Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[bug] App crashing on startup | no errors while patching | IOS #661

Open
VivekChoudhary128 opened this issue Jan 25, 2024 · 2 comments
Open
Labels
freshissue Default label for new, untriaged issues.

Comments

@VivekChoudhary128
Copy link

Describe the bug
The application is just crashing on startup.

To Reproduce
Steps to reproduce the behavior:

  1. Patched the application using Objection: objection patchipa --source UnCrackable-Level1.ipa --codesign-signature xxx
Using latest Github gadget version: 16.1.11
Patcher will be using Gadget version: 16.1.11
No provision file specified, searching for one...
Found provision file /Users/vivek/Library/Developer/Xcode/DerivedData/fsopzdssdrpjedcrjhhktacrxxvvxdk/Build/Products/Debug-iphoneos/fsop.app/embedded.mobileprovision expiring in 4 days, 13:32:01.464373
Found a valid provisioning profile
Mobile provision bundle identifier is: com.hackerboi.fsop
Working with app: UnCrackable Level 1.app
Bundle identifier is: sg.vp.UnCrackable1
Creating Frameworks directory for FridaGadget...
Codesigning 1 .dylib's with signature xxx
Code signing: FridaGadget.dylib
Creating new archive with patched contents...
Codesigning patched IPA...

Copying final ipa from /var/folders/x8/66h0m1r95y1g5k3m6r1x15n40000gn/T/UnCrackable-Level1-frida-codesigned.ipa to current directory...
Cleaning up temp files...


  1. Upload it to the device: ideviceinstaller -i UnCrackable-Level1-frida-codesigned.ipa
WARNING: could not locate Payload/UnCrackable Level 1.app/SC_Info/UnCrackable Level 1.sinf in archive!
Copying 'UnCrackable-Level1-frida-codesigned.ipa' to device... DONE.
Installing 'com.hackerboi.fsop'
Install: CreatingStagingDirectory (5%)
Install: ExtractingPackage (15%)
Install: InspectingPackage (20%)
Install: PreflightingApplication (30%)
Install: VerifyingApplication (40%)
Install: CreatingContainer (50%)
Install: InstallingApplication (60%)
Install: PostflightingApplication (70%)
Install: SandboxingApplication (80%)
Install: GeneratingApplicationMap (90%)
Install: InstallComplete (100%)
Install: Complete
  1. syslogs while opening the application: idevicesyslog | grep -i Uncrackable
		0: <string: 0xc18e439a0> { length = 115, contents = "/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1" }
	"Program" => <string: 0xc18e9d800> { length = 115, contents = "/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1" }
Jan 25 20:09:24 kernel(Sandbox)[0] <Notice>: /private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1[1959] ==> container
Jan 25 20:09:24 kernel(Sandbox)[0] <Error>: Sandbox: UnCrackable Level 1(1959) deny(1) sysctl-read kern.bootargs
Jan 25 20:09:24 kernel(AppleMobileFileIntegrity)[0] <Notice>: AMFI: constraint violation /private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/Frameworks/FridaGadget.dylib has entitlements but is not a main binary
Jan 25 20:09:24 locationd[71] <Notice>: {"msg":"computing freshAuthorizationContext", "Client":"icom.hackerboi.fsop:", "ClientDictionary":"{\134n    BundleId = \134"com.hackerboi.fsop\134";\134n    BundlePath = \134"\134/private\134/var\134/containers\134/Bundle\134/Application\134/E6A57895-036E-4248-8253-A54D3C370FD6\134/UnCrackable Level 1.app\134";\134n    Executable = \134"\134/private\134/var\134/containers\134/Bundle\134/Application\134/E6A57895-036E-4248-8253-A54D3C370FD6\134/UnCrackable Level 1.app\134/UnCrackable Level 1\134";\134n    ExistsInLSDatabase = 1;\134n    InUseLevel = 5;\134n    PluginBundleIds =     (\134n    );\134n    SuppressShowingInSettings = 1;\134n}", "BigSwitch":1, "InUseLevel":{"type":"decode failure","raw value":5,"expected type":"Generic"}}
Jan 25 20:09:24 kernel[0] <Notice>: UnCrackable Level 1[1959] Corpse allowed 1 of 5
Jan 25 20:09:24 locationd[71] <Notice>: {"msg":"computing freshAuthorizationContext", "Client":"icom.hackerboi.fsop:", "ClientDictionary":"{\134n    BundleId = \134"com.hackerboi.fsop\134";\134n    BundlePath = \134"\134/private\134/var\134/containers\134/Bundle\134/Application\134/E6A57895-036E-4248-8253-A54D3C370FD6\134/UnCrackable Level 1.app\134";\134n    Executable = \134"\134/private\134/var\134/containers\134/Bundle\134/Application\134/E6A57895-036E-4248-8253-A54D3C370FD6\134/UnCrackable Level 1.app\134/UnCrackable Level 1\134";\134n    ExistsInLSDatabase = 1;\134n    InUseLevel = 0;\134n    PluginBundleIds =     (\134n    );\134n    SuppressShowingInSettings = 1;\134n}", "BigSwitch":1, "InUseLevel":{"type":"decode failure","raw value":0,"expected type":"Generic"}}
Jan 25 20:09:24 ReportCrash[134] <Notice>: Formulating fatal 309 report for corpse[1959] UnCrackable Level 1
Jan 25 20:09:24 ReportCrash[134] <Notice>: loadStoreInfo [platform 2] com.hackerboi.fsop from file:///private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable%20Level%201.app/
Jan 25 20:09:24 osanalyticshelper(OSAnalytics)[208] <Notice>: creating type 309 as /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/.UnCrackable Level 1-2024-01-25-200924.ips
Jan 25 20:09:24 osanalyticshelper(OSAnalytics)[208] <Notice>: Saved type '309(<private>)' report (1 of max 25) at /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/UnCrackable Level 1-2024-01-25-200924.ips
Jan 25 20:09:24 osanalyticshelper[208] <Notice>: xpc log creation type 309 result success: /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/UnCrackable Level 1-2024-01-25-200924.ips
Jan 25 20:09:24 ReportCrash(OSAnalytics)[134] <Notice>: client log create type 309 result success: /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/UnCrackable Level 1-2024-01-25-200924.ips
		0: <string: 0xc18afd220> { length = 115, contents = "/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1" }
	"Program" => <string: 0xc18acb2f0> { length = 115, contents = "/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1" }
Jan 25 20:33:07 kernel(Sandbox)[0] <Notice>: /private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/UnCrackable Level 1[1961] ==> container
Jan 25 20:33:07 kernel(Sandbox)[0] <Error>: Sandbox: UnCrackable Level 1(1961) deny(1) sysctl-read kern.bootargs
Jan 25 20:33:07 kernel[0] <Error>: memorystatus: Ignore assertion driven idle priority. Process not previously controlled UnCrackable Level 1:1961
^C
Exiting...

