Unable to hook application

Open Azulath opened this issue 4 years ago • 6 comments

I am unable to hook some applications on a rooted Android device using Objection, while other applications work perfectly fine. I have tried both, letting Objection start the application and hooking the application when it's already running. Below is a console/logcat output:

    [me@mbp ~] frida -U -n "com.androidpentesting.securestorev2"
         ____
        / _  |   Frida 14.2.14 - A world-class dynamic instrumentation toolkit
       | (_| |
        > _  |   Commands:
       /_/ |_|       help      -> Displays the help system
       . . . .       object?   -> Display information about 'object'
       . . . .       exit/quit -> Exit
       . . . .
       . . . .   More info at https://frida.re/docs/home/
                                                                                    
    [SM M205FN::com.androidpentesting.securestorev2]-> exit
     
    Thank you for using Frida!
     
    [me@mbp ~] objection --gadget com.androidpentesting.securestorev2 explore
    Checking for a newer version of objection...
    Using USB device `SM M205FN`
    Agent injected and responds ok!
    Traceback (most recent call last):
      File "/Users/me/homebrew/bin/objection", line 8, in <module>
    (session detach message) process-terminated
        sys.exit(cli())
    (process crash report)
      File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 829, in __call__
     
    	*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
    LineageOS Version: '15.1-20190517-NIGHTLY-mako'
    Build fingerprint: 'google/occam/mako:5.1.1/LMY48T/2237560:user/release-keys'
    Revision: '0'
    ABI: 'arm'
    pid: 2989, tid: 3113, name: Thread-2  >>> com.androidpentesting.securestorev2 <<<
    signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
    Abort message: 'java_vm_ext.cc:534] JNI DETECTED ERROR IN APPLICATION: unknown format specifier: '''
        r0 00000000  r1 00000c29  r2 00000006  r3 8a2d4f10
        r4 ac608c76  r5 00000c2b  r6 00000000  r7 0000016b
        r8 00000002  r9 00000006  sl 8a2d79c8  fp 00000001
        ip 8a2d4d20  sp 8a2d4d10  lr a8d0e8fb  pc a8d5405c  cpsr 000f0010
     
    backtrace:
        #00 pc 0005f05c  /system/bin/linker (__dl_syscall+32)
        #01 pc 000198f7  /system/bin/linker (__dl__ZL13resend_signalP7siginfob+54)
        #02 pc 00019753  /system/bin/linker (__dl__ZL24debuggerd_signal_handleriP7siginfoPv+774)
        #03 pc 00150ccd  /data/local/tmp/re.frida.server/frida-agent-32.so
     
        return self.main(*args, **kwargs)
      File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 782, in main
        rv = self.invoke(ctx)
      File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 610, in invoke
        return callback(*args, **kwargs)
      File "/Users/me/homebrew/lib/python3.9/site-packages/objection/console/cli.py", line 156, in explore
        device_info = get_device_info()
      File "/Users/me/homebrew/lib/python3.9/site-packages/objection/commands/device.py", line 41, in get_device_info
        package_info = api.env_android()
      File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 401, in method
        return script._rpc_request('call', js_name, args, **kwargs)
      File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 26, in wrapper
        return f(*args, **kwargs)
      File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 333, in _rpc_request
        raise result[2]
    frida.InvalidOperationError: script is destroyed
    Asking jobs to stop...
    Unloading objection agent...
    Unable to run cleanups: script is destroyed

Azulath, Apr 08 '21 06:04

      File "/Users/me/homebrew/lib/python3.9/site-packages/objection/commands/device.py", line 41, in get_device_info
        package_info = api.env_android()
      File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 401, in method
        return script._rpc_request('call', js_name, args, **kwargs)

From this part it looks like the call to the agent's androidPackage() method might be causing the crash. There are two things you can try:

  1. Run objection with the --debug flag to see if the output is more verbose. My hope is to see a stack trace from the agent.
  2. Run some of the methods inside the androidPackage() method (src here) in the Frida REPL and see if you can find the method that is causing the crash.

leonjza, Apr 08 '21 06:04

Running it with the --debug flag resulted in the following output:

