Can't find mono runtime #17

Open
alexdetrano opened this issue Mar 31, 2021 · 2 comments

alexdetrano commented Mar 31, 2021

I'm trying to hook a Xamarin-based iOS app and am getting the following error:

~/t/s/s/f/fridax > ./fridax.js inject --device usb --scripts scripts/aot_modify_class_function_argument.js
[*] Awaiting storage initialization.
[*] Awaiting USB device.
[*] Up and running on iPhone.
? Which application do you want to inject? XXXXX
[*] Happy hacking.
[*] Attached to application (session: 74911).
[*] Injected a test script (this runs from within the injected application)!
Error: Can't find Mono runtime!
    at <anonymous> (vendors/frida-mono-api/mono-module.js:33)
    at call (native)
    at o (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (vendors/frida-mono-api/mono-api.js:2)
    at call (native)
    at o (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (vendors/frida-mono-api/index.js:1)
    at call (native)
    at o (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (node_modules/browser-pack/_prelude.js:1)
    at <anonymous> (scripts/aot_modify_class_function_argument.js:1)
    at call (native)
    at o (node_modules/browser-pack/_prelude.js:1)
    at r (node_modules/browser-pack/_prelude.js:1)
    at <eval> (/script2.js:1246)

I've looked at #1 and the issue was fixed but I'm still having the issue. I've tried poking around but am just getting started with frida. Things I've tried:

  • looking for mono using Process.enumerateModulesSync()
  • looking for mono using Process.enumerateExports()
  • hooking dlopen and looking for any import of mono

but nothing shows up. Is there anything else I can do to troubleshoot the issue? Sadly I can't share the ipa.

omareltf commented Mar 31, 2021

I have the same problem on iOS with a different file.

I have executed grep on the Application folder and this is the result:

grep -ir "mono"
Binary file System.aotdata.arm64 matches
Binary file Seling.Mobile.dll matches
CodeSignature/CodeResources: Mono.Security.aotdata.arm64
_CodeSignature/CodeResources: Mono.Security.dll
_CodeSignature/CodeResources: Mono.Security.aotdata.arm64
_CodeSignature/CodeResources: Mono.Security.dll

Binary file APPNAME.iOS matches
Binary file Mono.Security.aotdata.arm64 matches
Binary file zxing.portable.dll matches
Binary file System.Core.dll matches
Binary file mscorlib.dll matches
Binary file Xamarin.iOS.dll matches
Binary file Xamarin.Forms.Platform.iOS.dll matches
Binary file Mono.Security.dll matches
Binary file SQLitePCLRaw.provider.sqlite3.dll matches
Binary file Firebase.Core.dll matches
Binary file System.Net.Http.dll matches
Binary file APPNAME.iOS.exe matches
Binary file System.dll matches

Furthermore:

grep -ir "mono_thread_attach"
Binary file APPNAME.iOS matches

sammyjeng commented Apr 6, 2023

Hey @alexdetrano and @omareltf,

The above-mentioned issue arises because the Xamarin apps are compiled Ahead of Time in the case of iOS, and they work just like any other native app with the ObjC runtime. There is no Mono runtime to begin with, hence you won't be able to find the mono module/mono exports/mono runtime using Fridax.

I am pretty sure that is the case, because following this hunch has yielded results. But if someone has successfully used Fridax to hook into iOS applications and has found mono-module (very unlikely), I would love to know how they did it and get the full picture of what's going on.

What can one do to hook into Xamarin apps on iOS?

  • Hook into ObjC classes and methods using Objection or Frida scripts and it should work just fine.

References:

  1. https://www.c-sharpcorner.com/article/how-xamarin-works-on-different-platforms/
  2. https://learn.microsoft.com/en-us/xamarin/ios/internals/architecture
  3. https://www.mono-project.com/docs/advanced/embedding/

Update:

  • It seems that you can't find the mono module/runtime if the build was compiled without the DEBUG flag.
  • Fridax will work fine on debug builds where you'll be able to find the mono module.
  • If the app is compiled using these conditional symbols, Fridax is useful: __IOS__;__MOBILE__;__UNIFIED__;DEBUG
  • If the above-mentioned DEBUG flag is missing in the compiler flags, then the alternative way is to hook into ObjC classes and methods. In both cases, hooking into the ObjC runtime works totally fine.
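
A diagnostic for the situation discussed in this thread, as an added example that is not part of the original comments and is not Fridax code: it reports, for every loaded module, whether mono_thread_attach (the string the grep above found in the main binary) is visible as an export, only as a symbol, or not at all, and whether the ObjC runtime is available. The names locateMono and summarize are hypothetical; the script assumes Frida's Process.enumerateModules(), the per-module enumerateExports() and enumerateSymbols(), and ObjC.available.

```javascript
'use strict';
// Added example, not Fridax code. locateMono and summarize are hypothetical names.
const PROBE = 'mono_thread_attach'; // symbol that grep found in the main binary above

// proc is Frida's Process object, passed in so the logic can also run off-device.
function locateMono(proc, probe) {
  const matches = (list) => list.some((s) => s.name === probe || s.name === '_' + probe);
  const found = [];
  for (const mod of proc.enumerateModules()) {
    const hit = { module: mod.name, byName: /mono/i.test(mod.name), asExport: false, asSymbol: false };
    // Either enumeration can throw on an unreadable module; treat that as "not found".
    try { hit.asExport = matches(mod.enumerateExports()); } catch (e) { /* skip */ }
    try { hit.asSymbol = matches(mod.enumerateSymbols()); } catch (e) { /* skip */ }
    if (hit.byName || hit.asExport || hit.asSymbol) found.push(hit);
  }
  return found;
}

// Collapse the per-module findings into one verdict for the whole process.
function summarize(found, objcAvailable) {
  if (found.some((h) => h.asExport)) return 'mono-exported';
  if (found.some((h) => h.asSymbol)) return 'mono-symbol-only';
  if (found.length > 0) return 'mono-named-module-only';
  return objcAvailable ? 'objc-only' : 'nothing-found';
}

// Runs only inside a Frida agent, where Process (capital P) is a global.
if (typeof Process !== 'undefined' && typeof Process.enumerateModules === 'function') {
  const found = locateMono(Process, PROBE);
  const objc = typeof ObjC !== 'undefined' && ObjC.available;
  found.forEach((h) => console.log(JSON.stringify(h)));
  console.log('[mono-check] ' + summarize(found, objc));
}
```

A verdict of mono-symbol-only means the name is present in a module's symbol table but is not exported, and objc-only means no Mono name was visible at all while the ObjC runtime is available.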
