📱 objection - runtime mobile exploration

SensePost

Last update: Jan 5, 2023

Related tags

Utility android security ios mobile framework instrumentation pentest frida

Overview

📱 objection - Runtime Mobile Exploration

objection is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak.

Supports both iOS and Android.
Inspect and interact with container file systems.
Bypass SSL pinning.
Dump keychains.
Perform memory related tasks, such as dumping & patching.
Explore and manipulate objects on the heap.
And much, much more...

Screenshots are available in the wiki.

installation

Installation is simply a matter of pip3 install objection. This will give you the objection command. You can update an existing objection installation with pip3 install --upgrade objection.

For more detailed update and installation instructions, please refer to the wiki page here.

license

objection is licensed under a GNU General Public v3 License. Permissions beyond the scope of this license may be available at http://sensepost.com/contact/.

Comments

frida.ProcessNotFoundError: unable to find process with name 'Gadget'

Hi there,

I just installed frida and objection to try some iOS debugging. Unfortunately I only receive errors about closed connection and missing gadget. I tried to google it and read all the docs but havent found anything. So hopefully I dont ask a stupid RTFM question.

I have

a jailbroken iPad with iOS 9.3.3
connected through USB cable
frida is installed through Cydia and the frida-server is running
objection is installed through pip

frida is capable to list the device

frida-ls-devices 
Id                                        Type    Name        
----------------------------------------  ------  ------------
local                                     local   Local System
581759c322bf                    tether  iOS Device  
tcp                                       remote  Local TCP

Process listening seems to work also:

frida-ps -Uai
PID  Name           Identifier                     
---  -------------  -------------------------------
994  Cydia          com.saurik.Cydia               
993  Kalender       com.apple.mobilecal            
290  Mail           com.apple.mobilemail           
941  Nachrichten    com.apple.MobileSMS            
  -  App Store      com.apple.AppStore             
...

When I try objection explore, for a dedicated process/gadget, I receive the following error:

objection -g "com.apple.Preferences" explore
Error: unable to find process with name 'com.apple.Preferences'

Even though the process exists.

When I run objection device_type I receive another issue:

objection device_type
Traceback (most recent call last):
  File "/root/virtual-python3/bin/objection", line 11, in <module>
    sys.exit(cli())
  File "/root/virtual-python3/lib/python3.6/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/root/virtual-python3/lib/python3.6/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/root/virtual-python3/lib/python3.6/site-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/root/virtual-python3/lib/python3.6/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/root/virtual-python3/lib/python3.6/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/root/virtual-python3/lib/python3.6/site-packages/objection/console/cli.py", line 164, in device_type
    device_name, system_name, model, system_version = get_device_info()
  File "/root/virtual-python3/lib/python3.6/site-packages/objection/commands/device.py", line 20, in get_device_info
    runner.run(hook=hook)
  File "/root/virtual-python3/lib/python3.6/site-packages/objection/utils/frida_transport.py", line 346, in run
    session = self.get_session()
  File "/root/virtual-python3/lib/python3.6/site-packages/objection/utils/frida_transport.py", line 281, in get_session
    return frida.get_usb_device(5).attach(state_connection.gadget_name)
  File "/root/virtual-python3/lib/python3.6/site-packages/frida/core.py", line 97, in attach
    return Session(self._impl.attach(self._pid_of(target)))
  File "/root/virtual-python3/lib/python3.6/site-packages/frida/core.py", line 115, in _pid_of
    return self.get_process(target).pid
  File "/root/virtual-python3/lib/python3.6/site-packages/frida/core.py", line 73, in get_process
    raise _frida.ProcessNotFoundError("unable to find process with name '%s'" % process_name)
frida.ProcessNotFoundError: unable to find process with name 'Gadget'

🐛bug help wanted

opened by HachimanSec 35

Unable to install the patched ipa file into iOS device - AMDeviceSecureInstallApplication (ios_deploy)

Unable to install the patched ipa file into iOS device

OS: MAC Catalina 10.15.5 (installed in VirtualBox) iOS Device connected : iPhone 11 (Non-Jailbroken Phone)

Logged-in using new Apple developer ID in Xcode tool and i have created Apple Development Certificates.

I created the new project in Xcode, build succeeded and installed successfully in iOS Device. But it fails when i try to install patched ipa to iOS device using ios-deploy tool.

I followed the steps mentioned in this link: https://github.com/sensepost/objection/wiki/Patching-iOS-Applications

objection patchipa --source ~/Downloads/DamnVulnerableiOSApp.ipa --codesign-signature DB788065444E6695A883E4EECE97AC215DFECD8B

Using latest Github gadget version: 12.11.17 Patcher will be using Gadget version: 12.11.17 No provision file specified, searching for one... Found provision file /Users/babugan/Library/Developer/Xcode/DerivedData/KMBTestt-estfvctxwdlbtzemjgmxlnbzvyyu/Build/Products/Debug-iphoneos/KMBTestt.app/embedded.mobileprovision expiring in 6 days, 7:49:46.062156 Found provision file /Users/babugan/Library/Developer/Xcode/DerivedData/KMBTest-bqdaayrmrlxrnlgkpesneuvtulmr/Build/Products/Debug-iphoneos/KMBTest.app/embedded.mobileprovision expiring in 6 days, 12:42:25.062156 Found a valid provisioning profile Working with app: DamnVulnerableIOSApp.app Bundle identifier is: com.highaltitudehacks.dvia Creating Frameworks directory for FridaGadget... Codesigning 1 .dylib's with signature DB788065444E6695A883E4EECE97AC215DFECD8B Code signing: FridaGadget.dylib Creating new archive with patched contents... Codesigning patched IPA... Cannot find entitlements in binary. Using defaults

Copying final ipa from /var/folders/yl/rcc7qwfd7vlf3cpb29njhxsm0000gn/T/DamnVulnerableiOSApp-frida-codesigned.ipa to current directory... Cleaning up temp files...

unzip DamnVulnerableiOSApp-frida-codesigned.ipa

Archive: DamnVulnerableiOSApp-frida-codesigned.ipa creating: Payload/DamnVulnerableIOSApp.app/ creating: Payload/DamnVulnerableIOSApp.app/_CodeSignature/ inflating: Payload/DamnVulnerableIOSApp.app/_CodeSignature/CodeResources
inflating: Payload/DamnVulnerableIOSApp.app/main-bg.png
inflating: Payload/DamnVulnerableIOSApp.app/card-bg.png
extracting: Payload/DamnVulnerableIOSApp.app/menuIcon.png
creating: Payload/DamnVulnerableIOSApp.app/en.lproj/ inflating: Payload/DamnVulnerableIOSApp.app/en.lproj/InfoPlist.strings
inflating: Payload/DamnVulnerableIOSApp.app/640_960_SplashScn.png
inflating: Payload/DamnVulnerableIOSApp.app/152x152.png
....

