frida / frida-tools Goto Github PK

View Code? Open in Web Editor NEW

318.0 17.0 93.0 548 KB

Frida CLI tools

License: Other

Python 78.28% Meson 1.19% TypeScript 15.59% Makefile 0.16% Shell 4.39% Batchfile 0.39%

frida-tools's Introduction

Frida CLI tools

CLI tools for Frida.

Making dev changes to frida-tools

You do not need to build this repo in order to make changes (for a pull request, or for local development).

Simply set your PYTHONPATH environment variable to wherever you've cloned this repo to.

For example, on Windows, assuming you clone to C:\src:

git clone https://github.com/frida/frida-tools.git
cd frida-tools
SET PYTHONPATH=C:\src\frida-tools

Now when you run frida.exe, these scripts and any changes you make will be referenced instead!

Loading your custom frida-java-bridge

Add the following lines to agents/tracer/agent.ts:

Object.defineProperty(global, 'Java', { value: require('frida-java-bridge') });

Run live reload:

cd agents/tracer; npm link frida-java-bridge; npm run watch

Now you can:

make changes to agents/tracer/node_modules/frida-java-bridge/*
run your frida-tools from this repo and see how it works!

Installing Fish completions

Currently there is no mechanism to install Fish completions through the setup.py script so if you want to have completions in Fish you will have to install it manually. Unless you've changed your XDG_CONFIG_HOME location, you should just copy the completion file into ~/.config/fish/completions like so:

cp completions/frida.fish ~/.config/fish/completions

frida-itrace file format

File starts with a 4-byte magic: "ITRC"

frida-tools/frida_tools/itracer.py

Lines 365 to 366 in 1ea077f

 self._outfile = open(outpath, "wb") 

 self._outfile.write(self.FILE_MAGIC)

Then, following that, there are two different types of records, MESSAGE and CHUNK. Each record starts with a big-endian uint32 specifying the type of record, where 1 means MESSAGE, 2 means CHUNK.

MESSAGE

length: uint32 (big-endian)
message: JSON, UTF-8 encoded
data_size: uint32 (big-endian)
data_values: uint8[data_size]

Generated here.

There are three different kinds of MESSAGEs:

"itrace:start": Signals that the trace is starting, providing the initial register values. Contains register names and sizes in the JSON portion, and register values in the data portion. Generated here.
"itrace:end": Signals that the endpoint was reached, when specifying a range with an end address included.
"itrace:compile": Signals that a basic block was discovered, providing the schema of future CHUNKs pertaining to it. Generated here and by the code above it that computes the "writes" array.

The "writes" array contains tuples (arrays) that look like this:

(block_offset, cpu_ctx_offset)

Where block_offset is how many bytes into the basic block the write happens, and cpu_ctx_offset is the index into the registers declared by "itrace:start".

CHUNK

size: uint32 (big-endian)
data: uint8[size]

Generated here.

The CHUNK records combine to a stream of raw register values at different parts of the given basic block. Each record looks like this:

block_start_address: uint64 (target-endian, i.e. little-endian on arm64)
link_register_value: uint64 (target-endian)
block_register_values: uint64[n], where n depends on the specific basic block. (See above docs on "itrace:compile" and its "writes" array.)

frida-tools's People

Contributors

Stargazers

Watchers

Forkers

fopina st-rnd csftech trufae dweinstein arizvisa jeffli678 kernullist yuknight otadmor igio90 ii0 linhere20 tasssadar dutchme333 paulyc dsimerly forkkit jmcabandara vforks iddoeldor kliuz davenpcj5542009 mosherubin forensicmike 0100101001 aya7hero rakhithjk inode- louis2014a1 stjordanis nullfullme evtromand jpstotz migrant777 tigerwood lvyitian happyholic1203 enovella dki yotamn ouddddw hackkimss kingking888 nipunanirmal gitcode999999 akiranosushi meme laser-beard amoryan pepsin jevinskie apkunpacker mohx64 azurda mhils magicjva londek regomne boshijingang jnwilson pachoo cipher9rat lgq2015 tmm1 excloudx6 hartl3y94 5l1v3r1 gotas10 aaron1011 oriori1703 diaul oldliumark imzpy wadecong zhangxinwu filthyshoe zhangbozhb ambrosecdmeng dongpinglai 13158937245 build-testing yunsiong smcpeak gsmodz2077 mbaroudi chichou 420646826 amesianx undefinedidentifier

frida-tools's Issues

Add profiler capabilities to frida-trace

It would be good to have support to trace profiler information using frida-trace.

how many times a function is called
min and max times needed to run
sorted by amount
backtraces

Cannot pipe frida-ps

$ frida-ps -U|head -n 1
 PID  Name
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/local/Cellar/python/3.7.2_2/Frameworks/Python.framework/Versions/3.7/lib/python3.7/threading.py", line 917, in _bootstrap_inner
    self.run()
  File "/usr/local/Cellar/python/3.7.2_2/Frameworks/Python.framework/Versions/3.7/lib/python3.7/threading.py", line 865, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/local/lib/python3.7/site-packages/frida_tools/application.py", line 431, in _run
    work()
  File "/usr/local/lib/python3.7/site-packages/frida_tools/application.py", line 280, in _try_start
    self._start()
  File "/usr/local/lib/python3.7/site-packages/frida_tools/ps.py", line 69, in _start
    self._print(line_format % (process.pid, process.name))
  File "/usr/local/lib/python3.7/site-packages/frida_tools/application.py", line 346, in _print
    print(*encoded_args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/colorama/ansitowin32.py", line 41, in write
    self.__convertor.write(text)
  File "/usr/local/lib/python3.7/site-packages/colorama/ansitowin32.py", line 162, in write
    self.write_and_convert(text)
  File "/usr/local/lib/python3.7/site-packages/colorama/ansitowin32.py", line 190, in write_and_convert
    self.write_plain_text(text, cursor, len(text))
  File "/usr/local/lib/python3.7/site-packages/colorama/ansitowin32.py", line 196, in write_plain_text
    self.wrapped.flush()
BrokenPipeError: [Errno 32] Broken pipe
``

Spaw process not loading script.

