sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

java.lang.NoClassDefFoundError: Failed resolution of: Lorg/apache/http/HttpResponse #280

Closed himalr closed 4 years ago

himalr commented 5 years ago

Description I'm getting an exception (see below) when trying to list class methods of the "com.android.volley.toolbox.HurlStack" class from an android app.

Please let me know if you need the name of the app in question. I'm going to redact it for now.

Expected behavior It should list the available methods of the HurlStack class.

Evidence / Logs

// Command I used
android hooking list class_methods "com.android.volley.toolbox.HurlStack"

// Output (with --debug option)

An unexpected internal exception has occurred. If this looks like a code related error, please file a bug report!
- [incoming message] ------------------
script is destroyed "process-terminated"
- [./incoming message] ----------------
(session detach message) process-terminated
Python stack trace: Traceback (most recent call last):
  File "c:\users\[REDACTED]\appdata\local\programs\python\python37\lib\site-packages\objection\console\repl.py", line 371, in start_repl
    self.run_command(document)
  File "c:\users\[REDACTED]\appdata\local\programs\python\python37\lib\site-packages\objection\console\repl.py", line 185, in run_command
    exec_method(arguments)
  File "c:\users\[REDACTED]\appdata\local\programs\python\python37\lib\site-packages\objection\commands\android\hooking.py", line 85, in show_android_class_methods
    methods = api.android_hooking_get_class_methods(class_name)
  File "c:\users\[REDACTED]\appdata\local\programs\python\python37\lib\site-packages\frida\core.py", line 401, in method
    return script._rpc_request('call', js_name, args, **kwargs)
  File "c:\users\[REDACTED]\appdata\local\programs\python\python37\lib\site-packages\frida\core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "c:\users\[REDACTED]\appdata\local\programs\python\python37\lib\site-packages\frida\core.py", line 327, in _rpc_request
    raise result[2]
frida.InvalidOperationError: script is destroyed
(process crash report)

        *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/sdk_gphone_x86_64/generic_x86_64:9/PSR1.180720.093/5456446:userdebug/dev-keys'
Revision: '0'
ABI: 'x86_64'
pid: 4831, tid: 4849, name: Thread-28  >>> com.[REDACTED].android <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'java_vm_ext.cc:542] JNI DETECTED ERROR IN APPLICATION: JNI GetArrayLength called with pending exception java.lang.NoClassDefFoundError: Failed resolution of: Lorg/apache/http/HttpResponse;'
    rax 0000000000000000  rbx 00000000000012f1  rcx 00007aba73129b98  rdx 0000000000000006
    r8  00007ab9eb0635c0  r9  00007ab9eb0635c0  r10 00007ab9eb0635c0  r11 0000000000000246
    r12 00007ab9d967a598  r13 00007ab9d967a598  r14 00000000000012df  r15 00007ab9d96794a8
    rdi 00000000000012df  rsi 00000000000012f1
    rbp 00007ab9eb13c400  rsp 00007ab9d9679498  rip 00007aba73129b98

backtrace:
    #00 pc 0000000000026b98  /system/lib64/libc.so (offset 0x26000) (syscall+24)
    #01 pc 0000000000029775  /system/lib64/libc.so (offset 0x29000) (abort+101)
    #02 pc 0000000000000412  <anonymous:00007aba71b21000>

Environment:

Additional context I was trying to bypass certificate validation (SSL pinning) and noticed this issue. I was able to do that using a different approach, but wanted to report this in case it's due to some bug in objection itself.

I'm fairly new to Android development, but it looks like they removed the Apache HTTP client? And this app has some references to it? But shouldn't the app crash immediately then? Or maybe they implemented some protection? Also, I can still list methods of other classes (not all) in the same namespace, such as "com.android.volley.toolbox.ImageRequest".

Please let me know if you need any additional details. Thanks for the great tool btw.
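Editor's note, added example (not code from this thread, from objection or from Frida): the question above about the removed Apache HTTP client can be answered from a decompiled copy of the APK. On Android 9 (the emulator in the crash dump runs API 28) org.apache.http.* is no longer on the boot classpath, and an app targeting API 28 or later only gets it back by declaring `<uses-library android:name="org.apache.http.legacy" android:required="false"/>` inside `<application>`. The app does not crash on its own because ART resolves referenced classes lazily; `getDeclaredMethods()` forces resolution of every parameter and return type at once, which is why reflecting on HurlStack fails while ImageRequest works. The script below runs that check over a decoded manifest plus Java/Smali sources (the layout apktool or jadx write out is an assumption). The manifest, the HurlStack/ImageRequest/Net sources and the `com.example.app` package name are constructed so it runs offline.

```python
"""Check whether an app that still references the legacy Apache HTTP client
declares the org.apache.http.legacy shared library in its manifest.

Added example; not code from the issue thread, objection or Frida. Input is a
decompiler's output: a decoded AndroidManifest.xml and .java/.smali sources.
The sample manifest and sources below are constructed.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LEGACY_LIB = "org.apache.http.legacy"
# Fully qualified org.apache.http.* names in Java (dots) or Smali (slashes).
APACHE_REF = re.compile(r"org[./]apache[./]http[./]\w[\w./$]*")


def manifest_facts(manifest_xml: str) -> dict:
    """targetSdkVersion and whether org.apache.http.legacy is declared."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = sdk.get(f"{{{ANDROID_NS}}}targetSdkVersion") if sdk is not None else None
    legacy = None
    for lib in root.iter("uses-library"):
        if lib.get(f"{{{ANDROID_NS}}}name") == LEGACY_LIB:
            legacy = lib.get(f"{{{ANDROID_NS}}}required", "true")
    return {
        "target_sdk": int(target) if target is not None else None,
        "legacy_declared": legacy is not None,
        "legacy_required": (legacy == "true") if legacy is not None else None,
    }


def apache_references(src_dir: str) -> dict:
    """Map each .java/.smali file under src_dir to the org.apache.http names it uses."""
    hits = {}
    for dirpath, _, files in os.walk(src_dir):
        for name in sorted(files):
            if not name.endswith((".java", ".smali")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = {m.replace("/", ".") for m in APACHE_REF.findall(fh.read())}
            if found:
                hits[os.path.relpath(path, src_dir).replace(os.sep, "/")] = sorted(found)
    return hits


def assess(manifest_xml: str, src_dir: str) -> dict:
    """Flag the combination behind the crash: code references the legacy client,
    the app targets API 28+, and the manifest never requests the library."""
    facts = manifest_facts(manifest_xml)
    facts["references"] = apache_references(src_dir)
    facts["at_risk"] = (bool(facts["references"]) and not facts["legacy_declared"]
                        and (facts["target_sdk"] or 0) >= 28)
    return facts


def with_legacy_library(manifest_xml: str) -> str:
    """Return the manifest with the uses-library declaration added to <application>."""
    ET.register_namespace("android", ANDROID_NS)
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        app = ET.SubElement(root, "application")
    lib = ET.SubElement(app, "uses-library")
    lib.set(f"{{{ANDROID_NS}}}name", LEGACY_LIB)
    lib.set(f"{{{ANDROID_NS}}}required", "false")
    return ET.tostring(root, encoding="unicode")


# Constructed sample: an API 28 app without the declaration.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <application android:label="demo"></application>
</manifest>"""

# Constructed sources: one Java class whose signature uses HttpResponse (as the
# reflection failure in the thread implies for HurlStack), one clean class, one
# Smali method descriptor.
SAMPLE_SOURCES = {
    "com/android/volley/toolbox/HurlStack.java":
        "package com.android.volley.toolbox;\nimport org.apache.http.HttpResponse;\n"
        "public class HurlStack { HttpResponse performRequest() { return null; } }\n",
    "com/android/volley/toolbox/ImageRequest.java":
        "package com.android.volley.toolbox;\npublic class ImageRequest { }\n",
    "com/example/Net.smali":
        ".class public Lcom/example/Net;\n"
        ".method public get()Lorg/apache/http/HttpResponse;\n.end method\n",
}


def write_sample_sources() -> str:
    """Write the constructed sources into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="apache_http_check_")
    for rel, text in SAMPLE_SOURCES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    src = write_sample_sources()
    print(assess(SAMPLE_MANIFEST, src))
    print(assess(with_legacy_library(SAMPLE_MANIFEST), src)["at_risk"])
```

Point the two functions at `apktool d` output (`AndroidManifest.xml` plus the `smali*/` trees) or at jadx's `sources/` directory. A non-empty `references` together with `at_risk` true explains a `NoClassDefFoundError` for `org.apache.http.*` on API 28+ devices without any obfuscation being involved.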

leonjza commented 5 years ago

Could you try and run the following script using just the vanilla Frida command line tool?

Java.perform(function() {
  var clazz = Java.use("com.android.volley.toolbox.HurlStack");
  console.log(clazz.class.getDeclaredMethods());
});

Out of curiosity, what was your different approach? Does it make sense to add this to objection? :)

himalr commented 5 years ago

Thanks for the response. I used following snippet to test it.

import sys
import frida


def on_message(message, data):
    # Print anything the script sends back (console output, errors) on the host side.
    print(message)


jscode = '''
Java.perform(function() {
  var clazz = Java.use("com.android.volley.toolbox.HurlStack");
  console.log(clazz.class.getDeclaredMethods());
});
'''

process = frida.get_usb_device().attach('com.[REDACTED].android')
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Running CTF')
script.load()
sys.stdin.read()

It shows the following output after a while and then the app crashes.

[*] Running CTF
Traceback (most recent call last):
  File ".\bypass.py", line 57, in <module>
    script.load()
  File "C:\Users\[REDACTED]\AppData\Local\Programs\Python\Python37\lib\site-packages\frida\core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "C:\Users\[REDACTED]\AppData\Local\Programs\Python\Python37\lib\site-packages\frida\core.py", line 254, in load
    self._impl.load()
frida.TransportError: timeout was reached

However, if I use something like "com.android.volley.toolbox.ImageRequest", then I get the following output.

private com.android.volley.Response com.android.volley.toolbox.ImageRequest.doParse(com.android.volley.NetworkResponse) ...

So maybe I should report this to frida instead ?

I'm not sure whether my approach will be useful for this script or not. The app has a helpful function, which I assume is for debugging purposes, that returns an unsecured "SSLSocketFactory". I just pass that to the "setDefaultSSLSocketFactory" function.

leonjza commented 5 years ago

So maybe I should report this to frida instead ?

As a last test, try and just connect the Frida cli with something like frida -U com.[REDACTED].android (making sure the app is resumed and not paused) and pasting Java.perform(function() { var clazz = Java.use("com.android.volley.toolbox.HurlStack"); }); straight into the REPL.

From the original report I suspect the use() part is failing for you. If you get similar errors in the Frida REPL then it makes more sense to debug the Frida component.

I'm not sure whether my approach will be useful for this script or not. The app has a helpful function, which I assume is for debugging purposes, that returns an unsecured "SSLSocketFactory". I just pass that to the "setDefaultSSLSocketFactory" function.

Fair enough!

himalr commented 5 years ago

Can I just open an issue there and reference this issue ?

Here's the output of that command.

Process crashed: Trace/BPT trap
****** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/sdk_gphone_x86_64/generic_x86_64:9/PSR1.180720.093/5456446:userdebug/dev-keys'
Revision: '0'
ABI: 'x86_64'
pid: 6243, tid: 6555, name: Thread-18  >>> com.[REDACTED].android <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'java_vm_ext.cc:542] JNI DETECTED ERROR IN APPLICATION: JNI GetArrayLength called with pending exception java.lang.NoClassDefFoundError: Failed resolution of: Lorg/apache/http/HttpResponse;'
    rax 0000000000000000  rbx 000000000000199b  rcx 00007b1c04f27b98  rdx 0000000000000006
    r8  00007b1b668aebc0  r9  00007b1b668aebc0  r10 00007b1b668aebc0  r11 0000000000000246
    r12 00007b1b626d2598  r13 00007b1b626d2598  r14 0000000000001863  r15 00007b1b626d1148
    rdi 0000000000001863  rsi 000000000000199b
    rbp 00007b1b788b9800  rsp 00007b1b626d1138  rip 00007b1c04f27b98

backtrace:
    #00 pc 0000000000026b98  /system/lib64/libc.so (offset 0x26000) (syscall+24)
    #01 pc 0000000000029775  /system/lib64/libc.so (offset 0x29000) (abort+101)
    #02 pc 000000000000021b  <anonymous:00007b1c05abe000>
***

Here's the relevant stack trace I got from logcat.

10-10 05:21:39.223  5185  5506 F [REDACTED].androi: runtime.cc:558] Aborting thread:
10-10 05:21:39.223  5185  5506 F [REDACTED].androi: runtime.cc:558] "Thread-36" prio=10 tid=13 Native
10-10 05:21:39.223  5185  5506 F [REDACTED].androi: runtime.cc:558]   | group="" sCount=0 dsCount=0 flags=0 obj=0x135c0000 self=0x7b1b802f0000
10-10 05:21:39.223  5185  5506 F [REDACTED].androi: runtime.cc:558]   | sysTid=5506 nice=-10 cgrp=default sched=0/0 handle=0x7b1b626c94f0
10-10 05:21:39.223  5185  5506 F [REDACTED].androi: runtime.cc:558]   | state=R schedstat=( 168766190 2224187 141 ) utm=12 stm=4 core=1 HZ=100
10-10 05:21:39.223  5185  5506 F [REDACTED].androi: runtime.cc:558]   | stack=0x7b1b625ce000-0x7b1b625d0000 stackSize=1009KB
10-10 05:21:39.223  5185  5506 F [REDACTED].androi: runtime.cc:558]   | held mutexes= "abort lock"
10-10 05:21:39.223  5185  5506 F [REDACTED].androi: runtime.cc:558]   native: #00 pc 0000000000403e33  /system/lib64/libart.so (offset a9000) (art::DumpNativeStack(std::__1::basic_ostream<char, std::__1::char_traits<char>>&, int, BacktraceMap*, char const*, art::ArtMethod*, void*, bool)+227)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   native: #29 pc 000000000013eb38  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   native: #30 pc 00000000001ac6be  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   native: #31 pc 00000000001ac966  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   native: #32 pc 00000000001acad5  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   native: #33 pc 0000000000227f88  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   native: #34 pc 00000000001b77c9  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   native: #35 pc 0000000000092bab  /system/lib64/libc.so (offset 7f000) (__pthread_start(void*)+27)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   native: #36 pc 000000000002af2d  /system/lib64/libc.so (offset 2a000) (__start_thread+61)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   (no managed stack frames)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558] Pending exception java.lang.NoClassDefFoundError: Failed resolution of: Lorg/apache/http/HttpResponse;
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   at java.lang.Class java.lang.reflect.Executable.getMethodReturnTypeInternal() (Executable.java:-2)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   at java.lang.Class java.lang.reflect.Method.getReturnType() (Method.java:148)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   at java.lang.reflect.Method[] java.lang.Class.getDeclaredMethods() (Class.java:1880)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558] Caused by: java.lang.ClassNotFoundException: Didn't find class "org.apache.http.HttpResponse" on path: DexPathList[[zip file "/data/app/com.[REDACTED].android-fjMTUPUFNaR7sFFtU4WaZA==/base.apk"],nativeLibraryDirectories=[/data/app/com.[REDACTED].android-fjMTUPUFNaR7sFFtU4WaZA==/lib/x86_64, /system/lib64]]
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   at java.lang.Class dalvik.system.BaseDexClassLoader.findClass(java.lang.String) (BaseDexClassLoader.java:134)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   at java.lang.Class java.lang.ClassLoader.loadClass(java.lang.String, boolean) (ClassLoader.java:379)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   at java.lang.Class java.lang.ClassLoader.loadClass(java.lang.String) (ClassLoader.java:312)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   at java.lang.Class java.lang.reflect.Executable.getMethodReturnTypeInternal() (Executable.java:-2)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   at java.lang.Class java.lang.reflect.Method.getReturnType() (Method.java:148)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558]   at java.lang.reflect.Method[] java.lang.Class.getDeclaredMethods() (Class.java:1880)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:558] 
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:566] JNI DETECTED ERROR IN APPLICATION: JNI GetArrayLength called with pending exception java.lang.NoClassDefFoundError: Failed resolution of: Lorg/apache/http/HttpResponse;
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:566]   at java.lang.Class java.lang.reflect.Executable.getMethodReturnTypeInternal() (Executable.java:-2)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:566]   at java.lang.Class java.lang.reflect.Method.getReturnType() (Method.java:148)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:566]   at java.lang.reflect.Method[] java.lang.Class.getDeclaredMethods() (Class.java:1880)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:566] Caused by: java.lang.ClassNotFoundException: Didn't find class "org.apache.http.HttpResponse" on path: DexPathList[[zip file "/data/app/com.[REDACTED].android-fjMTUPUFNaR7sFFtU4WaZA==/base.apk"],nativeLibraryDirectories=[/data/app/com.[REDACTED].android-fjMTUPUFNaR7sFFtU4WaZA==/lib/x86_64, /system/lib64]]
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:566]   at java.lang.Class dalvik.system.BaseDexClassLoader.findClass(java.lang.String) (BaseDexClassLoader.java:134)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:566]   at java.lang.Class java.lang.ClassLoader.loadClass(java.lang.String, boolean) (ClassLoader.java:379)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:566]   at java.lang.Class java.lang.ClassLoader.loadClass(java.lang.String) (ClassLoader.java:312)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:566]   at java.lang.Class java.lang.reflect.Executable.getMethodReturnTypeInternal() (Executable.java:-2)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:566]   at java.lang.Class java.lang.reflect.Method.getReturnType() (Method.java:148)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:566]   at java.lang.reflect.Method[] java.lang.Class.getDeclaredMethods() (Class.java:1880)
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:566] 
10-10 05:21:39.224  5185  5506 F [REDACTED].androi: runtime.cc:566]     in call to GetArrayLength
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #15 pc 000000000027a8ed  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #16 pc 000000000026a6e4  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #17 pc 000000000027a875  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #18 pc 000000000027bd96  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #19 pc 000000000027b168  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #20 pc 000000000027a8ed  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #21 pc 000000000024995f  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #22 pc 0000000000249ae1  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #23 pc 00000000002498dd  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #24 pc 000000000022f140  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #25 pc 000000000022edf1  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #26 pc 000000000013eb38  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #27 pc 00000000001ac6be  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #28 pc 00000000001ac966  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #29 pc 00000000001acad5  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #30 pc 0000000000227f88  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #31 pc 00000000001b77c9  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #32 pc 0000000000092bab  /system/lib64/libc.so (offset 7f000) (__pthread_start(void*)+27)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   native: #33 pc 000000000002af2d  /system/lib64/libc.so (offset 2a000) (__start_thread+61)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566]   (no managed stack frames)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566] 
--------- beginning of crash
10-10 05:21:39.228  5185  5506 F libc    : Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 5506 (Thread-36), pid 5185 ([REDACTED].android)
10-10 05:21:39.225  5185  5506 F [REDACTED].androi: runtime.cc:566] 
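Editor's note, added example (not from this thread, objection or Frida): the logcat above contains everything needed to separate the immediate cause of the abort (a JNI `GetArrayLength` call made while a Java exception was pending, with frida-agent on the native stack) from the root cause (`org.apache.http.HttpResponse` not being on the app's `DexPathList`). The script below automates that reading of an ART `runtime.cc` dump. The sample log is constructed from the lines quoted above with the package name replaced by `app.android`, the install path shortened and most frames dropped; real input is raw `adb logcat` output.

```python
"""Triage an ART abort captured from logcat after an instrumentation script
crashed the target process.

Added example; not code from the issue thread, objection or Frida. The sample
log is constructed from the lines quoted in the thread.
"""
import re

JNI_ERROR = re.compile(
    r"JNI DETECTED ERROR IN APPLICATION: JNI (\w+) called with pending exception "
    r"([\w.$]+): (.*)$")
CAUSED_BY = re.compile(
    r"Caused by: ([\w.$]+): Didn't find class \"([^\"]+)\" on path: DexPathList\[\[(.*?)\]")
MANAGED_FRAME = re.compile(r"\bat \S+ ([\w.$<>]+)\(.*?\) \(([\w.]+):(-?\d+)\)")
NATIVE_FRAME = re.compile(r"native: #\d+ pc [0-9a-f]+\s+(\S+)")
FATAL = re.compile(
    r"Fatal signal (\d+) \((\w+)\), code (-?\d+) \((\w+)\) in tid (\d+) \(([^)]*)\), pid (\d+)")


def triage(logcat: str) -> dict:
    """Extract which JNI call was made with an exception pending, what the
    exception was, which class failed to load and from which classpath, and
    which native modules were on the aborting thread's stack."""
    facts = {
        "jni_call": None, "pending_exception": None, "detail": None,
        "missing_class": None, "dex_paths": [], "managed_frames": [],
        "native_modules": [], "frida_on_stack": False, "signal": None,
    }
    for line in logcat.splitlines():
        m = JNI_ERROR.search(line)
        if m and facts["jni_call"] is None:
            facts["jni_call"], facts["pending_exception"], facts["detail"] = m.groups()
            continue
        m = CAUSED_BY.search(line)
        if m and facts["missing_class"] is None:
            facts["missing_class"] = m.group(2)
            facts["dex_paths"] = re.findall(r'"([^"]+)"', m.group(3))
            continue
        m = MANAGED_FRAME.search(line)
        if m:
            frame = f"{m.group(1)} ({m.group(2)}:{m.group(3)})"
            if frame not in facts["managed_frames"]:
                facts["managed_frames"].append(frame)
            continue
        m = NATIVE_FRAME.search(line)
        if m:
            module = m.group(1)
            if module not in facts["native_modules"]:
                facts["native_modules"].append(module)
            if "frida-agent" in module:
                facts["frida_on_stack"] = True
            continue
        m = FATAL.search(line)
        if m:
            facts["signal"] = {"number": int(m.group(1)), "name": m.group(2),
                               "tid": int(m.group(5)), "thread": m.group(6),
                               "pid": int(m.group(7))}
    return facts


def summary(facts: dict) -> str:
    """One-line verdict separating the aborting JNI call from the root cause."""
    if facts["jni_call"] and facts["pending_exception"]:
        who = "the instrumentation agent" if facts["frida_on_stack"] else "native code"
        missing = facts["missing_class"] or "an unresolvable class"
        return (f"{who} called JNI {facts['jni_call']} while {facts['pending_exception']} "
                f"was pending; root cause: {missing} is not on the app classpath")
    if facts["signal"]:
        return f"process died with {facts['signal']['name']} in {facts['signal']['thread']}; no JNI error recorded"
    return "no abort found in the log"


# Constructed sample, condensed from the thread's logcat with the package renamed.
SAMPLE_LOGCAT = """\
10-10 05:21:39.223  5185  5506 F app.androi: runtime.cc:558] Aborting thread:
10-10 05:21:39.223  5185  5506 F app.androi: runtime.cc:558] "Thread-36" prio=10 tid=13 Native
10-10 05:21:39.223  5185  5506 F app.androi: runtime.cc:558]   native: #00 pc 0000000000403e33  /system/lib64/libart.so (offset a9000) (art::DumpNativeStack(...)+227)
10-10 05:21:39.224  5185  5506 F app.androi: runtime.cc:558]   native: #29 pc 000000000013eb38  /data/local/tmp/re.frida.server/frida-agent-64.so (???)
10-10 05:21:39.224  5185  5506 F app.androi: runtime.cc:558]   native: #35 pc 0000000000092bab  /system/lib64/libc.so (offset 7f000) (__pthread_start(void*)+27)
10-10 05:21:39.224  5185  5506 F app.androi: runtime.cc:566] JNI DETECTED ERROR IN APPLICATION: JNI GetArrayLength called with pending exception java.lang.NoClassDefFoundError: Failed resolution of: Lorg/apache/http/HttpResponse;
10-10 05:21:39.224  5185  5506 F app.androi: runtime.cc:566]   at java.lang.Class java.lang.reflect.Executable.getMethodReturnTypeInternal() (Executable.java:-2)
10-10 05:21:39.224  5185  5506 F app.androi: runtime.cc:566]   at java.lang.Class java.lang.reflect.Method.getReturnType() (Method.java:148)
10-10 05:21:39.224  5185  5506 F app.androi: runtime.cc:566]   at java.lang.reflect.Method[] java.lang.Class.getDeclaredMethods() (Class.java:1880)
10-10 05:21:39.224  5185  5506 F app.androi: runtime.cc:566] Caused by: java.lang.ClassNotFoundException: Didn't find class "org.apache.http.HttpResponse" on path: DexPathList[[zip file "/data/app/app.android-1/base.apk"],nativeLibraryDirectories=[/data/app/app.android-1/lib/x86_64, /system/lib64]]
10-10 05:21:39.224  5185  5506 F app.androi: runtime.cc:566]   at java.lang.Class dalvik.system.BaseDexClassLoader.findClass(java.lang.String) (BaseDexClassLoader.java:134)
10-10 05:21:39.224  5185  5506 F app.androi: runtime.cc:566]     in call to GetArrayLength
10-10 05:21:39.228  5185  5506 F libc    : Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 5506 (Thread-36), pid 5185 (app.android)
"""

if __name__ == "__main__":
    print(summary(triage(SAMPLE_LOGCAT)))
```

Feed it `adb logcat -d` captured right after the crash; the managed frames show exactly which reflective call tripped the resolution, and `dex_paths` tells you which APK (and therefore which manifest) to inspect for the missing class.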
leonjza commented 5 years ago

Can I just open an issue there and reference this issue ?

Absolutely!

ghost commented 5 years ago

The error frida.TransportError: timeout was reached is thrown when you execute a long-running operation in the main thread. Therefore you should execute the operation in an asynchronous manner, through setTimeout():

import sys
import frida


def on_message(message, data):
    # Print anything the script sends back (console output, errors) on the host side.
    print(message)


jscode = '''
Java.perform(function() {
  var clazz = Java.use("com.android.volley.toolbox.HurlStack");

  setTimeout(function() {
    // Nested Java.perform().
    Java.perform(function() {
      console.log(clazz.class.getDeclaredMethods()); // long running operation
    });
  }, 0);
});
'''

process = frida.get_usb_device().attach('com.[REDACTED].android')
script = process.create_script(jscode)
script.on('message', on_message)
print('[*] Running CTF')
script.load()
sys.stdin.read()

It seems that the org.apache.http.HttpResponse class was name-mangled (obfuscated) to something like org.apache.http.abc by ProGuard. What about disassembling your apk with jadx? If that is the case, you can find the mangled class name.

himalr commented 5 years ago

@srcdes Unfortunately, I still got the same stack trace with that command.

I don't think it's name-mangled, because I can see them listed as follows:

import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.ProtocolVersion;