Environment (please complete the following information):

  • Device: Iphone 14
  • OS: 17.2
  • Frida Version: 16.0.8
  • Objection Version: 16.1.11

Application
Uncrackable level 1 from OWASP

As far I have done the searched GPT gave me 2 possible reasons by looking at the error:

Sandbox Violation: The app is trying to read the kern.bootargs system control variable, which is not allowed in the app's sandbox environment. This is causing the app to crash. To fix this, you would need to remove or modify the code that is trying to read this variable.
AMFI Constraint Violation: The FridaGadget.dylib framework has entitlements but is not a main binary. This is causing the Apple Mobile File Integrity (AMFI) to block the app. To fix this, you would need to ensure that the FridaGadget.dylib framework is correctly embedded in the app and that it has the necessary entitlements.
@VivekChoudhary128 VivekChoudhary128 added the freshissue Default label for new, untriaged issues. label Jan 25, 2024
@thinkdev1
Copy link

frida only working with jb

@0xElessar
Copy link

I have the same problem. Using Frida gadget on MACOS for example:

/Users/<USER>/.cache/frida/gadget-ios.dylib

works perfectly on non-jailbroken iPhones. I tested iPhoneXS with iOS 18.1. However, repackacking does not work in newer iOS. I think this error is critical:

an 25 20:09:24 kernel(AppleMobileFileIntegrity)[0] <Notice>: AMFI: constraint violation /private/var/containers/Bundle/Application/E6A57895-036E-4248-8253-A54D3C370FD6/UnCrackable Level 1.app/Frameworks/FridaGadget.dylib has entitlements but is not a main binary

@leonjza When you have a moment, it would be great to fix this issue. Thanks a lot for the tool!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
freshissue Default label for new, untriaged issues.
Projects
None yet
Development

No branches or pull requests

3 participants