When spawn android process in Android Studio emulator (7.1.1 Android versuon, x86) with frida cmd line like this : frida -U - f com.anybodyapp.app -l workscript.js, script not worked without any error message. When this script load with attach (frida -U - n com.anybodyapp.app -l workscript.js) this worked perfect.

Could not find a version that satisfies the requirement prompt-toolkit

unexpected output in windows

if write log("xa\\bcd\\nm") in js files and run frida-trace some_exe
it would output

xcd
m

instead of

xa\bcd\nm

code page 65001 when running frida-trace

Why doesn't frida-trace find functions in Ubuntu/GCC binaries that it finds on MacOS/Clang compiles?

Here is a simple program:

int
fx(int a)
{
	a += 20;
	return a;
}
	
int
main(int argc, char *argv[])
{
	return fx(fx(10));
}

I compile this on macOS (bigSur) with Clang, and trace it:

0 ✓ [11:21:19 Fri Aug 27] ~/nobackup/frida/02
% gcc -g -O0 test.c 
0 ✓ [11:21:24 Fri Aug 27] ~/nobackup/frida/02
% frida-trace ./a.out -i 'a.out!*'
Instrumenting...                                                        
fx: Auto-generated handler at "/Users/pt/nobackup/frida/02/__handlers__/a.out/fx.js"
main: Auto-generated handler at "/Users/pt/nobackup/frida/02/__handlers__/a.out/main.js"
Started tracing 2 functions. Press Ctrl+C to stop.                      
           /* TID 0x103 */
   100 ms  main()
   100 ms     | fx()
   100 ms     | fx()
Process terminated
1 ✗ [11:21:31 Fri Aug 27] ~/nobackup/frida/02

Perfect. It created the __handler__ JavaScript and everything.

However, I do the same thing on Ubuntu with gcc, and Frida doesn't find the functions:

pt@serval:~/frida$ gcc -g -O0 test.c 
pt@serval:~/frida$ frida-trace ./a.out -i 'a.out!*'
Started tracing 0 functions. Press Ctrl+C to stop.                      
Process terminated

...but they are in the symbol table with objdump -t, and I can find them by walking the modules in the Frida JavaScript API.

What is the magic compiler switch I am missing? I tried visibility and export symbols with no luck.

Trying to get the TP-UE300 Ethernet Adapter to work with the internet on THEA500

I am using the r1832.ko, ipv4.ko and ipv6.ko from this and trying to get the internet working on THEA500 Mini using a TP-Link UE300 Ethernet Adapter(https://www.tp-link.com/uk/home-networking/computer-accessory/ue300/), its the only one I could find that has a r1853 chip in it but its only connect to ipv6 only(you can see it on my routers settings page under devices attached) and not connecting via ipv4, it has a ip v4 ip address on THEA500 but never shows in my routers settings page...?
Maybe you can help...?
I am Spannernick.

From THEA500 Putty...

Ethernet 0
eth0      Link encap:Ethernet  HWaddr 50:3E:AA:8B:30:66
              inet addr:192.168.0.4  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:49 (49.0 B)  TX bytes:90 (90.0 B)

dmesg...
[   39.020887] NET: Registered protocol family 2
[   39.021445] TCP established hash table entries: 256 (order: 0, 4096 bytes)
[   39.021462] TCP bind hash table entries: 256 (order: 0, 4096 bytes)
[   39.021471] TCP: Hash tables configured (established 256 bind 256)
[   39.021932] TCP: reno registered
[   39.021948] UDP hash table entries: 256 (order: 1, 8192 bytes)
[   39.021962] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[   39.051931] NET: Registered protocol family 10
[   39.071215] usbcore: registered new interface driver r8152
[   39.242455] usb 5-1: reset high-speed USB device number 2 using xhci-hcd
[   39.260374] xhci-hcd xhci-hcd.0.auto: xHCI xhci_drop_endpoint called with disabled ep ffffffc01b0ffd80
[   39.260381] xhci-hcd xhci-hcd.0.auto: xHCI xhci_drop_endpoint called with disabled ep ffffffc01b0ffdc0
[   39.260387] xhci-hcd xhci-hcd.0.auto: xHCI xhci_drop_endpoint called with disabled ep ffffffc01b0ffe00
[   39.410032] r8152 5-1:1.0 eth0: v2.15.0 (2021/04/15)
[   39.410043] r8152 5-1:1.0 eth0: This product is covered by one or more of the following patents:
[   39.410043]         US6,570,884, US6,115,776, and US6,327,625.
[   39.410043] 
[   40.110443] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[   41.003175] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   41.003694] r8152 5-1:1.0 eth0: carrier on

