android: alternative offset to ExceptionClear in libart (https://github.com/frida/frida/issues/2958)(https://github.com/frida/frida-java-bridge/issues/336) #337
base: main
Conversation
On Android 14, libart 350820960 the error goes away when starting the server but when trying to run an app with frida attached, the phone soft-reboots after a few seconds. (The app did actually spawn). Were you able to spawn and attach with this PR?

I tried only with frida-inject and it was working fine. In this commit android: handle change of signature of runFlip:

It is confirmed that this patch works on

@matbrik It has issues on older devices or those without

Can you provide more details and logs on the error?
This is sample information, you can run it and try. If you need more information, give me your Discord or Telegram, we can discuss further.

```json
{
  "type": "error",
  "description": "Error: access violation accessing 0x7cff553fd0",
  "stack": "Error: access violation accessing 0x7cff553fd0\n at Ln (frida/node_modules/frida-java-bridge/lib/android.js:1617:1)\n at kt (frida/node_modules/frida-java-bridge/lib/android.js:582:1)\n at frida/node_modules/frida-java-bridge/lib/memoize.js:4:1\n at vt (frida/node_modules/frida-java-bridge/lib/android.js:577:1)\n at frida/node_modules/frida-java-bridge/lib/class-model.js:112:1\n at Function.build (frida/node_modules/frida-java-bridge/lib/class-model.js:7:1)\n at k._make (frida/node_modules/frida-java-bridge/lib/class-factory.js:168:1)\n at k.use (frida/node_modules/frida-java-bridge/lib/class-factory.js:62:1)\n at frida/node_modules/frida-java-bridge/index.js:224:1\n at c.perform (frida/node_modules/frida-java-bridge/lib/vm.js:12:1)",
  "fileName": "frida/node_modules/frida-java-bridge/lib/android.js",
  "lineNumber": 1617,
  "columnNumber": 1
}
```

e.g. code:

```typescript
import Wrapper = Java.Wrapper;

Java.perform(() => {
  try {
    // Resolve the running Application through ActivityThread; null if none is attached yet
    const application = Java.use('android.app.ActivityThread').currentApplication() as (Wrapper | null);
    if (!application) {
      console.log('initBroadcastReceiver !application');
      return;
    }
    const ctx = application.getApplicationContext();
    console.log(ctx);
  } catch (e) {
    console.error('initBroadcastReceiver error', e);
  }
});
```
I don't have a similar device available.
If you comment out that conditional statement, it will work like it did before.
It seems that when building, Frida will minify the JavaScript code, leading to stack traces no longer matching those in this library. Can you guide me on how to set up to add logging? By the way, this is the command I use to build.

So it does work correctly on your Android 10?
Check also this comment from frida/frida; there is a variation of this pull request with a different heuristic.
Yes, it works just like before.
I will try and report back the results.

@matbrik After applying the patch to Additionally, when I applied the patch to the

@matbrik @thinhbuzz On my S21 Ultra running Android 14 and this latest Google Play update, this PR fixes the error but the actual function passed to Java.perform never gets called. Are you not seeing this problem on your device? It works fine on an old Android 11 Pixel 2.

@radubogdan2k I have someone else reporting me the same problem on the same device. Sometimes the hooks are not triggered but there is not any error reported. Maybe @oleavr can share some wisdom on the cause and how to fix it.

Yes, that's exactly the behavior I'm seeing also. Hopefully Ole will be able to help.

Yeah, I have confirmed that some classes and methods are not hooked in a commercial app that I cannot reveal the name of. (Frida 16.5.6 modified) As of now, I have to remove the com.google.android.art package, and there seems to be no other countermeasure at the moment.

Fix only for arm64

Fixed, @matbrik Thx. (Google Play System Update 2024.10, com.android.art@351011240)
@matbrik I got a new error on Samsung Galaxy Note 9 (SM-N960F/DS) - android 10 device

```json
{
  "type": "error",
  "description": "Error: invalid decimal string",
  "stack": "Error: invalid decimal string\n at qe (frida/node_modules/frida-java-bridge/lib/android.js:274:1)\n at ze (frida/node_modules/frida-java-bridge/lib/android.js:207:1)\n at Fe (frida/node_modules/frida-java-bridge/lib/android.js:16:1)\n at _tryInitialize (frida/node_modules/frida-java-bridge/index.js:29:1)\n at new _ (frida/node_modules/frida-java-bridge/index.js:21:1)\n at Object.4../lib/android (frida/node_modules/frida-java-bridge/index.js:332:1)\n at o (frida/node_modules/browser-pack/_prelude.js:1:1)\n at frida/node_modules/browser-pack/_prelude.js:1:1\n at Object.22.frida-java-bridge (frida/runtime/java.js:1:1)\n at o (frida/node_modules/browser-pack/_prelude.js:1:1)",
  "fileName": "frida/node_modules/frida-java-bridge/lib/android.js",
  "lineNumber": 274,
  "columnNumber": 1
}
```

@thinhbuzz Can you share your gadget so I can check where it crashes? And tell me the version of libart installed?

I share the current status of this issue (Contributed by @hackcatml)

Thanks a lot for this amazing contribution, and apologies for the delay. I've been in a very deep iOS rabbit-hole, and had to hold off on reviewing non-trivial PRs in the meantime. I've started working on polishing this PR in fix/art-compat, incorporating the improvements by @hackcatml on top of it. The first pass of refactoring is now working on arm64, but 32-bit ARM is still work in progress.
Hi @oleavr, thanks for the help and sorry for my horrible code :). frida-java-bridge/lib/android.js, line 691 in 653246e
For the support to arm I had ready a couple of functions for finding the DoCall function and for the ExecuteNterpImpl.
In the latest libart versions (35xxxxxxx), the offset in the vtable of venv for ExceptionClear is not valid anymore.
I added a check through a heuristic to detect if the found function is the correct one or if the new offset is needed.
The commit is only for arm64; a fix for other architectures may be needed.
Tested on libart:
350820380
350820960
350820860