codesign -v --verbose DamnVulnerableIOSApp.app DamnVulnerableIOSApp.app: valid on disk DamnVulnerableIOSApp.app: satisfies its Designated Requirement

ios-deploy --bundle DamnVulnerableIOSApp.app -d -v -W
[....] Waiting for iOS device to be connected Handling device type: 1 Already found device? 0 Hardware Model: N104AP Device Name: Cloud Keybank iPhone 11 ID:151 Model Name: iPhone 11 SDK Name: iphoneos Architecture Name: arm64e Product Version: 13.5.1 Build Version: 17F80 [....] Using 00008030-000E21DA3AF0802E (N104AP, iPhone 11, iphoneos, arm64e) a.k.a. 'Cloud iPhone 11 ID:151'. ------ Install phase ------ [ 0%] Found 00008030-000E21DA3AF0802E (N104AP, iPhone 11, iphoneos, arm64e) a.k.a. 'Cloud iPhone 11 ID:151' connected through USB, beginning install [ 5%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/META-INF/ to device [ 5%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/META-INF/com.apple.ZipMetadata.plist to device [ 5%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/_CodeSignature/ to device [ 5%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/_CodeSignature/CodeResources to device [ 5%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/main-bg.png to device [ 6%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/card-bg.png to device [ 6%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/menuIcon.png to device [ 6%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/en.lproj/ to device [ 6%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/en.lproj/InfoPlist.strings to device [ 6%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/640_960_SplashScn.png to device [ 7%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/152x152.png to device [ 7%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/640x1136_SplashScn.png to device [ 7%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/120x120.png to device [ 8%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/[email protected] to device [ 8%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/slider-bg.png to device [ 8%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/[email protected] to device [ 8%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/[email protected] to device [ 8%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/[email protected] to device [ 9%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/[email protected] to device [ 9%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/Base.lproj/ to device [ 9%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/Base.lproj/Main.storyboardc/ to device [ 9%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/Base.lproj/Main.storyboardc/g9c-Ju-vFC-view-IFp-rO-8Ad.nib to device [ 10%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/Base.lproj/Main.storyboardc/cLD-LZ-seZ-view-4QP-f7-Xbj.nib to device [ 10%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/Base.lproj/Main.storyboardc/UIViewController-5xJ-MS-CJp.nib to device ... [ 49%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/Info.plist to device [ 49%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/[email protected] to device [ 49%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/57x57.png to device [ 49%] Copying /Users/babugan/Downloads/Payload/DamnVulnerableIOSApp.app/PkgInfo to device [ 52%] CreatingStagingDirectory [ 57%] ExtractingPackage [ 60%] InspectingPackage [ 60%] TakingInstallLock [ 65%] PreflightingApplication [ 65%] InstallingEmbeddedProfile [ 70%] VerifyingApplication 2020-09-24 04:06:05.229 ios-deploy[2865:916828] [ !! ] Error 0xe8008001: An unknown error has occurred. AMDeviceSecureInstallApplication(0, device, url, options, install_callback, 0)

Not sure the reason for this error from ios_deploy tool.

Similarly when check for other pathed ipa file, codesign -v --verbose KMB_QV2.app KMB_QV2.app: code object is not signed at all In architecture: arm64

Need your help to resolve this issue.
dependency apps

opened by ganesh2183 20

Error occured while extracting the APK.

root@xxx:~# objection patchapk -s com.mimikko.mimikkoui_1.8.6_29.apk --architecture arm64-v8a
Using latest Github gadget version: 10.6.54
Patcher will be using Gadget version: 10.6.54
Unpacking com.mimikko.mimikkoui_1.8.6_29.apk
An error may have occured while extracting the APK.
Exception in thread "main" java.lang.NullPointerException
	at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1792)
	at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1769)
	at org.apache.commons.io.IOUtils.copy(IOUtils.java:1744)
	at brut.androlib.res.AndrolibResources.getFrameworkApk(AndrolibResources.java:570)
	at brut.androlib.res.AndrolibResources.loadFrameworkPkg(AndrolibResources.java:112)
	at brut.androlib.res.data.ResTable.getPackage(ResTable.java:82)
	at brut.androlib.res.data.ResTable.getResSpec(ResTable.java:65)
	at brut.androlib.res.data.ResTable.getResSpec(ResTable.java:61)
	at brut.androlib.res.decoder.ResAttrDecoder.decode(ResAttrDecoder.java:39)
	at brut.androlib.res.decoder.AXmlResourceParser.getAttributeValue(AXmlResourceParser.java:369)
	at org.xmlpull.v1.wrapper.classic.XmlPullParserDelegate.getAttributeValue(XmlPullParserDelegate.java:69)
	at brut.androlib.res.decoder.XmlPullStreamDecoder$1.parseManifest(XmlPullStreamDecoder.java:97)
	at brut.androlib.res.decoder.XmlPullStreamDecoder$1.event(XmlPullStreamDecoder.java:65)
	at brut.androlib.res.decoder.XmlPullStreamDecoder.decode(XmlPullStreamDecoder.java:141)
	at brut.androlib.res.decoder.XmlPullStreamDecoder.decodeManifest(XmlPullStreamDecoder.java:153)
	at brut.androlib.res.decoder.ResFileDecoder.decodeManifest(ResFileDecoder.java:140)
	at brut.androlib.res.AndrolibResources.decodeManifestWithResources(AndrolibResources.java:199)
	at brut.androlib.Androlib.decodeManifestWithResources(Androlib.java:140)
	at brut.androlib.ApkDecoder.decode(ApkDecoder.java:100)
	at brut.apktool.Main.cmdDecode(Main.java:165)
	at brut.apktool.Main.main(Main.java:81)

App already has android.permission.INTERNET
Smali not found in smali directory. This might be a multidex APK. Searching...
Traceback (most recent call last):
  File "/usr/local/bin/objection", line 11, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.5/dist-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.5/dist-packages/objection/console/cli.py", line 219, in patchapk
    patch_android_apk(**locals())
  File "/usr/local/lib/python3.5/dist-packages/objection/commands/mobile_packages.py", line 155, in patch_android_apk
    patcher.inject_load_library()
  File "/usr/local/lib/python3.5/dist-packages/objection/utils/patchers/android.py", line 496, in inject_load_library
    raise Exception('Unable to find smali to patch!')
Exception: Unable to find smali to patch!
Cleaning up temp files...
Failed to cleanup with error: [Errno 2] No such file or directory: '/tmp/tmpqavggvwl.apktemp.objection.apk

I am not sure what happened to this app. Do you need this apk?

dependency apktool

opened by iusearch 20

[bug] A Frida agent exception has occurred cannot read property 'address' of undefined

Describe the bug When i try to watch any method of a class i ran into this error after that i updated my Frida and objection framework to see if the issue gets resolved but still getting the same error.

WARNING: Ignoring this template and not completing the fields could result in your issue simply being closed.

To Reproduce Steps to reproduce the behavior:

Run command 'ios hooking set return_value "-[FIRGetAccountInfoResponseUser emailVerified:]" true'
ios hooking watch method "-[FIRSecureTokenRequest APIKey:]" --dump-args

Both Commands result into same error. Expected behavior A clear and concise description of what you expected to happen.

Evidence / Logs / Screenshots Any output from objection, such as stack traces or errors that occurred. Be sure to run objection with the --debug flag so that errors from the agent are verbose enough to debug. For example: Getting this error when trying to dump arguments of a method call

A Frida agent exception has occurred.
TypeError: cannot read property 'address' of undefined
at [anon] (../../../frida-gum/bindings/gumjs/duktape.c:56618)
at /script1.js:10272
at frida/runtime/message-dispatcher.js:15
at o (frida/runtime/message-dispatcher.js:25)

Python stack trace: Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/objection/console/repl.py", line 371, in start_repl
self.run_command(document)
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/objection/console/repl.py", line 185, in run_command
exec_method(arguments)
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/objection/commands/ios/hooking.py", line 234, in watch_class_method
api.ios_hooking_watch_method(selector,
File "/Users/osamamahmood/Library/Python/3.8/lib/python/site-packages/frida/core.py", line 401, in method
return script._rpc_request('call', js_name, args, **kwargs)
File "/Users/osamamahmood/Library/Python/3.8/lib/python/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/Users/osamamahmood/Library/Python/3.8/lib/python/site-packages/frida/core.py", line 333, in _rpc_request
raise result[2]
frida.core.RPCException: TypeError: cannot read property 'address' of undefined
at [anon] (../../../frida-gum/bindings/gumjs/duktape.c:56618)
at /script1.js:10272
at frida/runtime/message-dispatcher.js:15
at o (frida/runtime/message-dispatcher.js:25)

Environment (please complete the following information):

Device: iPhone X
OS: iOS 13.4
Frida Version 12.8.20
Objection Version 1..9.1

apps

opened by OsamaMahmood 17

How to patch in multi-apk/app bundle scenario? Part 2

This is a follow up to https://github.com/sensepost/objection/issues/340 which was closed, and I considered reopening, but this is a separate issue seemingly so I thought a new bug report would be better.

