sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

[bug] Objection explore freezes #469

Closed centrinvest closed 1 month ago

centrinvest commented 3 years ago

Describe the bug

Hello! We encountered obscure objection behavior with iOS. At first, the utility worked correctly, the application started up. Then at some point the objection explore command just started to freeze at the "Attempting to attach to process: Gadget" stage.

Tell me what could be the problem?

To Reproduce

Steps to reproduce the behavior:

  1. I run any application via Xcode on the device to get embedded.mobileprovision. At the same time, in the DerivedData folder, I only have one application.

  2. Run objection patchipa:

```
objection patchipa --source MobileBanking.ipa --codesign-signature 719BFDXXXXXX
Using latest Github gadget version: 15.0.6
Remote FridaGadget version is v15.0.6, local is v15.0.4. Downloading...
Downloading from: https://github.com/frida/frida/releases/download/15.0.6/frida-gadget-15.0.6-ios-universal.dylib.xz
Downloading iOS dylib to /Users/developonecentrinvest/.objection/ios/FridaGadget.dylib.xz...
Unpacking /Users/developonecentrinvest/.objection/ios/FridaGadget.dylib.xz...
Cleaning up downloaded archives...
Patcher will be using Gadget version: 15.0.6
No provision file specified, searching for one...
Found provision file /Users/developonecentrinvest/Library/Developer/Xcode/DerivedData/MobileBanking-hgxjaybwbnlqhrgjszukifylppsk/Build/Products/Debug-iphoneos/MobileBanking.app/embedded.mobileprovision expiring in 269 days, 4:49:16.997176
Found a valid provisioning profile
Mobile provision bundle identifier is: ru.invest.mobilebanking
Working with app: MobileBanking.app
Bundle identifier is: ru.invest.mobilebanking
Codesigning 22 .dylib's with signature 719BFDXXXXXX
Code signing: libswiftMapKit.dylib
Code signing: libswiftPhotos.dylib
Code signing: libswiftCoreImage.dylib
Code signing: libswiftObjectiveC.dylib
Code signing: libswiftCore.dylib
Code signing: libswiftCoreGraphics.dylib
Code signing: libswiftUIKit.dylib
Code signing: libswiftMetal.dylib
Code signing: libswiftCoreData.dylib
Code signing: libswiftDispatch.dylib
Code signing: libswiftos.dylib
Code signing: libswiftCoreFoundation.dylib
Code signing: FridaGadget.dylib
Code signing: libswiftDarwin.dylib
Code signing: libswiftContacts.dylib
Code signing: libswiftQuartzCore.dylib
Code signing: libswiftCoreAudio.dylib
Code signing: libswiftAVFoundation.dylib
Code signing: libswiftFoundation.dylib
Code signing: libswiftCoreMedia.dylib
Code signing: libswiftCoreLocation.dylib
Code signing: libswiftsimd.dylib
Creating new archive with patched contents...
Codesigning patched IPA...
Copying final ipa from /var/folders/s7/7lptcrdx2xs38mctj_lm36b40000gn/T/MobileBanking-frida-codesigned.ipa to current directory...
Cleaning up temp files...
```

  1. unzip MobileBanking-frida-codesigned.ipa

  2. ios-deploy --bundle Payload/MobileBanking.app/ -W -d

```
[....] Waiting for iOS device to be connected
[....] Using 65a58436864dbcf0eb1700eca2226e0a6301c044 (D101AP, iPhone 7, iphoneos, arm64, 14.4, 18D52) a.k.a. 'iPhone'.
------ Install phase ------
[ 0%] Found 65a58436864dbcf0eb1700eca2226e0a6301c044 (D101AP, iPhone 7, iphoneos, arm64, 14.4, 18D52) a.k.a. 'iPhone' connected through USB, beginning install
[ 5%] Copying /Users/developonecentrinvest/objection/Payload/MobileBanking.app/META-INF/ to device ...
[ 52%] CreatingStagingDirectory
[ 57%] ExtractingPackage
[ 60%] InspectingPackage
[ 60%] TakingInstallLock
[ 65%] PreflightingApplication
[ 65%] InstallingEmbeddedProfile
[ 70%] VerifyingApplication
[ 75%] CreatingContainer
[ 80%] InstallingApplication
[ 85%] PostflightingApplication
[ 90%] SandboxingApplication
[ 95%] GeneratingApplicationMap
[100%] Installed package Payload/MobileBanking.app/
------ Debug phase ------
Starting debug of 65a58436864dbcf0eb1700eca2226e0a6301c044 (D101AP, iPhone 7, iphoneos, arm64, 14.4, 18D52) a.k.a. 'iPhone' connected through USB...
[ 0%] Looking up developer disk image
[ 95%] Developer disk image mounted successfully
Symbol Path: /Users/developonecentrinvest/Library/Developer/Xcode/iOS DeviceSupport/14.4 (18D52)/Symbols
[100%] Connecting to remote debug server
(lldb) command source -s 0 '/tmp/191169CD-6766-457B-B1F4-ABB16AB6C5B9/fruitstrap-lldb-prep-cmds-65a58436864dbcf0eb1700eca2226e0a6301c044'
Executing commands in '/tmp/191169CD-6766-457B-B1F4-ABB16AB6C5B9/fruitstrap-lldb-prep-cmds-65a58436864dbcf0eb1700eca2226e0a6301c044'.
(lldb) platform select remote-ios --sysroot '/Users/developonecentrinvest/Library/Developer/Xcode/iOS DeviceSupport/14.4 (18D52)/Symbols'
Platform: remote-ios
Connected: no
SDK Path: "/Users/developonecentrinvest/Library/Developer/Xcode/iOS DeviceSupport/14.4 (18D52)/Symbols"
(lldb) target create "/Users/developonecentrinvest/objection/Payload/MobileBanking.app"
Current executable set to '/Users/developonecentrinvest/objection/Payload/MobileBanking.app' (arm64).
(lldb) script fruitstrap_device_app="/private/var/containers/Bundle/Application/F3C548AA-06A1-4E31-B9CA-7DF51F024C64/MobileBanking.app"
(lldb) script fruitstrap_connect_url="connect://127.0.0.1:52073"
(lldb) script fruitstrap_output_path=""
(lldb) script fruitstrap_error_path=""
(lldb) target modules search-paths add /usr "/Users/developonecentrinvest/Library/Developer/Xcode/iOS DeviceSupport/14.4 (18D52)/Symbols/usr" /System "/Users/developonecentrinvest/Library/Developer/Xcode/iOS DeviceSupport/14.4 (18D52)/Symbols/System" "/private/var/containers/Bundle/Application/F3C548AA-06A1-4E31-B9CA-7DF51F024C64" "/Users/developonecentrinvest/objection/Payload" "/var/containers/Bundle/Application/F3C548AA-06A1-4E31-B9CA-7DF51F024C64" "/Users/developonecentrinvest/objection/Payload" /Developer "/Users/developonecentrinvest/Library/Developer/Xcode/iOS DeviceSupport/14.4 (18D52)/Symbols/Developer"
(lldb) command script import "/tmp/191169CD-6766-457B-B1F4-ABB16AB6C5B9/fruitstrap_65a58436864dbcf0eb1700eca2226e0a6301c044.py"
(lldb) command script add -f fruitstrap_65a58436864dbcf0eb1700eca2226e0a6301c044.connect_command connect
(lldb) command script add -s asynchronous -f fruitstrap_65a58436864dbcf0eb1700eca2226e0a6301c044.run_command run
(lldb) command script add -s asynchronous -f fruitstrap_65a58436864dbcf0eb1700eca2226e0a6301c044.autoexit_command autoexit
(lldb) command script add -s asynchronous -f fruitstrap_65a58436864dbcf0eb1700eca2226e0a6301c044.safequit_command safequit
(lldb) connect
(lldb) run
success
2021-07-14 10:11:34.258650+0300 MobileBanking[5902:1834240] Frida: Listening on 127.0.0.1 TCP port 27042
(lldb)
```

  3. objection --debug explore

```
[debug] Agent path is: /usr/local/lib/python3.9/site-packages/objection/agent.js
[debug] Injecting agent...
Using USB device iPhone
[debug] Attempting to attach to process: Gadget
```

And that's it, at this step the objection just freezes and nothing else happens.

Expected behavior

objection explore does not freeze.

Environment (please complete the following information):

leonjza commented 3 years ago

Can you connect the vanilla frida client?

centrinvest commented 3 years ago

> Can you connect the vanilla frida client?

How can I check this?

centrinvest commented 3 years ago

The command `frida --usb Gadget` also freezes.

leonjza commented 3 years ago

Try and use the full bundle identifier of your app instead of Gadget.

centrinvest commented 3 years ago

`objection --debug -g "ru.invest.mobilebanking" explore` and `frida -usb "ru.invest.mobilebanking"` also freeze.

leonjza commented 3 years ago

Right, you will have to debug this locally. Could be some security feature of the application preventing Frida from working.

hazcod commented 3 years ago

I also have the same issue for a couple of apps. Ideas? explore works as well as a reconnect, but the app is stuck in the splash screen.

leonjza commented 3 years ago

We've run into this internally as well. For now, downgrading frida-server (or gadget by patching with the --gadget-version flag) and the local frida python package to the latest 14x should let you resume normal operation. For 15x support, watch #474.
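The workaround above comes down to keeping the embedded Gadget and the local frida Python package on the same release series. The following check, added here as an example and not part of objection or frida, reads the Gadget version from `objection patchipa` output and the pinned `frida` package from `pip3 freeze` output and flags a major-version mismatch; the sample lines are constructed from the output quoted in this thread, and a match only rules out this one cause (hazcod's case below shows the hang can persist even with matching versions).

```python
import re
from typing import Optional, Tuple

# Constructed sample input, modelled on the output quoted in this thread:
# a few lines of 'objection patchipa' output and of 'pip3 freeze'.
PATCHIPA_LOG = """Using latest Github gadget version: 15.0.6
Remote FridaGadget version is v15.0.6, local is v15.0.4. Downloading...
Patcher will be using Gadget version: 15.0.6
Codesigning 22 .dylib's with signature 719BFDXXXXXX"""

PIP_FREEZE = """frida==14.2.18
frida-tools==9.2.5"""

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Extract the first x.y.z version (optional leading 'v') from a string."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def gadget_version_from_patchipa(log: str) -> Optional[Version]:
    """The Gadget objection actually embedded, from its 'Patcher will be using' line."""
    for line in log.splitlines():
        if line.startswith("Patcher will be using Gadget version:"):
            return parse_version(line)
    return None


def local_frida_version(freeze: str) -> Optional[Version]:
    """The 'frida' package pinned in 'pip3 freeze' output (not frida-tools)."""
    for line in freeze.splitlines():
        name, sep, ver = line.strip().partition("==")
        if sep and name == "frida":
            return parse_version(ver)
    return None


def same_major(gadget: Version, local: Version) -> bool:
    # The workaround in this thread keeps gadget/server and the local frida
    # package on the same 14.x series; a major mismatch is the first thing to rule out.
    return gadget[0] == local[0]


def check(log: str, freeze: str) -> str:
    gadget, local = gadget_version_from_patchipa(log), local_frida_version(freeze)
    if gadget is None or local is None:
        return "UNKNOWN: could not read both versions"
    fmt = ".".join
    verdict = "OK" if same_major(gadget, local) else "MISMATCH"
    return f"{verdict}: gadget {fmt(map(str, gadget))} vs local frida {fmt(map(str, local))}"
```

Run `check` on the real output of both commands; a MISMATCH result means objection patched in a Gadget from a different major than the frida package that `objection explore` will use to attach.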

hazcod commented 3 years ago

Interestingly I am doing this with objection v1.11.0 and Gadget 14.2.18 and the app splash screen stays.

leonjza commented 3 years ago

Right. Only other thing I can suggest now is to check your local frida package version.

```
❯ pip3 freeze | grep -i frida
frida==14.2.18
```

hazcod commented 3 years ago

@leonjza hmmmm gotcha, but stays at connecting now:

```
% objection --debug -g com.ironpeak.empty explore
[debug] Agent path is: /opt/homebrew/lib/python3.9/site-packages/objection/agent.js
[debug] Injecting agent...
Using USB device `iPhone`
[debug] Attempting to attach to process: `com.ironpeak.empty`
[debug] Unable to find process: `com.ironpeak.empty`, attempting spawn
[debug] PID `819` spawned, attaching...
```

```
% pip3 freeze | grep frida
WARNING: Could not find setup.py for directory /opt/homebrew/lib/python3.9/site-packages (tried all parent directories)
frida==14.2.18
frida-tools==9.2.5
```

IPMegladon commented 1 month ago

Stale issue, feel free to reopen. Suspect this has likely been resolved in newer Frida versions.