Modules...
```Module                  Size  Used by    Tainted: G  
r8152                 186429  0 
ipv6                  292654 16 
ipv4                  485168 12 ipv6,[permanent]
rgl_gpiokey             4555  0 
mali_kbase            299796  0 
nand                  420597  2"

Demangle function names on tracing modules with frida-trace

I think it would be nice to see the output like this:

Started tracing 1908 functions. Press Ctrl+C to stop.
           /* TID 0x5ec3 */
   621 ms  std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
   622 ms     | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
   622 ms  std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
   623 ms     | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
           /* TID 0x5ecb */
   623 ms  std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
   623 ms     | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
           /* TID 0x5ec3 */
   624 ms  std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
   624 ms     | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
   624 ms  android::VideoFrameSchedulerBase::~VideoFrameSchedulerBase()
   624 ms  std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
   624 ms     | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
   624 ms  std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
   624 ms     | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
   624 ms  std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
   624 ms     | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
           /* TID 0x5eb2 */
   625 ms  std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
   625 ms     | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
   625 ms  std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
   625 ms     | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
   626 ms  std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
   626 ms     | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
   626 ms  std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
   626 ms     | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()
   626 ms  std::__1::__shared_ptr_pointer<ndk::SharedRefBase*, std::__1::default_delete<ndk::SharedRefBase>, std::__1::allocator<ndk::SharedRefBase> >::__on_zero_shared_weak()
   626 ms     | std::__1::__shared_ptr_emplace<android::MediaFilter::BufferChannel, std::__1::allocator<android::MediaFilter::BufferChannel> >::__on_zero_shared_weak()

than like this:

Started tracing 1908 functions. Press Ctrl+C to stop.
           /* TID 0x5f3a */
   774 ms  _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
   775 ms     | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
   775 ms  _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
   775 ms     | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
   776 ms  _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
   776 ms     | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
   776 ms  _ZN7android23VideoFrameSchedulerBaseD1Ev()
   776 ms  _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
   776 ms     | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
   776 ms  _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
   776 ms     | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
   776 ms  _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
   776 ms     | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
           /* TID 0x5f25 */
   778 ms  _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
   778 ms     | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
   778 ms  _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
   778 ms     | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()
   778 ms  _ZNSt3__120__shared_ptr_pointerIPN3ndk13SharedRefBaseENS_14default_deleteIS2_EENS_9allocatorIS2_EEE21__on_zero_shared_weakEv()
   778 ms     | _ZNSt3__120__shared_ptr_emplaceIN7android11MediaFilter13BufferChannelENS_9allocatorIS3_EEE21__on_zero_shared_weakEv()

Auto insert Java.perform when connecting to an Android application

I understand that you might not always want to attach a thread to the JVM with Frida so Java.perform is being used to make it explicit but in the repl it gets a bit tiresome to type it out each time I want to run something. Assuming there isn't a risk with doing automatically I suggest adding a feature that will wrap the repl prompt with Java.perform.

Of course it will be configurable with a command from the repl (%autoperform and %noautoperform I think) and can be off by default if it seems risky (in that case we should probably add a prompt to tell the user about this feature). What do you think @oleavr?

Add parameters/command args to spawned process

I is will be nice to have startup parameters to spawned app.

Args don't appear to be NativePointers in frida-trace handler

EDIT: This appears to be Frida issue 226, but that issue was from 2017 and the the comments in the default handlers + documentation seem to imply attach() should work with floats?

Really simple example that isn't behaving as documented. I expected args to be NativePointers according to the comments. Version 15.0.14.

C-code

#include <stdio.h>
void print_hello(int n, char a, float f) {
	printf("hello %d %c %f\n", n, a, f);
}
int main(int argc, char *argv[]) {
	print_hello(10, 'a', 3.141f);
	return 0;
}

And the handler for print_hello (abreviated):

  onEnter(log, args, state) {
    log('print_hello() enter');
    log(args[0]);
    log(args[1]);
    log(args[2]);
    log(args[2].readFloat());
  },

