mobipwn.enovella <<<
04-05 02:41:56.867 26094 26094 F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f7ec66000
04-05 02:41:56.867 26094 26094 F DEBUG : x0 0000007f7ec64000 x1 0000007f7ec74000 x2 0000000000000080 x3 0000000000000040
04-05 02:41:56.867 26094 26094 F DEBUG : x4 0000007f7ec66000 x5 0000000000000001 x6 0000000000000000 x7 ff7164736d686e6f
04-05 02:41:56.867 26094 26094 F DEBUG : x8 00000000000000e2 x9 0000000000001000 x10 0000007f7ec74000 x11 0000007f709a6cd0
04-05 02:41:56.867 26094 26094 F DEBUG : x12 0000007f79e3c190 x13 00000000492eb261 x14 0000000000000000 x15 0000000000000074
04-05 02:41:56.867 26094 26094 F DEBUG : x16 0000007f70a1ab78 x17 0000007f86b9b2a8 x18 0000000000000026 x19 0000000000010000
04-05 02:41:56.867 26094 26094 F DEBUG : x20 0000007f7ec64000 x21 0000007f6fa77410 x22 0000007f6347dd40 x23 0000007f7ec64000
04-05 02:41:56.867 26094 26094 F DEBUG : x24 0000000000010000 x25 0000007f70ab9c72 x26 0000007f6fa77c30 x27 0000007f70ab5830
04-05 02:41:56.867 26094 26094 F DEBUG : x28 0000007f6347f4e8 x29 0000007f6347dcf0 x30 0000007f6f9b8c88
04-05 02:41:56.867 26094 26094 F DEBUG : sp 0000007f6347dca0 pc 0000007f7035dbfc pstate 0000000080000000
04-05 02:41:56.869 26094 26094 F DEBUG :
04-05 02:41:56.869 26094 26094 F DEBUG : backtrace:
04-05 02:41:56.869 26094 26094 F DEBUG : #00 pc 0000000000be2bfc /data/local/tmp/re.frida.server/frida-agent-64.so
04-05 02:41:56.869 26094 26094 F DEBUG : #01 pc 000000000023dc84 /data/local/tmp/re.frida.server/frida-agent-64.so
04-05 02:41:57.435 15530 26095 W ActivityManager: Force finishing activity re.mobipwn.enovella/.MainActivity
Going to try to debug this annoying crash as Ole told me: "if you can reproduce it with a self-compiled Frida where you edit config.mk to remove --strip, that would reveal the reason it crashes".
Hey @oleavr ,
Here you go the symbolicated backtrace:
DetachReason: FRIDA_SESSION_DETACH_REASON_PROCESS_TERMINATED
CrashReport: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'OnePlus/OnePlus3/OnePlus3:7.0/NRD90M/01122125:user/release-keys'
Revision: '0'
ABI: 'arm64'
pid: 30350, tid: 30369, name: Thread-2 >>> re.mobipwn.enovella <<<
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f63732000
x0 0000007f63730000 x1 0000007f63740000 x2 0000000000000080 x3 0000000000000040
x4 0000007f63732000 x5 0000000000000001 x6 0000000000000000 x7 000000000efcdbd5
x8 00000000000000e2 x9 0000000000001000 x10 0000007f63740000 x11 0000007f709ead20
x12 0000007f79e43190 x13 000000002d862e99 x14 0000000000000000 x15 0000000000000074
x16 0000007f70a5eb78 x17 0000007f86b9b2a8 x18 0000000000000026 x19 0000000000010000
x20 0000007f63730000 x21 0000007f6faec3f8 x22 0000007f6357dd40 x23 0000007f63730000
x24 0000000000010000 x25 0000007f70aba1f2 x26 0000007f6faecc18 x27 0000007f70ab5db0
x28 0000007f6357f4e8 x29 0000007f6357dcf0 x30 0000007f6fa46c88
sp 0000007f6357dca0 pc 0000007f703d2bfc pstate 0000000080000000
backtrace:
#00 pc 0000000000bb3bfc /data/local/tmp/re.frida.server/frida-agent-64.so (__aarch64_sync_cache_range+64)
#01 pc 0000000000227c84 /data/local/tmp/re.frida.server/frida-agent-64.so (gum_clear_cache+28)
#02 pc 0000000000225150 /data/local/tmp/re.frida.server/frida-agent-64.so (gum_memory_patch_code+132)
#03 pc 00000000002cd3c8 /data/local/tmp/re.frida.server/frida-agent-64.so (_ZN36GumV8Closure_gumjs_memory_patch_code6invokeEv+88)
#04 pc 00000000002cdc5c /data/local/tmp/re.frida.server/frida-agent-64.so (_ZL23gumjs_memory_patch_codeRKN2v820FunctionCallbackInfoINS_5ValueEEE+68)
#05 pc 00000000006ef874 /data/local/tmp/re.frida.server/frida-agent-64.so (_ZN2v88internal25FunctionCallbackArguments4CallEPNS0_15CallHandlerInfoE+572)
#06 pc 00000000006eee94 /data/local/tmp/re.frida.server/frida-agent-64.so (_ZN2v88internal12_GLOBAL__N_119HandleApiCallHelperILb0EEENS0_11MaybeHandleINS0_6ObjectEEEPNS0_7IsolateENS0_6HandleINS0_10HeapObjectEEESA_NS8_INS0_20FunctionTemplateInfoEEENS8_IS4_EENS0_16BuiltinArgumentsE+448)
#07 pc 00000000006ee720 /data/local/tmp/re.frida.server/frida-agent-64.so (_ZN2v88internalL26Builtin_Impl_HandleApiCallENS0_16BuiltinArgumentsEPNS0_7IsolateE+224)
#08 pc 00000000000541e8 <anonymous:0000007f63884000>
Target process terminated
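The symbolicated backtrace above lands in the cache flush (__aarch64_sync_cache_range, called from gum_clear_cache inside gum_memory_patch_code), and all three dumps in this thread share the same register shape. The following is an added triage helper written for this thread, not code from r2frida or Frida: it parses the tombstone format pasted here (with or without the logcat "F DEBUG :" prefix) and relates the fault address to the [x0, x1) range. It assumes that at __aarch64_sync_cache_range+64 the registers x0 and x1 still hold the begin/end arguments of the flush; the AArch64 calling convention puts them there, and x19 = 0x10000 together with x20 and x23 equal to x0 is consistent with that reading, but the dumps do not prove it. The sample inputs are the reports quoted above, trimmed to the relevant lines.

```javascript
'use strict';

// Added triage helper for the Android tombstones pasted in this thread.
// Not r2frida or Frida code. ASSUMPTION: at __aarch64_sync_cache_range+64,
// x0/x1 still hold the begin/end of the range being flushed.

const PAGE_SIZE = 0x1000n;

// Parse the signal line, the register dump and the backtrace. Accepts both
// the raw report and logcat output carrying a "... F DEBUG : " prefix.
function parseTombstone(text) {
  const report = { signal: null, code: null, faultAddr: null, regs: new Map(), frames: [] };
  const sigRe = /^signal \d+ \((\w+)\), code \d+ \((\w+)\), fault addr (0x[0-9a-f]+)/;
  const frameRe = /^#(\d+) pc ([0-9a-f]+) (\S+)(?: \((.*)\))?$/;
  const regRe = /\b(x\d+|sp|pc|pstate) ([0-9a-f]{16})\b/g;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/^.*?F DEBUG\s*:\s*/, '').trim();
    let m;
    if ((m = sigRe.exec(line))) {
      report.signal = m[1];
      report.code = m[2];
      report.faultAddr = BigInt(m[3]);
    } else if ((m = frameRe.exec(line))) {
      report.frames.push({ index: Number(m[1]), pc: BigInt('0x' + m[2]), module: m[3], symbol: m[4] || null });
    } else {
      // Register lines carry several "name value" pairs per line.
      while ((m = regRe.exec(line)) !== null) {
        report.regs.set(m[1], BigInt('0x' + m[2]));
      }
    }
  }
  return report;
}

// Relate the fault address to [x0, x1) under the assumption stated above.
function triage(report) {
  const begin = report.regs.get('x0');
  const end = report.regs.get('x1');
  const fault = report.faultAddr;
  const top = report.frames.find((f) => f.index === 0);
  return {
    // SEGV_ACCERR means the page is mapped but its protection forbids the access.
    protectionFault: report.signal === 'SIGSEGV' && report.code === 'SEGV_ACCERR',
    rangeLength: end - begin,
    faultInRange: fault >= begin && fault < end,
    faultPageAligned: fault % PAGE_SIZE === 0n,
    faultPageIndex: Number((fault - begin) / PAGE_SIZE),
    topFrame: top ? top.module.split('/').pop() + (top.symbol ? ' (' + top.symbol + ')' : '') : null,
  };
}

// One-line human-readable summary of a parsed report.
function summarize(report) {
  const t = triage(report);
  return `${report.code} at 0x${report.faultAddr.toString(16)}: page ${t.faultPageIndex} of a ` +
    `0x${t.rangeLength.toString(16)}-byte range starting at 0x${report.regs.get('x0').toString(16)}` +
    `${t.faultInRange ? '' : ' (outside range)'}; top frame ${t.topFrame}`;
}

// Input: the symbolicated report pasted above, trimmed to the relevant lines.
const SYMBOLICATED_REPORT = `
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f63732000
x0 0000007f63730000 x1 0000007f63740000 x2 0000000000000080 x3 0000000000000040
x4 0000007f63732000 x5 0000000000000001 x6 0000000000000000 x7 000000000efcdbd5
x8 00000000000000e2 x9 0000000000001000 x10 0000007f63740000 x11 0000007f709ead20
x16 0000007f70a5eb78 x17 0000007f86b9b2a8 x18 0000000000000026 x19 0000000000010000
x20 0000007f63730000 x21 0000007f6faec3f8 x22 0000007f6357dd40 x23 0000007f63730000
sp 0000007f6357dca0 pc 0000007f703d2bfc pstate 0000000080000000
backtrace:
#00 pc 0000000000bb3bfc /data/local/tmp/re.frida.server/frida-agent-64.so (__aarch64_sync_cache_range+64)
#01 pc 0000000000227c84 /data/local/tmp/re.frida.server/frida-agent-64.so (gum_clear_cache+28)
#02 pc 0000000000225150 /data/local/tmp/re.frida.server/frida-agent-64.so (gum_memory_patch_code+132)
`;

// Input: the logcat-prefixed report from the frida CLI run above, trimmed.
const LOGCAT_REPORT = `
04-05 02:41:56.867 26094 26094 F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f7ec66000
04-05 02:41:56.867 26094 26094 F DEBUG : x0 0000007f7ec64000 x1 0000007f7ec74000 x2 0000000000000080 x3 0000000000000040
04-05 02:41:56.869 26094 26094 F DEBUG : backtrace:
04-05 02:41:56.869 26094 26094 F DEBUG : #00 pc 0000000000be2bfc /data/local/tmp/re.frida.server/frida-agent-64.so
`;

console.log(summarize(parseTombstone(SYMBOLICATED_REPORT)));
console.log(summarize(parseTombstone(LOGCAT_REPORT)));
```

Run with node. For every dump in this thread the result is the same: a page-aligned fault exactly two pages into a 0x10000-byte range, with SEGV_ACCERR rather than SEGV_MAPERR. Under the x0/x1 assumption that means the flush walked into a page inside the patched range that is mapped but whose protection does not permit the access, which is a different failure from an unmapped address and is worth checking against the process maps of the target around the time \ic runs.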
This is "fixed" in current r2frida, right? Can we move this issue to Frida?
Yeah, this is not an r2frida bug but a Frida bug.
Setup
Problem
The application contains several security mechanisms that must be bypassed in order to list classes using the cmd \ic. Once bypassed, r2frida works okay except for this command, which only crashes in this app. Please let me know if you want the agent.js that I am using to reproduce the crash, or DM me. If I have time I will try to investigate more. (@oleavr)
Backtrace