frida-swift-bridge
Frida console: typing `Swift.` crashes the app process
Observed on iOS 14.2. Just typing `Swift.` on the Frida console crashes the app. It happens on any pre-installed app that belongs to iOS (Messages, App Store, ...).
If I use the Twitter app from the App Store (I get v9.44 for iOS 14.2) I get a tiny bit further: it crashes after executing the command `Swift.available`.
frida -U Messages
____
/ _ | Frida 16.0.10 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to Apple iPhone (id=00008020-0001695C2EC3002E)
[Apple iPhone::Messages ]-> Swift.
Process crashed: SIGABRT
***
Incident Identifier: 38CF3D02-0417-4456-9147-3B47BE1AAEEE
CrashReporter Key: 595f1e4e8d21aa3eadc5f578b8a3de5870f9ef0f
Hardware Model: iPhone11,8
Process: MobileSMS [2174]
Path: /Applications/MobileSMS.app/MobileSMS
Identifier: com.apple.MobileSMS
Version: 6000 (14.0)
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd [1]
Coalition: com.apple.MobileSMS [1038]
Date/Time: 2023-02-24 12:04:47.4189 +0100
Launch Time: 2023-02-24 12:04:24.1619 +0100
OS Version: iPhone OS 14.2 (18B92)
Release Type: User
Baseband Version: 3.01.01
Report Version: 104
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Triggered by Thread: 10
I tried to understand what is going wrong by identifying the code that makes the app crash. Therefore I checked out and built this project as described, then tried to add `console.log` statements to the code to narrow down the problematic code part.
Unfortunately this TypeScript project seems to be configured rather strangely, as there is no `console.log` available, and I am not familiar enough with such projects to make it work :(
Same here, after typing `Swift.` frida dies.
frida -U -f com.apple.mobilesafari
____
/ _ | Frida 16.0.11 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to iOS Device (id=fe3ade8c294adf31dc08d43e3e069cffa288840a)
Spawned `com.apple.mobilesafari`. Resuming main thread!
[iOS Device::com.apple.mobilesafari ]-> Swift.
Process terminated
[iOS Device::com.apple.mobilesafari ]-> Swift.
Thank you for using Frida!
This is due to using `Module.ensureInitialized("CoreFoundation")`: if there is no CoreFoundation loaded, gum throws an error which crashes the app. This should probably be replaced with non-crashing code that at least makes `Swift.available` return false.
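One way to get the non-crashing behaviour this comment asks for, as an added example that is not frida-swift-bridge's own code: check that a module is actually loaded before asking Gum to run its initializers, and turn any error into a `false` result instead of an uncaught exception. It uses Frida's `Process.findModuleByName` and `Module.ensureInitialized` APIs; the `api` parameter, the helper names, the `makeFakeRuntime` stand-in and the assumption that the bridge also depends on `libswiftCore.dylib` are all mine, introduced so the logic can be exercised outside a target process.

```javascript
// Added example (not frida-swift-bridge code). `api` stands in for Frida's global
// `Process` and `Module` objects; inside a Frida script the default (globalThis)
// resolves to the real runtime, here we pass a constructed stub.

// Returns true only if the module is present AND Gum could run its initializers.
// Never throws, so a missing module cannot abort the target process.
function tryEnsureInitialized(moduleName, api = globalThis) {
  // Process.findModuleByName returns null (rather than throwing) when absent.
  if (api.Process.findModuleByName(moduleName) === null) {
    return false;
  }
  try {
    api.Module.ensureInitialized(moduleName);
    return true;
  } catch (e) {
    // Gum raised an error; left uncaught this is what crashes the app.
    return false;
  }
}

// A non-crashing `available` probe: every prerequisite must hold.
// Assumption: the Swift bridge needs CoreFoundation plus the Swift runtime.
function swiftAvailable(api = globalThis) {
  const needed = ["CoreFoundation", "libswiftCore.dylib"];
  return needed.every((m) => tryEnsureInitialized(m, api));
}

// Constructed stand-in for the Frida runtime (demo only): `loaded` lists the
// modules that findModuleByName should report, `failing` those for which
// ensureInitialized should throw, mimicking the error described above.
function makeFakeRuntime(loaded, failing = []) {
  return {
    Process: {
      findModuleByName(name) {
        return loaded.includes(name) ? { name } : null;
      },
    },
    Module: {
      ensureInitialized(name) {
        if (failing.includes(name)) {
          throw new Error(`unable to initialize ${name}`);
        }
      },
    },
  };
}

// Demo: a Swift app, an app with no CoreFoundation, and one where Gum errors.
const withSwift = makeFakeRuntime(["CoreFoundation", "libswiftCore.dylib"]);
const noCoreFoundation = makeFakeRuntime(["libswiftCore.dylib"]);
const gumErrors = makeFakeRuntime(["CoreFoundation", "libswiftCore.dylib"], ["CoreFoundation"]);
console.log(swiftAvailable(withSwift), swiftAvailable(noCoreFoundation), swiftAvailable(gumErrors));
```

The point of the stub is only to show both outcomes side by side; in the bridge itself the guard would wrap the existing `Module.ensureInitialized("CoreFoundation")` call so that `Swift.available` reports `false` on a process without CoreFoundation rather than taking the process down.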
The same issue happens on Android. The process terminated once I typed `Java` or `Java.available`. But this only happens with one specific APK; maybe there is some anti-Frida/debugger mechanism included (this APK has one .so file and uses O-LLVM, so it's hard to follow the O-LLVM-obfuscated init_proc function).
Also happening to me
Still happening to me with Frida 16.5.2 on iOS 16.7.10 rootless jailbroken with palera1n. Did anyone find a solution/workaround?
CrashReporter Key: c1496e033838aa2f9c2858c40c91e1dea93bbcc9
Hardware Model: iPhone10,6
Process: CameraTest [3557]
Path: /private/var/containers/Bundle/Application/DE121378-25CA-4C67-9AF1-EFE0AAC3147F/CameraTest.app/CameraTest
Identifier: com.spiritoflogic.CameraTest
Version: 1.0 (1)
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd [1]
Coalition: com.spiritoflogic.CameraTest [662]
Date/Time: 2024-10-05 00:22:16.4275 +0200
Launch Time: 2024-10-05 00:22:11.3436 +0200
OS Version: iPhone OS 16.7.10 (20H350)
Release Type: User
Baseband Version: 6.01.01
Report Version: 104
Exception Type: EXC_BAD_ACCESS (SIGABRT)
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000025ccbef81
Exception Codes: 0x0000000000000001, 0x000000025ccbef81
VM Region Info: 0x25ccbef81 is not in any region. Bytes after previous region: 119893890 Bytes before following region: 590614655
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
unused __TEXT 255a64000-255a68000 [ 16K] r--/r-- SM=COW ...ed lib __TEXT
---> GAP OF 0x2a598000 BYTES
MALLOC_NANO 280000000-2a0000000 [512.0M] rw-/rwx SM=COW
Triggered by Thread: 6
Application Specific Information:
abort() called
Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0:
0 libsystem_kernel.dylib 0x1ed299030 mach_msg2_trap + 8
1 libsystem_kernel.dylib 0x1ed2aab18 mach_msg2_internal + 75
2 libsystem_kernel.dylib 0x1ed2aadb8 mach_msg_overwrite + 483
3 libsystem_kernel.dylib 0x1ed299524 mach_msg + 19
4 CoreFoundation 0x1b1ae8148 __CFRunLoopServiceMachPort + 155
5 CoreFoundation 0x1b1ae92e0 __CFRunLoopRun + 1207
6 CoreFoundation 0x1b1aedd20 CFRunLoopRunSpecific + 583
7 GraphicsServices 0x1e9bbd998 GSEventRunModal + 159
8 UIKitCore 0x1b3d8034c -[UIApplication _run] + 867
9 UIKitCore 0x1b3d7ffc4 UIApplicationMain + 311
10 SwiftUI 0x1b52a7c68 0x1b52a7bbd + 171
11 SwiftUI 0x1b5221f1c 0x1b5221e91 + 139
12 SwiftUI 0x1b520ef6c 0x1b520ef0d + 95
13 CameraTest 0x10446ec00 main + 28
14 dyld 0x104654344 start + 1860
Thread 1:
0 libsystem_kernel.dylib 0x1ed29a800 kevent + 8
1 ??? 0x1048c5320 ???
2 ??? 0x1048c47d4 ???
3 ??? 0x1048c49a8 ???
4 ??? 0x1047401a0 ???
5 ??? 0x10472427c ???
6 libsystem_pthread.dylib 0x1fc8240ec _pthread_start + 115
7 libsystem_pthread.dylib 0x1fc82272c thread_start + 7
Thread 2 name: pool-spawner
Thread 2:
0 libsystem_kernel.dylib 0x1ed29987c __psynch_cvwait + 8
1 libsystem_pthread.dylib 0x1fc82360c _pthread_cond_wait$VARIANT$armv81 + 1219
2 ??? 0x1048e6e70 ???
3 ??? 0x1048b2040 ???
4 ??? 0x1048d3ce8 ???
5 ??? 0x1048d2d7c ???
6 libsystem_pthread.dylib 0x1fc8240ec _pthread_start + 115
7 libsystem_pthread.dylib 0x1fc82272c thread_start + 7
Thread 3 name: gmain
Thread 3:
0 libsystem_kernel.dylib 0x1ed29a800 kevent + 8
1 ??? 0x1048c5320 ???
2 ??? 0x1048c47d4 ???
3 ??? 0x1048c4858 ???
4 ??? 0x1048c56c0 ???
5 ??? 0x1048d2d7c ???
6 libsystem_pthread.dylib 0x1fc8240ec _pthread_start + 115
7 libsystem_pthread.dylib 0x1fc82272c thread_start + 7
Thread 4 name: pool-frida
Thread 4:
0 libsystem_kernel.dylib 0x1ed29987c __psynch_cvwait + 8
1 libsystem_pthread.dylib 0x1fc823638 _pthread_cond_wait$VARIANT$armv81 + 1263
2 ??? 0x1048e6f7c ???
3 ??? 0x1048b2034 ???
4 ??? 0x1048b2098 ???
5 ??? 0x1048d3b18 ???
6 ??? 0x1048d2d7c ???
7 libsystem_pthread.dylib 0x1fc8240ec _pthread_start + 115
8 libsystem_pthread.dylib 0x1fc82272c thread_start + 7
Thread 5 name: gdbus
Thread 5:
0 libsystem_kernel.dylib 0x1ed29a800 kevent + 8
1 ??? 0x1048c5320 ???
2 ??? 0x1048c47d4 ???
3 ??? 0x1048c49a8 ???
4 ??? 0x10487dd08 ???
5 ??? 0x1048d2d7c ???
6 libsystem_pthread.dylib 0x1fc8240ec _pthread_start + 115
7 libsystem_pthread.dylib 0x1fc82272c thread_start + 7
Thread 6 name: gum-js-loop
Thread 6 Crashed:
0 libsystem_kernel.dylib 0x1ed29f198 __pthread_kill + 8
1 libsystem_pthread.dylib 0x1fc82e5f8 pthread_kill + 207
2 libsystem_c.dylib 0x1b893d80c __abort + 123
3 libsystem_c.dylib 0x1b88e84c4 abort + 135
4 ??? 0x104765784 ???
5 ??? 0x104792624 ???
6 ??? 0x1047938b4 ???
7 ??? 0x104798bc0 ???
8 ??? 0x104943218 ???
9 ??? 0x10494c1e4 ???
10 ??? 0x10494d234 ???
11 ??? 0x104947230 ???
12 ??? 0x104947710 ???
13 ??? 0x10494db1c ???
14 ??? 0x104947230 ???
15 ??? 0x104952b1c ???
16 ??? 0x104958754 ???
17 ??? 0x104952ca8 ???
18 ??? 0x10495ecf8 ???
19 ??? 0x104943218 ???
20 ??? 0x10494c1e4 ???
21 ??? 0x10494d0cc ???
22 ??? 0x10494d0cc ???
23 ??? 0x10494d0cc ???
24 ??? 0x10494bfc0 ???
25 ??? 0x104943218 ???
26 ??? 0x10494c1e4 ???
27 ??? 0x10494bfc0 ???
28 ??? 0x10495eb30 ???
29 ??? 0x10494d3a0 ???
30 ??? 0x10494d0cc ???
31 ??? 0x10494bfc0 ???
32 ??? 0x104798220 ???
33 ??? 0x1047982bc ???
34 ??? 0x104797ed0 ???
35 ??? 0x10478b860 ???
36 ??? 0x1048c45f0 ???
37 ??? 0x1048c47f8 ???
38 ??? 0x1048c49a8 ???
39 ??? 0x10478b784 ???
40 ??? 0x1048d2d7c ???
41 libsystem_pthread.dylib 0x1fc8240ec _pthread_start + 115
42 libsystem_pthread.dylib 0x1fc82272c thread_start + 7
Thread 7:
0 libsystem_pthread.dylib 0x1fc822718 start_wqthread + 0
Thread 8:
0 libsystem_pthread.dylib 0x1fc822718 start_wqthread + 0
Thread 9:
0 libsystem_pthread.dylib 0x1fc822718 start_wqthread + 0
Thread 10 name: com.apple.uikit.eventfetch-thread
Thread 10:
0 libsystem_kernel.dylib 0x1ed299030 mach_msg2_trap + 8
1 libsystem_kernel.dylib 0x1ed2aab18 mach_msg2_internal + 75
2 libsystem_kernel.dylib 0x1ed2aadb8 mach_msg_overwrite + 483
3 libsystem_kernel.dylib 0x1ed299524 mach_msg + 19
4 CoreFoundation 0x1b1ae8148 __CFRunLoopServiceMachPort + 155
5 CoreFoundation 0x1b1ae92e0 __CFRunLoopRun + 1207
6 CoreFoundation 0x1b1aedd20 CFRunLoopRunSpecific + 583
7 Foundation 0x1abe3cef8 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 207
8 Foundation 0x1abe3cdf4 -[NSRunLoop(NSRunLoop) runUntilDate:] + 59
9 UIKitCore 0x1b3ea2818 -[UIEventFetcher threadMain] + 403
10 Foundation 0x1abe54a5c __NSThread__start__ + 703
11 libsystem_pthread.dylib 0x1fc8240ec _pthread_start + 115
12 libsystem_pthread.dylib 0x1fc82272c thread_start + 7
Thread 11:
0 libsystem_pthread.dylib 0x1fc822718 start_wqthread + 0
Thread 12:
0 libsystem_pthread.dylib 0x1fc822718 start_wqthread + 0
Thread 13:
0 libsystem_pthread.dylib 0x1fc822718 start_wqthread + 0
Thread 6 crashed with ARM Thread State (64-bit):
x0: 0x0000000000000000 x1: 0x0000000000000000 x2: 0x0000000000000000 x3: 0x0000000000000000
x4: 0x0000000000000000 x5: 0x0000000000989680 x6: 0x0000000000000800 x7: 0x0000000000000b00
x8: 0x000000016bcdf000 x9: 0x116fbe6982dc3c15 x10: 0x0000000000000b48 x11: 0x8000000000000000
x12: 0x0000000690064a30 x13: 0x000000087e058000 x14: 0x0000000000003fff x15: 0x00000000000000f5
x16: 0x0000000000000148 x17: 0x000000010461f00c x18: 0x0000000000000000 x19: 0x0000000000000006
x20: 0x0000000000000d03 x21: 0x000000016bcdf0e0 x22: 0x0000000690061090 x23: 0xffffffffffffffff
x24: 0x0000000000000006 x25: 0x000000068c1ef380 x26: 0x000000068c330660 x27: 0x0000000000000003
x28: 0x0000000000000000 fp: 0x000000016bcdbc80 lr: 0x00000001fc82e5f8
sp: 0x000000016bcdbc60 pc: 0x00000001ed29f198 cpsr: 0x40000000
far: 0x0000000000000000 esr: 0x56000080 Address size fault
Binary Images:
0x104640000 - 0x1046bffff dyld arm64 <199941a595ee30548e54ae6387a9fa9a> /cores/usr/lib/dyld
0x104464000 - 0x1044e3fff CameraTest arm64 <a5c3475e1f3c39c38c680ac6dbf9eef5> /private/var/containers/Bundle/Application/DE121378-25CA-4C67-9AF1-EFE0AAC3147F/CameraTest.app/CameraTest
0x1045e4000 - 0x1045ebfff systemhook.dylib arm64 <b14375b3e14134dcaaaeb9a3a380e862> /cores/binpack/usr/lib/systemhook.dylib
0x105aac000 - 0x105ab7fff libobjc-trampolines.dylib arm64 <1ab75847bb2d36f9999a72dd61f86b85> /private/preboot/Cryptexes/OS/usr/lib/libobjc-trampolines.dylib
0x1ed298000 - 0x1ed2cdff7 libsystem_kernel.dylib arm64 <2e54c705197430d2b37181fd168f8d76> /usr/lib/system/libsystem_kernel.dylib
0x1b1a74000 - 0x1b1e42fff CoreFoundation arm64 <55b9ba284c5c3fe79c474983337d6e83> /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0x1e9bbc000 - 0x1e9bc4fff GraphicsServices arm64 <bd39268bdd513b91a12da4a75a6e2308> /System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices
0x1b3a0f000 - 0x1b5123fff UIKitCore arm64 <1242978a2c2c37818d6c9777edce2804> /System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore
0x1b5124000 - 0x1b673bfff SwiftUI arm64 <25e5bd9fd5e830ca8531a17b580749b7> /System/Library/Frameworks/SwiftUI.framework/SwiftUI
0x0 - 0xffffffffffffffff ??? unknown-arch <00000000000000000000000000000000> ???
0x1fc821000 - 0x1fc831fff libsystem_pthread.dylib arm64 <78c98f1859853be3bc4bf2a3a34ae906> /usr/lib/system/libsystem_pthread.dylib
0x1b88cc000 - 0x1b8945fff libsystem_c.dylib arm64 <03790d8154d237b0ad532615960b3c22> /usr/lib/system/libsystem_c.dylib
0x1abdfe000 - 0x1ac646fff Foundation arm64 <dce5e5872a0d34cf824523e1b12936a9> /System/Library/Frameworks/Foundation.framework/Foundation