And the output from frida-trace:

% frida-trace -f a.out  -i print_hello
Instrumenting...                                                        
print_hello: Loaded handler at "/Users/ptorelli/study/frida/01/__handlers__/a.out/print_hello.js"
hello 10 a 3.141000
Started tracing 1 function. Press Ctrl+C to stop.                       
           /* TID 0x103 */
     4 ms  print_hello() enter
     4 ms  0xa
     4 ms  0x61
     4 ms  0x7ffee3d99d90
     4 ms  -8.028827138591864e+21
     4 ms  print_hello() exit
Process terminated

I expected args[0] and args[1] to be pointers, they are instead the values.

args[2] looks like a pointer, but when i call readFloat() on it I get random values.

The comments simply say these should be NativePointers.

Advice?

MacOS Big Sur, Apple clang version 12.0.0 (clang-1200.0.32.28)

Tried this on Ubuntu 20.04 with gcc 9.3.0 (-O0) and frida-trace can't even find print_hello (even if static).

Error message when using Frida-Tools with Frida 16.0.7: "ValueError: file descriptor cannot be a negative integer"

It appears that something in Frida 16.0.7 causes an error message to appear on launch of multiple tools within Frida-Tools (frida-ls-devices and frida-ps have been confirmed). 16.0.6 does not experience the same issue. I've experienced this with Python 3.9, 3.10, and 3.11. Frida-Tools is the latest version (12.0.3). This is on MacOS. See screenshot for example. Error message is:

~/Desktop/objection $ frida-ls-devices
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.11/bin/frida-ls-devices", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/frida_tools/lsd.py", line 109, in main
    app.run()
  File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/frida_tools/application.py", line 386, in run
    self._reactor.run()
  File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/frida_tools/reactor.py", line 44, in run
    self._run_until_return(self)
  File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/frida_tools/application.py", line 71, in await_enter
    input_with_cancellable(reactor.ui_cancellable)
  File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/frida_tools/application.py", line 59, in input_with_cancellable
    rlist, _, _ = select.select([sys.stdin, cancellable_fd], [], [])
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ValueError: file descriptor cannot be a negative integer (-42)

REPL completion breaks when “dotting” an array value

[USB::iPhone::Settings]-> O.bless(ptr('0x126ee71c0')).$ownMethods.parse error (line 15)

Thanks to @trufae for finding this.

Incompatible with prompt-toolkit 2

prompt-toolkit has breaking change:
(like this: jupyter/jupyter_console#158)

$ frida Finder
Traceback (most recent call last):
  File "/usr/local/bin/frida", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/frida_tools/repl.py", line 23, in main
    from prompt_toolkit.shortcuts import create_prompt_application, create_output, create_eventloop
ImportError: cannot import name 'create_prompt_application' from 'prompt_toolkit.shortcuts' (/usr/local/lib/python3.7/site-packages/prompt_toolkit/shortcuts/__init__.py)

For those who has encountered same problem, you can temporary downgrade by pip3 install 'prompt-toolkit==1.0.15'

Strict mode for repl

It is easy to add strict mode to the repl, the hard part is making sure that defined variables get declared in the global scope instead of the local one.

any argument can enable frida-trace to trace child process automatically ?

including different os.
trace child process automatically

increase members limit ?

[ agents\tracer\agent.ts ]

Is it feasible to increase the members limit (1000) ?
I got crash after raising it to 2000+, Is there anything else that needs to be changed?

// async function getHandlers

    let size = 0;
    for (const { name, members: pendingMembers } of pendingScopes) {
        const curMembers: MemberName[] = [];
        curScopes.push({
            name,
            members: curMembers
        });

        let exhausted = false;
        for (const member of pendingMembers) {
            curMembers.push(member);

            size++;
            if (size === 1000) {
                exhausted = true;
                break;
            }
        }
        if (exhausted) {
            break;
        }
    }

}

frida-discover fails with the Chrome app in Android 10

When "frida-discover" is run to monitor the Chrome app (v 86.0.x.y) in Android 10, it dies with multiple error messages depending on the execution (as soon as it tries to run). Different crash samples are provided below.

The Frida environment is using version 12.11.18 in macOS and Python 3.8, and "frida-server" version 12.11.18 running as root in Android 10.

In this case "frida-discover" tries to trace all threads, and Frida dies. As a result, the app also dies:

$ frida-discover -U com.android.chrome
Tracing 47 threads. Press ENTER to stop.
Process terminated
Stopping...

$ frida-discover -U com.android.chrome
Failed to spawn: unable to find process with name 'com.android.chrome'

In this case, there is a trap via "libc" and "trichromelibrary":

$ frida-discover -U com.android.chrome
Tracing 49 threads. Press ENTER to stop.
Process crashed: Trace/BPT trap

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/sargo/sargo:10/QQ2A.200405.005/6254899:user/release-keys'
Revision: 'MP1.0'
ABI: 'arm'
Timestamp: 2020-10-20 11:37:52+0200
pid: 5675, tid: 5719, name: RenderThread  >>> com.android.chrome <<<
uid: 10189
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'RenderThread Looper POLL_ERROR!'
