sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

[bug] flex is not showing #567

Closed 0xElessar closed 3 weeks ago

0xElessar commented 2 years ago

Hello Leon,

thanks again for the great tool. I think I did what you described in the plugin section. I have compiled the dynamic library using the files in the FLEX Classes folder. Unfortunately, the FLEX plugin does not show on the screen. I tried 3 different apps, same result ... nothing happens:

objection -g com.highaltitudehacks.DVIAswiftv2 explore -P plugins
Using USB device `iPhone`
Agent injected and responds ok!
Loaded plugin: api
Loaded plugin: stetho
Loaded plugin: mettle
Loaded plugin: flex

     _   _         _   _
 ___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_|  _|  _| | . |   |
|___|___| |___|___|_| |_|___|_|_|
      |___|(object)inject(ion) v1.11.0

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
....highaltitudehacks.DVIAswiftv2 on (iPhone: 13.7) [usb] # plugin flex load
Asking flex to load...
Flex should be up!

Could you suggest what I can do to debug it further and find what fails, please?

thanks

0xElessar commented 2 years ago

A bit more info.

Manually loading the module gives this error:

[iPhone::TestSwift1 ]-> const libFlexModule = Module.load('/var/mobile/Containers/Data/Application/EF1496F1-8063-46CF-9E08-9AE45F57B766/Documents/libFlex.arm64.dylib');
Error: unable to find module '/var/mobile/Containers/Data/Application/EF1496F1-8063-46CF-9E08-9AE45F57B766/Documents/libFlex.arm64.dylib'
    at value (frida/runtime/core.js:339)
    at value (frida/runtime/core.js:229)
    at <eval> (<input>:1)
    at eval (native)

The file definitely exists, because an invalid path gives a different error:

[iPhone::TestSwift1 ]-> const libFlexModule = Module.load('/var/mobile/Containers/Data/Application/EF1496F1-8063-46CF-9E08-9AE45F57B766/Documents/libFlex.arm64.dyliba');
Error: dlopen(/var/mobile/Containers/Data/Application/EF1496F1-8063-46CF-9E08-9AE45F57B766/Documents/libFlex.arm64.dyliba, 0x0001): dlopen(): file not found: /var/mobile/Containers/Data/Application/EF1496F1-8063-46CF-9E08-9AE45F57B766/Documents/libFlex.arm64.dyliba
    at value (frida/runtime/core.js:229)
    at <eval> (<input>:1)
    at eval (native)

Output of the file command:

/var/mobile/Containers/Data/Application/EF1496F1-8063-46CF-9E08-9AE45F57B766/Documents/libFlex.arm64.dylib: Mach-O 64-bit arm64 dynamically linked shared library, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|NO_REEXPORTED_DYLIBS>

0xElessar commented 2 years ago

OK, some progress:

[iPhone::TestSwift1 ]-> const libFlexModule = Module.load('/var/mobile/Containers/Data/Application/EF1496F1-8063-46CF-9E08-9AE45F57B766/Documents/libFlex.arm64.dylib');
Error: unable to find module '/var/mobile/Containers/Data/Application/EF1496F1-8063-46CF-9E08-9AE45F57B766/Documents/libFlex.arm64.dylib'
    at value (frida/runtime/core.js:339)
    at value (frida/runtime/core.js:229)
    at <eval> (<input>:1)
    at eval (native)

The same library copied to the Frameworks folder in the install folder:

libFlexModule = Module.load('/private/var/containers/Bundle/Application/F1AB5922-9262-4F6F-A055-FC5F2260DE08/TestSwift1.app/Frameworks/libFlex.arm64.dylib');

{
    "base": "0x10d770000",
    "name": "libFlex.arm64.dylib",
    "path": "/private/var/containers/Bundle/Application/F1AB5922-9262-4F6F-A055-FC5F2260DE08/TestSwift1.app/Frameworks/libFlex.arm64.dylib",
    "size": 1376256
}

works perfectly.

Unfortunately, running:

libFlexModule = Module.load('/private/var/containers/Bundle/Application/F1AB5922-9262-4F6F-A055-FC5F2260DE08/TestSwift1.app/Frameworks/libFlex.arm64.dylib');
libFlexPtr = libFlexModule.findExportByName("OBJC_CLASS_$_libFlex");
libFlex = new ObjC.Object(libFlexPtr);
libFlex.alloc().init().flexUp();

crashes FLEX and the app:

Exception Type:  EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note:  EXC_CORPSE_NOTIFY
Triggered by Thread:  8

[...]

Thread 8 name:  gum-js-loop
Thread 8 Crashed:
0   libsystem_kernel.dylib              0x00000001a8895d88 __pthread_kill + 8
1   libsystem_pthread.dylib             0x00000001a87ae1e8 pthread_kill$VARIANT$mp + 136
2   libsystem_c.dylib                   0x00000001a87019b0 __abort + 112
3   libsystem_c.dylib                   0x00000001a8701940 __abort + 0
4   libsystem_c.dylib                   0x00000001a87018d0 abort + 0
5   libc++abi.dylib                     0x00000001a885be10 demangling_unexpected_handler() + 0
6   libobjc.A.dylib                     0x00000001a87c2e80 _objc_terminate() + 124
7   libc++abi.dylib                     0x00000001a886914c std::__terminate(void (*)()) + 16
8   libc++abi.dylib                     0x00000001a886bbd8 __cxa_get_exception_ptr + 0
9   libc++abi.dylib                     0x00000001a886bb98 __cxxabiv1::exception_cleanup_func(_Unwind_Reason_Code, _Unwind_Exception*) + 0
10  libobjc.A.dylib                     0x00000001a87c2cf8 _objc_exception_destructor(void*) + 0
11  CoreFoundation                      0x00000001a89a36ec +[_CFXNotificationTokenRegistration keyCallbacks] + 0
12  Foundation                          0x00000001a8de916c -[NSAssertionHandler handleFailureInMethod:object:file:lineNumber:description:] + 128
13  libFlex.arm64.dylib                 0x0000000105dd1820 -[FLEXManager explorerWindow] + 180
14  libFlex.arm64.dylib                 0x0000000105dd19cc -[FLEXManager showExplorer] + 44
15  libFlex.arm64.dylib                 0x0000000105d7d748 -[libFlex flexUp] + 64
16  FridaAgent                          0x0000000104764044 0x1046ac000 + 753732
17  FridaAgent                          0x0000000104760ccc 0x1046ac000 + 740556
18  FridaAgent                          0x0000000104846384 0x1046ac000 + 1680260

I remember I was getting similar crashes when I tried to display FLEX in my custom app in the wrong place, for example in "ViewController". When I put the FLEX display code in the Scene module, that worked perfectly:

- (void)sceneDidBecomeActive:(UIScene *)scene {
    [[FLEXManager sharedManager] showExplorer];
}

I will try the same technique in another app; we will see whether that matters.

0xElessar commented 2 years ago

@leonjza hopefully you can find some time to look at that. This is a really awesome feature, but it is extremely unreliable currently, as you can see :(

0xElessar commented 2 years ago

No luck. The same crash on iOS 13, 14 and different apps even basic ones in ObjC.

When you have a moment, @leonjza, could you tell us which version of FLEX you have successfully run? Maybe that is where the problem is.

0xElessar commented 2 years ago

Solved. The crashes were caused by not running on the main thread :(

Running this (as you do in the plugin code!):

ObjC.schedule(ObjC.mainQueue, function () {   // opening line not shown in the original post; this is the main-queue dispatch the comment describes
  libFlexModule = Module.load('/private/var/containers/Bundle/Application/F1AB5922-9262-4F6F-A055-FC5F2260DE08/TestSwift1.app/Frameworks/libFlex.arm64.dylib');
  libFlexPtr = libFlexModule.findExportByName("OBJC_CLASS_$_libFlex");
  libFlex = new ObjC.Object(libFlexPtr);
  libFlex.alloc().init().flexUp();   // UIKit work now runs on the main thread instead of gum-js-loop
});

finally loaded FLEX in my custom app.
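The main-thread fix from the comment above, written out as an added example. This is not objection's plugin code and not the issue author's script; it assumes, as the snippets in this thread do, that the dylib exports an ObjC class named `libFlex` with a `flexUp` method and lives under the app bundle's Frameworks directory. The `rt` parameter is an assumption of this example only: it carries the Frida globals so the dispatch logic can be exercised outside the agent; inside Frida you call the function with just the path.

```javascript
// Added example, not objection's plugin code: load the FLEX dylib with Frida
// and bring the explorer up on the UIKit main thread. Assumes, as in the
// snippets above, that the dylib exports an ObjC class `libFlex` with a
// `flexUp` method and sits in the app bundle's Frameworks directory.
'use strict';

// Bundle path taken from this thread; replace the UUID for your own install.
const FLEX_DYLIB =
  '/private/var/containers/Bundle/Application/F1AB5922-9262-4F6F-A055-FC5F2260DE08/' +
  'TestSwift1.app/Frameworks/libFlex.arm64.dylib';

// `rt` carries the Frida globals (Module, ObjC, Process). Inside Frida call
// this with one argument and the real globals are picked up; the parameter
// only exists so the dispatch logic can be exercised outside the agent.
function loadAndShowFlex(dylibPath, rt) {
  if (rt === undefined) {
    rt = { Module: Module, ObjC: ObjC, Process: Process };
  }
  if (!rt.ObjC.available) {
    throw new Error('Objective-C runtime is not available in this process');
  }

  const name = dylibPath.substring(dylibPath.lastIndexOf('/') + 1);

  // Check whether the dylib is already in the process before calling
  // Module.load again, so its constructors are not re-run on a retry.
  let mod = rt.Process.findModuleByName(name);
  if (mod === null) {
    // dlopen happens here; a path dyld will not load throws, as seen with
    // the Documents directory attempt earlier in this thread.
    mod = rt.Module.load(dylibPath);
  }

  const clsPtr = mod.findExportByName('OBJC_CLASS_$_libFlex');
  if (clsPtr === null) {
    throw new Error(name + ' does not export OBJC_CLASS_$_libFlex');
  }
  const libFlex = new rt.ObjC.Object(clsPtr);

  // The SIGABRT above came from -[FLEXManager showExplorer] asserting on the
  // main thread while the script ran on gum-js-loop. ObjC.schedule hands the
  // UIKit work to the main dispatch queue instead of running it inline.
  rt.ObjC.schedule(rt.ObjC.mainQueue, function () {
    libFlex.alloc().init().flexUp();
  });
  return mod;
}

// When run inside Frida (e.g. `frida -U -l flexup.js TestSwift1`), do it now.
if (typeof ObjC !== 'undefined') {
  const loaded = loadAndShowFlex(FLEX_DYLIB);
  console.log('loaded ' + loaded.name + ' at ' + loaded.base);
}
```

`ObjC.schedule` only queues the block; the call returns immediately on gum-js-loop and `flexUp` runs later on the main thread, so any errors thrown inside the block show up asynchronously rather than at the call site.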

IPMegladon commented 3 weeks ago

Closing issue as stale, feel free to reopen.