Still trying to get objection working as per the docs.

My versions

objection version
objection: 1.9.0

apktool --version
2.4.1

javac -version
javac 1.8.0_172

java -version
openjdk version "1.8.0_172"
OpenJDK Runtime Environment (Zulu 8.30.0.1-macosx) (build 1.8.0_172-b01)
OpenJDK 64-Bit Server VM (Zulu 8.30.0.1-macosx) (build 25.172-b01, mixed mode)

adb --version
Android Debug Bridge version 1.0.41
Version 29.0.6-6198805
Installed as /Users/coltonidle/Development/Android/SDK/platform-tools/adb

As per the docs I got the path then:

adb shell pm path com.ubercab

package:/data/app/com.ubercab-7XGjq2gMXVpmTgo_g7gA==/base.apk
package:/data/app/com.ubercab-7XGjq2gMXVpmTgo_g7gA==/split_config.arm64_v8a.apk
package:/data/app/com.ubercab-7XGjq2gMXVpmTgo_g7gA==/split_config.xxhdpi.apk

then

adb pull /data/app/com.ubercab-7XGjq2gMXVpmTgo_g7gA==/base.apk
adb pull /data/app/com.ubercab-7XGjq2gMXVpmTgo_g7gA==/split_config.arm64_v8a.apk
adb pull /data/app/com.ubercab-7XGjq2gMXVpmTgo_g7gA==/split_config.xxhdpi.apk

then I tried running objection patchapk --source base.apk but it failed, so I then tried objection patchapk -D --source base.apk(I found that in a random github issue, not sure exactly why it works) and that seemed to work. I now have 4 apks (1 of them is the base.objection.apk)

I then follow your previous instructions of calling adb install-multiple.

adb install-multiple base.objection.apk split_config.arm64_v8a.apk split_config.xxhdpi.apk 
adb: failed to finalize session
Failure [INSTALL_FAILED_INVALID_APK: /data/app/vmdl248531366.tmp/split_config.arm64_v8a.apk signatures are inconsistent]

So it seems as though the signatures are different now because base.objection.apk is patched (not sure if that's intended, first time using objection/apktool).

Not sure what to do next. I did try to patch the other split_config apks, via something like objection patchapk -D --source split_config.arm64_v8a.apk but that failed with

No architecture specified. Determining it using `adb`...
Detected target device architecture as: arm64-v8a
Using latest Github gadget version: 12.8.19
Patcher will be using Gadget version: 12.8.19
Detected apktool version as: 2.4.1
Running apktool empty-framework-dir...
I: Removing 1.apk framework file...
Unpacking split_config.arm64_v8a.apk
Cannot patch an APK for Internet permission when --skip-resources is set, remove this and try again.
Traceback (most recent call last):
  File "/usr/local/bin/objection", line 8, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/objection/console/cli.py", line 358, in patchapk
    patch_android_apk(**locals())
  File "/usr/local/lib/python3.7/site-packages/objection/commands/mobile_packages.py", line 181, in patch_android_apk
    patcher.inject_internet_permission(skip_resources=skip_resources)
  File "/usr/local/lib/python3.7/site-packages/objection/utils/patchers/android.py", line 427, in inject_internet_permission
    raise Exception('Cannot --skip-resources with no Internet permission')
Exception: Cannot --skip-resources with no Internet permission
Cleaning up temp files...
Failed to cleanup with error: [Errno 2] No such file or directory: '/var/folders/25/hs76h2h56tj7m4xhlbtfj7640000gn/T/tmpkaqm5qfm.apktemp.objection.apk'

Then I tried objection patchapk --source split_config.arm64_v8a.apk and got

No architecture specified. Determining it using `adb`...
Detected target device architecture as: arm64-v8a
Using latest Github gadget version: 12.8.19
Patcher will be using Gadget version: 12.8.19
Detected apktool version as: 2.4.1
Running apktool empty-framework-dir...
Unpacking split_config.arm64_v8a.apk
Injecting permission: android.permission.INTERNET
Writing new Android manifest...
Target class not specified, searching for launchable activity instead...
Unable to determine the launchable activity using aapt, trying to manually parse the AndroidManifest for activity aliases...
Unable to determine the launchable activity for this app.
Traceback (most recent call last):
  File "/usr/local/bin/objection", line 8, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/objection/console/cli.py", line 358, in patchapk
    patch_android_apk(**locals())
  File "/usr/local/lib/python3.7/site-packages/objection/commands/mobile_packages.py", line 189, in patch_android_apk
    patcher.inject_load_library(target_class=target_class)
  File "/usr/local/lib/python3.7/site-packages/objection/utils/patchers/android.py", line 750, in inject_load_library
    target_class if target_class else self._get_launchable_activity())
  File "/usr/local/lib/python3.7/site-packages/objection/utils/patchers/android.py", line 362, in _get_launchable_activity
    raise Exception('Unable to determine launchable activity')
Exception: Unable to determine launchable activity
Cleaning up temp files...
Failed to cleanup with error: [Errno 2] No such file or directory: '/var/folders/25/hs76h2h56tj7m4xhlbtfj7640000gn/T/tmph_za7zx1.apktemp.objection.apk'

apps

opened by ColtonIdle 16

Not able to download file from Android app

Hi,

I'm currently testing objection together with the MSTG-Hacking-Playground app and I'm not able to download files.

Here's the APK:

https://github.com/OWASP/MSTG-Hacking-Playground/blob/master/Android/OMTG-Android-App/app/app-arm-debug.apk

First of all: patching ...

$ objection patchapk --source app-arm-debug.apk
No architecture specified. Determining it using `adb`...
Detected target device architecture as: arm64-v8a
Using latest Github gadget version: 11.0.12
Patcher will be using Gadget version: 11.0.12
Unpacking app-arm-debug.apk
App already has android.permission.INTERNET
Reading smali from: /var/folders/4g/4rvg_s1d44v_x_6h4qmt5wwr0000gn/T/tmpp_4vlngt.apktemp/smali/sg/vp/owasp_mobile/OMTG_Android/MyActivity.smali
Injecting loadLibrary call at line: 10
Writing patched smali back to: /var/folders/4g/4rvg_s1d44v_x_6h4qmt5wwr0000gn/T/tmpp_4vlngt.apktemp/smali/sg/vp/owasp_mobile/OMTG_Android/MyActivity.smali
Creating library path: /var/folders/4g/4rvg_s1d44v_x_6h4qmt5wwr0000gn/T/tmpp_4vlngt.apktemp/lib/arm64-v8a
Copying Frida gadget to libs path...
Rebuilding the APK with the frida-gadget loaded...
Built new APK with injected loadLibrary and frida-gadget
Signing new APK.
Signed the new APK
Performing zipalign
Zipaling completed
Copying final apk from /var/folders/4g/4rvg_s1d44v_x_6h4qmt5wwr0000gn/T/tmpp_4vlngt.apktemp.aligned.objection.apk to app-arm-debug.objection.apk in current directory...
Cleaning up temp files...

All OK so I install it to my OnePlus on Android 8.1.0. As you can see here, the file is first not there but it appears after clicking "OMTG_DATAST_001_InternalStorage". When trying to download it it throws an error.

