sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

Unable to hook application #451

Closed Azulath closed 3 months ago

Azulath commented 3 years ago

I am unable to hook some applications on a rooted Android device using Objection, while other applications work perfectly fine. I have tried both, letting Objection start the application and hooking the application when it's already running. Below is a console/logcat output:

Console/logcat output:

```
[me@mbp ~] frida -U -n "com.androidpentesting.securestorev2"
     ____
    / _  |   Frida 14.2.14 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
[SM M205FN::com.androidpentesting.securestorev2]-> exit
Thank you for using Frida!
[me@mbp ~] objection --gadget com.androidpentesting.securestorev2 explore
Checking for a newer version of objection...
Using USB device `SM M205FN`
Agent injected and responds ok!
Traceback (most recent call last):
  File "/Users/me/homebrew/bin/objection", line 8, in <module>
(session detach message) process-terminated
    sys.exit(cli())
(process crash report)
  File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 829, in __call__
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
LineageOS Version: '15.1-20190517-NIGHTLY-mako'
Build fingerprint: 'google/occam/mako:5.1.1/LMY48T/2237560:user/release-keys'
Revision: '0'
ABI: 'arm'
pid: 2989, tid: 3113, name: Thread-2  >>> com.androidpentesting.securestorev2 <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'java_vm_ext.cc:534] JNI DETECTED ERROR IN APPLICATION: unknown format specifier: '''
    r0 00000000  r1 00000c29  r2 00000006  r3 8a2d4f10
    r4 ac608c76  r5 00000c2b  r6 00000000  r7 0000016b
    r8 00000002  r9 00000006  sl 8a2d79c8  fp 00000001
    ip 8a2d4d20  sp 8a2d4d10  lr a8d0e8fb  pc a8d5405c  cpsr 000f0010
backtrace:
    #00 pc 0005f05c  /system/bin/linker (__dl_syscall+32)
    #01 pc 000198f7  /system/bin/linker (__dl__ZL13resend_signalP7siginfob+54)
    #02 pc 00019753  /system/bin/linker (__dl__ZL24debuggerd_signal_handleriP7siginfoPv+774)
    #03 pc 00150ccd  /data/local/tmp/re.frida.server/frida-agent-32.so
    return self.main(*args, **kwargs)
  File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/Users/me/homebrew/lib/python3.9/site-packages/objection/console/cli.py", line 156, in explore
    device_info = get_device_info()
  File "/Users/me/homebrew/lib/python3.9/site-packages/objection/commands/device.py", line 41, in get_device_info
    package_info = api.env_android()
  File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 401, in method
    return script._rpc_request('call', js_name, args, **kwargs)
  File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 333, in _rpc_request
    raise result[2]
frida.InvalidOperationError: script is destroyed
Asking jobs to stop...
Unloading objection agent...
Unable to run cleanups: script is destroyed
```
leonjza commented 3 years ago
```
  File "/Users/me/homebrew/lib/python3.9/site-packages/objection/commands/device.py", line 41, in get_device_info
    package_info = api.env_android()
  File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 401, in method
    return script._rpc_request('call', js_name, args, **kwargs)
```

From this part it looks like the call to the agent's androidPackage() method might be causing the crash. There are two things you can try:

  1. Run objection with the --debug flag to see if the output is more verbose. My hope is to see a stack trace from the agent.
  2. Run some of the methods inside the androidPackage() method (src here) in the Frida REPL and see if you can find the method that is causing the crash.
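As an added example (not code from the objection project or from either participant in this thread), a small Frida script that carries out the bisection suggested above: it resolves a set of Java classes one at a time and logs each name before the call, so when the process aborts the last logged name points at the lookup that triggered it. The `probeClasses` and `firstFailure` helpers and the `SAMPLE_CLASSES` list are constructed for this example and are not objection's own class list.

```javascript
// Added diagnostic harness (assumption: runs inside a Frida script where the
// global `Java` exists; under plain Node the sweep is skipped and only the
// helpers are defined). SAMPLE_CLASSES is a constructed sample, not the list
// objection's androidPackage() actually queries.

// Try `lookup` (e.g. Java.use) on every name. Each attempt is logged BEFORE the
// call: if the process dies with SIGABRT, the last logged name is the culprit.
// JS-level exceptions are caught and recorded so one bad class does not end
// the sweep early.
function probeClasses(lookup, classNames, log) {
  log = log || function () {};
  const results = [];
  for (const name of classNames) {
    log('[probe] about to resolve ' + name);
    try {
      const handle = lookup(name);
      results.push({ name: name, status: handle ? 'ok' : 'null' });
    } catch (e) {
      results.push({ name: name, status: 'error', message: String(e.message || e) });
    }
  }
  return results;
}

// First entry that did not resolve cleanly, or null when every class loaded.
function firstFailure(results) {
  for (const r of results) {
    if (r.status !== 'ok') return r;
  }
  return null;
}

// Constructed sample: the two classes named in this thread plus a few that a
// package/environment query plausibly touches (assumption).
const SAMPLE_CLASSES = [
  'java.lang.String',
  'android.os.Build',
  'android.app.ActivityThread',
  'android.content.pm.PackageManager',
];

// Run the sweep only when the Frida Java bridge is present.
if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    const res = probeClasses(function (n) { return Java.use(n); }, SAMPLE_CLASSES, console.log);
    const bad = firstFailure(res);
    console.log(bad ? '[probe] first failure: ' + JSON.stringify(bad)
                    : '[probe] all sample classes resolved');
  });
}
```

Load it with `frida -U -n <package> -l probe.js`; a hard crash leaves the `[probe] about to resolve ...` line for the offending class as the last output, while a soft failure shows up in the summary.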
Azulath commented 3 years ago

Running it with the --debug flag resulted in the following output:

Objection:

```
[me@mbp ~/Downloads] objection --debug --gadget com.androidpentesting.securestorev2 explore
[debug] Agent path is: /Users/me/homebrew/lib/python3.9/site-packages/objection/agent.js
[debug] Injecting agent...
Using USB device `SM M205FN`
[debug] Attempting to attach to process: `com.androidpentesting.securestorev2`
[debug] Unable to find process: `com.androidpentesting.securestorev2`, attempting spawn
[debug] PID `4528` spawned, attaching...
[debug] Resuming PID `4528`
Agent injected and responds ok!
Traceback (most recent call last):
  File "/Users/me/homebrew/bin/objection", line 8, in <module>
    sys.exit(cli())
  File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/Users/me/homebrew/lib/python3.9/site-packages/objection/console/cli.py", line 156, in explore
    device_info = get_device_info()
  File "/Users/me/homebrew/lib/python3.9/site-packages/objection/commands/device.py", line 41, in get_device_info
    package_info = api.env_android()
  File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 401, in method
    return script._rpc_request('call', js_name, args, **kwargs)
  File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 333, in _rpc_request
    raise result[2]
frida.InvalidOperationError: script is destroyed
Asking jobs to stop...
Unloading objection agent...
[debug] Calling unload()
Unable to run cleanups: script is destroyed
```

It crashes when I try to do the following:

Frida REPL:

```
[SM M205FN::com.androidpentesting.securestorev2]-> Java.use("android.os.Build")
Process crashed: Trace/BPT trap

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
LineageOS Version: '15.1-20190517-NIGHTLY-mako'
Build fingerprint: 'google/occam/mako:5.1.1/LMY48T/2237560:user/release-keys'
Revision: '0'
ABI: 'arm'
pid: 4663, tid: 4900, name: Thread-2  >>> com.androidpentesting.securestorev2 <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'java_vm_ext.cc:534] JNI DETECTED ERROR IN APPLICATION: unknown format specifier: '''
    r0 00000000  r1 00001324  r2 00000006  r3 8a1fe568
    r4 ac608c76  r5 0000133f  r6 00000000  r7 0000016b
    r8 00000002  r9 00000006  sl 8a2009c8  fp 00000001
    ip 8a1fe378  sp 8a1fe368  lr a8d0e8fb  pc a8d5405c  cpsr 000f0010
backtrace:
    #00 pc 0005f05c  /system/bin/linker (__dl_syscall+32)
    #01 pc 000198f7  /system/bin/linker (__dl__ZL13resend_signalP7siginfob+54)
    #02 pc 00019753  /system/bin/linker (__dl__ZL24debuggerd_signal_handleriP7siginfoPv+774)
    #03 pc 00150ccd  /data/local/tmp/re.frida.server/frida-agent-32.so
***
[SM M205FN::com.androidpentesting.securestorev2]->
Thank you for using Frida!
```
leonjza commented 3 years ago

I suspect this might be a Frida bug / support issue for your OS. Can you call Java.use() on any other classes in the Frida REPL? I'll have to find a way to reproduce this locally (and some time) to debug. In the meantime, you can try setting up the frida-java playground using these steps to try and debug what is happening.

Azulath commented 3 years ago

Ok thanks - I just tried Java.use("java.lang.String") and it crashes as well. I will test this on another device. Currently, I only have Lineage devices at hand but this shouldn't be an issue with LineageOS in general, should it?

leonjza commented 3 years ago

I've used older Lineage successfully before. You could try and downgrade your frida-server and see if there was a specific version that caused this behavior as well.

Azulath commented 3 years ago

I've tested it now on my OnePlus 2 running LineageOS 16 and everything works as expected. Thanks for your help 👍 (I will look further into the Nexus device later in the week...)