    r0  00000000  r1  00001657  r2  00000006  r3  00000006
    r4  00000006  r5  c3bfc930  r6  da29b254  r7  0000010c
    r8  c3bfc930  r9  c3bfc8bc  r10 c3bfc9b0  r11 d59eda20
    ip  c3bfc928  sp  c3bfc870  lr  ba335d9b  pc  ef032c74

backtrace:
      #00 pc 00097c74  /apex/com.android.runtime/lib/bionic/libc.so!libc.so (offset 0x97000) (tgkill+12) (BuildId: 8c3173001a99af3ab544de85a610e066)
      #01 pc 00348d99  /data/app/com.google.android.trichromelibrary_424009933-MLvtBvj9odLq1ZikiiIpiA==/base.apk
***
Stopping...

In this case, the script injection generates an exception and the script is destroyed:

$ frida-discover -U com.android.chrome
Injecting script...
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida_tools/application.py", line 635, in _run
    work()
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida_tools/application.py", line 330, in _try_start
    self._start()
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida_tools/discoverer.py", line 35, in _start
    self._discoverer.start(self._session, self._runtime, self)
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida_tools/discoverer.py", line 89, in start
    params = self._script.exports.start()
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida/core.py", line 401, in method
    return script._rpc_request('call', js_name, args, **kwargs)
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida/core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "/Users/<user>/Library/Python/3.8/lib/python/site-packages/frida/core.py", line 333, in _rpc_request
    raise result[2]
frida.InvalidOperationError: script is destroyed

How to load script and exit frida environment after removing `--no-pause`?

--no-pause behaviour was changed in a557bfe

hello.c

#include <stdio.h>
#include <unistd.h>

void
f (int n)
{
  printf ("Number: %d\n", n);
}

int
main (int argc,
      char * argv[])
{
  int i = 0;

  printf ("f() is at %p\n", f);

  while (1)
  {
    f (i++);
    sleep (1);
  }
}

$ gcc -Wall hello.c -o hello

hello.js

Interceptor.attach(ptr("0x55c9f407e169"), {
    onEnter(args) {
        args[0] = ptr("1337");
    }
})

./hello
f() is at 0x55c9f407e169
Number: 0
Number: 1
Number: 2
Number: 3
Number: 4
Number: 5

# since frida 16 --no-pause removed :(
frida hello -l hello.js

     ____
    / _  |   Frida 16.0.1 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Local System (id=local)

[Local::hello ]->

Is there any way to exit from [Local::hello ]-> after script loaded?

Add delay option

Some APPs have Frida detection, which needs to be bypassed first and then traced.I would like to add a delayed injection option

Move the codeshare implementation in a separate file to be reusable

Feature: option to disable terminal colors (colorama)

would be friendly to have an option or environment variable to disable the usage of colorama so that terminal escape sequences aren't emitted. this way colors aren't imposed on the user and they have a choice.

delete

delete. issue opened by mistake

frida-ps segfaults for jailed iOS devices (but works for Android)

System information:

$ uname -a
Darwin <hostname> 20.5.0 Darwin Kernel Version 20.5.0: Sat May  8 05:10:33 PDT 2021; root:xnu-7195.121.3~9/RELEASE_X86_64 x86_64

Steps to reproduce:

Prepare a fresh virtual environment for Frida tools:

$ pyenv virtualenv 3.9.5 3.9.5-frida-tools
$ pyenv local 3.9.5-frida-tools
$ pip install --upgrade pip
$ pip install --upgrade setuptools
$ python --version
Python 3.9.5
$ pip list -v
Package    Version Location                                                                                 Installer
---------- ------- ---------------------------------------------------------------------------------------- ---------
pip        21.1.2  /Users/iosbuild/.pyenv/versions/3.9.5/envs/3.9.5-frida-tools/lib/python3.9/site-packages pip
setuptools 57.0.0  /Users/iosbuild/.pyenv/versions/3.9.5/envs/3.9.5-frida-tools/lib/python3.9/site-packages pip

Install frida-tools

$ pip install frida-tools
$ pyenv which frida-ls-devices
/Users/iosbuild/.pyenv/versions/3.9.5-frida-tools/bin/frida-ls-devices
$ pyenv which frida-ps
/Users/iosbuild/.pyenv/versions/3.9.5-frida-tools/bin/frida-ps

Produce a segmentation fault:

$ frida-ls-devices
Id                                        Type    Name        
----------------------------------------  ------  ------------
local                                     local   Local System
<serial-one-redacted>                     usb     Mi A3
<serial-two-redacted>                     usb     iPhone
$ firda-ps --device <serial-one-redacted>
<produces a list of processes>
$ frida-ps --device <serial-two-redacted>
Failed to enumerate processes: channel closed                           
zsh: segmentation fault  frida-ps --device <serial-two-redacted>

In the segmentation fault above, the "Failed to enumerate processes" sometimes is not visible, and only the segmentation fault message is there. I am also attaching a crash report from /Users/iosbuild/Library/Logs/DiagnosticReports/, which shows the crash happens in frida-main-loop.

Same segmentation fault occurs if I build Frida from source on that machine following these instructions.

$ ./build/frida-macos-x86_64/bin/frida-ps --device <serial-two-redacted>
Failed to enumerate processes: channel closed                           
zsh: segmentation fault  ./build/frida-macos-x86_64/bin/frida-ps --device <serial-two-redacted>

Finally, Frida worked on that machine one week ago (21st of May), so something changed either on the machine or for Frida in the last week.