$ objection explore
...g.vp.owasp_mobile.omtg_android on (OnePlus: 8.1.0) [usb] # file download /data/user/0/sg.vp.owasp_mobile.omtg_android/files/test_file
Downloading /data/user/0/sg.vp.owasp_mobile.omtg_android/files/test_file to test_file
Unable to download file. File is not readable
...g.vp.owasp_mobile.omtg_android on (OnePlus: 8.1.0) [usb] # ls
Type    Last Modified    Read    Write    Hidden    Size    Name
------  ---------------  ------  -------  --------  ------  ------

Readable: Yes  Writable: Yes
...g.vp.owasp_mobile.omtg_android on (OnePlus: 8.1.0) [usb] # ls
Type    Last Modified            Read    Write    Hidden    Size    Name
------  -----------------------  ------  -------  --------  ------  ---------
File    2018-06-15 18:58:01 GMT  True    True     False     41.0 B  test_file

Readable: Yes  Writable: Yes
...g.vp.owasp_mobile.omtg_android on (OnePlus: 8.1.0) [usb] # file download /data/user/0/sg.vp.owasp_mobile.omtg_android/files/test_file
Downloading /data/user/0/sg.vp.owasp_mobile.omtg_android/files/test_file to test_file


An exception occurred while processing the command. If this looks like a code related error, please file a bug report!
Error: Error: VM::GetEnv failed: -2
    at e (frida/node_modules/frida-java/lib/result.js:7)
    at frida/node_modules/frida-java/lib/vm.js:71
    at a (frida/node_modules/frida-java/lib/class-factory.js:2743)
    at o (java.js:4544)
    at stringify (native)
    at frida/runtime/core.js:50
    at c (frida/runtime/message-dispatcher.js:71)
    at e (frida/runtime/message-dispatcher.js:55)
    at t (frida/runtime/message-dispatcher.js:24)

I've tested it in the emulator on Android: 5.1.1 and the corresponding APK but got the same results.

Could you please take a look at it? Thank you so much!

🐛bug apps

opened by cpholguera 16

Frida server is not launching
I am on a non rooted device and patched an apk with objection. The app successfully patched and installed ok, however, when I run the app, it continues to load without stopping on a blank screen as frida server runs.

Steps to reproduce the behavior:

Patch apk with objection

Install patched apk

Run application and app continues to splash screen without being called.

Expected behavior: Launch app, app sits on blank screen, app awaits 'objection explore' command and continues as normal.

Error: Unable to connect to the frida server: unable to connect to remote frida-server: Unexpected lack of content trying to read a line

Environment:

Device: Galaxy S8

OS: Android 9

Frida Version latest

Objection Version latest

If this has already been solved, Id appreciate if you can link me there! If the app is just not possible to be used with objection then my bad.
❔question
opened by karmakittenx 14

Error when patching ipa

Exception:

Using latest Github gadget version: 12.7.11
Patcher will be using Gadget version: 12.7.11
No provision file specified, searching for one...
Found provision file /Users/Shehan/Library/Developer/Xcode/DerivedData/LowValueTransactions-dvqkwtuxcwydepdlwzqshjujxaiu/Build/Products/Debug-iphoneos/BOC QA UAT.app/embedded.mobileprovision expiring in 350 days, 15:52:45.716225
Found a valid provisioning profile
Working with app: BOC QA UAT.app
Bundle identifier is: com.bankofceylon.smartpayepic
Codesigning 13 .dylib's with signature 8728AA80DEEBA760DA935CD793D96D7FEEB88887
Code signing: libswiftCoreImage.dylib
Code signing: libswiftObjectiveC.dylib
Code signing: libswiftCore.dylib
Code signing: libswiftCoreGraphics.dylib
Code signing: libswiftUIKit.dylib
Code signing: libswiftMetal.dylib
Code signing: libswiftDispatch.dylib
Code signing: libswiftos.dylib
Code signing: libswiftCoreFoundation.dylib
Code signing: FridaGadget.dylib
Code signing: libswiftDarwin.dylib
Code signing: libswiftQuartzCore.dylib
Code signing: libswiftFoundation.dylib
Creating new archive with patched contents...
Codesigning patched IPA...
**Cannot find entitlements in binary. Using defaults**
**{ Error: EEXIST: file already exists, mkdir '/tmp'
    at Object.fs.mkdirSync (fs.js:885:18)
    at Object.zip (/usr/local/lib/node_modules/applesign/lib/tools.js:149:6)
    at <anonymous> errno: -17, code: 'EEXIST', syscall: 'mkdir', path: '/tmp' }**

Copying final ipa from /tmp/LowValueTransactions-frida-codesigned.ipa to current directory...
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.7/bin/objection", line 11, in <module>
    load_entry_point('objection==1.8.0', 'console_scripts', 'objection')()
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/objection/console/cli.py", line 309, in patchipa
    patch_ios_ipa(**locals())
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/objection/commands/mobile_packages.py", line 85, in patch_ios_ipa
    os.path.join(os.path.abspath('.'), os.path.basename(patcher.get_patched_ipa_path())))
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/shutil.py", line 120, in copyfile
    with open(src, 'rb') as fsrc:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/LowValueTransactions-frida-codesigned.ipa'
Cleaning up temp files...
Failed to cleanup with error: [Errno 2] No such file or directory: '/tmp/LowValueTransactions-frida-codesigned.ipa'

🐛bug dependency

opened by ShehanMadushanka 14

Failed to load the Frida native extension: DLL load failed: The specified module could not be found.

objection patchapk -s .\myapp.apk

***
Failed to load the Frida native extension: DLL load failed: The specified module could not be found.
Please ensure that the extension was compiled for Python 3.x.
***

Traceback (most recent call last):
  File "C:\Program Files\Python37\Scripts\objection-script.py", line 11, in <module>
    load_entry_point('objection==1.3.0', 'console_scripts', 'objection')()
  File "c:\program files\python37\lib\site-packages\pkg_resources\__init__.py", line 480, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "c:\program files\python37\lib\site-packages\pkg_resources\__init__.py", line 2693, in load_entry_point
    return ep.load()
  File "c:\program files\python37\lib\site-packages\pkg_resources\__init__.py", line 2324, in load
    return self.resolve()
  File "c:\program files\python37\lib\site-packages\pkg_resources\__init__.py", line 2330, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "c:\program files\python37\lib\site-packages\objection\console\cli.py", line 2, in <module>
    import frida
  File "c:\program files\python37\lib\site-packages\frida\__init__.py", line 26, in <module>
    raise ex
  File "c:\program files\python37\lib\site-packages\frida\__init__.py", line 6, in <module>
    import _frida
ImportError: DLL load failed: The specified module could not be found.

Windows 10 1803, Python 3.7.0b5 x64

frida windows

opened by megapro17 14

objection run issue

installed objection tools on mac by "pip3 install -U objection"

while accessing the tool "objection --help" it showing some error message as below python 3.6 was installed

(virtual-python3) ymac:objection apple$ objection --help

Failed to load the Frida native extension: dlopen(/Users/apple/virtual-python3/lib/python3.6/site-packages/_frida.cpython-36m-darwin.so, 2): Symbol not found: ___strlcpy_chk Referenced from: /Users/apple/virtual-python3/lib/python3.6/site-packages/_frida.cpython-36m-darwin.so Expected in: /usr/lib/libSystem.B.dylib in /Users/apple/virtual-python3/lib/python3.6/site-packages/_frida.cpython-36m-darwin.so Please ensure that the extension was compiled for Python 3.x.

Traceback (most recent call last): File "/Users/apple/virtual-python3/bin/objection", line 7, in from objection.console.cli import cli File "/Users/apple/virtual-python3/lib/python3.6/site-packages/objection/console/cli.py", line 2, in import frida File "/Users/apple/virtual-python3/lib/python3.6/site-packages/frida/init.py", line 26, in raise ex File "/Users/apple/virtual-python3/lib/python3.6/site-packages/frida/init.py", line 6, in import _frida ImportError: dlopen(/Users/apple/virtual-python3/lib/python3.6/site-packages/_frida.cpython-36m-darwin.so, 2): Symbol not found: ___strlcpy_chk Referenced from: /Users/apple/virtual-python3/lib/python3.6/site-packages/_frida.cpython-36m-darwin.so Expected in: /usr/lib/libSystem.B.dylib in /Users/apple/virtual-python3/lib/python3.6/site-packages/_frida.cpython-36m-darwin.so
help wanted

opened by naveen12 14
added unicode support during the IPA extraction

Dear All, I'm a security anlyst of QuantumLeap-Deloitte and during an activity I had some problems extracting a IPA file containing Chinese characters, so I thought to add a support for the unicode encoding.

opened by Fabiano1107 13
Issue in using Objection with corellium iOS device
I am using corellium's virtual device for testing an application. I am using USBFlux and is able to connect to the device using the command frida-ps -Ua. However, when I use the command: objection -g 1292 explore. I get the following output

Using USB device `iPhone` Unable to connect to the frida server: unable to communicate with remote frida-server; please ensure that major versions match and that the remote Frida has the feature you are trying to use

I even tried using this command: objection --network --host 10.11.1.2 -g 1292 explore. I still get the above error.

