
Memory.scan gives access violation on Android x64 #1273

Closed
TheDauntless opened this issue Apr 21, 2020 · 11 comments

@TheDauntless

When running the following script on an x64 Flutter app, I get an access violation error:

Process.enumerateModules({
	onMatch: function(module){
		if(module.name == "libflutter.so"){
			console.log("Base address: " + module.base)
			console.log(JSON.stringify(module));

			var pattern = "ff 03 05 d1"

			var results = Memory.scanSync(module.base, module.size, pattern);

			console.log('Memory.scanSync() result:\n' +
				JSON.stringify(results));
		}
	},
	onComplete: function(){}
});

Error:

[SM-G950F::xxx.flutter_app]-> Base address: 0x7df3ecf000
{"name":"libflutter.so","base":"0x7df3ecf000","size":8556544,"path":"/data/app/xxx.flutter_app-8YVLMSjJtOtiVmP3N6NQ6g==/lib/arm64/libflutter.so"}
Error: access violation accessing 0x7df4144000
at /hook2.js:12
at [anon] (native)
at frida/runtime/core.js:738
at findPattern (/hook2.js:20)
at frida/node_modules/frida-java-bridge/lib/vm.js:11
at frida/node_modules/frida-java-bridge/index.js:389
at frida/node_modules/frida-java-bridge/index.js:375
at we (frida/node_modules/frida-java-bridge/lib/class-factory.js:598)
at frida/node_modules/frida-java-bridge/lib/class-factory.js:581
[...]

Frida-server version: Frida 12.8.20 (latest)

I have the same behavior on a different phone.

Demo app:
demo.zip

@T3rm1

T3rm1 commented May 7, 2020

I was following the tutorial on https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/ and when it comes to memory scanning I get an access violation.

How to reproduce:
Go into frida cli, then:

var m = Process.findModuleByName("libflutter.so")
var pattern = "2d e9 f0 4f a3 b0 82 46 50 20 10 70"
Memory.scanSync(m.base, m.size, pattern)

Error: access violation accessing 0x7f64fa3000

Note that it is also a Flutter application.

Please try to fix this.

EDIT: Just tried it on a non-Flutter app. Same problem! Access violation.

@T3rm1

T3rm1 commented May 7, 2020

@TheDauntless I just figured out that it is your tutorial. What version of Frida were you using back then?

@TheDauntless
Author

@T3rm1 That blog post is only for ARMv7 (32 bit) devices though. I'm writing an update for ARM64, but you can do it based on offset for now. You can use binwalk to find the correct offset. This is the pattern for ARM64:

binwalk -R "\xff\x03\x05\xd1\xfc\x6b\x0f\xa9\xf9\x63\x10\xa9\xf7\x5b\x11\xa9\xf5\x53\x12\xa9\xf3\x7b\x13\xa9\x08\x0a\x80\x5
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
5612780       0x55A4EC        Raw signature (\xff\x03\x05\xd1\xfc\x6b\x0f\xa9\xf9

@oleavr
Member

oleavr commented May 9, 2020

@T3rm1 Could you please try building Frida from git? This should be working properly now, so would be good to get it confirmed before the upcoming release.

@T3rm1

T3rm1 commented May 9, 2020

@oleavr I tried building it on macOS but I get compile errors. Unfortunately I don't have the time and knowledge to fix these. I can only try it once you have a new release.

@T3rm1

T3rm1 commented May 12, 2020

@oleavr Maybe consider pushing a hotfix. Not even Interceptor.attach works. No matter which app. I would be surprised if it is only me. It seems that these two core functions don't work at all with the latest release from March 30th.

@strazzere

@oleavr any idea what the commit was which would have fixed the issue? I'm running into similar things, but it's hard to know the cause and I'm not finding any commits...

@oleavr
Member

oleavr commented Sep 16, 2020

@strazzere Can't recall what that was. But one pitfall that comes to mind is that this will fail on execute-only ranges – to deal with those the user may call Memory.protect() to make them readable before scanning them. The other common pitfall is race conditions, where another thread unmaps the range while it's being scanned.

@oleavr oleavr closed this as completed Sep 16, 2020
@strazzere

Makes sense, I've been seeing issues lately with aarch64 binaries and the scanSync causing issues due to hitting non-readable regions. Often it causes a panic, even when trying to do the Memory.protect() call, with something like:

signal 11 (SIGSEGV), code 2 (SEGV_ACCERR)

Though again, it's difficult to figure out the exact cause and reasoning behind these. I'll keep digging.

@strazzere

By the way, unsure if this was the original cause for the error experienced by OP, but in my case on Android 10 I was running into a new Android ASLR issue. I've described it and linked the details in this thread https://twitter.com/timstrazz/status/1309374702230450176 - and how I subverted it in the linker.

@oleavr
Member

oleavr commented Sep 25, 2020

Process.enumerateModules({
onMatch: function(module){

This is using deprecated API. Use Process.enumerateModules() instead, which returns an array of Module objects. (Which you can iterate using e.g. .forEach().)

var results = Memory.scanSync(module.base, module.size, pattern);

This is a bad idea as base + size may span pages with different page protections. Instead use .enumerateRanges() on each Module object that you got from Process.enumerateModules(), and scan the ranges that are readable. (Optionally using Memory.protect() to temporarily flip any execute-only regions to read-execute while scanning them.)
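The range-by-range approach described in the comment above, written out as an added example (it is not code from this issue thread or from the Frida project). It assumes the Frida 12.x API named in the thread: Process.enumerateModules() returning Module objects, Module.enumerateRanges(), Memory.scanSync() and Memory.protect(). Execute-only ranges are flipped to read-execute only for the duration of their scan and restored afterwards; ranges that cannot be read are skipped rather than faulting. The module and Memory objects in makeFixture() are a constructed stand-in so the logic runs outside Frida; the guarded block at the bottom applies the same function to libflutter.so when the script is loaded into Frida.

```javascript
// Added example, not code from the issue or from the Frida project: scan a
// module range by range so Memory.scanSync never touches an unreadable page.
// Assumes the Frida 12.x API named in the thread: Process.enumerateModules(),
// Module.enumerateRanges(), Memory.scanSync() and Memory.protect().

// True when a protection string such as 'r-x' or 'rw-' allows reading.
function isReadable(protection) {
  return typeof protection === 'string' && protection.charAt(0) === 'r';
}

// True for execute-only ranges ('--x'); scanning those directly faults.
function isExecuteOnly(protection) {
  return protection === '--x';
}

// Scan every range of `module` with `memory` (Frida's Memory global in
// practice; a stand-in in the fixture below). Execute-only ranges are flipped
// to 'r-x' for the duration of the scan and restored afterwards; ranges that
// cannot be made readable are skipped instead of faulting.
function scanModuleRanges(module, pattern, memory) {
  const result = { matches: [], skipped: 0, protectedTemporarily: 0 };
  // '---' means "at least no permission", i.e. every range of the module.
  for (const range of module.enumerateRanges('---')) {
    let restore = null;
    if (isExecuteOnly(range.protection)) {
      if (!memory.protect(range.base, range.size, 'r-x')) {
        result.skipped++;
        continue;
      }
      restore = range.protection;
      result.protectedTemporarily++;
    } else if (!isReadable(range.protection)) {
      result.skipped++;
      continue;
    }
    try {
      for (const hit of memory.scanSync(range.base, range.size, pattern)) {
        result.matches.push(hit.address.toString());
      }
    } finally {
      // Put execute-only pages back the way they were, even if the scan threw.
      if (restore !== null) memory.protect(range.base, range.size, restore);
    }
  }
  return result;
}

// Constructed fixture (not a real process): a fake module with a readable, an
// execute-only and an inaccessible range, and a fake Memory that throws the
// same "access violation" the thread reports when a page is not readable.
function makeFixture() {
  const prot = new Map([[0x1000, 'r--'], [0x2000, '--x'], [0x3000, '---']]);
  const module = {
    name: 'libfake.so',
    enumerateRanges: () =>
      [...prot].map(([base, p]) => ({ base, size: 0x1000, protection: p })),
  };
  const memory = {
    protect: (base, size, p) => { prot.set(base, p); return true; },
    scanSync: (base, size, pattern) => {
      if (!isReadable(prot.get(base))) {
        throw new Error('access violation accessing 0x' + base.toString(16));
      }
      // Pretend the pattern occurs 0x10 bytes into every readable range.
      return [{ address: '0x' + (base + 0x10).toString(16) }];
    },
    currentProtection: base => prot.get(base),
  };
  return { module, memory };
}

// Runs the scan against the fixture and reports whether the execute-only
// range was restored to '--x' afterwards.
function demoScan() {
  const { module, memory } = makeFixture();
  const result = scanModuleRanges(module, 'ff 03 05 d1', memory);
  result.executeOnlyRestored = memory.currentProtection(0x2000) === '--x';
  return result;
}

// Inside Frida, apply the same logic to libflutter.so with the pattern from
// the original report; under plain Node only the fixture above runs.
if (typeof Process !== 'undefined' && typeof Memory !== 'undefined') {
  Process.enumerateModules()
    .filter(m => m.name === 'libflutter.so')
    .forEach(m => console.log(JSON.stringify(scanModuleRanges(m, 'ff 03 05 d1', Memory))));
} else {
  console.log(JSON.stringify(demoScan()));
}
```

The try/finally matters: if scanSync throws mid-range (for example because another thread unmapped it, the race the thread mentions), the execute-only page still gets its original protection back. Memory.protect() can also legitimately return false when the kernel refuses the change, which is why a failed flip counts as a skipped range rather than an error.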