frida-ps failes with GLIBC_2.28 error launching from ubuntu1804/aarch64/python3.8.10

frida-ps doesn't run on Ubuntu18.04 aarch64 with python 3.8.10

is this not supported on systems with older glibc?

$ frida-ps -U

***
Failed to load the Frida native extension: /lib/aarch64-linux-gnu/libc.so.6: version `GLIBC_2.28' not found (required by /home/ubuntu/.envs/data/lib/python3.8/site-packages/_frida.cpython-38-aarch64-linux-gnu.so)
Please ensure that the extension was compiled for Python 3.x.
***

Traceback (most recent call last):
  File "/home/ubuntu/.envs/data/bin/frida-ps", line 8, in <module>
    sys.exit(main())
  File "/home/ubuntu/.envs/data/lib/python3.8/site-packages/frida_tools/ps.py", line 8, in main
    from frida_tools.application import ConsoleApplication
  File "/home/ubuntu/.envs/data/lib/python3.8/site-packages/frida_tools/application.py", line 23, in <module>
    import frida
  File "/home/ubuntu/.envs/data/lib/python3.8/site-packages/frida/__init__.py", line 24, in <module>
    raise ex
  File "/home/ubuntu/.envs/data/lib/python3.8/site-packages/frida/__init__.py", line 7, in <module>
    import _frida
ImportError: /lib/aarch64-linux-gnu/libc.so.6: version `GLIBC_2.28' not found (required by /home/ubuntu/.envs/data/lib/python3.8/site-packages/_frida.cpython-38-aarch64-linux-gnu.so)

$ python -V
Python 3.8.10

$ python -V
Python 3.8.10

$ ldd /home/ubuntu/.envs/data/lib/python3.8/site-packages/_frida.cpython-38-aarch64-linux-gnu.so
/home/ubuntu/.envs/data/lib/python3.8/site-packages/_frida.cpython-38-aarch64-linux-gnu.so: /lib/aarch64-linux-gnu/libc.so.6: version `GLIBC_2.28' not found (required by /home/ubuntu/.envs/data/lib/python3.8/site-packages/_frida.cpython-38-aarch64-linux-gnu.so)
        linux-vdso.so.1 (0x0000ffff97982000)
        libdl.so.2 => /lib/aarch64-linux-gnu/libdl.so.2 (0x0000ffff95ece000)
        libpthread.so.0 => /lib/aarch64-linux-gnu/libpthread.so.0 (0x0000ffff95ea2000)
        libresolv.so.2 => /lib/aarch64-linux-gnu/libresolv.so.2 (0x0000ffff95e7d000)
        libm.so.6 => /lib/aarch64-linux-gnu/libm.so.6 (0x0000ffff95dc4000)
        libc.so.6 => /lib/aarch64-linux-gnu/libc.so.6 (0x0000ffff95c6b000)
        /lib/ld-linux-aarch64.so.1 (0x0000ffff97956000)

not sure where we built the pip packages for this. It seems the pip package for this problematic one was built on ubuntu20.
We should consider build from an older system in order to have better binary compatibility.

Loaded script globals are no longer added to the REPL namespace

I upgraded to Frida 15.2.2 and I have to following problem. I used to load a JS script into Frida REPL and all the functions defined in that script were available in the REPL. In the latest version, even though they are executed from the script, I cannot call them manually from the REPL anymore.

Example script:

function testFunc() {
    console.log("testFunc called");
}

Run like this:

> frida -U -F -l test.js --no-pause

In version 15.1.4 I was able to type testFunc in the REPL (with autocompletion even) and execute this function. In 15.2.2 this function is no longer available.

JNI DETECTED ERROR IN APPLICATION: obj == null'

Build fingerprint: 'google/sdk_google_phone_x86/generic_x86:7.0/NYC/6696031:userdebug/dev-keys'
Revision: '0'
ABI: 'x86'
pid: 4359, tid: 4359, name: test.com >>> com.test.com <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'art/runtime/java_vm_ext.cc:470] JNI DETECTED ERROR IN APPLICATION: obj == null'
eax 00000000 ebx 00001107 ecx 00001107 edx 00000006
esi bfc4ea0c edi bfc4e8a0
xcs 00000073 xds 0000007b xes 0000007b xfs 0000003b xss 0000007b
eip a9482424 ebp bfc4e920 esp bfc4e838 flags 00000282

backtrace:
#00 pc ffffe424 [vdso:a9482000] (__kernel_vsyscall+16)
#1 pc 0007eb78 /system/bin/linker (__dl_syscall+40)
#2 pc 00004681 /system/bin/linker (__dl__ZL24debuggerd_signal_handleriP7siginfoPv+1201)
#3 pc 0078a844 /data/local/tmp/re.frida.server/frida-agent-32.so (offset 0x61e000)

//Function to hoo:
private final void verifySafety(String str) {
h.h.a.d.o.e.a(this).K(generateNonce(), Constants.SAFETY).j(this, new m0(this, str)).g(this, p0.a);
}

//Javascript:
videoActivity.verifySafety.implementation = function(str){
console.log("testing");
};

Add manpages

$ man frida-trace
No manual entry for frida-trace

Use python-prompt-toolkit own code to handle dumb terminals

Seems like python-prompt-toolkit are adding their own support for dumb terminals.
(for examples prompt-toolkit/python-prompt-toolkit@35d510d)
It might be a good replacement for frida's dumb-terminal specific code in
https://github.com/frida/frida-tools/blob/master/frida_tools/repl.py
I haven't tried using it.

frida CLI app spawned via await does not honor the "--no-pause" flag

I noticed that the frida CLI does not honor the --no-pause flag when using the --await option.

This was useful for me, so I've submitted a PR #111 if that's generally useful.

Cannot access variables in scripts in the interactive shell

After upgrade to frida-tools 11.0.0, cannot access variables in scripts in the interactive shell
script:

var a = 0;
console.log(a);

run frida and print variable a in the interactive shell:

❯ frida -f ./a -l ./a.js
     ____
    / _  |   Frida 15.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Local System (id=local)
Spawning `./a`...
0
Spawned `./a`. Use %resume to let the main thread start executing!
[Local::a ]-> a
ReferenceError: 'a' is not defined

Replace deprecated optparse with argparse

optparse is deprecated since Python 3.2 (somewhere around 2011) so we should probably update the code to use argparse. It will also improve the help message