Frida version on my mac and the corellium device is 16.0.1

I am struggling with the above issue for quite some time. Please help me out.
freshissue
opened by ubaidahmedIN 0

An unexpected internal exception has occurred. If this looks like a code related error, please file a bug report!

...e.android. on (samsung: 7.1.2) [usb] # frida
An unexpected internal exception has occurred. If this looks like a code related error, please file a bug report!
'filename'

Python stack trace: Traceback (most recent call last):
  File "G:\python\Lib\site-packages\objection\console\repl.py", line 371, in start_repl
    self.run_command(document)
  File "G:\python\Lib\site-packages\objection\console\repl.py", line 185, in run_command
    exec_method(arguments)
  File "G:\python\Lib\site-packages\objection\commands\frida_commands.py", line 38, in frida_environment
    ('Script Filename', frida_env['filename']),
                        ~~~~~~~~~^^^^^^^^^^^^
KeyError: 'filename'

freshissue

opened by zicohip 0

[bug] The patched app contains an app extension with an illegal bundle identifier

Describe the bug After patching an IPA and installing using the ios-deploy, get this error. Installation tried through both ios-deploy and using the xcode device management Error 0xe800009e: This app contains an app extension with an illegal bundle identifier. App extension bundle identifiers must have a prefix consisting of their containing application's bundle identifier followed by a '.'. AMDeviceSecureInstallApplication(0, device, url, options, install_callback, 0)

To Reproduce Steps to reproduce the behavior:

Run command 'objection patchipa --source <app.ipa> --codesign-signature < certID >'
Run command 'unzip < patched >.ipa'
Run command 'ios-deploy --bundle Payload/<your.app> -W -d'

Expected behavior Should be able to install the patched app into a device

Evidence / Logs / Screenshots

objection patchipa --source ~/Downloads/com.dummy.appname-59266-prerelease.ipa --codesign-signature 9524D78A8185778D1B3EBABA560B5FE115344E28
Using latest Github gadget version: 16.0.8
Patcher will be using Gadget version: 16.0.8
No provision file specified, searching for one...
Found provision file /Users/user/Library/Developer/Xcode/DerivedData/app1-fjudncfhvclytrbveytxrghhrlit/Build/Products/Debug-iphoneos/app1.app/embedded.mobileprovision expiring in 7 days, 4:08:00.397419
Found a valid provisioning profile
Mobile provision bundle identifier is: com.dummy.test.app1
Working with app: your test.app
Bundle identifier is: com.dummy.appname-dogfood
Codesigning 2 .dylib's with signature 9524D78A8185778D1B3EBABA560B5FE115344E28
Code signing: libswift_Concurrency.dylib
Code signing: FridaGadget.dylib
Creating new archive with patched contents...
Codesigning patched IPA...
[
  '/var/folders/_n/2g909kj527l11wck90h06c4r0000gq/T/com.dummy.appname-59266-prerelease-frida.ipa.5cd7b461-3de2-4cf5-9b98-947682a8bbee/Payload/your test.app/PlugIns/IntentExtension.appex/IntentExtension',
  '/var/folders/_n/2g909kj527l11wck90h06c4r0000gq/T/com.dummy.appname-59266-prerelease-frida.ipa.5cd7b461-3de2-4cf5-9b98-947682a8bbee/Payload/your test.app/PlugIns/IntentExtensionUI.appex/IntentExtensionUI',
  '/var/folders/_n/2g909kj527l11wck90h06c4r0000gq/T/com.dummy.appname-59266-prerelease-frida.ipa.5cd7b461-3de2-4cf5-9b98-947682a8bbee/Payload/your test.app/PlugIns/NotificationContentExtension.appex/NotificationContentExtension',
  '/var/folders/_n/2g909kj527l11wck90h06c4r0000gq/T/com.dummy.appname-59266-prerelease-frida.ipa.5cd7b461-3de2-4cf5-9b98-947682a8bbee/Payload/your test.app/PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension',
  '/var/folders/_n/2g909kj527l11wck90h06c4r0000gq/T/com.dummy.appname-59266-prerelease-frida.ipa.5cd7b461-3de2-4cf5-9b98-947682a8bbee/Payload/your test.app/PlugIns/ShareExtension.appex/ShareExtension',
  '/var/folders/_n/2g909kj527l11wck90h06c4r0000gq/T/com.dummy.appname-59266-prerelease-frida.ipa.5cd7b461-3de2-4cf5-9b98-947682a8bbee/Payload/your test.app/PlugIns/WidgetsExtension.appex/WidgetsExtension'
]
Cannot resolve rpath for: @rpath/libswiftCore.dylib from /var/folders/_n/2g909kj527l11wck90h06c4r0000gq/T/com.dummy.appname-59266-prerelease-frida.ipa.5cd7b461-3de2-4cf5-9b98-947682a8bbee/Payload/your test.app/Frameworks/libswift_Concurrency.dylib
Warning: Cannot resolve dependency library: /var/folders/_n/2g909kj527l11wck90h06c4r0000gq/T/com.dummy.appname-59266-prerelease-frida.ipa.5cd7b461-3de2-4cf5-9b98-947682a8bbee/Payload/your test.app/Frameworks/libswift_Concurrency.dylib
Warning: missing file: @rpath/libswiftCore.dylib

Copying final ipa from /var/folders/_n/2g909kj527l11wck90h06c4r0000gq/T/com.dummy.appname-59266-prerelease-frida-codesigned.ipa to current directory...
Cleaning up temp files...

Environment (please complete the following information):

Device: [iPhoneXR]
OS: [iOS 14.4.1]
Frida Version [16.0.8]
Objection Version [1.11.0]

Additional context Application should have some extensions defined in it? Sorry I'm not a iOS developer, so I'm not sure of the lingo

freshissue

opened by arjun-govindaraju 0

Unable to find aapt. Install it with: apt install aapt (Kali Linux) before continuing (Windows 11)

tried this command on my windows 11 command prompt: objection patchapk --source injuredandroid_pulled.apk. then after some few minute it displayed: Unable to find aapt. Install it with: apt install aapt (Kali Linux) before continuing, so please how do i fix this am trying to patch an app for my emulator pixel 3a x86
freshissue

opened by Th3Samaritan 1

[bug] (agent.js) Unhandled null value in getBroadcastReceivers

Describe the bug

Unhandled null value in getBroadcastReceivers (agent/src/android/hooking.ts).

To Reproduce

Steps to reproduce the behavior:

Run command objection -n com.foo.bar -d start
Run command android hooking list receivers

Expected behavior

The resulting exception should be properly handled, or the value should be checked to avoid the TypeError.

