objection icon indicating copy to clipboard operation
objection copied to clipboard

Published 20 hours ago verified publisher icon sensepost

[bug] Objection explore freezes

Open centrinvest opened this issue 3 years ago • 11 comments

Describe the bug Hello! We encountered obscure objection behavior with iOS. At first, the utility worked correctly, the application started up. Then at some point the objection explore command just started to freeze at the "Attempting to attach to process: Gadget" stage.

Tell me what could be the problem?

To Reproduce Steps to reproduce the behavior:

  1. I run any application via xcode on the device to get embedded.mobileprovision. At the same time, in the DerivedData folder, I only have one application

  2. Run objection patchipa: objection patchipa --source MobileBanking.ipa --codesign-signature 719BFDXXXXXX Using latest Github gadget version: 15.0.6 Remote FridaGadget version is v15.0.6, local is v15.0.4. Downloading... Downloading from: https://github.com/frida/frida/releases/download/15.0.6/frida-gadget-15.0.6-ios-universal.dylib.xz Downloading iOS dylib to /Users/developonecentrinvest/.objection/ios/FridaGadget.dylib.xz... Unpacking /Users/developonecentrinvest/.objection/ios/FridaGadget.dylib.xz... Cleaning up downloaded archives... Patcher will be using Gadget version: 15.0.6 No provision file specified, searching for one... Found provision file /Users/developonecentrinvest/Library/Developer/Xcode/DerivedData/MobileBanking-hgxjaybwbnlqhrgjszukifylppsk/Build/Products/Debug-iphoneos/MobileBanking.app/embedded.mobileprovision expiring in 269 days, 4:49:16.997176 Found a valid provisioning profile Mobile provision bundle identifier is: ru.invest.mobilebanking Working with app: MobileBanking.app Bundle identifier is: ru.invest.mobilebanking Codesigning 22 .dylib's with signature 719BFDXXXXXX Code signing: libswiftMapKit.dylib Code signing: libswiftPhotos.dylib Code signing: libswiftCoreImage.dylib Code signing: libswiftObjectiveC.dylib Code signing: libswiftCore.dylib Code signing: libswiftCoreGraphics.dylib Code signing: libswiftUIKit.dylib Code signing: libswiftMetal.dylib Code signing: libswiftCoreData.dylib Code signing: libswiftDispatch.dylib Code signing: libswiftos.dylib Code signing: libswiftCoreFoundation.dylib Code signing: FridaGadget.dylib Code signing: libswiftDarwin.dylib Code signing: libswiftContacts.dylib Code signing: libswiftQuartzCore.dylib Code signing: libswiftCoreAudio.dylib Code signing: libswiftAVFoundation.dylib Code signing: libswiftFoundation.dylib Code signing: libswiftCoreMedia.dylib Code signing: libswiftCoreLocation.dylib Code signing: libswiftsimd.dylib Creating new archive with patched contents... Codesigning patched IPA...

Copying final ipa from /var/folders/s7/7lptcrdx2xs38mctj_lm36b40000gn/T/MobileBanking-frida-codesigned.ipa to current directory... Cleaning up temp files...

  1. unzip MobileBanking-frida-codesigned.ipa

  2. ios-deploy --bundle Payload/MobileBanking.app/ -W -d [....] Waiting for iOS device to be connected [....] Using 65a58436864dbcf0eb1700eca2226e0a6301c044 (D101AP, iPhone 7, iphoneos, arm64, 14.4, 18D52) a.k.a. 'iPhone'. ------ Install phase ------ [ 0%] Found 65a58436864dbcf0eb1700eca2226e0a6301c044 (D101AP, iPhone 7, iphoneos, arm64, 14.4, 18D52) a.k.a. 'iPhone' connected through USB, beginning install [ 5%] Copying /Users/developonecentrinvest/objection/Payload/MobileBanking.app/META-INF/ to device ... [ 52%] CreatingStagingDirectory [ 57%] ExtractingPackage [ 60%] InspectingPackage [ 60%] TakingInstallLock [ 65%] PreflightingApplication [ 65%] InstallingEmbeddedProfile [ 70%] VerifyingApplication [ 75%] CreatingContainer [ 80%] InstallingApplication [ 85%] PostflightingApplication [ 90%] SandboxingApplication [ 95%] GeneratingApplicationMap [100%] Installed package Payload/MobileBanking.app/ ------ Debug phase ------ Starting debug of 65a58436864dbcf0eb1700eca2226e0a6301c044 (D101AP, iPhone 7, iphoneos, arm64, 14.4, 18D52) a.k.a. 'iPhone' connected through USB... [ 0%] Looking up developer disk image [ 95%] Developer disk image mounted successfully Symbol Path: /Users/developonecentrinvest/Library/Developer/Xcode/iOS DeviceSupport/14.4 (18D52)/Symbols [100%] Connecting to remote debug server

