Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

R2Pay crashes on arm64 with "Bad access due to invalid address" #1

Open
enovella opened this issue Jan 24, 2022 · 4 comments
Open

R2Pay crashes on arm64 with "Bad access due to invalid address" #1

enovella opened this issue Jan 24, 2022 · 4 comments
Assignees
@FrenchYeti
Labels
bug Something isn't working

Comments

@enovella
Copy link

It seems this crash is not produced by the RASP inside R2pay:

[14:30 edu@xps radare2]  (master)>  frida --codeshare FrenchYeti/android-arm64-strace -H 127.0.0.1:27042 -f re.pwnme --no-pause
     ____
    / _  |   Frida 15.1.14 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `re.pwnme`. Resuming main thread!                               
[Remote::re.pwnme]-> [STARTING TRACE] UID=0 Thread 14474
Process crashed: Bad access due to invalid address

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/walleye/walleye:11/RP1A.200720.009/6720564:user/release-keys'
Revision: 'MP1'
ABI: 'arm64'                                                                                                                                                                 
Timestamp: 2022-01-24 08:30:41-0500
pid: 14474, tid: 14474, name: re.pwnme  >>> re.pwnme <<<
uid: 10250
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x1f03e036000074
    x0  0000007c520841a4  x1  0000007c36a3c658  x2  0000007bf23b3970  x3  0000000000000001
    x4  0000007bf23b70f4  x5  0000000000000000  x6  0000000000000040  x7  7f7f7f7f7f7f7f7f
    x8  0000007ee78eb000  x9  0000007c523f8000  x10 0000007b00000007  x11 0000000000000001
    x12 0000000001120197  x13 0000007c50a5e09c  x14 0000007c522bd998  x15 0000007c522bd998
    x16 0000000000000001  x17 0000000000000000  x18 0000000000000000  x19 0000007c36a3c658
    x20 2a1f03e036000074  x21 2a1f03e036000060  x22 0000007dc2411be0  x23 0000007c520841a4
    x24 0000007d32411160  x25 0000000000000004  x26 0000007ee78eb000  x27 0000007fdec4dac8
    x28 0000000000000139  x29 0000007fdec4d4b0
    lr  0000007c520841a4  sp  0000007fdec4d470  pc  0000007c36a3cae8  pst 0000000080000000
backtrace:
      #00 pc 000000000001cae8  <anonymous:7c36a20000>
      #01 pc 00000000003411a0  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x341000) (art::jit::Jit::MaybeDoOnStackReplacement(art::Thread*, art::ArtMethod*, unsigned int, int, art::JValue*)+112) (BuildId: d0f321775158ed00df284edfabf672b6)
      #02 pc 00000000003411a0  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x341000) (art::jit::Jit::MaybeDoOnStackReplacement(art::Thread*, art::ArtMethod*, unsigned int, int, art::JValue*)+112) (BuildId: d0f321775158ed00df284edfabf672b6)
      #03 pc 0000000000172b88  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x16a000) (void art::interpreter::ExecuteSwitchImplCpp<true, false>(art::interpreter::SwitchImplContext*)+35408) (BuildId: d0f321775158ed00df284edfabf672b6)
      #04 pc 000000000013f7d8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x13f000) (ExecuteSwitchImplAsm+8) (BuildId: d0f321775158ed00df284edfabf672b6)
      #05 pc 00000000001a22e8  /system/framework/framework.jar (android.app.ActivityThread.updateDefaultDensity)
      #06 pc 00000000003095d8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x309000) (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.7618685802058321727)+528) (BuildId: d0f321775158ed00df284edfabf672b6)
      #07 pc 0000000000311840  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x311000) (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+200) (BuildId: d0f321775158ed00df284edfabf672b6)
      #08 pc 0000000000313b5c  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x311000) (bool art::interpreter::DoCall<true, true>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+1692) (BuildId: d0f321775158ed00df284edfabf672b6)
      #09 pc 00000000001755f8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x16a000) (void art::interpreter::ExecuteSwitchImplCpp<true, false>(art::interpreter::SwitchImplContext*)+46272) (BuildId: d0f321775158ed00df284edfabf672b6)
      #10 pc 000000000013f7d8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x13f000) (ExecuteSwitchImplAsm+8) (BuildId: d0f321775158ed00df284edfabf672b6)
      #11 pc 000000000019dacc  /system/framework/framework.jar (android.app.ActivityThread.handleBindApplication)
      #12 pc 00000000003095d8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x309000) (art::interpreter::Execute(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame&, art::JValue, bool, bool) (.llvm.7618685802058321727)+528) (BuildId: d0f321775158ed00df284edfabf672b6)
      #13 pc 00000000006740c0  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x674000) (artQuickToInterpreterBridge+776) (BuildId: d0f321775158ed00df284edfabf672b6)
      #14 pc 000000000013cff8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x13c000) (art_quick_to_interpreter_bridge+88) (BuildId: d0f321775158ed00df284edfabf672b6)
      #15 pc 0000000000133564  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x133000) (art_quick_invoke_stub+548) (BuildId: d0f321775158ed00df284edfabf672b6)
      #16 pc 00000000001a97e8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x1a9000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+200) (BuildId: d0f321775158ed00df284edfabf672b6)
      #17 pc 000000000055b830  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x480000) (art::JValue art::InvokeWithVarArgs<art::ArtMethod*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, art::ArtMethod*, std::__va_list)+448) (BuildId: d0f321775158ed00df284edfabf672b6)
      #18 pc 000000000055bcf4  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x480000) (art::JValue art::InvokeWithVarArgs<_jmethodID*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+92) (BuildId: d0f321775158ed00df284edfabf672b6)
      #19 pc 0000000000427560  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x394000) (art::JNI<true>::CallNonvirtualVoidMethodV(_JNIEnv*, _jobject*, _jclass*, _jmethodID*, std::__va_list)+656) (BuildId: d0f321775158ed00df284edfabf672b6)
      #20 pc 000000000037ded8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x367000) (art::(anonymous namespace)::CheckJNI::CallMethodV(char const*, _JNIEnv*, _jobject*, _jclass*, _jmethodID*, std::__va_list, art::Primitive::Type, art::InvokeType)+2576) (BuildId: d0f321775158ed00df284edfabf672b6)
      #21 pc 000000000036c9e8  /apex/com.android.art/lib64/libart.so!libart.so (offset 0x367000) (art::(anonymous namespace)::CheckJNI::CallNonvirtualVoidMethod(_JNIEnv*, _jobject*, _jclass*, _jmethodID*, ...)+144) (BuildId: d0f321775158ed00df284edfabf672b6)
      #22 pc 0000000000002b94  /dev/re.frida.helper/frida-server-64.so (offset 0x740000)
***
[Remote::re.pwnme]->                                                                                                                                                         