Evidence / Logs / Screenshots

# android hooking list receivers

A Frida agent exception has occurred.
TypeError: cannot read property 'map' of null
    at <anonymous> (src/android/hooking.ts:487)
    at <anonymous> (src/android/lib/libjava.ts:9)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:12)
    at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:250)
    at <anonymous> (frida/node_modules/frida-java-bridge/index.js:225)
    at <anonymous> (frida/node_modules/frida-java-bridge/lib/vm.js:12)
    at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:244)
    at perform (frida/node_modules/frida-java-bridge/index.js:204)
    at <anonymous> (src/android/lib/libjava.ts:13)
    at Promise (native)
    at wrapJavaPerform (src/android/lib/libjava.ts:14)
    at getBroadcastReceivers (src/android/hooking.ts:493)
    at androidHookingListBroadcastReceivers (src/rpc/android.ts:54)
    at apply (native)
    at <anonymous> (frida/runtime/message-dispatcher.js:13)
    at c (frida/runtime/message-dispatcher.js:23)

context.getPackageManager()
          .getPackageInfo(context.getPackageName(), GET_RECEIVERS).receivers.value // <= null

Environment

Device: SM-G780G
OS: Android 12
Frida: 16.0.2
Objection: 1.11.0

Additional context

The target app statically registers a broadcast receiver in the manifest, then dynamically disables it through package manager at run time.

freshissue

opened by Ha0ris 0

Releases(1.11.0)

1.11.0(Apr 6, 2021)
notes

This release has a significant change in how iOS applications are patched. Most importantly, after some help over at nowsecure/node-applesign#113, we realised we needed to set the bundle id and add the entitlement cloning flag. By default objection will now parse the bundleid from your .mobileprovision file automatically, but if you need to set it to something else, you can use the new -b flag on the patchipa command.

fixes

Correctly parse apktool versions, even if build from source. (https://github.com/sensepost/objection/commit/554c6c660b2e68627ff845301cdd664836eef9ee) (via #449) (thanks @No-Cellist-7780)

Improve support for patching iOS applications using a free developer account. (https://github.com/sensepost/objection/commit/bb33bce3ca9c36482951081e3d3721645f963124)

other

Bump agent dependencies (https://github.com/sensepost/objection/commit/23ba6b09dab9ef6c4d2e18812e17b8b92e97197a)

Formatting fixes (https://github.com/sensepost/objection/commit/7724481889cb8873f3bf94ad63f8c8ab23ad7618)

Code Diff Since v1.10.1
Source code(tar.gz)
Source code(zip)
1.10.2(Mar 30, 2021)
fixes

Don't crash the agent if no matches were found when using the memory search command (https://github.com/sensepost/objection/commit/24582bb9fd1c83155436d6d0b8719cfecbd68028)

Handle keychain entries that have the kSecAttrSynchronizable flag set (https://github.com/sensepost/objection/commit/8560d7586310145568b4b4f1dfa71c84e3b005a8) (thanks @jpstotz)

other

Bump agent dependencies (https://github.com/sensepost/objection/commit/1af959f49478ac679fd78ae8d87389745bf32f0d)

Code Diff Since v1.10.0
Source code(tar.gz)
Source code(zip)
1.10.1(Mar 2, 2021)
fixes

Fix import check for objc_release indicating that ARC is enabled (https://github.com/sensepost/objection/commit/3b8cc593162a1f8aba0b83843105d1e9958e880c)

Code Diff Since v1.10.0
Source code(tar.gz)
Source code(zip)
1.10.0(Feb 24, 2021)
new

Add the android hooking list class_loaders command to list the available class loaders (https://github.com/sensepost/objection/commit/b0710ed221ceaf73bc380800d2d7c7dcc1944a14)

Add the objection signapk command to sign multiple apk's using the objection certificate. NOTE: This commit also changes the internal signer used from jarsigner to apksigner (available in the Kali repo) (https://github.com/sensepost/objection/commit/724019a486d410b0b5d83e6d765158b1972b26a8) (via #375) (thanks @mtschirs)

Add wildcard class name support for Android method hooking (https://github.com/sensepost/objection/commit/0dee9d68638a2b32dfdcba45526012ce532d7a1f) (via #383) (thanks @bet4it)

Add the ability to specify an already decoded AndroidManifest to the patchapk command such that --skip-resources could still be used under certain conditions (https://github.com/sensepost/objection/commit/93700023499e471b43585957c079fdef8b21496b) (via #407) (thanks @agreenbhm)

Improve the iOS biometrics bypass hook by also hooking evaluateAccessControl. (https://github.com/sensepost/objection/commit/2977c8a03a1111c352606352d9b68c12a5e4f7df) (via #411) (thanks @jnovak-praetorian)

Add a new ios monitor crypto command to monitor CommonCrypto usage in real time. (https://github.com/sensepost/objection/commit/746d08d6bfa5d314c5efe89ff3335135b8dea139) (via #430) (thanks @gagnonca)

Add a new android proxy set command to set the proxy server used by a specific Android app and not the whole OS. (https://github.com/sensepost/objection/commit/91d131174a3141176a0e6e3c783be72651cb88c3) (via #439) (thanks @GOAT-FARM3R)

Add a new android deoptimize command to disable all optimizations, forcing the android VM to execute via the interpreter. This could help with some missed hooks (https://github.com/sensepost/objection/commit/a34359165fff68fa219473e83208f8ee0816b9a0)

fixes

Improve error handling when the remote Frida version does not match the local version (https://github.com/sensepost/objection/commit/6b7baf8b0610643b701bcbf00e6f1b1e9edae113)

Silence errors that may have occurred while checking for updates (https://github.com/sensepost/objection/commit/925d2bc83e04e8bcb196e46894ca7acbe9b33bb8)

Improve the sqlite connect command to also download SQLite specific temp files if they are available (https://github.com/sensepost/objection/commit/772154f12e146fa6f79f41d0d54e4a5994b3227f) (via #392) (thanks @mame82)

Revert an older JSON.stringify patch to properly display hooked arguments for Android hooks again (https://github.com/sensepost/objection/commit/675a88f174acb8619abced5c6058717e7d326d3b) (via #414) (thanks @ido77778)

other

Update agent dependencies (https://github.com/sensepost/objection/commit/7a727a08f0779d2d5dc7713579965781a6f9f653)

Update agent dependencies (https://github.com/sensepost/objection/commit/618c08759a52241a8d2336c681bcccfbf97e07ba)

Target es2020 for the agent. This makes Frida 14+ a requirement for QuickJS (https://github.com/sensepost/objection/commit/1e79aa336f10a80c8e474257e037b6abfd47e51f)

Major Frida agent dependency bump to latest versions (https://github.com/sensepost/objection/commit/d5642c3fa13284e8b71138cb707253cbdccc78e3)

Reduce the length of generated job ids (https://github.com/sensepost/objection/commit/dc104f8e80687d875bb958aebb640d51434fb9b8)

Add warnings about loaded classes when hooking (https://github.com/sensepost/objection/commit/8abb553a1d7cc78384e127d7d24799ec177b001a) (via #403) (thanks @TheDauntless)

Code Diff Since v1.9.6
Source code(tar.gz)
Source code(zip)
1.9.6(Aug 13, 2020)
new

The pwd command will now do the same as pwd print, fixing #395 (https://github.com/sensepost/objection/commit/b550b9449ec8c5048b232bf0cf1323210b711b2b)

Plugins can now extend the HTTP API by returning a Flask Blueprint in the http_api method of the plugin itself. An example plugin that does this is included here, and will be exposed when specifying the -a flag to the explore command. (https://github.com/sensepost/objection/commit/a2d988bf8114e27101b27aec461705038e0bb87c)

Add new hooks to the iOS jailbreak bypass module for calls to fopen and -[UIApplication canOpenURL:]. Thanks @haxxinen (#390)

fixes

Major update checker refactor. The update checker will now only fire once a day, and will store version information in ~/.objection/version_info. This commit also fixed #386 (https://github.com/sensepost/objection/commit/bca97762497783e8cc5929b4dd4c32427316d4c9)

other

Bump agent dependencies (https://github.com/sensepost/objection/commit/4fd28182f7171ca820c11794965a89b81506d6d0)

Bump lodash version (https://github.com/sensepost/objection/commit/9e99a012ccc176a76c1b50ef5febe675226f81de)

Bump agent dependencies (https://github.com/sensepost/objection/commit/76848d803d262fbd6a7764440d1d6018e1db3af9)

Code Diff Since v1.9.5
Source code(tar.gz)
Source code(zip)
1.9.5(Jun 29, 2020)
fixes

Fix exceptions thrown when version checking. Thanks @MarshalX (#382)

