
Frida hook doesn't work in iOSCrackMe example

Open iVoider opened this issue 2 years ago • 4 comments

I'm using the latest r2frida (5.7.8) version. I've noticed that the polling condition in the init_frida function is never satisfied: self.cmd(&format!("ps 1 @ {}", alloc))?.trim() always returns "/xFF".

Also I've found that newer r2frida requires a hex value for the ":db" command. So we need to change the Frida command to something like this to suspend the app.

let script_data = format!(
    ": Interceptor.attach(ptr('0x{:x}'),function(){});:db 0x{:x}",
    addr, func, addr
);

But this won't help to trigger the hook. ESILSolver works just fine, though it has different scripting logic.

iVoider avatar Dec 07 '22 00:12 iVoider

Seems like in newer iOS versions, memory is being protected by vm_protect. Frida can bypass this, but Radare cannot. Here you can find working code with this issue fixed and some other adjustments for iOS. https://github.com/iVoider/radius

iVoider avatar Dec 11 '22 18:12 iVoider

Thanks for bringing this to my attention! I have sort of fixed it! At least the Frida iOS example works, though it can no longer suspend the target while radius2 runs, which sucks. I need to find a new way to do this, maybe something more similar to how esilsolve does it.

In the meantime let me know how it works. I see you added some more fixes besides those Frida-specific ones. I will look at that mask issue in registers. I'll probably make that a wrapping shift and subtract.

aemmitt-ns avatar Dec 19 '22 05:12 aemmitt-ns

Thanks a lot!

About suspending: it's a pity that r2 can't break in multithreaded programs. So probably the only way to do this with a mobile device is to connect lldb. Though it's possible to read a stopped app's memory with r2 by calling an Interactive function like mmap / mremap from a Frida script. Or vm_protect(task, page_align(patch_addr), vm_page_size, false, VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY) to patch memory protection at runtime.

I will look at that mask issue in registers. I'll probably make that a wrapping shift and subtract.

Yes, I'm receiving a PC value overflow in almost every app other than the example with main branch radius. I think there is a class of problems with pointer auth and this problem is related to it. Moreover, launching arm64e binaries leads to an instant invalid instruction. Though calling external arm64e works, it often ends with retab to an invalid address. Quick intro if you are interested and have time.

It'll also be cool to treat addresses as shifts from the main address, and something like an ASLR-agnostic solution evaluation, e.g. generating input that leads to some unconstrained function call at any program launch.

I'll try to implement these features myself, though I'm too stupid for this task, and let you know the results.

iVoider avatar Dec 19 '22 20:12 iVoider

Yeah, the PAC stuff is a problem. I started implementing ESIL for arm64e instructions to simply clear the PAC bits, but I was trying to make it generic and apparently there is some variability in how many bits PAC uses. I am not sure how I will handle it. Also some x86 processors just ignore the top bits too. So maybe I'll just have a nodefault option to always clear the top 28 bits or something.

The ASLR-agnostic idea is cool. I'll have to think more on how to do something like that most naturally in radius2.

I'll try to implement these features myself, though I'm too stupid for this task, and let you know the results.

You have read some of my most horrible code, so you must know that I am much more stupid.

aemmitt-ns avatar Dec 20 '22 17:12 aemmitt-ns
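Two points in the thread above lend themselves to a worked example: the register mask overflow that aemmitt-ns says he will fix with a wrapping shift and subtract (the `(1 << 64) - 1` case), and the variable number of PAC bits that makes generic PAC stripping awkward. The Rust below is an added illustration written for this page; it is not code from radius2, radius, r2frida or Frida. It assumes the ARMv8.3 pointer layout: the PAC occupies the bits between the virtual-address size and bit 55, plus bits 63..56 unless top-byte-ignore (TBI) is enabled, and bit 55 itself is never part of the PAC because it selects the TTBR0/TTBR1 half of the address space. Function names (`low_mask`, `pac_mask`, `strip_pac`) and the sample pointers are made up for the example.

```rust
/// Mask with the low `width` bits set, for register widths 0..=64.
/// `1u64 << 64` panics in debug builds and `1u64.wrapping_shl(64)` wraps the
/// shift amount to 0 (giving a mask of 0), so the full-width case must be
/// handled explicitly rather than computed.
pub fn low_mask(width: u32) -> u64 {
    match width {
        0 => 0,
        w if w >= 64 => u64::MAX,
        w => (1u64 << w) - 1,
    }
}

/// Bits occupied by an ARMv8.3 PAC for a given virtual-address size (the
/// "variable number of PAC bits"). With TBI on, bits 63..56 are free for
/// tagging and the PAC is confined to bits 54..va_bits; with TBI off it also
/// covers bits 63..56. Bit 55 is excluded in both cases.
pub fn pac_mask(va_bits: u32, tbi: bool) -> u64 {
    assert!((1..=55).contains(&va_bits), "va_bits must be in 1..=55");
    let high = if tbi { 55 } else { 64 };
    // Bits [high-1 .. va_bits], then clear the TTBR select bit.
    let region = low_mask(high) & !low_mask(va_bits);
    region & !(1u64 << 55)
}

/// Equivalent of XPACI/XPACD: replace the PAC field with copies of bit 55,
/// so user-space pointers (bit 55 clear) get zeros and kernel pointers
/// (bit 55 set) get ones. Simply clearing the top bits would mangle the latter.
pub fn strip_pac(ptr: u64, va_bits: u32, tbi: bool) -> u64 {
    let mask = pac_mask(va_bits, tbi);
    if ptr & (1u64 << 55) != 0 {
        ptr | mask
    } else {
        ptr & !mask
    }
}

fn main() {
    // Constructed sample values, not captured from a real device.
    let user_ptr: u64 = 0x1a2b_0001_0000_1234; // 48-bit VA, PAC in the top bits
    let kern_ptr: u64 = 0x12ff_fff0_0000_0000; // bit 55 set, PAC in bits 63..56 and 54..48
    println!("64-bit register mask: {:#018x}", low_mask(64));
    println!("PAC mask, 48-bit VA, TBI off: {:#018x}", pac_mask(48, false));
    println!("PAC mask, 48-bit VA, TBI on:  {:#018x}", pac_mask(48, true));
    println!("stripped user ptr:   {:#018x}", strip_pac(user_ptr, 48, false));
    println!("stripped kernel ptr: {:#018x}", strip_pac(kern_ptr, 48, false));
}
```

For a symbolic executor the interesting property is that `strip_pac` is expressible with only AND/OR against a constant mask plus a test of bit 55, so it maps directly onto bit-vector operations once the VA size and TBI setting are fixed per target; the "clear the top N bits" option discussed above corresponds to `pac_mask` with bit 55 assumed clear.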