sensepost / objection

📱 objection - runtime mobile exploration
GNU General Public License v3.0

[bug] App crashing on startup | no errors while patching | IOS #661

Open VivekChoudhary128 opened 8 months ago

VivekChoudhary128 commented 8 months ago

Describe the bug
The application is just crashing on startup.

To Reproduce
Steps to reproduce the behavior:

  1. Patched the application using Objection: objection patchipa --source UnCrackable-Level1.ipa --codesign-signature xxx
Using latest Github gadget version: 16.1.11
Patcher will be using Gadget version: 16.1.11
No provision file specified, searching for one...
Found provision file /Users/vivek/Library/Developer/Xcode/DerivedData/fsopzdssdrpjedcrjhhktacrxxvvxdk/Build/Products/Debug-iphoneos/fsop.app/embedded.mobileprovision expiring in 4 days, 13:32:01.464373
Found a valid provisioning profile
Mobile provision bundle identifier is: com.hackerboi.fsop
Working with app: UnCrackable Level 1.app
Bundle identifier is: sg.vp.UnCrackable1
Creating Frameworks directory for FridaGadget...
Codesigning 1 .dylib's with signature xxx
Code signing: FridaGadget.dylib
Creating new archive with patched contents...
Codesigning patched IPA...

Copying final ipa from /var/folders/x8/66h0m1r95y1g5k3m6r1x15n40000gn/T/UnCrackable-Level1-frida-codesigned.ipa to current directory...
Cleaning up temp files...
  2. Upload it to the device: ideviceinstaller -i UnCrackable-Level1-frida-codesigned.ipa
WARNING: could not locate Payload/UnCrackable Level 1.app/SC_Info/UnCrackable Level 1.sinf in archive!
Copying 'UnCrackable-Level1-frida-codesigned.ipa' to device... DONE.
Installing 'com.hackerboi.fsop'
Install: CreatingStagingDirectory (5%)
Install: ExtractingPackage (15%)
Install: InspectingPackage (20%)
Install: PreflightingApplication (30%)
Install: VerifyingApplication (40%)
Install: CreatingContainer (50%)
Install: InstallingApplication (60%)
Install: PostflightingApplication (70%)
Install: SandboxingApplication (80%)
Install: GeneratingApplicationMap (90%)
Install: InstallComplete (100%)
Install: Complete
  3. syslogs while opening the application: idevicesyslog | grep -i Uncrackable
        0: <string: 0xc18e439a0> { length = 115, contents = "/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1" }
    "Program" => <string: 0xc18e9d800> { length = 115, contents = "/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1" }
    Jan 25 20:09:24 kernel(Sandbox)[0] <Notice>: /private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1[1959] ==> container
    Jan 25 20:09:24 kernel(Sandbox)[0] <Error>: Sandbox: UnCrackable Level 1(1959) deny(1) sysctl-read kern.bootargs
    Jan 25 20:09:24 kernel(AppleMobileFileIntegrity)[0] <Notice>: AMFI: constraint violation /private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/Frameworks/FridaGadget.dylib has entitlements but is not a main binary
    Jan 25 20:09:24 locationd[71] <Notice>: {"msg":"computing freshAuthorizationContext", "Client":"icom.hackerboi.fsop:", "ClientDictionary":"{\134n    BundleId = \134"com.hackerboi.fsop\134";\134n    BundlePath = \134"\134/private\134/var\134/containers\134/Bundle\134/Application\134/E6A57895-036E-4248-8253-A54D3C370FD6\134/UnCrackable Level 1.app\134";\134n    Executable = \134"\134/private\134/var\134/containers\134/Bundle\134/Application\134/E6A57895-036E-4248-8253-A54D3C370FD6\134/UnCrackable Level 1.app\134/UnCrackable Level 1\134";\134n    ExistsInLSDatabase = 1;\134n    InUseLevel = 5;\134n    PluginBundleIds =     (\134n    );\134n    SuppressShowingInSettings = 1;\134n}", "BigSwitch":1, "InUseLevel":{"type":"decode failure","raw value":5,"expected type":"Generic"}}
    Jan 25 20:09:24 kernel[0] <Notice>: UnCrackable Level 1[1959] Corpse allowed 1 of 5
    Jan 25 20:09:24 locationd[71] <Notice>: {"msg":"computing freshAuthorizationContext", "Client":"icom.hackerboi.fsop:", "ClientDictionary":"{\134n    BundleId = \134"com.hackerboi.fsop\134";\134n    BundlePath = \134"\134/private\134/var\134/containers\134/Bundle\134/Application\134/E6A57895-036E-4248-8253-A54D3C370FD6\134/UnCrackable Level 1.app\134";\134n    Executable = \134"\134/private\134/var\134/containers\134/Bundle\134/Application\134/E6A57895-036E-4248-8253-A54D3C370FD6\134/UnCrackable Level 1.app\134/UnCrackable Level 1\134";\134n    ExistsInLSDatabase = 1;\134n    InUseLevel = 0;\134n    PluginBundleIds =     (\134n    );\134n    SuppressShowingInSettings = 1;\134n}", "BigSwitch":1, "InUseLevel":{"type":"decode failure","raw value":0,"expected type":"Generic"}}
    Jan 25 20:09:24 ReportCrash[134] <Notice>: Formulating fatal 309 report for corpse[1959] UnCrackable Level 1
    Jan 25 20:09:24 ReportCrash[134] <Notice>: loadStoreInfo [platform 2] com.hackerboi.fsop from file:///private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable%20Level%201.app/
    Jan 25 20:09:24 osanalyticshelper(OSAnalytics)[208] <Notice>: creating type 309 as /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/.UnCrackable Level 1-2024-01-25-200924.ips
    Jan 25 20:09:24 osanalyticshelper(OSAnalytics)[208] <Notice>: Saved type '309(<private>)' report (1 of max 25) at /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/UnCrackable Level 1-2024-01-25-200924.ips
    Jan 25 20:09:24 osanalyticshelper[208] <Notice>: xpc log creation type 309 result success: /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/UnCrackable Level 1-2024-01-25-200924.ips
    Jan 25 20:09:24 ReportCrash(OSAnalytics)[134] <Notice>: client log create type 309 result success: /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/UnCrackable Level 1-2024-01-25-200924.ips
        0: <string: 0xc18afd220> { length = 115, contents = "/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1" }
    "Program" => <string: 0xc18acb2f0> { length = 115, contents = "/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1" }
    Jan 25 20:33:07 kernel(Sandbox)[0] <Notice>: /private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1[1961] ==> container
    Jan 25 20:33:07 kernel(Sandbox)[0] <Error>: Sandbox: UnCrackable Level 1(1961) deny(1) sysctl-read kern.bootargs
    Jan 25 20:33:07 kernel[0] <Error>: memorystatus: Ignore assertion driven idle priority. Process not previously controlled UnCrackable Level 1:1961
    ^C
    Exiting...

Environment (please complete the following information):

Application: Uncrackable level 1 from OWASP

As far as I have searched, GPT gave me 2 possible reasons by looking at the error:

Sandbox Violation: The app is trying to read the kern.bootargs system control variable, which is not allowed in the app's sandbox environment. This is causing the app to crash. To fix this, you would need to remove or modify the code that is trying to read this variable.
AMFI Constraint Violation: The FridaGadget.dylib framework has entitlements but is not a main binary. This is causing the Apple Mobile File Integrity (AMFI) to block the app. To fix this, you would need to ensure that the FridaGadget.dylib framework is correctly embedded in the app and that it has the necessary entitlements.
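As an added example (not part of this issue or of the objection project), the following Python script triages the idevicesyslog excerpt above: it parses each syslog line, classifies AMFI constraint violations, Sandbox denials, corpse notices and ReportCrash entries, and ranks the AMFI entry as the most likely cause of the startup crash, which is the second of the two reasons listed above. The sample lines are copied from the report (the long locationd JSON entries are omitted); the ranking heuristic, which puts an AMFI constraint violation ahead of a sysctl-read sandbox denial, is this example's own assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: syslog lines taken from the idevicesyslog excerpt in the
# report above. The locationd JSON lines are left out for brevity.
SAMPLE_SYSLOG = """\
Jan 25 20:09:24 kernel(Sandbox)[0] <Notice>: /private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1[1959] ==> container
Jan 25 20:09:24 kernel(Sandbox)[0] <Error>: Sandbox: UnCrackable Level 1(1959) deny(1) sysctl-read kern.bootargs
Jan 25 20:09:24 kernel(AppleMobileFileIntegrity)[0] <Notice>: AMFI: constraint violation /private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/Frameworks/FridaGadget.dylib has entitlements but is not a main binary
Jan 25 20:09:24 kernel[0] <Notice>: UnCrackable Level 1[1959] Corpse allowed 1 of 5
Jan 25 20:09:24 ReportCrash[134] <Notice>: Formulating fatal 309 report for corpse[1959] UnCrackable Level 1
Jan 25 20:33:07 kernel(Sandbox)[0] <Error>: Sandbox: UnCrackable Level 1(1961) deny(1) sysctl-read kern.bootargs
"""

# Generic idevicesyslog line: "<Mon DD HH:MM:SS> <process>(<subsystem>)[<pid>] <Level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<proc>[^\[\(]+)(?:\((?P<subsys>[^)]+)\))?\[(?P<pid>\d+)\] "
    r"<(?P<level>\w+)>: (?P<msg>.*)$"
)

# Message patterns for the events that matter when an app dies at launch.
AMFI_RE = re.compile(r"AMFI: constraint violation (?P<path>.+?) has entitlements but is not a main binary")
SANDBOX_RE = re.compile(r"Sandbox: (?P<proc>.+?)\((?P<pid>\d+)\) deny\(\d+\) (?P<op>\S+) (?P<target>\S+)")
CRASH_RE = re.compile(r"Formulating fatal (?P<type>\d+) report for corpse\[(?P<pid>\d+)\]")
CORPSE_RE = re.compile(r"\[(?P<pid>\d+)\] Corpse allowed")


@dataclass
class Finding:
    kind: str            # amfi_dylib_entitlements | sandbox_deny | crash_report | corpse
    pid: Optional[int]   # process id the event refers to, where the message carries one
    detail: str          # path, denied operation, or report type


def parse_lines(text: str) -> List[Dict[str, Optional[str]]]:
    """Split raw syslog text into structured records; lines that do not match are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append(m.groupdict())
    return records


def classify(record: Dict[str, Optional[str]]) -> Optional[Finding]:
    """Map one parsed record to a Finding, or None if it is not a crash indicator."""
    msg = record["msg"] or ""
    m = AMFI_RE.search(msg)
    if m:
        return Finding("amfi_dylib_entitlements", None, m["path"])
    m = SANDBOX_RE.search(msg)
    if m:
        return Finding("sandbox_deny", int(m["pid"]), f"{m['op']} {m['target']}")
    m = CRASH_RE.search(msg)
    if m:
        return Finding("crash_report", int(m["pid"]), f"type {m['type']}")
    m = CORPSE_RE.search(msg)
    if m:
        return Finding("corpse", int(m["pid"]), msg)
    return None


def triage(text: str) -> dict:
    """Collect findings and pick a likely cause.

    Heuristic (this example's assumption): an AMFI constraint violation on an
    embedded dylib is ranked above a Sandbox sysctl-read denial, because only
    the main executable may carry entitlements and AMFI will refuse to load a
    dylib that does.
    """
    findings = [f for f in map(classify, parse_lines(text)) if f is not None]
    counts = Counter(f.kind for f in findings)
    if counts["amfi_dylib_entitlements"]:
        cause = ("AMFI constraint violation: an embedded dylib was signed with entitlements; "
                 "only the main executable may carry them")
    elif counts["crash_report"]:
        cause = "process crashed but no AMFI or Sandbox finding explains it; inspect the .ips report"
    else:
        cause = "no crash indicators found"
    return {"findings": findings, "counts": dict(counts), "likely_cause": cause}


if __name__ == "__main__":
    result = triage(SAMPLE_SYSLOG)
    for f in result["findings"]:
        print(f"{f.kind:24} pid={f.pid} {f.detail}")
    print("likely cause:", result["likely_cause"])
```

Run it against a saved `idevicesyslog` capture instead of the embedded sample to get the same summary for a different app; the parser only relies on the standard syslog line shape, so unmatched lines are ignored rather than failing the run.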
thinkdev1 commented 4 months ago

Frida only works with JB.