sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

App says it has to be reinstalled and getting exception in objection #397

Closed rkba closed 4 years ago

rkba commented 4 years ago

Describe the bug A clear and concise description of what the bug is.

To Reproduce Just do objection --debug --gadget "*****" explore

The app ... is missing required components and must be reinstalled from the Google Play Store.

Similar issues see "Application"

Expected behavior A clear and concise description of what you expected to happen.

Evidence / Logs / Screenshots Any output from objection, such as stack traces or errors that occurred. Be sure to run objection with the --debug flag so that errors from the agent are verbose enough to debug. For example:

[debug] Agent path is: /usr/local/lib/python3.8/site-packages/objection/agent.js
[debug] Injecting agent...
Using USB device `SM ****`
[debug] Attempting to attach to process: `****`
[debug] Unable to find process: `****`, attempting spawn
[debug] PID `18316` spawned, attaching...
[debug] Resuming PID `18316`
Agent injected and responds ok!
Traceback (most recent call last):
  File "/usr/local/bin/objection", line 11, in <module>
    load_entry_point('objection==1.9.5', 'console_scripts', 'objection')()
  File "/usr/lib/python3.8/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/usr/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/lib/python3.8/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/objection/console/cli.py", line 156, in explore
    device_info = get_device_info()
  File "/usr/local/lib/python3.8/site-packages/objection/commands/device.py", line 41, in get_device_info
    package_info = api.env_android()
  File "/usr/local/lib64/python3.8/site-packages/frida/core.py", line 401, in method
    return script._rpc_request('call', js_name, args, **kwargs)
  File "/usr/local/lib64/python3.8/site-packages/frida/core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "/usr/local/lib64/python3.8/site-packages/frida/core.py", line 316, in _rpc_request
    self.post(message)
  File "/usr/local/lib64/python3.8/site-packages/frida/core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "/usr/local/lib64/python3.8/site-packages/frida/core.py", line 267, in post
    self._impl.post(raw_message, **kwargs)
frida.TransportError: the connection is closed
Asking jobs to stop...
Unloading objection agent...
[debug] Calling unload()

Environment (please complete the following information):

Application I can find some split config in the data dir of the app, so maybe it is related to #358? Does objection crash if it tries to use a split APK?

rkba commented 4 years ago

Even when using patch-apk this fails with this exception:

Unable to determine the launchable activity using aapt, trying to manually parse the AndroidManifest for activity aliases...
Cannot manually parse the AndroidManifest.xml when --skip-resources is set, remove this and try again.
Traceback (most recent call last):
  File "/usr/local/bin/objection", line 8, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/objection/console/cli.py", line 371, in patchapk
    patch_android_apk(**locals())
  File "/usr/local/lib/python3.7/site-packages/objection/commands/mobile_packages.py", line 200, in patch_android_apk
    patcher.inject_load_library(target_class=target_class)
  File "/usr/local/lib/python3.7/site-packages/objection/utils/patchers/android.py", line 782, in inject_load_library
    target_class if target_class else self._get_launchable_activity())
  File "/usr/local/lib/python3.7/site-packages/objection/utils/patchers/android.py", line 341, in _get_launchable_activity
    manifest = self._get_android_manifest()
  File "/usr/local/lib/python3.7/site-packages/objection/utils/patchers/android.py", line 287, in _get_android_manifest
    raise Exception('Cannot --skip-resources when trying to manually parse the AndroidManifest.xml')
Exception: Cannot --skip-resources when trying to manually parse the AndroidManifest.xml

Full log: https://gist.github.com/rkba/7aa3c157e7ea6bedb23fc46e618e3dce

Is this some kind of anti-reverse-engineering tool being used here or a bug in objection or so for parsing the AndroidManifest.xml?

leonjza commented 4 years ago

frida.TransportError: the connection is closed

These are usually pretty hard to debug straight out of objection. I would suggest you remove the complexity objection adds here and give raw Frida a try first. Attaching Frida and performing some simple instrumentation should be enough to see what's happening. It could very well be that there is some anti-frida that you need to bypass.

Unable to determine the launchable activity using aapt, trying to manually parse the AndroidManifest for activity aliases... Cannot manually parse the AndroidManifest.xml when --skip-resources is set, remove this and try again.

The --skip-resources flag won't decode the AndroidManifest, so because aapt can't find a launchable activity it will try and parse the AndroidManifest. However, with skip-resources, this is not decoded so it can't do that. I suggest you manually unpack the APK, check which class in the manifest you want to patch and specify that with the --target-class flag on the Android patcher command.
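
The manual manifest check suggested in the comment above can be scripted. The following is an added example, not part of the original thread and not objection's own code: it assumes a decoded, plain-text AndroidManifest.xml (for instance from an APK unpacked with resources decoded), and the function names and sample manifest are hypothetical. It resolves activity aliases to their real class, which is the value to give to --target-class.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the android: namespace.
A = "{http://schemas.android.com/apk/res/android}"
LAUNCH = {"android.intent.action.MAIN", "android.intent.category.LAUNCHER"}

# Constructed sample manifest, not taken from the app in this issue.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".ui.MainActivity"/>
    <activity android:name="com.example.sdk.WebActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <activity-alias android:name=".Launcher"
        android:targetActivity=".ui.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>"""

def _is_launcher(component):
    """True if any intent-filter declares both MAIN and LAUNCHER."""
    return any(LAUNCH <= {e.get(A + "name") for e in flt}
               for flt in component.findall("intent-filter"))

def launchable_classes(manifest_xml):
    """Return fully qualified launcher classes, resolving activity aliases."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for comp in root.iterfind("application/*"):
        if comp.tag not in ("activity", "activity-alias") or not _is_launcher(comp):
            continue
        # An alias has no code of its own; the class to patch is its target.
        name = comp.get(A + "targetActivity") or comp.get(A + "name")
        if name.startswith(".") or "." not in name:
            name = package + "." + name.lstrip(".")
        if name not in found:
            found.append(name)
    return found

if __name__ == "__main__":
    print(launchable_classes(SAMPLE_MANIFEST))
```
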