nowsecure / r2frida

Radare2 and Frida better together.
MIT License

Problem with Android ARM #78

Closed tanis2000 closed 6 years ago

tanis2000 commented 6 years ago

I managed to get r2frida working on my macOS box but it looks like there's something wrong when attaching to a process on the Android device (ARM 32-bit).

Running something like r2 frida://0658d32xxxxxxx/xxx.domain.myapp actually seems to do something as it's attaching to the frida-server on the device, but I end up with an r2 instance that is at 0x00000000 and has all registers at zero, and it looks like it's not even talking to the remote process.

Is there any way to debug what's going wrong?

Cheers!

trufae commented 6 years ago

That's expected. Frida is not a debugger.

On 17 Nov 2017, at 06:32, Valerio Santinelli notifications@github.com wrote:

tanis2000 commented 6 years ago

Agreed that Frida itself isn't a debugger. But shouldn't it be used by r2frida to let the radare debugger interact with the host frida server running on the device? Otherwise what's the point of r2frida? :-P

trufae commented 6 years ago

When you attach to a process in r2frida you are (by default) only wrapping the IO, that is, reading and writing memory from the target process. You have remote commands accessible via =! (or the \ alias), which may allow you to do some extra stuff, and there's some early debugging support via the debug.io plugin, but Frida is not a debugger, so don't expect to be able to place breakpoints, step into, and things like that.

r2frida provides some basic primitives to do similar things, using the \dr command to list registers of all the threads, or set runtime breakpoints using the \db command, which basically injects an infinite loop at a specific memory address, and more.

The first thing you must do after loading r2frida is running this command: '.\i', so you import the arch/bits configuration from the target into the local r2. But the d commands will not talk with Frida because cfg.debug is false when using r2frida, and because the debug.io plugin is not selected.

See the other \?~^d commands to understand what you can do with the "debugger":

(screenshot of the \?~^d command listing, 24 Nov 2017)

And remember that you have all the \i* subcommands to list classes, methods, addresses of symbols, etc.
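As an added illustration of what trufae describes above (this is example code, not code from this thread or from r2frida itself): a Frida script, written in JavaScript because that is Frida's scripting language, that implements the same kind of "runtime breakpoint" \db is described as using (an infinite loop patched over the instruction at the target address) and then lists every thread's pc and sp the way \dr does. The function names, the rpc.exports wrapper and the loading command `frida -U -n <app> -l loopbp.js` are assumptions of this example; the branch-to-self encodings are the standard ones for each ISA. There is no stepping: a thread that reaches the patched address spins there until the original bytes are written back, which is exactly the limitation the comment above warns about.

```javascript
// Added example (not r2frida code): an infinite-loop "breakpoint" as a plain Frida
// script. A branch-to-self is patched over the instruction at the target address; any
// thread that reaches it spins with its registers intact, and a \dr-style dump of all
// threads then shows it with pc == target. Restoring the saved bytes releases it.

// Little-endian machine code for an unconditional branch to itself, keyed by the
// names Process.arch uses. 'arm' covers A32 (b .) and Thumb (b.n .); the Thumb bit of
// the address decides which one is needed.
function loopEncoding(arch, thumb) {
  switch (arch) {
    case 'arm':   return thumb ? [0xfe, 0xe7]               // b.n .  (0xE7FE)
                               : [0xfe, 0xff, 0xff, 0xea];  // b .    (0xEAFFFFFE)
    case 'arm64': return [0x00, 0x00, 0x00, 0x14];          // b .    (0x14000000)
    case 'ia32':
    case 'x64':   return [0xeb, 0xfe];                      // jmp short $
    default:      throw new Error('unsupported arch: ' + arch);
  }
}

// Given thread records shaped like Process.enumerateThreads() output ({id, context: {pc}}),
// return the ids whose pc sits on the breakpoint. On ARM the Thumb bit is ignored on both
// sides so a Thumb pc still matches. Works on hex strings, so it runs outside Frida too.
function threadsParkedAt(threads, arch, target) {
  const mask = arch === 'arm' ? ~1n : ~0n;
  const want = BigInt(String(target)) & mask;
  return threads
    .filter(t => (BigInt(String(t.context.pc)) & mask) === want)
    .map(t => t.id);
}

const savedBytes = new Map(); // target address (hex string) -> ArrayBuffer of original code

// Frida-only: patch the loop in, remembering the bytes it replaces.
function setLoopBreakpoint(address) {
  const arch = Process.arch;
  const p = ptr(address);
  const thumb = arch === 'arm' && p.and(1).toInt32() === 1; // odd address = Thumb code
  const target = thumb ? p.sub(1) : p;
  const code = loopEncoding(arch, thumb);
  savedBytes.set(target.toString(), target.readByteArray(code.length));
  Memory.patchCode(target, code.length, w => w.writeByteArray(code)); // handles W^X + icache
  return target;
}

// Frida-only: put the original instruction back; a parked thread continues from it.
function clearLoopBreakpoint(address) {
  const target = ptr(address);
  const orig = savedBytes.get(target.toString());
  if (orig === undefined) throw new Error('no breakpoint at ' + target);
  Memory.patchCode(target, orig.byteLength, w => w.writeByteArray(orig));
  savedBytes.delete(target.toString());
}

// Frida-only, \dr-style: state and pc/sp of every thread, flagging those on a breakpoint.
function dumpThreads() {
  const threads = Process.enumerateThreads();
  const parked = new Set();
  for (const key of savedBytes.keys()) {
    for (const id of threadsParkedAt(threads, Process.arch, key)) parked.add(id);
  }
  return threads.map(t => ({
    id: t.id, state: t.state,
    pc: t.context.pc.toString(), sp: t.context.sp.toString(),
    parked: parked.has(t.id),
  }));
}

// Only when loaded by Frida (e.g. `frida -U -n <app> -l loopbp.js`, an assumed invocation):
// expose the helpers so the host side can drive them over RPC.
if (typeof Process !== 'undefined') {
  rpc.exports = {
    set: a => setLoopBreakpoint(a).toString(),
    clear: clearLoopBreakpoint,
    threads: dumpThreads,
  };
}
```

Two practical caveats. The patch is 2 or 4 bytes, so the original instruction at the target must be at least that long (on Thumb, overwriting only the first halfword of a 32-bit instruction is still safe, because the loop never executes the second halfword, and the restore writes back exactly what was saved). And a parked thread is burning CPU in a tight loop, not suspended, so a watchdog or ANR on Android can decide the app is hung; write the bytes back promptly once the registers have been read. In an r2frida session you would still run .\i first so that local disassembly and register widths match the ARM target.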

tanis2000 commented 6 years ago

Thanks a lot for the explanation. It did shed some light on what can be accomplished with r2frida and what the limits are. Cheers!