Objection

    [me@mbp ~/Downloads] objection --debug --gadget com.androidpentesting.securestorev2 explore
    [debug] Agent path is: /Users/me/homebrew/lib/python3.9/site-packages/objection/agent.js
    [debug] Injecting agent...
    Using USB device `SM M205FN`
    [debug] Attempting to attach to process: `com.androidpentesting.securestorev2`
    [debug] Unable to find process: `com.androidpentesting.securestorev2`, attempting spawn
    [debug] PID `4528` spawned, attaching...
    [debug] Resuming PID `4528`
    Agent injected and responds ok!
    Traceback (most recent call last):
      File "/Users/me/homebrew/bin/objection", line 8, in <module>
        sys.exit(cli())
      File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 829, in __call__
        return self.main(*args, **kwargs)
      File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 782, in main
        rv = self.invoke(ctx)
      File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "/Users/me/homebrew/lib/python3.9/site-packages/click/core.py", line 610, in invoke
        return callback(*args, **kwargs)
      File "/Users/me/homebrew/lib/python3.9/site-packages/objection/console/cli.py", line 156, in explore
        device_info = get_device_info()
      File "/Users/me/homebrew/lib/python3.9/site-packages/objection/commands/device.py", line 41, in get_device_info
        package_info = api.env_android()
      File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 401, in method
        return script._rpc_request('call', js_name, args, **kwargs)
      File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 26, in wrapper
        return f(*args, **kwargs)
      File "/Users/me/homebrew/lib/python3.9/site-packages/frida/core.py", line 333, in _rpc_request
        raise result[2]
    frida.InvalidOperationError: script is destroyed
    Asking jobs to stop...
    Unloading objection agent...
    [debug] Calling unload()
    Unable to run cleanups: script is destroyed

It crashes when I try to do the following:

Frida REPL

    [SM M205FN::com.androidpentesting.securestorev2]-> Java.use("android.os.Build")
    Process crashed: Trace/BPT trap

    LineageOS Version: '15.1-20190517-NIGHTLY-mako'
    Build fingerprint: 'google/occam/mako:5.1.1/LMY48T/2237560:user/release-keys'
    Revision: '0'
    ABI: 'arm'
    pid: 4663, tid: 4900, name: Thread-2  >>> com.androidpentesting.securestorev2 <<<
    signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
    Abort message: 'java_vm_ext.cc:534] JNI DETECTED ERROR IN APPLICATION: unknown format specifier: '''
        r0 00000000  r1 00001324  r2 00000006  r3 8a1fe568
        r4 ac608c76  r5 0000133f  r6 00000000  r7 0000016b
        r8 00000002  r9 00000006  sl 8a2009c8  fp 00000001
        ip 8a1fe378  sp 8a1fe368  lr a8d0e8fb  pc a8d5405c  cpsr 000f0010

    backtrace:
        #00 pc 0005f05c  /system/bin/linker (__dl_syscall+32)
        #01 pc 000198f7  /system/bin/linker (__dl__ZL13resend_signalP7siginfob+54)
        #02 pc 00019753  /system/bin/linker (__dl__ZL24debuggerd_signal_handleriP7siginfoPv+774)
        #03 pc 00150ccd  /data/local/tmp/re.frida.server/frida-agent-32.so

    [SM M205FN::com.androidpentesting.securestorev2]->

    Thank you for using Frida!

Azulath, Apr 08 '21 07:04

I suspect this might be a Frida bug / support issue for your OS. Can you call Java.use() on any other classes in the Frida REPL? I'll have to find a way to reproduce this locally (and some time) to debug. In the meantime, you can try to set up the frida-java playground using these steps to try and debug what is happening.

leonjza, Apr 08 '21 07:04

Ok thanks - I just tried Java.use("java.lang.String") and it crashes as well. I will test this on another device. Currently, I only have Lineage devices at hand but this shouldn't be an issue with LineageOS in general, should it?

Azulath, Apr 08 '21 08:04

I've used older Lineage successfully before. You could try and downgrade your frida-server and see if there was a specific version that caused this behavior as well.

leonjza, Apr 08 '21 08:04

I've tested it now on my OnePlus 2 running LineageOS 16 and everything works as expected. Thanks for your help 👍 (I will look further into the Nexus device later in the week...)

Azulath, Apr 08 '21 08:04