sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

[bug] objection explore crash, missing frida ping method #377

Closed nbeguier closed 4 years ago

nbeguier commented 4 years ago

Describe the bug: objection crashes during objection explore

To Reproduce (steps to reproduce the behavior):

  1. Run command objection -d patchapk --source example.apk
  2. Run command adb install example.objection.apk
  3. Launch the apk on the device
  4. Run command objection explore

Expected behavior: No crash during exploration

Evidence / Logs / Screenshots: With a previously patched apk (two weeks ago, with objection at 1.9.1 and frida at 12.8.20). In this example, objection is at 1.9.2 and frida at 12.9.3:

# The old patched apk
$ objection --debug  explore
[debug] Agent path is: /home/me/.local/lib/python3.8/site-packages/objection/agent.js
[debug] Injecting agent...
Using USB device `HUAWEI VNS L31`
[debug] Attempting to attach to process: `Gadget`
[debug] Process attached!
Agent injected and responds ok!

     _   _         _   _
 ___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_|  _|  _| | . |   |
|___|___| |___|___|_| |_|___|_|_|
      |___|(object)inject(ion) v1.9.2

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.example on (HUAWEI: 7.0) [usb] #
# The patched apk with latest version
$ objection --debug  explore
[debug] Agent path is: /home/me/.local/lib/python3.8/site-packages/objection/agent.js
[debug] Injecting agent...
Using USB device `HUAWEI VNS L31`
[debug] Attempting to attach to process: `Gadget`
[debug] Process attached!
- [incoming message] ------------------
{
  "columnNumber": 1,
  "description": "TypeError: cannot read property 'objc_lookUpClass' of null",
  "fileName": "/_objc.js",
  "lineNumber": 1499,
  "stack": "TypeError: cannot read property 'objc_lookUpClass' of null\n    at [anon] (../../../frida-gum/bindings/gumjs/duktape.c:59225)\n    at a (frida/node_modules/frida-objc-bridge/index.js:295)\n    at frida/node_modules/frida-objc-bridge/index.js:244\n    at src/ios/lib/helpers.ts:9\n    at o (node_modules/browser-pack/_prelude.js:1)\n    at src/generic/environment.ts:5\n    at o (node_modules/browser-pack/_prelude.js:1)\n    at src/rpc/environment.ts:1\n    at o (node_modules/browser-pack/_prelude.js:1)\n    at src/index.ts:6\n    at o (node_modules/browser-pack/_prelude.js:1)\n    [...]",
  "type": "error"
}
- [./incoming message] ----------------
Traceback (most recent call last):
  File "/home/me/.local/bin/objection", line 8, in <module>
    sys.exit(cli())
  File "/home/me/.local/lib/python3.8/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/home/me/.local/lib/python3.8/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/home/me/.local/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/me/.local/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/me/.local/lib/python3.8/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/home/me/.local/lib/python3.8/site-packages/objection/console/cli.py", line 114, in explore
    agent.inject()
  File "/home/me/.local/lib/python3.8/site-packages/objection/utils/agent.py", line 212, in inject
    if not self.exports().ping():
  File "/home/me/.local/lib/python3.8/site-packages/frida/core.py", line 401, in method
    return script._rpc_request('call', js_name, args, **kwargs)
  File "/home/me/.local/lib/python3.8/site-packages/frida/core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "/home/me/.local/lib/python3.8/site-packages/frida/core.py", line 333, in _rpc_request
    raise result[2]
frida.core.RPCException: unable to find method 'ping'
Asking jobs to stop...
Unloading objection agent...
[debug] Calling unload()

Environment:

Application: Not possible with this one, but if you give me one I can do it :+1:

Additional context: I've tried to downgrade frida and objection but it's still not working
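A triage helper for the debug output quoted in the report above, as an added example that is not part of the original report or of objection's code. It assumes, as the stack trace suggests, that an error raised while the agent script loads leaves its RPC exports unregistered; `triage`, `SAMPLE_LOG` and the verdict strings are hypothetical names.

```python
import json
import re

# Constructed sample: an abridged copy of the failing run quoted in this issue.
SAMPLE_LOG = """\
[debug] Injecting agent...
[debug] Process attached!
- [incoming message] ------------------
{
  "description": "TypeError: cannot read property 'objc_lookUpClass' of null",
  "fileName": "/_objc.js",
  "lineNumber": 1499,
  "type": "error"
}
- [./incoming message] ----------------
Traceback (most recent call last):
frida.core.RPCException: unable to find method 'ping'
"""

MESSAGE_RE = re.compile(
    r"^- \[incoming message\] -+\n(.*?)\n^- \[\./incoming message\] -+$",
    re.S | re.M)
RPC_RE = re.compile(
    r"^frida\.core\.RPCException: unable to find method '(\w+)'$", re.M)

def triage(log):
    """Return (agent_errors, missing_method, verdict) for `objection --debug` output."""
    errors = []
    for body in MESSAGE_RE.findall(log):
        try:
            msg = json.loads(body)
        except ValueError:
            continue  # block is not valid JSON (e.g. a truncated paste); skip it
        if isinstance(msg, dict) and msg.get("type") == "error":
            errors.append(msg.get("description", ""))
    rpc = RPC_RE.search(log)
    missing = rpc.group(1) if rpc else None
    if errors and missing:
        # Assumption: the agent error came first, so the RPC failure is a symptom.
        verdict = "agent failed to load; missing RPC method is a symptom"
    elif missing:
        verdict = "RPC method missing with no agent error logged"
    elif errors:
        verdict = "agent reported an error but no RPC failure followed"
    else:
        verdict = "no failure found"
    return errors, missing, verdict

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Feeding it a full `objection --debug explore` capture separates the agent-side error from the host-side `RPCException`, which is the pair to include when reporting a gadget/agent incompatibility.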

leonjza commented 4 years ago

I think this is a regression/change in the latest Frida. Could you patch with a 12.8.x version gadget and test?

nbeguier commented 4 years ago

You are totally right, I thought it was my local frida version used when I downgraded it, but not really.

$ objection -d patchapk -V 12.8.20  --source example.apk

It works well then :wink:

leonjza commented 4 years ago

Thanks for the feedback. I'll check what updates need to happen in the agent to prevent this soon.

leonjza commented 4 years ago

My current suspect is it's probably this line.

cc-sir commented 4 years ago

Don't use the frida-server of 12.9.4, and if you use 12.8.20, objection can work!

mastercho commented 4 years ago

Same issue here: updated frida-server to 12.9.4 and objection throws the same error and makes the Nexus 5 reboot.

leonjza commented 4 years ago

Just to confirm, I can replicate this locally. Working on a fix.

leonjza commented 4 years ago

Will be fixed in the next release later tonight.