Refactor (and fix) Android Heap interaction features to better survive future Frida upgrades :D (https://github.com/sensepost/objection/commit/e46044509a407e115d1e01dc149b381d016475ed)

other

Bump agent dependencies (https://github.com/sensepost/objection/commit/45dd99a75750e397dffb63817e83a881d5704a6c)

Bump agent dependencies (https://github.com/sensepost/objection/commit/9605949dca750c1e4eb04179d83eac7c8ae1ad83)

Bump agent dependencies (https://github.com/sensepost/objection/commit/10c7f57794ab5c6464eecbcb8ee1b921c4d6c7a2)

Bump @types/frida-gum (https://github.com/sensepost/objection/commit/a3c3ba8d222484f880506cd0be24b25223321fa6)

Bump frida-objc-bridge version (https://github.com/sensepost/objection/commit/c897944f12883e63faa87fe4cc805ab8ceb55dc6)

Code Diff Since v1.9.4
Source code(tar.gz)
Source code(zip)
1.9.4(May 27, 2020)
fixes

Fix path for embedding scripts on Android platforms (https://github.com/sensepost/objection/commit/1db2da7a4db71e608acd8f02a487dc6a662defec)

Code Diff Since v1.9.3
Source code(tar.gz)
Source code(zip)
1.9.3(May 26, 2020)
fixes

Improve error handling when the --skip-resources flag is used. Thanks @mtschirs (#374)

Exclude leanback activities (AndroidTV) from launchable activity detection in the Android patcher. Thanks @mtschirs (#374)

Ensure that ObjC API's are not called if they are not needed. Fixes #377 (https://github.com/sensepost/objection/commit/8e53e4bce4b3ff67d23dde83db973edc3d82aa2c)

other

Bump agent dependencies (https://github.com/sensepost/objection/commit/4f3ee36e3c3bfff9b39eba06eb918376c4ffbfa8)

Disable compression in agent builds. This was messing with line numbers in the generated source map (https://github.com/sensepost/objection/commit/ac94e705f75daa4ad7c4d694a5630e17ddc1780a)

Code Diff Since v1.9.2
Source code(tar.gz)
Source code(zip)
1.9.2(May 10, 2020)
new

Expose the ping command to the CLI to check if the agent is alive and responds. (https://github.com/sensepost/objection/commit/fee42b3947a9c7d3e22b10305e1c8b130d923821)

fixes

Fix a typo in the android hooking generate simple command. Thanks @Techbrunch (#360)

Add missing quotes to the ios hooking watch method command help file (https://github.com/sensepost/objection/commit/a5a1edb4bda424f25c5529f31313d4d706afef54)

Improve error reporting when hooking iOS selectors (https://github.com/sensepost/objection/commit/0a206c8401c326fdf0b11b2f0fa1ab472b55a3dc)

Improve Windows apktool version detection, again (https://github.com/sensepost/objection/commit/46f8d0cc12fb425005e332947a6c9d197a8af243)

other

Bump agent dependencies (https://github.com/sensepost/objection/commit/a69fffc4f813456a2400a4f0d960e3bfea75764d)

Code Diff Since v1.9.1
Source code(tar.gz)
Source code(zip)
1.9.1(Apr 7, 2020)
new

Extend support for embedding a gadget configuration and script added in version 1.9.0 to iOS IPA's. Thanks @interference-security (#349)

Automatically toggle extractNativeLibs to false in Android manifests (with a flag to leave the value untouched). Thanks @StingraySA (#353)

Refactor the ios keychain add command. The --key flag has been removed in favour of the --account and --service flags, allowing for more granular setting of attributes for a keychain item. (https://github.com/sensepost/objection/commit/4dadfc497864ff8d0eeff6b4d4468a1645558a95)

fixes

Improve apktool version parsing on Windows (https://github.com/sensepost/objection/commit/79aa7ed881789e5c9458e6a09573bbc848c02441)

Fix command line overload parsing for the android watch class_method command (https://github.com/sensepost/objection/commit/f08cc24cd9bde142c754876690877f5cc5071b84)

Improve shell command argument. Thanks @dvalter (#355)

other

Bump agent dependencies (https://github.com/sensepost/objection/commit/cf204a0e28f247e2aa760f03dc74e30a1928788b)

Code Changes Since v1.9.0
Source code(tar.gz)
Source code(zip)
1.9.0(Mar 29, 2020)
new

Add the --inline flag to the ios heap execute js command, allowing for inline JavaScript evaluation on iOS heap objects. (https://github.com/sensepost/objection/commit/956056aab6d18bbc37105902996102f02a492a67)

Add a new --unzip-unicode flag to the iOS IPA patcher to treat the IPA name as unicode. Thanks @Fabiano1107 (#309)

Add the ability to patch in a gadget configuration and script to Android APK's, making it possible to eternalise scripts without needing a computer. Note: This is an Android only feature for now and needs porting for iOS. For more information, please see: https://frida.re/docs/gadget/. Thanks @gergesh (#329)

Improve the Android method watcher by dumping information about objects instead of simply showing [object, object] for the argument. Thanks @arielmiki (#334)

Improve anti-frida evasion by using a different prefix for .dex files generated by Java.registerClass(). An example patch to recompile the Android frida-server with the name frida renamed to freeda can be seen here. (https://github.com/sensepost/objection/commit/d1035e566cef7e4e4c139258ee6d112adafa09af)

Add a new android keystore watch command. This command will report usages of the java.security.KeyStore class, revealing the password used when accessing items. (https://github.com/sensepost/objection/commit/0513b2d780092eedc95390db51c27c895606f241)

fixes

Fix android hooking set return_value crashing when no optional overload is set. Thanks @root-intruder (#307)

Fix suggested package name for jarsigner on Linux. Thanks @RomainL972 (#327)

Update the iOS biometrics bypass script to handle cases where applications check for an error rather than if a success status was returned. Thanks @gagnonca (#333)

Android patcher improvements. This comes mostly by enforcing the use of apktool version 2.4.1 and up, as well as by automatically running the empty-framework-dir command before patching. Information about upgrading apktool can be found in the wiki here. (https://github.com/sensepost/objection/commit/46288b5c7b708837bf15e03e44f3d45fa24f148f)

Fix Android root detection scripts that were pretty horribly broken 😂 (https://github.com/sensepost/objection/commit/539fc306ca88b6f4f47c486d195c18e896280af6)

other

Bump Python dependencies (https://github.com/sensepost/objection/commit/e09e7bda54e188b3119b0c3c52e6be9f4cb68860)

Bump agent dependencies (https://github.com/sensepost/objection/commit/326b28ec330802cfea0509d96e0c7a1551125c37, https://github.com/sensepost/objection/commit/ae91da03e55e3b0dcd7aa33d03cd6d89ffd51ad3, https://github.com/sensepost/objection/commit/1b78cb36123e5cb7d1b03d5fdf3cd2d8257f9c20, https://github.com/sensepost/objection/commit/d672f1a554212167d922c6260bfe2800c8ef3e3c, https://github.com/sensepost/objection/commit/2ee2dda2f9c356190963099ec174d0ecdafcb6c4, https://github.com/sensepost/objection/commit/5583264e7d4fca67e511ec2525d0d43149f9593c)

Remove support for Python 3.5 (https://github.com/sensepost/objection/commit/1b198e8fca04218f2994d24e08e37225437794dc)

Code cleanups. (https://github.com/sensepost/objection/commit/be95b6006038ccb1b9985a4174b596a4b0e86836, https://github.com/sensepost/objection/commit/b63f6fb2ccaf6e32eb12617042beed5d0f3765d7)

Code Changes Since v1.8.4
Source code(tar.gz)
Source code(zip)
1.8.4(Feb 11, 2020)
other

Temporarily pin the frida-tools version, pending upstream upgrades.

