
Android: No imports, exports on native library (:iE , :ii) #556

Open
enovella opened this issue Feb 3, 2024 · 6 comments

Comments

@enovella
Contributor

enovella commented Feb 3, 2024

Radare2 anal

R2 is capable of detecting the exports of the native library:

$ r2 lib/arm64-v8a/libtool-checker.so
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
 -- Use 'rabin2 -ris' to get the import/export symbols of any binary.
[0x00000990]> iE
[Exports]
nth paddr      vaddr      bind   type   size lib name                                                          demangled
――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
8   0x000009cc 0x000009cc GLOBAL FUNC   76       Java_com_scottyab_rootbeer_RootBeerNative_setLogDebugMessages
9   ---------- 0x00003004 GLOBAL NOTYPE 0        _bss_end__
11  ---------- 0x00003004 GLOBAL NOTYPE 0        _edata
12  ---------- 0x00003008 GLOBAL NOTYPE 0        _end
13  ---------- 0x00003004 GLOBAL NOTYPE 0        __bss_start
14  0x00000ad4 0x00000ad4 GLOBAL FUNC   196      Java_com_scottyab_rootbeer_RootBeerNative_checkForRoot
15  ---------- 0x00003004 GLOBAL NOTYPE 0        __bss_end__
16  0x00000a18 0x00000a18 GLOBAL FUNC   188      _Z6existsPKc                                                  exists(char const*)
19  ---------- 0x00003008 GLOBAL NOTYPE 0        __end__
20  ---------- 0x00003004 GLOBAL NOTYPE 0        __bss_start__
[0x00000990]> q

R2Frida (steps to reproduce)

R2Frida is not able to identify the exports or imports at runtime:

$ r2 frida://spawn/usb//com.scottyab.rootbeer.sample
ERROR: error: unable to find module containing 0x0
[0x00000000]> :dc
INFO: resumed spawned process
// Press button on the screen to load the native library
[0x00000000]> :il~+tool
0x0000007511761000 0x0000007511765000 libtool-checker.so
[0x00000000]> s 0x0000007511761000
[0x7511761000]> :iE
[0x7511761000]>

Setup

Latest Frida, r2 and r2frida
APK:
com.scottyab.rootbeer.sample.apk.zip

@enovella
Contributor Author

enovella commented Feb 3, 2024

It used to work!
image

@enovella
Contributor Author

enovella commented Feb 3, 2024

@trufae FYI - The native library is not loaded until you press the button at the bottom of the screen.

@as0ler
Contributor

as0ler commented Feb 3, 2024

Seems like a Frida bug:

[Pixel 4a::com.scottyab.rootbeer.sample ]-> var test = Process.getModuleByName("libtool-checker.so")
[Pixel 4a::com.scottyab.rootbeer.sample ]-> test
{
    "base": "0x773b794000",
    "name": "libtool-checker.so",
    "path": "/data/app/~~4Uu8HmOowBu7iVyv8KKjgg==/com.scottyab.rootbeer.sample-ZTsctaKJ0O9P8Nl3TA1XWQ==/lib/arm64/libtool-checker.so",
    "size": 16384
}
[Pixel 4a::com.scottyab.rootbeer.sample ]-> test.enumerateExports()
[]

@enovella
Contributor Author

enovella commented Feb 4, 2024

@as0ler, you're right, and with Frida 15 it works! /cc for viz @oleavr

[Pixel ::com.scottyab.rootbeer.sample ]-> Frida
{
    "version": "15.2.2"
}
[Pixel ::com.scottyab.rootbeer.sample ]-> %resume
[Pixel ::com.scottyab.rootbeer.sample ]-> var test = Process.getModuleByName("libtool-checker.so")
[Pixel ::com.scottyab.rootbeer.sample ]-> test.enumerateExports()
[
    {
        "address": "0x73fc2d79cc",
        "name": "Java_com_scottyab_rootbeer_RootBeerNative_setLogDebugMessages",
        "type": "function"
    },
    {
        "address": "0x73fc2d7b98",
        "name": "_ZN7_JNIEnv14GetArrayLengthEP7_jarray",
        "type": "function"
    },
    {
        "address": "0x73fc2d7ad4",
        "name": "Java_com_scottyab_rootbeer_RootBeerNative_checkForRoot",
        "type": "function"
    },
    {
        "address": "0x73fc2d7a18",
        "name": "_Z6existsPKc",
        "type": "function"
    },
    {
        "address": "0x73fc2d7bd0",
        "name": "_ZN7_JNIEnv21GetObjectArrayElementEP13_jobjectArrayi",
        "type": "function"
    },
    {
        "address": "0x73fc2d7c10",
        "name": "_ZN7_JNIEnv17GetStringUTFCharsEP8_jstringPh",
        "type": "function"
    },
    {
        "address": "0x73fc2d7c50",
        "name": "_ZN7_JNIEnv21ReleaseStringUTFCharsEP8_jstringPKc",
        "type": "function"
    }
]

@enovella
Contributor Author

enovella commented Feb 4, 2024

0x00000070e8121000 0x00000070e8125000 libtool-checker.so
0x00000073f8863000 0x00000073f8864000 linux-vdso.so.1
[0x00000000]> s 0x00000070e8121000
[0x70e8121000]> :iE
0x70e81219cc f Java_com_scottyab_rootbeer_RootBeerNative_setLogDebugMessages
0x70e8121b98 f _ZN7_JNIEnv14GetArrayLengthEP7_jarray
0x70e8121ad4 f Java_com_scottyab_rootbeer_RootBeerNative_checkForRoot
0x70e8121a18 f _Z6existsPKc
0x70e8121bd0 f _ZN7_JNIEnv21GetObjectArrayElementEP13_jobjectArrayi
0x70e8121c10 f _ZN7_JNIEnv17GetStringUTFCharsEP8_jstringPh
0x70e8121c50 f _ZN7_JNIEnv21ReleaseStringUTFCharsEP8_jstringPKc
[0x70e8121000]> :?V
{"version":"15.2.2"}

@trufae
Member

trufae commented Feb 12, 2024

Please try again. I think the bug was not in enumerateExports, but in the way we got the current module. I fixed that in r2frida, so please try again and confirm the bug is fixed now.
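The two failure modes discussed in this thread (an empty export list from the runtime API, and the wrong module being picked for an address, which is what the "unable to find module containing 0x0" error hints at) can both be made visible with a small check. The following is an added example, not code from r2frida or Frida: it resolves the module containing an address with an explicit half-open range check, enumerates that module's exports, and compares them against the names a static tool such as `rabin2 -E` or `r2 iE` reported. The module records are plain objects (`name`, `base`, `size`, `exports`) constructed here with addresses modelled on the issue; in a real Frida session you would build them from `Process.enumerateModules()` as noted in the comments.

```javascript
// Added example (not r2frida's or Frida's code). Module records are plain
// objects {name, base, size, exports}. In a Frida session you would build
// them from Process.enumerateModules(), e.g.
//   { name: m.name, base: BigInt(m.base.toString()), size: m.size,
//     exports: m.enumerateExports().map(e => e.name) }

// Constructed sample module list; base addresses are modelled on the
// issue's :il output and are not real runtime values.
const SAMPLE_MODULES = [
  { name: 'libtool-checker.so', base: 0x70e8121000n, size: 0x4000,
    exports: ['Java_com_scottyab_rootbeer_RootBeerNative_setLogDebugMessages',
              'Java_com_scottyab_rootbeer_RootBeerNative_checkForRoot',
              '_Z6existsPKc'] },
  { name: 'linux-vdso.so.1', base: 0x73f8863000n, size: 0x1000, exports: [] },
];

// Return the module whose half-open range [base, base + size) contains
// addr, or null. The end bound is exclusive: base + size belongs to the
// next mapping, not to this module.
function findModuleContaining(modules, addr) {
  const a = BigInt(addr);
  for (const m of modules) {
    const base = BigInt(m.base);
    if (a >= base && a < base + BigInt(m.size)) return m;
  }
  return null;
}

// Exports of the module containing addr. Throws with the same wording as
// the error seen in the issue when no module covers the address (e.g. 0x0
// before the target library has been loaded).
function exportsAt(modules, addr) {
  const m = findModuleContaining(modules, addr);
  if (m === null) {
    throw new Error(`unable to find module containing 0x${BigInt(addr).toString(16)}`);
  }
  return m.exports.slice();
}

// Compare runtime exports with the names a static tool reported.
// runtimeEmpty flags the exact symptom from the issue: the static view
// lists exports but the runtime API returns [].
function diffExports(staticNames, runtimeNames) {
  const rt = new Set(runtimeNames);
  const st = new Set(staticNames);
  return {
    missingAtRuntime: staticNames.filter(n => !rt.has(n)),
    extraAtRuntime: runtimeNames.filter(n => !st.has(n)),
    runtimeEmpty: runtimeNames.length === 0 && staticNames.length > 0,
  };
}

// Stand-alone demonstration on the constructed data: look up the module
// from an address inside it (the setLogDebugMessages export from the
// issue) and cross-check its exports against the static FUNC symbols.
function demo() {
  const staticNames = [
    'Java_com_scottyab_rootbeer_RootBeerNative_setLogDebugMessages',
    'Java_com_scottyab_rootbeer_RootBeerNative_checkForRoot',
    '_Z6existsPKc',
  ];
  const runtime = exportsAt(SAMPLE_MODULES, 0x70e81219ccn);
  return diffExports(staticNames, runtime);
}

console.log(JSON.stringify(demo()));
```

Feeding the static list from `rabin2 -E` and the runtime list from `enumerateExports()` into `diffExports` turns "the :iE output looks empty" into a concrete mismatch report, which is the comparison enovella did by hand above between the r2 and Frida 15 outputs.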
