Closed konsumer closed 3 months ago
Hey could you try -s 'import ios_openstore.js' instead?
It will take me a bit to test. I was hoping updating frida would help, but that broke my jailbreak. If I can fix that, I'll test it.
Just got it all re-jailbroken on frida-server 14.0.7, and ran
objection --gadget 'com.apple.AppStore' explore -s 'ios sslpinning disable' --startup-script ios_openstore.js
And I got another probably unrelated error:
Using USB device `iOS Device`
(frida:4550): Frida-CRITICAL **: 15:08:08.663: file ../../../frida-core/lib/interfaces/session.vala: line 167: uncaught error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “re.frida.HostSession12” on object at path /re/frida/HostSession (g-dbus-error-quark, 19)
[1] 4550 segmentation fault (core dumped) objection --gadget 'com.apple.AppStore' explore -s 'ios sslpinning disable'
I also tried a simpler command that used to work and got the same error:
objection --gadget 'com.apple.AppStore' explore
Sorry for the noise. I updated frida to 14.0.7 (objection still at 1.9.6) on desktop, and got through that issue.
I ran this:
objection --gadget 'com.apple.AppStore' explore -s 'ios sslpinning disable' -s 'import ios_openstore.js'
and got the same process is not suspended error
I also tried this, just to see if it would open a URL:
objection --gadget 'com.apple.AppStore' explore -s 'import ios_openstore.js'
and got the same error
I think I made progress
I did this (evaluate instead of import):
objection --gadget 'com.apple.AppStore' explore -s 'ios sslpinning disable' -s 'evaluate ios_openstore.js'
And it ran without error. It still held the repl open though. I tried running it a few times, and it looks like the ssl disable isn't going through before the url request (I get ssl error, but it works if I refresh)
I tried modifying the script, and it seemed to fix that:
// Ask LaunchServices to open the given URL on the device
function openURL (url) {
  var w = ObjC.classes.LSApplicationWorkspace.defaultWorkspace()
  var toOpen = ObjC.classes.NSURL.URLWithString_(url)
  return w.openSensitiveURL_withOptions_(toOpen, null)
}
// Wait 2 seconds before opening the URL
setTimeout(() => openURL('https://apps.apple.com/us/app/pixel-starships/id321756558?mt=12'), 2000)
I ended up doing a & (to background) then a sleep then a kill and it seems to work. Is there a better way to make objection exit?
If I try to script it, I get Operation not permitted:
objection --gadget 'com.apple.AppStore' explore -s 'ios sslpinning disable' -s 'evaluate ios_openstore.js' &
sleep 10
killall -9 objection
This is the error:
./mitmautomate
Using USB device `iOS Device`
Agent injected and responds ok!
Warning: Input is not a terminal (fd=0).
Running a startup command... ios sslpinning disable
(agent) Hooking common framework methods
(agent) Found NSURLSession based classes. Hooking known pinning methods.
(agent) Hooking lower level SSL methods
(agent) Hooking lower level TLS methods
(agent) Hooking BoringSSL methods
(agent) Registering job 9539898125697. Type: ios-sslpinning-disable
Running a startup command... evaluate ios_openstore.js
JavaScript capture complete. Evaluating...
_ _ _ _
___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_| _| _| | . | |
|___|___| |___|___|_| |_|___|_|_|
|___|(object)inject(ion) v1.9.6
Runtime Mobile Exploration
by: @leonjza from @sensepost
[tab] for command suggestions
Traceback (most recent call last):
File "/usr/lib/python3.8/asyncio/selector_events.py", line 259, in _add_reader
key = self._selector.get_key(fd)
File "/usr/lib/python3.8/selectors.py", line 192, in get_key
raise KeyError("{!r} is not registered".format(fileobj)) from None
KeyError: '0 is not registered'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/konsumer/.local/bin/objection", line 8, in <module>
sys.exit(cli())
File "/usr/lib/python3/dist-packages/click/core.py", line 764, in __call__
return self.main(*args, **kwargs)
File "/usr/lib/python3/dist-packages/click/core.py", line 717, in main
rv = self.invoke(ctx)
File "/usr/lib/python3/dist-packages/click/core.py", line 1137, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/lib/python3/dist-packages/click/core.py", line 956, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/lib/python3/dist-packages/click/core.py", line 555, in invoke
return callback(*args, **kwargs)
File "/home/konsumer/.local/lib/python3.8/site-packages/objection/console/cli.py", line 206, in explore
r.start_repl(quiet=quiet)
File "/home/konsumer/.local/lib/python3.8/site-packages/objection/console/repl.py", line 355, in start_repl
document = self.session.prompt(self.get_prompt_message())
File "/home/konsumer/.local/lib/python3.8/site-packages/prompt_toolkit/shortcuts/prompt.py", line 1013, in prompt
return self.app.run(set_exception_handler=set_exception_handler)
File "/home/konsumer/.local/lib/python3.8/site-packages/prompt_toolkit/application/application.py", line 814, in run
return loop.run_until_complete(
File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
return future.result()
File "/home/konsumer/.local/lib/python3.8/site-packages/prompt_toolkit/application/application.py", line 781, in run_async
return await _run_async2()
File "/home/konsumer/.local/lib/python3.8/site-packages/prompt_toolkit/application/application.py", line 763, in _run_async2
result = await _run_async()
File "/home/konsumer/.local/lib/python3.8/site-packages/prompt_toolkit/application/application.py", line 694, in _run_async
with self.input.raw_mode(), self.input.attach(
File "/usr/lib/python3.8/contextlib.py", line 113, in __enter__
return next(self.gen)
File "/home/konsumer/.local/lib/python3.8/site-packages/prompt_toolkit/input/vt100.py", line 161, in _attached_input
loop.add_reader(fd, callback)
File "/usr/lib/python3.8/asyncio/selector_events.py", line 332, in add_reader
return self._add_reader(fd, callback, *args)
File "/usr/lib/python3.8/asyncio/selector_events.py", line 261, in _add_reader
self._selector.register(fd, selectors.EVENT_READ,
File "/usr/lib/python3.8/selectors.py", line 359, in register
self._selector.register(key.fd, poller_events)
PermissionError: [Errno 1] Operation not permitted
Asking jobs to stop...
Unloading objection agent...
objection: no process found
Also, piping "exit\n" into objection seems to do the same thing where it spirals into an exception loop.
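Added example, not from the thread or the objection project: the PermissionError at the bottom of the traceback above is raised when asyncio registers fd 0 with the selector, and on Linux epoll rejects descriptors that cannot be polled. The sketch below (helper names are hypothetical, sample descriptors are constructed) checks which kinds of stdin a selector accepts; it assumes Linux, where a job backgrounded with & from a non-interactive script normally gets /dev/null as stdin.

```python
import os
import selectors
import tempfile


def can_register(fd):
    """Return True if the default selector accepts fd for read events.

    This is the same registration asyncio's add_reader() performs for the
    REPL's input descriptor.
    """
    sel = selectors.DefaultSelector()
    try:
        sel.register(fd, selectors.EVENT_READ)
        return True
    except PermissionError:
        # With epoll this is EPERM: the file does not support polling.
        return False
    finally:
        sel.close()


def probe_stdin_kinds():
    """Probe constructed stand-ins for the stdin a scripted run may get."""
    results = {}
    r, w = os.pipe()
    try:
        results["pipe"] = can_register(r)
    finally:
        os.close(r)
        os.close(w)
    with tempfile.TemporaryFile() as f:
        results["regular file"] = can_register(f.fileno())
    with open(os.devnull, "rb") as f:
        results[os.devnull] = can_register(f.fileno())
    return results


if __name__ == "__main__":
    for kind, ok in probe_stdin_kinds().items():
        print(f"{kind}: {'pollable' if ok else 'rejected by selector'}")
    # Check the descriptor the current process would hand to a REPL.
    print("current stdin:", "pollable" if can_register(0) else "rejected")
```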
@konsumer did you succeed in solving the issue?
@leonjza can you assist? I'm stuck here.
iOS version: 13.6 Device: jb iPhone X
mao@maozika:~/ios$ frida -U -l bypass.js -f <> explore --no-pause
/ _ | Frida 14.2.13 - A world-class dynamic instrumentation toolkit
| (_| |
| Commands:
// |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://www.frida.re/docs/home/
Spawning `reducted explore`...
Injecting...
Spawned `reducted explore`. Resuming main thread!
[iOS Device::com.uscc.myaccount]-> Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
self.run()
File "/usr/lib/python3.6/threading.py", line 864, in run
self._target(*self._args, **self._kwargs)
File "/home/mao/.local/lib/python3.6/site-packages/frida_tools/application.py", line 639, in _run
work()
File "/home/mao/.local/lib/python3.6/site-packages/frida_tools/repl.py", line 462, in <lambda>
self._reactor.schedule(lambda: self._resume())
File "/home/mao/.local/lib/python3.6/site-packages/frida_tools/application.py", line 255, in _resume
self._device.resume(self._spawned_pid)
File "/home/mao/.local/lib/python3.6/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/home/mao/.local/lib/python3.6/site-packages/frida/core.py", line 148, in resume
self._impl.resume(self._pid_of(target))
frida.InvalidOperationError: process is not suspended
Thank you in advance.
I got the same.
$ objection -g app.identifier.here explore
Using USB device `iPhone`
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.9/bin/objection", line 33, in <module>
sys.exit(load_entry_point('objection==1.11.0', 'console_scripts', 'objection')())
File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/click/core.py", line 829, in __call__
return self.main(*args, **kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/objection/console/cli.py", line 114, in explore
agent.inject()
File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/objection/utils/agent.py", line 209, in inject
self.device.resume(self.spawned_pid)
File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/frida/core.py", line 148, in resume
self._impl.resume(self._pid_of(target))
frida.InvalidOperationError: process is not suspended
The app opens and closes immediately. Tested on macOS 10.14.6, iOS 14.2. Happens on every app.
It works fine if using the process id (PID) instead of name or identifier.
I think my issue is different from what you are talking about.
I can start it fine with identifier, my issue is specifically with trying to spin up initial scripts. The app-store example needs to be started by name (not an already running PID) to do sslpinning disable, anyway.
Yes. Sorry for using your issue, but it could be related. Obviously there is an issue with using name or identifier. I found the same problem in some other issues.
Anyone solved this issue?
Spawned `com.test`. Use %resume to let the main thread start executing!
[iPhone::com.test]-> %resume
[iPhone::com.test]-> Exception in thread Thread-1:
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/threading.py", line 917, in _bootstrap_inner
self.run()
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/threading.py", line 865, in run
self._target(*self._args, **self._kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/frida_tools/application.py", line 639, in _run
work()
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/frida_tools/repl.py", line 464, in <lambda>
self._reactor.schedule(lambda: self._resume())
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/frida_tools/application.py", line 255, in _resume
self._device.resume(self._spawned_pid)
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/frida/core.py", line 148, in resume
self._impl.resume(self._pid_of(target))
frida.InvalidOperationError: process is not suspended
I solved this problem and realized the jailbreak version is not compatible with Frida, so I downgraded the jailbreak version.
Stale issue, feel free to reopen.
Describe the bug
I am trying to run ios sslpinning disable and open a url on device (via a javascript). I want it to run in other scripts, so I can automate the process, so it should fire ssl disable, open url, then exit.
To Reproduce
Steps to reproduce the behavior:
First I have a script ios_openstore.js:
If I run
It works, but it's not automatic (it keeps a repl open)
First thing I tried was echo commands into it:
I get a whole bunch of these errors, and it doesn't work (as above):
Next I tried using --startup-script:
I get this error:
Next I tried using api hoping I could pipe the commands in using curl (then kill the objection process when finished):
So it looks like main prob is process is not suspended in a few cases.
Expected behavior
I expect there to be a way to run a script after ios sslpinning disable then exit.
Evidence / Logs / Screenshots
output:
Environment (please complete the following information):