[bug] App crashing on startup | no errors while patching | iOS
Describe the bug: The application is just crashing on startup.
To Reproduce Steps to reproduce the behavior:
- Patched the application using Objection: objection patchipa --source UnCrackable-Level1.ipa --codesign-signature xxx
Using latest Github gadget version: 16.1.11
Patcher will be using Gadget version: 16.1.11
No provision file specified, searching for one...
Found provision file /Users/vivek/Library/Developer/Xcode/DerivedData/fsopzdssdrpjedcrjhhktacrxxvvxdk/Build/Products/Debug-iphoneos/fsop.app/embedded.mobileprovision expiring in 4 days, 13:32:01.464373
Found a valid provisioning profile
Mobile provision bundle identifier is: com.hackerboi.fsop
Working with app: UnCrackable Level 1.app
Bundle identifier is: sg.vp.UnCrackable1
Creating Frameworks directory for FridaGadget...
Codesigning 1 .dylib's with signature xxx
Code signing: FridaGadget.dylib
Creating new archive with patched contents...
Codesigning patched IPA...
Copying final ipa from /var/folders/x8/66h0m1r95y1g5k3m6r1x15n40000gn/T/UnCrackable-Level1-frida-codesigned.ipa to current directory...
Cleaning up temp files...
- Upload it to the device: ideviceinstaller -i UnCrackable-Level1-frida-codesigned.ipa
WARNING: could not locate Payload/UnCrackable Level 1.app/SC_Info/UnCrackable Level 1.sinf in archive!
Copying 'UnCrackable-Level1-frida-codesigned.ipa' to device... DONE.
Installing 'com.hackerboi.fsop'
Install: CreatingStagingDirectory (5%)
Install: ExtractingPackage (15%)
Install: InspectingPackage (20%)
Install: PreflightingApplication (30%)
Install: VerifyingApplication (40%)
Install: CreatingContainer (50%)
Install: InstallingApplication (60%)
Install: PostflightingApplication (70%)
Install: SandboxingApplication (80%)
Install: GeneratingApplicationMap (90%)
Install: InstallComplete (100%)
Install: Complete
- syslogs while opening the application: idevicesyslog | grep -i Uncrackable
0: <string: 0xc18e439a0> { length = 115, contents = "/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1" }
"Program" => <string: 0xc18e9d800> { length = 115, contents = "/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1" }
Jan 25 20:09:24 kernel(Sandbox)[0] <Notice>: /private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1[1959] ==> container
Jan 25 20:09:24 kernel(Sandbox)[0] <Error>: Sandbox: UnCrackable Level 1(1959) deny(1) sysctl-read kern.bootargs
Jan 25 20:09:24 kernel(AppleMobileFileIntegrity)[0] <Notice>: AMFI: constraint violation /private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/Frameworks/FridaGadget.dylib has entitlements but is not a main binary
Jan 25 20:09:24 locationd[71] <Notice>: {"msg":"computing freshAuthorizationContext", "Client":"icom.hackerboi.fsop:", "ClientDictionary":"{\134n BundleId = \134"com.hackerboi.fsop\134";\134n BundlePath = \134"\134/private\134/var\134/containers\134/Bundle\134/Application\134/E6A57895-036E-4248-8253-A54D3C370FD6\134/UnCrackable Level 1.app\134";\134n Executable = \134"\134/private\134/var\134/containers\134/Bundle\134/Application\134/E6A57895-036E-4248-8253-A54D3C370FD6\134/UnCrackable Level 1.app\134/UnCrackable Level 1\134";\134n ExistsInLSDatabase = 1;\134n InUseLevel = 5;\134n PluginBundleIds = (\134n );\134n SuppressShowingInSettings = 1;\134n}", "BigSwitch":1, "InUseLevel":{"type":"decode failure","raw value":5,"expected type":"Generic"}}
Jan 25 20:09:24 kernel[0] <Notice>: UnCrackable Level 1[1959] Corpse allowed 1 of 5
Jan 25 20:09:24 locationd[71] <Notice>: {"msg":"computing freshAuthorizationContext", "Client":"icom.hackerboi.fsop:", "ClientDictionary":"{\134n BundleId = \134"com.hackerboi.fsop\134";\134n BundlePath = \134"\134/private\134/var\134/containers\134/Bundle\134/Application\134/E6A57895-036E-4248-8253-A54D3C370FD6\134/UnCrackable Level 1.app\134";\134n Executable = \134"\134/private\134/var\134/containers\134/Bundle\134/Application\134/E6A57895-036E-4248-8253-A54D3C370FD6\134/UnCrackable Level 1.app\134/UnCrackable Level 1\134";\134n ExistsInLSDatabase = 1;\134n InUseLevel = 0;\134n PluginBundleIds = (\134n );\134n SuppressShowingInSettings = 1;\134n}", "BigSwitch":1, "InUseLevel":{"type":"decode failure","raw value":0,"expected type":"Generic"}}
Jan 25 20:09:24 ReportCrash[134] <Notice>: Formulating fatal 309 report for corpse[1959] UnCrackable Level 1
Jan 25 20:09:24 ReportCrash[134] <Notice>: loadStoreInfo [platform 2] com.hackerboi.fsop from file:///private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable%20Level%201.app/
Jan 25 20:09:24 osanalyticshelper(OSAnalytics)[208] <Notice>: creating type 309 as /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/.UnCrackable Level 1-2024-01-25-200924.ips
Jan 25 20:09:24 osanalyticshelper(OSAnalytics)[208] <Notice>: Saved type '309(<private>)' report (1 of max 25) at /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/UnCrackable Level 1-2024-01-25-200924.ips
Jan 25 20:09:24 osanalyticshelper[208] <Notice>: xpc log creation type 309 result success: /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/UnCrackable Level 1-2024-01-25-200924.ips
Jan 25 20:09:24 ReportCrash(OSAnalytics)[134] <Notice>: client log create type 309 result success: /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/UnCrackable Level 1-2024-01-25-200924.ips
0: <string: 0xc18afd220> { length = 115, contents = "/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1" }
"Program" => <string: 0xc18acb2f0> { length = 115, contents = "/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1" }
Jan 25 20:33:07 kernel(Sandbox)[0] <Notice>: /private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1[1961] ==> container
Jan 25 20:33:07 kernel(Sandbox)[0] <Error>: Sandbox: UnCrackable Level 1(1961) deny(1) sysctl-read kern.bootargs
Jan 25 20:33:07 kernel[0] <Error>: memorystatus: Ignore assertion driven idle priority. Process not previously controlled UnCrackable Level 1:1961
Environment (please complete the following information):
- Device: iPhone 14
- OS: 17.2
- Frida Version: 16.0.8
- Objection Version: 16.1.11
Application: UnCrackable Level 1 from OWASP
As far as I have searched, GPT gave me 2 possible reasons from looking at the error:
Sandbox Violation: The app is trying to read the kern.bootargs system control variable, which is not allowed in the app's sandbox environment. This is causing the app to crash. To fix this, you would need to remove or modify the code that is trying to read this variable.
AMFI Constraint Violation: The FridaGadget.dylib framework has entitlements but is not a main binary. This is causing the Apple Mobile File Integrity (AMFI) to block the app. To fix this, you would need to ensure that the FridaGadget.dylib framework is correctly embedded in the app and that it has the necessary entitlements.
frida only working with jb
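
An added triage example, not part of the original report or of objection: it groups the `idevicesyslog` lines quoted above by app launch, so the Sandbox, AMFI and ReportCrash events recorded for each PID can be compared side by side. The sample lines are constructed from the report's log (`APP-UUID` is a placeholder), and attaching an AMFI line to a launch by app name and timestamp is an assumption of this example, since that message carries no PID.

```python
import re

# Constructed sample: shortened copies of lines from the report (APP-UUID is a placeholder).
SAMPLE = """\
Jan 25 20:09:24 kernel(Sandbox)[0] <Error>: Sandbox: UnCrackable Level 1(1959) deny(1) sysctl-read kern.bootargs
Jan 25 20:09:24 kernel(AppleMobileFileIntegrity)[0] <Notice>: AMFI: constraint violation /private/var/containers/Bundle/Application/APP-UUID/UnCrackable Level 1.app/Frameworks/FridaGadget.dylib has entitlements but is not a main binary
Jan 25 20:09:24 kernel[0] <Notice>: UnCrackable Level 1[1959] Corpse allowed 1 of 5
Jan 25 20:09:24 ReportCrash[134] <Notice>: Formulating fatal 309 report for corpse[1959] UnCrackable Level 1
Jan 25 20:33:07 kernel(Sandbox)[0] <Error>: Sandbox: UnCrackable Level 1(1961) deny(1) sysctl-read kern.bootargs
"""

# "<timestamp> <process>(<subsystem>)[<pid>] <Level>: <message>"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+?)(?:\(([^)]+)\))?\[(\d+)\] <(\w+)>: (.*)$")
SANDBOX = re.compile(r"Sandbox: (.+)\((\d+)\) deny\(\d+\) (\S+) (.*)")
AMFI = re.compile(r"AMFI: constraint violation (.+\.app)/(.+) has entitlements but is not a main binary")
CRASH = re.compile(r"Formulating fatal (\d+) report for corpse\[(\d+)\] (.+)")

def triage(log_text):
    """Return {pid: summary} for every app launch seen in the log text."""
    launches, amfi_seen = {}, []

    def launch(pid, app, ts):
        return launches.setdefault(int(pid), {
            "app": app, "first_seen": ts,
            "sandbox_denials": [], "amfi_violations": [], "crash_report": None})

    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # XPC dictionary dumps and other non-syslog lines
        ts, msg = m.group(1), m.group(6)
        if (s := SANDBOX.match(msg)):
            app, pid, operation, target = s.groups()
            launch(pid, app, ts)["sandbox_denials"].append((operation, target))
        elif (a := AMFI.match(msg)):
            bundle, rel_path = a.groups()
            amfi_seen.append((ts, bundle.rsplit("/", 1)[-1][:-len(".app")], rel_path))
        elif (c := CRASH.match(msg)):
            report_type, pid, app = c.groups()
            launch(pid, app, ts)["crash_report"] = int(report_type)

    # Assumption: an AMFI line belongs to the launch of the same app in the same second.
    for ts, app, rel_path in amfi_seen:
        for info in launches.values():
            if info["app"] == app and info["first_seen"] == ts:
                info["amfi_violations"].append(rel_path)
    return launches

if __name__ == "__main__":
    for pid, info in triage(SAMPLE).items():
        print(pid, info)
```

On the sample, the `sysctl-read kern.bootargs` denial is recorded for both PIDs, while the AMFI violation on `Frameworks/FridaGadget.dylib` and the type 309 crash report are recorded only for PID 1959; the excerpt for PID 1961 ends before any further events.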