Frida crashes when listing classes on Android (\ic) #106

Closed
enovella opened this issue Oct 10, 2018 · 14 comments

Comments

@enovella
Contributor

enovella commented Oct 10, 2018

Setup

Problem

The application contains several security mechanisms that must be bypassed in order to list classes using the cmd \ic. Once bypassed, r2frida works okay except for this command, which only crashes in this app.

Please let me know if you want the agent.js that I am using to reproduce the crash, or DM me. If I have time, I will try to investigate more. (@oleavr)

Backtrace

10-11 00:08:23.002 28474 28492 F libc    : Fatal signal 11 (SIGSEGV), code 2, fault addr 0x7f64ff2000 in tid 28492 (Thread-36)
10-11 00:08:23.002   455   455 W         : debuggerd: handling request: pid=28474 uid=10121 gid=10121 tid=28492
10-11 00:08:23.071 29788 29788 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
10-11 00:08:23.071 29788 29788 F DEBUG   : Build fingerprint: 'OnePlus/OnePlus3/OnePlus3:7.0/NRD90M/xxxxx:user/release-keys'
10-11 00:08:23.071 29788 29788 F DEBUG   : Revision: '0'
10-11 00:08:23.071 29788 29788 F DEBUG   : ABI: 'arm64'
10-11 00:08:23.071 29788 29788 F DEBUG   : pid: 28474, tid: 28492, name: Thread-36  >>> com.target.app <<<
10-11 00:08:23.071 29788 29788 F DEBUG   : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f64ff2000
10-11 00:08:23.072 29788 29788 F DEBUG   :     x0   0000007f64ff0000  x1   0000007f65000000  x2   0000000000000080  x3   0000000000000040
10-11 00:08:23.072 29788 29788 F DEBUG   :     x4   0000007f64ff2000  x5   0000007f8cf020e0  x6   0000007f92e1d110  x7   0000000000000002
10-11 00:08:23.072 29788 29788 F DEBUG   :     x8   00000000000000e2  x9   0000000000001000  x10  0000007f65000000  x11  0000000000000003
10-11 00:08:23.072 29788 29788 F DEBUG   :     x12  0000007f92e1c7f0  x13  0000007f92e1e400  x14  0000000009855e37  x15  0000000000000007
10-11 00:08:23.072 29788 29788 F DEBUG   :     x16  0000007f7e87fbc8  x17  0000007f9731e2a8  x18  0000000000000000  x19  0000000000010000
10-11 00:08:23.072 29788 29788 F DEBUG   :     x20  0000007f64ff0000  x21  0000007f7da7dd50  x22  0000007f8cf02770  x23  0000007f64ff0000
10-11 00:08:23.072 29788 29788 F DEBUG   :     x24  0000000000010000  x25  000000000000000b  x26  0000000000000f20  x27  0000000000000870
10-11 00:08:23.072 29788 29788 F DEBUG   :     x28  0000000000000000  x29  0000007f8cf02610  x30  0000007f7da24454
10-11 00:08:23.072 29788 29788 F DEBUG   :     sp   0000007f8cf025c0  pc   0000007f7e24abcc  pstate 0000000080000000
10-11 00:08:23.074 29788 29788 F DEBUG   :
10-11 00:08:23.074 29788 29788 F DEBUG   : backtrace:
10-11 00:08:23.074 29788 29788 F DEBUG   :     #00 pc 0000000000a1abcc  /data/local/tmp/re.frida.server/frida-agent-64.so
10-11 00:08:23.074 29788 29788 F DEBUG   :     #01 pc 00000000001f4450  /data/local/tmp/re.frida.server/frida-agent-64.so
@enovella
Contributor Author

More information with the new feature of crash reporting:

[0x00000000]> \?V
{"version":"12.4.1"}

[0x00000000]> \ic
CrashReport: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'OnePlus/OnePlus5/OnePlus5:7.0/NRD90M/13371337:user/release-keys'
Revision: '0'
ABI: 'arm64'
pid: 29162, tid: 29180, name: Thread-67  >>> com.target.pay <<<
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f6de10000
    x0   0000007f6de0e000  x1   0000007f6de1e000  x2   0000000000000080  x3   0000000000000040
    x4   0000007f6de10000  x5   0000000000000001  x6   0000000000000000  x7   00000000f6c2684d
    x8   00000000000000e2  x9   0000000000001000  x10  0000007f6de1e000  x11  0000007f8b9becd0
    x12  0000007f99a40a10  x13  0000007f7d33a3b1  x14  0000000000000000  x15  0000000000000074
    x16  0000007f8ba32b78  x17  0000007fa4d862a8  x18  0000000000000026  x19  0000000000010000
    x20  0000007f6de0e000  x21  0000007f8aa8f13c  x22  0000007f7e6fe030  x23  0000007f6de0e000
    x24  0000000000010000  x25  0000007f8bad1c6a  x26  0000007f8aa8f95c  x27  0000007f8bacd828
    x28  0000007f7e6ff4e8  x29  0000007f7e6fdfe0  x30  0000007f8a9d0b48
    sp   0000007f7e6fdf90  pc   0000007f8b375bfc  pstate 0000000080000000

backtrace:
    #00 pc 0000000000be2bfc  /data/local/tmp/re.frida.server/frida-agent-64.so
    #01 pc 000000000023db44  /data/local/tmp/re.frida.server/frida-agent-64.so

DetachReason: PROCESS_TERMINATED
Target process terminated
[0x00000000]>

@trufae
Member

trufae commented Mar 20, 2019

Weird. r2frida uses 12.4.0; I found some errors in 12.4.1 and further, that's why I'm not updating. Can you check if this crash is related to Frida itself? Because I can't repro.

@enovella
Contributor Author

Same behavior. It might be my hooks, perhaps. But I don't really know why this is happening. Let me know if you want to reproduce.

[0x00000000]> \?V
{"version":"12.4.0"}

[0x00000000]> \ic
DetachReason: FRIDA_SESSION_DETACH_REASON_PROCESS_TERMINATED
CrashReport: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'OnePlus/OnePlus3/OnePlus3:7.0/NRD90M/01122125:user/release-keys'
Revision: '0'
ABI: 'arm64'
pid: 28385, tid: 28406, name: Thread-65  >>> com.target.application <<<
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f5cb19000
    x0   0000007f5cb17000  x1   0000007f5cb27000  x2   0000000000000080  x3   0000000000000040
    x4   0000007f5cb19000  x5   0000000000000001  x6   0000000000000000  x7   000000002262def7
    x8   00000000000000e2  x9   0000000000001000  x10  0000007f5cb27000  x11  0000007f7b108ce0
    x12  0000007f89040b50  x13  0000007f6c894b01  x14  0000000000000000  x15  0000000000000074
    x16  0000007f7b17cb78  x17  0000007f939192a8  x18  0000000000000026  x19  0000000000010000
    x20  0000007f5cb17000  x21  0000007f7a1d81c0  x22  0000007f6d9fe020  x23  0000007f5cb17000
    x24  0000000000010000  x25  0000007f7b21bc22  x26  0000007f7a1d89e0  x27  0000007f7b2177e0
    x28  0000007f6d9ff4e8  x29  0000007f6d9fdfd0  x30  0000007f7a11a1ac
    sp   0000007f6d9fdf80  pc   0000007f7aabebf4  pstate 0000000080000000

backtrace:
    #00 pc 0000000000be1bf4  /data/local/tmp/re.frida.server/frida-agent-64.so
    #01 pc 000000000023d1a8  /data/local/tmp/re.frida.server/frida-agent-64.so

Target process terminated

@enovella
Contributor Author

enovella commented Mar 20, 2019

As discussed, if I run the app without r2frida but with Frida directly, I got the same crash after adding this code:

setTimeout(function() {
    if (Java.available) {
        Java.perform(function () {
            Java.enumerateLoadedClasses({
                onMatch: function (className) {
                    console.log(className);
                },
                onComplete: function () {
                }
            });
        });
    }
},25);

I do confirm that the issue is produced using only Frida and not r2frida. @oleavr: you can reproduce it with the code snippet above. FYI, there are several Frida detections in native. These are not the issue.

@trufae
Member

trufae commented Mar 20, 2019 via email

@trufae
Member

trufae commented Mar 20, 2019

can't reproduce :?

@enovella
Contributor Author

For me it crashes on this line: Java.enumerateLoadedClasses(). I can try this on another phone too.

@trufae
Member

trufae commented Mar 27, 2019

Maybe a bug in Frida?

@trufae
Member

trufae commented Mar 27, 2019

cc @oleavr

@enovella
Contributor Author

It seems so.

@enovella
Contributor Author

enovella commented Apr 5, 2019

[01:50 edu@unix apks] >  frida -U -f re.mobipwn.enovella
     ____
    / _  |   Frida 12.4.7 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/
Spawned `re.mobipwn.enovella`. Use %resume to let the main thread start executing!
[OnePlus ONEPLUS A3003::re.mobipwn.enovella]-> %resume                                                                                                                                          
[OnePlus ONEPLUS A3003::re.mobipwn.enovella]-> setTimeout(function() { 
    if (Java.available) { 
        Java.perform(function () { 
            Java.enumerateLoadedClasses({ 
                onMatch: function (className) { 
                    console.log(className); 
                }, 
                onComplete: function () { 
                } 
            }); 
        }); 
    } 
},25);                                                                                                                                                                                          
1
[OnePlus ONEPLUS A3003::re.mobipwn.enovella]-> Process crashed: Bad access due to protection failure
[OnePlus ONEPLUS A3003::re.mobipwn.enovella]->
04-05 02:41:56.867 26094 26094 F DEBUG   : Revision: '0'
04-05 02:41:56.867 26094 26094 F DEBUG   : ABI: 'arm64'
04-05 02:41:56.867 26094 26094 F DEBUG   : pid: 26056, tid: 26075, name: Thread-2  >>> re.mobipwn.enovella <<<
04-05 02:41:56.867 26094 26094 F DEBUG   : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f7ec66000
04-05 02:41:56.867 26094 26094 F DEBUG   :     x0   0000007f7ec64000  x1   0000007f7ec74000  x2   0000000000000080  x3   0000000000000040
04-05 02:41:56.867 26094 26094 F DEBUG   :     x4   0000007f7ec66000  x5   0000000000000001  x6   0000000000000000  x7   ff7164736d686e6f
04-05 02:41:56.867 26094 26094 F DEBUG   :     x8   00000000000000e2  x9   0000000000001000  x10  0000007f7ec74000  x11  0000007f709a6cd0
04-05 02:41:56.867 26094 26094 F DEBUG   :     x12  0000007f79e3c190  x13  00000000492eb261  x14  0000000000000000  x15  0000000000000074
04-05 02:41:56.867 26094 26094 F DEBUG   :     x16  0000007f70a1ab78  x17  0000007f86b9b2a8  x18  0000000000000026  x19  0000000000010000
04-05 02:41:56.867 26094 26094 F DEBUG   :     x20  0000007f7ec64000  x21  0000007f6fa77410  x22  0000007f6347dd40  x23  0000007f7ec64000
04-05 02:41:56.867 26094 26094 F DEBUG   :     x24  0000000000010000  x25  0000007f70ab9c72  x26  0000007f6fa77c30  x27  0000007f70ab5830
04-05 02:41:56.867 26094 26094 F DEBUG   :     x28  0000007f6347f4e8  x29  0000007f6347dcf0  x30  0000007f6f9b8c88
04-05 02:41:56.867 26094 26094 F DEBUG   :     sp   0000007f6347dca0  pc   0000007f7035dbfc  pstate 0000000080000000
04-05 02:41:56.869 26094 26094 F DEBUG   : 
04-05 02:41:56.869 26094 26094 F DEBUG   : backtrace:
04-05 02:41:56.869 26094 26094 F DEBUG   :     #00 pc 0000000000be2bfc  /data/local/tmp/re.frida.server/frida-agent-64.so
04-05 02:41:56.869 26094 26094 F DEBUG   :     #01 pc 000000000023dc84  /data/local/tmp/re.frida.server/frida-agent-64.so
04-05 02:41:57.435 15530 26095 W ActivityManager:   Force finishing activity re.mobipwn.enovella/.MainActivity

Going to try to debug this annoying crash as Ole told me: "if you can reproduce it with a self-compiled Frida where you edit config.mk to remove --strip, that would reveal the reason it crashes".

@enovella
Contributor Author

enovella commented Apr 5, 2019

Hey @oleavr ,

Here you go, the symbolicated backtrace:

DetachReason: FRIDA_SESSION_DETACH_REASON_PROCESS_TERMINATED
CrashReport: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'OnePlus/OnePlus3/OnePlus3:7.0/NRD90M/01122125:user/release-keys'
Revision: '0'
ABI: 'arm64'
pid: 30350, tid: 30369, name: Thread-2  >>> re.mobipwn.enovella <<<
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f63732000
    x0   0000007f63730000  x1   0000007f63740000  x2   0000000000000080  x3   0000000000000040
    x4   0000007f63732000  x5   0000000000000001  x6   0000000000000000  x7   000000000efcdbd5
    x8   00000000000000e2  x9   0000000000001000  x10  0000007f63740000  x11  0000007f709ead20
    x12  0000007f79e43190  x13  000000002d862e99  x14  0000000000000000  x15  0000000000000074
    x16  0000007f70a5eb78  x17  0000007f86b9b2a8  x18  0000000000000026  x19  0000000000010000
    x20  0000007f63730000  x21  0000007f6faec3f8  x22  0000007f6357dd40  x23  0000007f63730000
    x24  0000000000010000  x25  0000007f70aba1f2  x26  0000007f6faecc18  x27  0000007f70ab5db0
    x28  0000007f6357f4e8  x29  0000007f6357dcf0  x30  0000007f6fa46c88
    sp   0000007f6357dca0  pc   0000007f703d2bfc  pstate 0000000080000000

backtrace:
    #00 pc 0000000000bb3bfc  /data/local/tmp/re.frida.server/frida-agent-64.so (__aarch64_sync_cache_range+64)
    #01 pc 0000000000227c84  /data/local/tmp/re.frida.server/frida-agent-64.so (gum_clear_cache+28)
    #02 pc 0000000000225150  /data/local/tmp/re.frida.server/frida-agent-64.so (gum_memory_patch_code+132)
    #03 pc 00000000002cd3c8  /data/local/tmp/re.frida.server/frida-agent-64.so (_ZN36GumV8Closure_gumjs_memory_patch_code6invokeEv+88)
    #04 pc 00000000002cdc5c  /data/local/tmp/re.frida.server/frida-agent-64.so (_ZL23gumjs_memory_patch_codeRKN2v820FunctionCallbackInfoINS_5ValueEEE+68)
    #05 pc 00000000006ef874  /data/local/tmp/re.frida.server/frida-agent-64.so (_ZN2v88internal25FunctionCallbackArguments4CallEPNS0_15CallHandlerInfoE+572)
    #06 pc 00000000006eee94  /data/local/tmp/re.frida.server/frida-agent-64.so (_ZN2v88internal12_GLOBAL__N_119HandleApiCallHelperILb0EEENS0_11MaybeHandleINS0_6ObjectEEEPNS0_7IsolateENS0_6HandleINS0_10HeapObjectEEESA_NS8_INS0_20FunctionTemplateInfoEEENS8_IS4_EENS0_16BuiltinArgumentsE+448)
    #07 pc 00000000006ee720  /data/local/tmp/re.frida.server/frida-agent-64.so (_ZN2v88internalL26Builtin_Impl_HandleApiCallENS0_16BuiltinArgumentsEPNS0_7IsolateE+224)
    #08 pc 00000000000541e8  <anonymous:0000007f63884000>

Target process terminated
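
The symbolicated report above shows the top frame in `__aarch64_sync_cache_range` (called from `gum_clear_cache` via `gum_memory_patch_code`) with x0 and x1 holding a 64 KiB range and the fault address two pages into it. The following script is an added example, not code from this issue or from Frida/r2frida: it parses a tombstone in the format pasted in this thread, extracts the registers and backtrace, and checks whether the faulting address falls inside the [x0, x1) range the top frame was working on. The embedded sample is constructed from the values posted above, trimmed to the lines the parser needs; the assumption that x0/x1 are the start/end arguments of the top frame is the reader's to confirm against the actual function signature.

```javascript
// Added example (not part of the issue or of Frida/r2frida): parse an Android
// tombstone-style crash report and relate the fault address to the [x0, x1)
// range held in the registers at the time of the crash.

// Constructed sample, built from the symbolicated report in this thread and
// trimmed to the lines the parser needs.
const SAMPLE_REPORT = `
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f63732000
    x0   0000007f63730000  x1   0000007f63740000  x2   0000000000000080  x3   0000000000000040
    x4   0000007f63732000  x5   0000000000000001  x6   0000000000000000  x7   000000000efcdbd5
    sp   0000007f6357dca0  pc   0000007f703d2bfc  pstate 0000000080000000

backtrace:
    #00 pc 0000000000bb3bfc  /data/local/tmp/re.frida.server/frida-agent-64.so (__aarch64_sync_cache_range+64)
    #01 pc 0000000000227c84  /data/local/tmp/re.frida.server/frida-agent-64.so (gum_clear_cache+28)
    #02 pc 0000000000225150  /data/local/tmp/re.frida.server/frida-agent-64.so (gum_memory_patch_code+132)
`;

// Page size on the arm64 devices in this thread (x9 also holds 0x1000 above).
const PAGE_SIZE = 0x1000n;

// Parse the signal line, register dump and backtrace frames into an object.
// Addresses are kept as BigInt so 64-bit values are not truncated.
function parseCrashReport(text) {
  const report = { signal: null, code: null, faultAddr: null, regs: {}, frames: [] };
  const signalRe = /^signal (\d+) \((\w+)\), code (\d+) \((\w+)\), fault addr 0x([0-9a-f]+)$/;
  const frameRe = /^#(\d+) pc ([0-9a-f]+)\s+(\S+)(?: \((\S+)\+(\d+)\))?$/;
  const regRe = /\b(x\d{1,2}|sp|pc|pstate)\s+([0-9a-f]{16})\b/g;

  for (const raw of text.split('\n')) {
    const line = raw.trim();
    let m;
    if ((m = line.match(signalRe))) {
      report.signal = { number: Number(m[1]), name: m[2] };
      report.code = { number: Number(m[3]), name: m[4] };
      report.faultAddr = BigInt('0x' + m[5]);
    } else if ((m = line.match(frameRe))) {
      report.frames.push({
        index: Number(m[1]),
        pc: BigInt('0x' + m[2]),
        module: m[3],
        symbol: m[4] || null,          // null for unsymbolicated frames
        offset: m[5] ? Number(m[5]) : null,
      });
    } else {
      // Register lines carry several "name value" pairs per line.
      let r;
      while ((r = regRe.exec(line)) !== null) {
        report.regs[r[1]] = BigInt('0x' + r[2]);
      }
    }
  }
  return report;
}

// Relate the fault address to the [x0, x1) range: if the top frame is a range
// routine such as __aarch64_sync_cache_range(start, end), x0/x1 are its
// arguments (assumption stated in the lead-in), and an SEGV_ACCERR inside that
// range means a page in the range was mapped without the needed permission.
function diagnoseCacheSyncFault(report) {
  const top = report.frames.find((f) => f.index === 0);
  const start = report.regs.x0;
  const end = report.regs.x1;
  if (!top || start === undefined || end === undefined || report.faultAddr === null) {
    return { applicable: false };
  }
  const inRange = report.faultAddr >= start && report.faultAddr < end;
  return {
    applicable: true,
    topSymbol: top.symbol,
    accessError: report.code !== null && report.code.name === 'SEGV_ACCERR',
    inRange,
    // Index of the faulting page counted from the start of the range.
    pageIndex: inRange ? Number((report.faultAddr - start) / PAGE_SIZE) : null,
    rangeBytes: Number(end - start),
  };
}

function main() {
  const report = parseCrashReport(SAMPLE_REPORT);
  const verdict = diagnoseCacheSyncFault(report);
  console.log(`top frame: ${verdict.topSymbol}`);
  console.log(`fault 0x${report.faultAddr.toString(16)} in [x0, x1): ${verdict.inRange}` +
              ` (page ${verdict.pageIndex} of a ${verdict.rangeBytes}-byte range)`);
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run it with `node` against a pasted report to see whether the faulting address is inside the range being processed; for the report above it is page 2 of a 65536-byte range, which matches what the register dump shows (x4 equals the fault address, x9 is the page size). A fault inside the range with SEGV_ACCERR points at a page whose protection does not allow the access rather than at a wild pointer, which is the kind of detail the unstripped build was requested to confirm.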

@trufae
Member

trufae commented Apr 10, 2019

This is "fixed" in current r2frida, right? Can we move this issue to Frida?

@enovella
Contributor Author

Yeah, this is not an r2frida bug but a Frida bug.