(lldb) command source -s 0 '/tmp/191169CD-6766-457B-B1F4-ABB16AB6C5B9/fruitstrap-lldb-prep-cmds-65a58436864dbcf0eb1700eca2226e0a6301c044' Executing commands in '/tmp/191169CD-6766-457B-B1F4-ABB16AB6C5B9/fruitstrap-lldb-prep-cmds-65a58436864dbcf0eb1700eca2226e0a6301c044'. (lldb) platform select remote-ios --sysroot '/Users/developonecentrinvest/Library/Developer/Xcode/iOS DeviceSupport/14.4 (18D52)/Symbols' Platform: remote-ios Connected: no SDK Path: "/Users/developonecentrinvest/Library/Developer/Xcode/iOS DeviceSupport/14.4 (18D52)/Symbols" (lldb) target create "/Users/developonecentrinvest/objection/Payload/MobileBanking.app" Current executable set to '/Users/developonecentrinvest/objection/Payload/MobileBanking.app' (arm64). (lldb) script fruitstrap_device_app="/private/var/containers/Bundle/Application/F3C548AA-06A1-4E31-B9CA-7DF51F024C64/MobileBanking.app" (lldb) script fruitstrap_connect_url="connect://127.0.0.1:52073" (lldb) script fruitstrap_output_path="" (lldb) script fruitstrap_error_path="" (lldb) target modules search-paths add /usr "/Users/developonecentrinvest/Library/Developer/Xcode/iOS DeviceSupport/14.4 (18D52)/Symbols/usr" /System "/Users/developonecentrinvest/Library/Developer/Xcode/iOS DeviceSupport/14.4 (18D52)/Symbols/System" "/private/var/containers/Bundle/Application/F3C548AA-06A1-4E31-B9CA-7DF51F024C64" "/Users/developonecentrinvest/objection/Payload" "/var/containers/Bundle/Application/F3C548AA-06A1-4E31-B9CA-7DF51F024C64" "/Users/developonecentrinvest/objection/Payload" /Developer "/Users/developonecentrinvest/Library/Developer/Xcode/iOS DeviceSupport/14.4 (18D52)/Symbols/Developer" (lldb) command script import "/tmp/191169CD-6766-457B-B1F4-ABB16AB6C5B9/fruitstrap_65a58436864dbcf0eb1700eca2226e0a6301c044.py" (lldb) command script add -f fruitstrap_65a58436864dbcf0eb1700eca2226e0a6301c044.connect_command connect (lldb) command script add -s asynchronous -f fruitstrap_65a58436864dbcf0eb1700eca2226e0a6301c044.run_command run (lldb) command script add -s asynchronous -f fruitstrap_65a58436864dbcf0eb1700eca2226e0a6301c044.autoexit_command autoexit (lldb) command script add -s asynchronous -f fruitstrap_65a58436864dbcf0eb1700eca2226e0a6301c044.safequit_command safequit (lldb) connect (lldb) run success 2021-07-14 10:11:34.258650+0300 MobileBanking[5902:1834240] Frida: Listening on 127.0.0.1 TCP port 27042 (lldb)

  1. objection --debug explore [debug] Agent path is: /usr/local/lib/python3.9/site-packages/objection/agent.js [debug] Injecting agent... Using USB device iPhone [debug] Attempting to attach to process: Gadget

And that's it, at this step the objection just freezes and nothing else happens.

Expected behavior objection explore not freezes

Environment (please complete the following information):

  • Device: iPhone 7
  • OS: iOS 14.4
  • Frida Version 14.2.18
  • Objection Version 1.11.0

centrinvest avatar Jul 14 '21 07:07 centrinvest

Can you connect the vanilla frida client?

leonjza avatar Jul 14 '21 07:07 leonjza

Can you connect the vanilla frida client?

How can i check this?

centrinvest avatar Jul 14 '21 08:07 centrinvest

Command frida --usb Gadget also freezes

centrinvest avatar Jul 14 '21 08:07 centrinvest

Try and use the full bundle identifier of your app instead of Gadget.

leonjza avatar Jul 14 '21 09:07 leonjza

objection --debug -g "ru.invest.mobilebanking" explore and frida -usb "ru.invest.mobilebanking" also freezes

centrinvest avatar Jul 14 '21 09:07 centrinvest

Right, you will have to debug this locally. Could be some security feature of the application preventing Frida from working.

leonjza avatar Jul 14 '21 09:07 leonjza

I also have the same issue for a couple of apps. Ideas? explore works as wel as a reconnect but the app is stuck in the splash screen.

hazcod avatar Jul 26 '21 09:07 hazcod

We've run into this internally as well. For now, downgrading frida-server (or gadget by patching with the --gadget-version flag) and local frida python package to latest 14x for now should let you resume normal operation. For 15x support, watch #474.

leonjza avatar Jul 26 '21 10:07 leonjza

Interestingly I am doing this with objection v1.11.0 and Gadget 14.2.18 and the app splash screen stays.

hazcod avatar Jul 26 '21 10:07 hazcod

Right. Only other thing I can suggest now is to check your local frida package version.

❯ pip3 freeze | grep -i frida
frida==14.2.18

leonjza avatar Jul 26 '21 10:07 leonjza

@leonjza hmmmm gotcha, but stays at connecting now:

 % objection --debug -g com.ironpeak.empty explore
[debug] Agent path is: /opt/homebrew/lib/python3.9/site-packages/objection/agent.js
[debug] Injecting agent...
Using USB device `iPhone`
[debug] Attempting to attach to process: `com.ironpeak.empty`
[debug] Unable to find process: `com.ironpeak.empty`, attempting spawn
[debug] PID `819` spawned, attaching...

% pip3 freeze | grep frida               
WARNING: Could not find setup.py for directory /opt/homebrew/lib/python3.9/site-packages (tried all parent directories)
frida==14.2.18
frida-tools==9.2.5

hazcod avatar Jul 26 '21 11:07 hazcod