nowsecure / r2frida

Radare2 and Frida better together.
MIT License

Crash on r2frida with .\init #189

Closed enovella closed 5 years ago

enovella commented 5 years ago

Sample APK

https://github.com/nowsecure/cybertruckchallenge19/tree/master/apk

Crash

$  r2 frida://spawn/usb//org.nowsecure.cybertruck
 -- Print the contents of the current block with the 'p' command
[0x00000000]> .\init
r_reg_set_profile_string: Parse error @ line 1 (Invalid register type)
r_reg_set_profile_string: Parse error @ line 1 (Invalid register type)
Segmentation fault (core dumped)
[0x00000000]> e dbg.backend =io
r_reg_set_profile_string: Parse error @ line 1 (Invalid register type)
r_reg_set_profile_string: Parse error @ line 1 (Invalid register type)
[0x00000000]> e anal.autoname=true
[0x00000000]> e cmd.fcn.new=aan
[0x00000000]> .=!i*
Segmentation fault (core dumped)
enovella commented 5 years ago

Wondering if this line solves the issue: https://github.com/nowsecure/r2frida/pull/187/commits/a4cff87f2be42c73c92b1e581241c5c80375d404#diff-a0d25e59c3c0f11e1cb00c07c0018473L277

enovella commented 5 years ago
[03:11 edu@xps radare2] >  r2 frida://spawn/usb//org.nowsecure.cybertruck
 -- git blind --hard
[0x00000000]> \init

e dbg.backend =io
e anal.autoname=true
e cmd.fcn.new=aan
.=!i*
.=!ie*
.=!il*
m /r2f io 0
s entry0
.=!ii*
.=!iE*
.=!dr*
.=!is*

[0x00000000]> .\init
r_reg_set_profile_string: Parse error @ line 1 (Invalid register type)
r_reg_set_profile_string: Parse error @ line 1 (Invalid register type)
profile.c:221:25: runtime error: member access within null pointer of type 'struct RRegArena'
ASAN:DEADLYSIGNAL
=================================================================
==16556==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fce9dc9f08f bp 0x7ffc1a541360 sp 0x7ffc1a541190 T0)
==16556==The signal is caused by a READ memory access.
==16556==Hint: address points to the zero page.
    #0 0x7fce9dc9f08e in r_reg_set_profile_string /tmp/radare2/libr/reg/profile.c:221
    #1 0x7fce9fd33a85 in r_anal_set_reg_profile /tmp/radare2/libr/anal/anal.c:303
    #2 0x7fce9fd335f5 in r_anal_use /tmp/radare2/libr/anal/anal.c:280
    #3 0x7fcea3efb543 in cb_analarch /tmp/radare2/libr/core/cconfig.c:320
    #4 0x7fcea91899d0 in r_config_set /tmp/radare2/libr/config/config.c:458
    #5 0x7fcea3eff298 in cb_asmarch /tmp/radare2/libr/core/cconfig.c:568
    #6 0x7fcea91899d0 in r_config_set /tmp/radare2/libr/config/config.c:458
    #7 0x7fcea918ad72 in __evalString /tmp/radare2/libr/config/config.c:582
    #8 0x7fcea918b1a2 in r_config_eval /tmp/radare2/libr/config/config.c:626
    #9 0x7fcea3d7c1fa in cmd_eval /tmp/radare2/libr/core/cmd_eval.c:602
    #10 0x7fcea3ff8a9e in r_cmd_call /tmp/radare2/libr/core/cmd_api.c:244
    #11 0x7fcea3ed82d2 in r_core_cmd_subst_i /tmp/radare2/libr/core/cmd.c:3549
    #12 0x7fcea3ecc718 in r_core_cmd_subst /tmp/radare2/libr/core/cmd.c:2428
    #13 0x7fcea3ee176a in r_core_cmd /tmp/radare2/libr/core/cmd.c:4384
    #14 0x7fcea3ee28d7 in r_core_cmd0 /tmp/radare2/libr/core/cmd.c:4549
    #15 0x7fcea3ec2a06 in cmd_interpret /tmp/radare2/libr/core/cmd.c:1231
    #16 0x7fcea3ff8a9e in r_cmd_call /tmp/radare2/libr/core/cmd_api.c:244
    #17 0x7fcea3ed82d2 in r_core_cmd_subst_i /tmp/radare2/libr/core/cmd.c:3549
    #18 0x7fcea3ecc718 in r_core_cmd_subst /tmp/radare2/libr/core/cmd.c:2428
    #19 0x7fcea3ee176a in r_core_cmd /tmp/radare2/libr/core/cmd.c:4384
    #20 0x7fcea3ee28d7 in r_core_cmd0 /tmp/radare2/libr/core/cmd.c:4549
    #21 0x7fcea3ec2a06 in cmd_interpret /tmp/radare2/libr/core/cmd.c:1231
    #22 0x7fcea3ff8a9e in r_cmd_call /tmp/radare2/libr/core/cmd_api.c:244
    #23 0x7fcea3ed82d2 in r_core_cmd_subst_i /tmp/radare2/libr/core/cmd.c:3549
    #24 0x7fcea3ecc718 in r_core_cmd_subst /tmp/radare2/libr/core/cmd.c:2428
    #25 0x7fcea3ee176a in r_core_cmd /tmp/radare2/libr/core/cmd.c:4384
    #26 0x7fcea3cbd9ba in r_core_prompt_exec /tmp/radare2/libr/core/core.c:3096
    #27 0x7fceab1114e8 in r_main_radare2 /tmp/radare2/libr/main/radare2.c:1497
    #28 0x55a9a57a5782 in main /tmp/radare2/binr/radare2/radare2.c:95
    #29 0x7fcea9fa6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #30 0x55a9a57a52c9 in _start (/tmp/radare2/binr/radare2/radare2+0x12c9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/radare2/libr/reg/profile.c:221 in r_reg_set_profile_string
==16556==ABORTING
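The sanitizer output above already contains everything needed to triage the bug: a SEGV on address 0x8 with a READ access and the "zero page" hint is a NULL pointer plus a small field offset (the UBSan line names the struct, `RRegArena`), and the top frame places it in `r_reg_set_profile_string` at `profile.c:221`, reached through `cb_asmarch` from an `e` command. The following script is an added example, not code from r2frida or radare2, that parses such a report into a structure, classifies the bug class and lists the distinct in-project frames; the excerpt it runs on is copied from the report above (only the first frames, plus the libc frame), and the project root `/tmp/radare2/` is taken from those frame paths.

```python
"""Triage helper for AddressSanitizer SEGV reports like the one in this issue.

Added example, not part of r2frida or radare2. It turns the sanitizer text into
a structure so the bug class (here a NULL-pointer read) and the innermost
project frames can be pulled out mechanically instead of by eye.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the report pasted in this issue (first frames and the libc frame).
SAMPLE_REPORT = """\
profile.c:221:25: runtime error: member access within null pointer of type 'struct RRegArena'
ASAN:DEADLYSIGNAL
=================================================================
==16556==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fce9dc9f08f bp 0x7ffc1a541360 sp 0x7ffc1a541190 T0)
==16556==The signal is caused by a READ memory access.
==16556==Hint: address points to the zero page.
    #0 0x7fce9dc9f08e in r_reg_set_profile_string /tmp/radare2/libr/reg/profile.c:221
    #1 0x7fce9fd33a85 in r_anal_set_reg_profile /tmp/radare2/libr/anal/anal.c:303
    #2 0x7fce9fd335f5 in r_anal_use /tmp/radare2/libr/anal/anal.c:280
    #3 0x7fcea3efb543 in cb_analarch /tmp/radare2/libr/core/cconfig.c:320
    #4 0x7fcea91899d0 in r_config_set /tmp/radare2/libr/config/config.c:458
    #29 0x7fcea9fa6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/radare2/libr/reg/profile.c:221 in r_reg_set_profile_string
==16556==ABORTING
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-f]+)\s+in\s+(\S+)\s+(.+)$")
ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: \w+ (\S+) in \S+")
UBSAN_RE = re.compile(r"^\S+:\d+:\d+: runtime error: (.+)$")

PAGE_SIZE = 0x1000  # anything below this is the unmapped zero page on x86-64 Linux


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    location: str  # "file:line" or "(module+offset)"


@dataclass
class AsanReport:
    pid: int
    kind: str               # e.g. "SEGV"
    address: int            # faulting address
    access: Optional[str]   # "READ" / "WRITE" / None
    frames: List[Frame] = field(default_factory=list)
    ubsan_note: Optional[str] = None
    summary_location: Optional[str] = None


def parse_asan_report(text: str) -> AsanReport:
    """Parse the sanitizer text; raises ValueError if no ASAN error line is present."""
    pid = kind = address = access = ubsan = summary_loc = None
    frames: List[Frame] = []
    for line in text.splitlines():
        if (m := ERROR_RE.match(line)):
            pid, kind, address = int(m.group(1)), m.group(2), int(m.group(3), 16)
        elif (m := ACCESS_RE.search(line)):
            access = m.group(1)
        elif (m := FRAME_RE.match(line)):
            frames.append(Frame(int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)))
        elif (m := UBSAN_RE.match(line)):
            ubsan = m.group(1)
        elif (m := SUMMARY_RE.match(line)):
            summary_loc = m.group(1)
    if pid is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return AsanReport(pid, kind, address, access, frames, ubsan, summary_loc)


def classify(report: AsanReport) -> str:
    """Name the bug class. A fault inside the zero page is a NULL pointer plus a
    field offset (here 0x8), i.e. a missing NULL check, not a controlled address."""
    if report.kind == "SEGV" and report.address < PAGE_SIZE:
        acc = (report.access or "unknown").lower()
        return f"null-pointer-dereference ({acc}, offset 0x{report.address:x})"
    return report.kind.lower()


def project_frames(report: AsanReport, root: str) -> List[Frame]:
    """Frames whose source path lies under `root`, keeping the first occurrence of
    each location (radare2's command interpreter recurses, so frames repeat)."""
    seen, out = set(), []
    for f in report.frames:
        if f.location.startswith(root) and f.location not in seen:
            seen.add(f.location)
            out.append(f)
    return out


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(f"pid={r.pid} {classify(r)}; ubsan: {r.ubsan_note}")
    for f in project_frames(r, "/tmp/radare2/"):
        print(f"  #{f.index} {f.function} {f.location}")
```

Run on the excerpt it reports a null-pointer read at offset 0x8 and lists `r_reg_set_profile_string`, `r_anal_set_reg_profile`, `r_anal_use`, `cb_analarch` and `r_config_set` as the in-project frames, which matches the reading that a failed register-profile parse leaves an arena unset and the caller dereferences it.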
enovella commented 5 years ago

Frida version

[0x00000000]> \?V
{"version":"12.6.8"}
enovella commented 5 years ago

FYI -- it crashes only on AVD x86

[03:33 edu@xps radare2] >  r2 frida://spawn/usb//org.nowsecure.cybertruck
 -- We feed trolls
[0x00000000]> \i~arch
arch                arm
[0x00000000]> .\init
Mounted io on /r2f at 0x0
unable to find module containing 0x0
unable to find module containing 0x0
unable to find module containing 0x0
[0x00000000]> DetachReason: FRIDA_SESSION_DETACH_REASON_DEVICE_LOST
[0x00000000]> 
[0x00000000]> q
error: Script is destroyed
[03:33 edu@xps radare2] >  r2 frida://spawn/usb//org.nowsecure.cybertruck
 -- -bash: r2: command not found
[0x00000000]> .\init
r_reg_set_profile_string: Parse error @ line 1 (Invalid register type)
r_reg_set_profile_string: Parse error @ line 1 (Invalid register type)
Segmentation fault (core dumped)
trufae commented 5 years ago

I think I fixed all those crashes yesterday

On 30 Aug 2019, at 03:35, Eduardo Novella notifications@github.com wrote:


enovella commented 5 years ago

Yup, I think so too

https://github.com/nowsecure/r2frida/commit/c73aa28f49615b5d4c51b70d2a59321fd4f9f1a0