frida-trace FileMonitor

FileMonitor does not seem to be triggering under MacOSX (Sierra), so handlers are not reloaded when files are updated.

I couldn't really debug into it so I updated my tracer to use https://pythonhosted.org/watchdog/ which is a common package, cross-platform, heavily used/tested.

Is this a PR that could be of interest?

Create a replrc configuration file

A common use case I see is passing some helper script files to the REPL so it would be easier to work with. This and the configuration flags I'm adding (#76, #82) and plan to add (#83, #84), can make the frida command repetitive and long. Maybe we could add a simple configuration file which is simply a list of REPL commands? I'm thinking of something like this:

%autoperform on
%autoreload off
%load -y ~/Scripts/Frida/repl-utils.js

Rewrite in Vala/Rust to remove the python dependency?

App Icons sometimes do not Render on iTerm2

Im running into issues with app icons not rendering in iTerm2. Is there a way to simply disable the feature. I have tried different things to try and figure out the root cause and haven't figured it out.

frida-trace messes up stdin

can't use frida-trace with apps that read from stdin. it should just handle ^C not ^D

Completion broken in REPL

It seems that the completion does not support calls to functions but instead of aborting the completion and not showing any suggestions the completion crash and show annoying error message to the user.

Aborting is probably the best short term solution but maybe a better completion using ternjs and TypeScript could be used instead. Is there something that would be welcomed? There are some trade off for the two options:

ternjs development isn't very active but it probably still works
tsserver require nodejs and I'm not sure how hard it would be to run it on quickJS

Unable to connect to local Portal

This could just be user error, but having difficulty using the CLI tools to test the Portal functionality. When starting the portal locally I'm running:

frida-portal --cluster-certificate=frida-cert.pem --cluster-token=foo

And then attempting to connect using frida-join, running:

frida-join -D [device] "[process]" "127.0.0.1:27042" frida-cert.pem foo

I get the message Joining portal... which goes for a bit, then ends with Unable to join: timeout was reached. I've attempted with different combinations of token and certificate and haven't had any success.

Running APK are crashing during dumping using Frida-trace -U -i "*" to dump all function

Feature: quick, customizable command in REPL

I'm developing a feature called "quick command" in frida REPL, like:

[Local::a.exe ]-> .d 401000 10
           0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
00401000  55 8b ec 81 c4 fc fe ff ff 8b 45 0c 83 f8 01 75  U.........E....u

The quick cmd starts with '.' (same as nodejs REPL), and can be customized dynamically by the javascript loaded.

For example, register a new quick cmd 'u' in agent.js :

REPL.register_quick_cmd(
    'u', // the quick cmd
    1, // at least 1 argument
    function disasm(addr, inst_cnt = 10) { ... } // target function
)

Which can be used in REPL:

[Local::a.exe ]-> .u 401000
00401000    push ebp
00401001    mov ebp, esp
00401003    add esp, 0xfffffefc
00401009    mov eax, dword ptr [ebp + 0xc]
0040100C    cmp eax, 1
0040100F    jne 0x401028
00401011    push dword ptr [0x403864]
00401017    push 1
00401019    push 0x466
0040101E    push dword ptr [ebp + 8]

I have not contributed to this project yet, and would like to know if it is possble to make a pull request for this feature directly?

send() output broken in 2.1.0

Hello, PR #8 breaks the send api in Frida scripts. Put send({ "foo": "bar"}); or send('{ "foo": "bar" }'); to a Frida script, run it with repl and you get this exception:

Traceback (most recent call last):
  File "threading.py", line 916, in _bootstrap_inner
  File "threading.py", line 864, in run
  File "frida_tools/application.py", line 452, in _run
  File "frida_tools/repl.py", line 158, in <lambda>
  File "frida_tools/repl.py", line 444, in _process_message
  File "frida_tools/application.py", line 351, in _print
TypeError: sequence item 1: expected str instance, dict found

I tried to fix it and submit PR, but the logic added in #8 completely bypasses the code in _print that's designed to handle non-string args by joining all args to a single string.

If I'm reading it correctly, it also changes behavior of _print() with multiple args:

Before PR: self._print("a", "b") -> a b
After PR: self._print("a", "b") -> ab

So I'm not sure what you want the fix to be, which behavior of _print is desired.

Add a way to disable auto reload

Auto reload is great but the way it's implemented it deletes any state in the REPL. I propose to add a flag to disable it.
I personally think auto reload should be off by default but because we can't change it without breaking backwards compatibility I suggest adding the flag --no-auto-reload. If we want to eventually make it the default I also suggest adding --auto-reload flag that does nothing so the migration will be easier in the future.

We should also have a way to change the settings from the REPL which mean a %autoreload {on/off} command.

I plan on implementing it after my magics refactor is merged.

Add a load command to the REPL

It can be a bit tricky because we need to give the user indication that it will erase the REPL state, maybe with a prompt and a flag that always says yes? Something like that:

%load [-y] PATH

