Problem with Repackaging Applications with Frida Gadget on iOS
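I have recently been tinkering with Frida Gadget on a Phoenix-jailbroken iOS 9.3.6 device and keep running into an issue where my repackaged application fails to launch.
In this example, I repackaged my DVIA application using the patch-ipa option that comes with objection. This tool basically automates repackaging an ipa file with the Frida Gadget.
I have also tried repackaging manually by following this link.
With both methods of repackaging the application with Frida Gadget, I ended up with an application that crashes on launch. It looks like there may be an error loading the dynamic library, but I searched online to see whether anyone had run into something similar and could not find any fix, and I am completely lost.
The full console log from launching the re-packaged-with-frida-gadget DVIA (Damn Vulnerable iOS App) and having it crash is as follows: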
Jan 4 10:03:20 [device name] SpringBoard[198] <Error>: SecTrustEvaluate [leaf IssuerCommonName SubjectCommonName]
Jan 4 10:03:20 [device name] SpringBoard[198] <Error>: SecTrustEvaluate [leaf IssuerCommonName SubjectCommonName]
Jan 4 10:03:20 [device name] SpringBoard[198] <Error>: SecTrustEvaluate [leaf IssuerCommonName SubjectCommonName]
Jan 4 10:03:20 [device name] kernel[0] <Notice>: xpcproxy[385] Container: /private/var/mobile/Containers/Data/Application/1C3C3A02-07F0-4010-8F0C-8419BCFDF6C7 (sandbox)
Jan 4 10:03:20 [device name] com.apple.xpc.launchd[1] (UIKitApplication:com.highaltitudehacks.dvia[0xf5a5][385]) <Notice>: Service exited due to signal: Trace/BPT trap: 5
Jan 4 10:03:20 [device name] assertiond[64] <Warning>: Unable to obtain a task name port right for pid 385: (os/kern) failure (5)
Jan 4 10:03:20 [device name] SpringBoard[198] <Warning>: Unable to register for exec notifications: No such process
Jan 4 10:03:20 [device name] SpringBoard[198] <Warning>: Unable to obtain a task name port right for pid 385: (os/kern) failure (5)
Jan 4 10:03:20 [device name] SpringBoard[198] <Warning>: Unable to obtain a task name port right for <FBApplicationProcess: 0x1a3a5600; com.highaltitudehacks.dvia; pid: 385>
Jan 4 10:03:20 [device name] SpringBoard[198] <Warning>: Application 'UIKitApplication:com.highaltitudehacks.dvia[0xf5a5]' crashed.
Jan 4 10:03:21 [device name] SpringBoard[198] <Warning>: Application '(null)' exited for an unknown reason.
Jan 4 10:03:21 [device name] ReportCrash[386] <Error>: assertion failed: 13G37: libsystem_trace.dylib + 15927 [E82A6F2D-873A-39AD-8014-EDEB52248157]: 0x0
Jan 4 10:03:21 [device name] Unknown[386] <Error>:
Jan 4 10:03:21 [device name] ReportCrash[386] <Warning>: os_activity_diagnostic_for_pid() failed!
Jan 4 10:03:21 [device name] ReportCrash[386] <Notice>: Formulating report for corpse[385] DamnVulnerableIOSApp
Jan 4 10:03:21 [device name] ReportCrash[386] <Warning>: Saved type '109(109_DamnVulnerableIOSApp)' report (5 of max 25) at /var/mobile/Library/Logs/CrashReporter/DamnVulnerableIOSApp-2021-01-04-100321.ips
The crash report for the above is as follows:
{"bug_type":"109","os_version":"iPhone OS 9.3.6 (13G37)","build_version":"1.0","timestamp":"2021-01-04 10:03:21.21 +0800","app_name":"DamnVulnerableIOSApp","bundleID":"com.highaltitudehacks.dvia","name":"DamnVulnerableIOSApp","is_first_party":false,"app_version":"1.3","share_with_app_devs":false,"slice_uuid":"1b3a202d-cf7c-38ba-94ae-99923d388833","adam_id":0}
Incident Identifier: 99FF2E94-6F2D-4BF6-A7C9-97F6B1C75699
CrashReporter Key: 3f8c88cf4fceb4312cfc55f27818aa6f7e4e4042
Hardware Model: iPhone4,1
Process: DamnVulnerableIOSApp [385]
Path: /private/var/containers/Bundle/Application/EC7885CC-F900-4B34-8116-C3F3D11C2934/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp
Identifier: com.highaltitudehacks.dvia
Version: 1.0 (1.3)
Code Type: ARM (Native)
Parent Process: launchd [1]
Date/Time: 2021-01-04 10:03:21.21 +0800
Launch Time: 2021-01-04 10:03:20.20 +0800
OS Version: iOS 9.3.6 (13G37)
Report Version: 104
Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000000e7ffdefe
Triggered by Thread: 0
Filtered syslog:
None found
Dyld Error Message:
Dyld Message: Library not loaded: @executable_path/Frameworks/FridaGadget.dylib
Referenced from: /var/containers/Bundle/Application/EC7885CC-F900-4B34-8116-C3F3D11C2934/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp
Reason: no suitable image found. Did find:
/var/containers/Bundle/Application/EC7885CC-F900-4B34-8116-C3F3D11C2934/DamnVulnerableIOSApp.app/Frameworks/FridaGadget.dylib: no matching architecture in universal wrapper
/private/var/containers/Bundle/Application/EC7885CC-F900-4B34-8116-C3F3D11C2934/DamnVulnerableIOSApp.app/Frameworks/FridaGadget.dylib: no matching architecture in universal wrapper
Dyld Version: 390.7
Binary Images:
0xae000 - 0x281fff DamnVulnerableIOSApp armv7 <1b3a202dcf7c38ba94ae99923d388833> /var/containers/Bundle/Application/EC7885CC-F900-4B34-8116-C3F3D11C2934/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp
0x1fe0c000 - 0x1fe33fff dyld armv7 <146dc907cdf7350eb7cf92a77291119f> /usr/lib/dyld
Error Formulating Crash Report:
Failed while requesting activity/breadcrumb diagnostics
If anyone could point me in the right direction, that would be great. Thanks!
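iOS fails to load FridaGadget.dylib with the error message no matching architecture in universal wrapper.
Combining this error message with the knowledge that Frida dropped iOS 32-bit support a few months ago (as far as I know, 12.11.x was the last version with 32-bit support), chances are high that the app you are trying to repackage is a 32-bit app.
Based on the size of the unpacked FridaGadget.dylib you can tell whether it is a version that supports 32-bit. If it is smaller than 70MB, then it is a 64-bit version. If you want the full list of supported architectures, use the otool or file command.
So you now have two options: if possible, I would recommend changing the DVIA app to 64-bit. Then a recent Frida gadget can be used again.
Alternatively, you can try an old Frida gadget version that still supports 32-bit. Keep in mind that you then also have to use the old Frida Python scripts, because Frida 14.x seems to use a modified communication protocol between Frida and FridaGadget, so communication between recent Frida 14.x scripts and an old 12.x Frida gadget will not work.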
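
Added example (not part of the original answer, and not Frida or objection code): a small Mach-O header parser that lists the slices in an app binary and in a gadget dylib, which is the check dyld fails on when it reports "no matching architecture in universal wrapper". The sample headers are constructed for illustration, the names macho_archs and missing_archs are hypothetical, and the comparison is an exact-name match (dyld may also accept a compatible older subtype).

```python
import struct

FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF
# Thin Mach-O magics as read big-endian -> byte order of the header fields.
THIN = {0xFEEDFACE: ">", 0xFEEDFACF: ">", 0xCEFAEDFE: "<", 0xCFFAEDFE: "<"}
# (cputype, cpusubtype) pairs from <mach/machine.h>.
ARCH_NAMES = {
    (12, 6): "armv6", (12, 9): "armv7", (12, 11): "armv7s",
    (0x0100000C, 0): "arm64", (0x0100000C, 2): "arm64e",
    (7, 3): "i386", (0x01000007, 3): "x86_64",
}

def _name(cputype, cpusubtype):
    key = (cputype, cpusubtype & 0x00FFFFFF)  # drop capability bits
    return ARCH_NAMES.get(key, "cputype=%#x,subtype=%d" % key)

def macho_archs(data):
    """List the architecture slices of a thin or universal (fat) Mach-O image."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic in THIN:
        return [_name(*struct.unpack_from(THIN[magic] + "II", data, 4))]
    if magic in (FAT_MAGIC, FAT_MAGIC_64):
        # Fat headers are always big-endian; fat_arch is 20 bytes, fat_arch_64 is 32.
        (count,) = struct.unpack_from(">I", data, 4)
        step = 20 if magic == FAT_MAGIC else 32
        return [_name(*struct.unpack_from(">II", data, 8 + i * step))
                for i in range(count)]
    raise ValueError("not a Mach-O image")

def missing_archs(app, dylib):
    """App slices with no same-named slice in the dylib (exact match only)."""
    have = set(macho_archs(dylib))
    return [a for a in macho_archs(app) if a not in have]

# Constructed sample headers (not real builds): a thin armv7 executable and
# two universal dylibs, one without and one with an armv7 slice.
APP = struct.pack("<4I", 0xFEEDFACE, 12, 9, 2)
GADGET_64 = struct.pack(">2I", FAT_MAGIC, 2) \
    + struct.pack(">5I", 0x0100000C, 0, 0x4000, 0x100, 14) \
    + struct.pack(">5I", 0x0100000C, 0x80000002, 0x8000, 0x100, 14)
GADGET_32 = struct.pack(">2I", FAT_MAGIC, 2) \
    + struct.pack(">5I", 12, 9, 0x4000, 0x100, 14) \
    + struct.pack(">5I", 0x0100000C, 0, 0x8000, 0x100, 14)

if __name__ == "__main__":
    for label, lib in (("GADGET_64", GADGET_64), ("GADGET_32", GADGET_32)):
        print(label, macho_archs(lib), "missing for app:", missing_archs(APP, lib))
```

For real files, pass the first few kilobytes of the app's main executable and of Frameworks/FridaGadget.dylib, read in binary mode, before re-signing and installing the ipa.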