Code Changes Since v1.8.3
Source code(tar.gz)
Source code(zip)
1.8.3(Dec 2, 2019)
fixes

Improve Kotlin app repackaging support (thanks @dnet via #299)

Improve iOS 13 SSL pinning bypass support (thanks @tmm1 via #301)

other

Bump agent dependencies

Code Changes Since v1.8.2
Source code(tar.gz)
Source code(zip)
1.8.2(Nov 5, 2019)
fixes

Fix Android overload filter (thanks @jpacg via #293)

Code Changes Since v1.8.1
Source code(tar.gz)
Source code(zip)
1.8.1(Oct 22, 2019)
fixes

Improve plugin loading when specifying a folder with multiple plugins

Code Changes Since v1.8.0
Source code(tar.gz)
Source code(zip)
1.8.0(Oct 19, 2019)
new

Add a libboringssl SSL pinning bypass for iOS 11+ (thanks @NickstaDB via #281)

Multiple Android APK patcher improvements which include better support for Kotlin coroutines, a flag to use aapt2 with apktool and better error handling. (thanks @dnet via #282, #283 and #284)

Add the ability to watch a specific Java method overload, or set a return value for a specific method overload (thanks @aph3rson via #239)

Add a new iOS command to dump raw, unparsed and unformatted data from the keychain. This is available as the ios keychain dump_raw command and should be used in conjunction with the original dump command to make sure no parsing errors have occurred.

Add a new file cat command that will perform cat-like activities, added for convenience. Only ASCII printable characters in the target file will be echoed to screen. For any other processing, files should still be downloaded and processed locally.

Add new Frida hook generator commands to quickly get ready to use, boilerplate code for your own Frida hooks. Two flavours are available; a simple and class version. The version you choose will depend on your use case, so feel free to experiment!

Completely refactor SQLite database interactions, removing the old implementation and replacing it with LiteCli. Running the sqlite connect database.sqlite command will now automatically drop you into a litecli REPL. If you want to make changed to the target database, add the --sync flag. This way, once you quit from the litecli REPL, the modified database will be synchronized back to the device.

fixes

Improve RPC messaging from the JavaScript agent to the Python environment.

other

Update the Frida agent's dependencies, bumping @types/frida-gum to version 14.

Code Changes Since v1.7.5
Source code(tar.gz)
Source code(zip)
1.7.5(Oct 1, 2019)
new

Add the plugins directory with some sample plugins.

fixes

Improve the iOS keychain dumper to handle entries with empty data.

other

Update the Frida agent's dependencies.

Code Changes Since v1.7.4
Source code(tar.gz)
Source code(zip)
1.7.4(Aug 27, 2019)
fixes

Change the iOS patcher shorthand flag used when specifying a provisioning profile to an upper case P. Lower case was conflicting with the --pause / -p flag.

Code Changes Since v1.7.3
Source code(tar.gz)
Source code(zip)
1.7.3(Aug 21, 2019)
new

Add an Android Cordova SSL pinning bypass for applications that make use of SSLCertificateChecker-PhoneGap-Plugin. Thanks @clviper.

other

Bump agent dependencies.

Code Changes Since v1.7.2
Source code(tar.gz)
Source code(zip)
1.7.2(Aug 15, 2019)
fixes

Escape APK package names causing parsing errors for the Android patcher.

Stop the iOS IPA patcher if a valid provisioning profile was not found.

other

Bump agent dependencies.

Code Changes Since v1.7.1
Source code(tar.gz)
Source code(zip)
1.7.1(Aug 14, 2019)
new

Add the ability to pause iOS IPA patching to allow for manual changes before repackaging and code signing. This is done by adding a --pause flag to the patchipa command.

Code Changes Since v1.7.0
Source code(tar.gz)
Source code(zip)
1.7.0(Aug 11, 2019)
new

Add new iOS and Android heap interaction methods. These new commands allow you to performs various tasks under the <target> heap command context.

Add a small JavaScript editor for simple scripts using the evaluate command.

Add an iOS binary protections enumeration module.

Add an on device HTTP server.

fixes

Fix Android Activity launching

Complete the iOS file delete feature.

Fix duplicate entries created when adding the Android debuggable flag or a Network Security Config.

Fix iOS keychain data hex string conversions.

other

Upgrade frida-compile to v9.

Code Changes Since v1.6.6
Source code(tar.gz)
Source code(zip)
1.6.6(Jun 23, 2019)
fixes

Fix ascii art 💥

Improve iOS SSL pinning bypass stability.

Improve internal jobs cleanup logic.

other

Cleanup agent TSConfig and replace frida-gum-types with @types/frida-gum.

Code Changes Since v1.6.5
Source code(tar.gz)
Source code(zip)
1.6.5(Jun 7, 2019)
new

The iOS keychain dumper will now add a key called dataHex when dumping entries with the --json flag. This key is a hex string of the raw data from the keychain.

The iOS keychain dumper has a new --smart flag to trigger automatic decoding of data fields. Without this flag (the default), entries are UTF8 encoded.

fixes

Improve the iOS keychain dumper's reliability.

other

Bump agent dependencies

Code Changes Since v1.6.4
Source code(tar.gz)
Source code(zip)
1.6.4(May 22, 2019)
new

Add the ability to enumerate an iOS apps' included frameworks observable by NSBundle. This is available as the new ios bundles list_frameworks command.

Add a new --target-class flag to the Android patcher to inject a loadLibrary call for a Frida gadget in any arbitrary class' constructor (for example, to run before an applications onCreate()). The default is still to use the apps main launchable activity.

Add a new SSL Pinning bypass hook for iOS Cordova applications making use of this plugin. Thanks @aph3rson.

fixes

Improve application stability for the Android patcher when injecting a loadLibrary call into an existing class constructor by correctly incrementing the .locals count.

other

Bump agent dependencies

Code Changes Since v1.6.3
Source code(tar.gz)
Source code(zip)
1.6.3(Apr 11, 2019)
new

Add the ability to enumerate the currently active Android activity. This can be done with the new android hooking get current_activity command.

Add a new R class helper to the agent for Android hooks.

fixes

Fix networked Frida connections. The the --host and --network flags will work again as intended.

Fix spawning on iOS (using a jailbroken environment) (thanks @aph3rson)

Code Changes Since v1.6.2
Source code(tar.gz)
Source code(zip)
1.6.2(Apr 2, 2019)
new

Add the ability to save modules and module exports as json.

fixes

Improve error handling when downloading Frida gadgets.

thanks

This release contains commits primarily contributed by @AV-IO 🎉

Code Changes Since v1.6.1
Source code(tar.gz)
Source code(zip)
1.6.1(Apr 1, 2019)
fixes

Fix Frida remote connection capability. Specifying a host and port will be done in a future release.

Small typing fixes in the agent

Code Changes Since v1.6.0
Source code(tar.gz)
Source code(zip)
1.6.0(Mar 29, 2019)
new

Implement Frida crash reporting.

Add warnings before clearing the iOS keychain or the Android Keystore.

Report the Frida runtime in use as part of the frida command.

Add inspection of live instances of Java objects. This feature is available as a new command: android heap print_instances <class>.

Add an Android method searcher. This is available as a new command: android hooking search methods <search string>.

Add plugin support (thanks @SpeedyFireCyclone). For more information, see the wiki article here. Sample plugins can be seen here (Sample plugin used in tests), here (Stetho sideloader) and here (Objections clipboard monitor as a plugin).

Add the ability to delete files on an Android device. This is implemented as the rm command.

fixes

Fix class enumeration in the Android class watcher where methods with generics broke parsing.

Fix a cache key invalidation issue when uploading files.

Code Changes Since v1.5.4
Source code(tar.gz)
Source code(zip)
1.5.4(Mar 22, 2019)
fixes

Enumerate writable pages when searching memory with the memory search command

new

Improve the visual feedback of the memory search command. Small hexdump snippets will now be returned unless the --offsets-only flag is provided.

other

Bump the Frida agents' dependencies.

Code Changes Since v1.5.3
Source code(tar.gz)
Source code(zip)