frida-ls-devices cannot detect multiple devices more than 4

I use Ubuntu Desktop 16.04, frida-tools == 1.2.2, frida == 12.2.9
When I plugin 2 Nexus 5P, 1 Nexus5, 3 Nexus 6, total 6 devices, the frida-ls-devices only show 4 devices: 1 nexus 5P, 3 Nexus 6
Does frida support limited number of devices?

Can't run frida-trace

frida-trace -U -p 3291 --runtime v8
Failed to start tracing: [Errno 2] No such file or directory: 'C:\Users\user\AppData\Local\Programs\Python\Python38\lib\site-packages\frida_tools-10.4.1-py3.8.egg\frida_tools\tracer_agent.js'

Frida Gadget cannot find config file

I tried to put frida gadget, config and script files in same folder. Then, load it with System.load(frida). But my application stuck at waiting screen.

Is there anyway to solve it?

What is frida-itrace?

Could someone give me a little detail about the itrace tool?

Run tests in GitHub Actions or another CI

I haven't worked with GitHub Actions but it seems to be the obvious option if we are already using GitHub. Otherwise Sourcehut Build might be a good option.

I'm still unable to run the existing tests so help is welcomed

`frida-apk` fails to make apk debuggable

I tried to use the very cool frida-apk tool with a simple pinning demo app, but for some reason the APK did not end up as debuggable on my Pixel 3. This led me down a terrible rabbit hole into binary XML. To cut a long story short, I have discovered that I can "fix" the generated APK by moving the debuggable attribute to an earlier position in the same tag. I'm not sure why this makes things work, but maybe someone has any ideas.

Here's a minimal repro script that creates two variants of a demo apk. Variant A exhibits the same behavior as if I'm just running frida-apk, variant B is "fixed" by reordering the attributes (see patch below).

#!/usr/bin/sh
# get dependencies
wget -nc -q \
	https://github.com/httptoolkit/android-ssl-pinning-demo/releases/download/v1.2.1/pinning-demo.apk \
	https://github.com/hzw1199/xml2axml/releases/download/1.1.0/xml2axml-1.1.0-SNAPSHOT.jar

# add android:debuggable attribute
frida-apk pinning-demo.apk

# the generated pinning-demo.d.apk already exhibits the same problem as the A variant below.
# The point of the A variant is to make sure that none of the conversion steps we now do fixes it somehow.

# extract manifest from new apk
unzip -p pinning-demo.d.apk AndroidManifest.xml > AndroidManifest.orig.xml

# binary xml -> plaintext xml, create copy for variant B.
java -jar xml2axml-1.1.0-SNAPSHOT.jar d AndroidManifest.orig.xml AndroidManifest.a.xml
cp AndroidManifest.a.xml AndroidManifest.b.xml

# Patch variant B. We only move the debuggable attribute up.
patch << EOM
--- AndroidManifest.b.xml	2022-03-06 02:02:30.940230800 +0100
+++ AndroidManifest.b.xml	2022-03-06 02:02:55.030781200 +0100
@@ -22,13 +22,13 @@
 		android:theme="@7F1001EF"
 		android:label="@7F0F001B"
 		android:icon="@7F0C0000"
+		android:debuggable="true"
 		android:allowBackup="true"
 		android:supportsRtl="true"
 		android:extractNativeLibs="false"
 		android:networkSecurityConfig="@7F120000"
 		android:roundIcon="@7F0C0001"
 		android:appComponentFactory="androidx.core.app.CoreComponentFactory"
-		android:debuggable="true"
 		>
 		<activity
 			android:name="tech.httptoolkit.pinning_demo.MainActivity"

EOM

# plaintext xml -> binary xml
java -jar xml2axml-1.1.0-SNAPSHOT.jar e AndroidManifest.a.xml AndroidManifest.bin.a.xml
java -jar xml2axml-1.1.0-SNAPSHOT.jar e AndroidManifest.b.xml AndroidManifest.bin.b.xml

# create a.apk and b.apk
cp pinning-demo.d.apk pinning-demo.d.a.apk
cp pinning-demo.d.apk pinning-demo.d.b.apk

# update both variants with the new binary manifests.
mv AndroidManifest.bin.a.xml AndroidManifest.xml
zip pinning-demo.d.a.apk AndroidManifest.xml
rm AndroidManifest.xml
mv AndroidManifest.bin.b.xml AndroidManifest.xml
zip pinning-demo.d.b.apk AndroidManifest.xml
rm AndroidManifest.xml

# zipalign and sign APKs for testing
objection signapk pinning-demo.d.a.apk
objection signapk pinning-demo.d.b.apk
rm pinning-demo.d.a.apk pinning-demo.d.b.apk

echo "You now have two apks: pinning-demo.d.a.objection.apk and pinning-demo.d.b.objection.apk, which only differ by the patch above."
echo "Curiously, only the B variant appears as debuggable on a Pixel 3"

Some more notes:

I initially discovered that I can fix this by running apktool d followed by apktool build. For some reasons this also reorders the attributes, I haven't figured out yet why that is the case .
I initially expected @meme's binary XML patching to have some subtle issues and spent a lot of time staring at the patched binary XML. The code looks very much correct though. Here's a Kaitai Struct definition I created to visualize it https://ide.kaitai.io/: https://gist.github.com/mhils/33590982266a3f6fc68b1fea84c2c92b. There is a small inconsistency where the debuggable string is inserted after the padding in the StringPool Chunk, but that shouldn't cause any issues. I fixed it manually once, which didn't change the overall outcome. Also, the issue persists after doing a roundtrip through xml2axml.

	self._outfile = open(outpath, "wb")
	self._outfile.write(self.FILE_MAGIC)

frida / frida-tools Goto Github PK

frida-tools's Introduction

Frida CLI tools

Making dev changes to frida-tools

Loading your custom frida-java-bridge

Installing Fish completions

frida-itrace file format

MESSAGE

CHUNK

frida-tools's People

Contributors

Stargazers

Watchers

Forkers

frida-tools's Issues

System information:

Steps to reproduce:

Recommend Projects

Recommend Topics

Recommend Org