Thank you for using Frida!
[14:30 edu@xps radare2]  (master)>
@FrenchYeti
Copy link
Owner

FrenchYeti commented Jan 24, 2022
edited
Loading

Yes, i tested and i had same issue. I didn't start to search the cause, but r2pay results are better when tracing starts when libnative is loading or when app started

It will trace all (but not follow fork/clone/ ... yet) when app is loaded :

Java.perform(()=> {

    Interruptor
        .newAgentTracer({
            exclude: {
                syscalls: ["clock_gettime"]
            }
        })
        .start();

});

It is also possible to do that:

 Interruptor
        .newAgentTracer({
            exclude: {
                syscalls: ["clock_gettime"]
            }
        })
        .startOnLoad(/libnative-lib/g);

@FrenchYeti FrenchYeti self-assigned this Jan 24, 2022
@FrenchYeti FrenchYeti added the bug Something isn't working label Jan 24, 2022
@apkunpacker
Copy link

for me

$ frida -H 127.0.0.1:1234 -f re.pwnme --codeshare FrenchYeti/android-arm64-strace --no-pause
     ____
    / _  |   Frida 15.1.14 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit                                                         . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `re.pwnme`. Resuming main thread!
[Remote::re.pwnme]-> [STARTING TRACE] UID=0 Thread 31147
[/apex/com.android.runtime/lib64/bionic/libc.so +0xa74]   SVC :: 0x42   writev (  fd = 2  undefined   , const struct iovec *vec = 0x7fde3bc1b8 , unsigned long vlen = 0x2  )    > 0x2e
[/apex/com.android.runtime/lib64/bionic/libc.so +0x614]   SVC :: 0xc6   socket (  int = 0x1 , int = 0x80802 , int = 0x0  )    > 0x3e
[/apex/com.android.runtime/lib64/bionic/libc.so +0x2f4]   SVC :: 0xcb   connect (  int = 0x3e , struct sockaddr * = 0x7fde3bc0c0 , int = 0x6e  )    > 0x0
[/apex/com.android.runtime/lib64/bionic/libc.so +0xa74]   SVC :: 0x42   writev (  fd = 62  undefined   , const struct iovec *vec = 0x7fde3bc0c0 , unsigned long vlen = 0x6  )    > 0x3f
[/apex/com.android.runtime/lib64/bionic/libc.so +0x3bc]   SVC :: 0x39   close (  fd = 62  undefined    )    > 0x0
[/apex/com.android.runtime/lib64/bionic/libc.so +0xf94]   SVC :: 0xde   mmap (  start_addr = 0x0 , size = 0x46 , prot = PROT_READ | PROT_WRITE , flags = MAP_PRIVATE | MAP_ANONYMOUS , fd = -1 IGNORED   offset = 0x0  )    > 0x7916e39000
[/apex/com.android.runtime/lib64/bionic/libc.so +0xd4]   SVC :: 0xa7   prctl (  opt = PR_SET_VMA , unsigned long arg2 = 0x0 , unsigned long arg3 = 0x7916e39000 , unsigned long arg4 = 0x46 , unsigned long arg5 = 0x79168638da  )    > 0x0
[/apex/com.android.runtime/lib64/bionic/libc.so +0x554]   SVC :: 0x87   rt_sigprocmask (  int how = 0x2 , sigset_t *set = 0x7fde3bc5a0 , sigset_t *oset = 0x0 , size_t sigsetsize = 0x8  )    > 0x0
[/apex/com.android.runtime/lib64/bionic/libc.so +0x3bc]   SVC :: 0xac   getpid (  )    > 0x79ab
[/apex/com.android.runtime/lib64/bionic/libc.so +0x3bc]   SVC :: 0xb2   gettid (  )    > 0x79ab
[/apex/com.android.runtime/lib64/bionic/libc.so +0xcd4]   SVC :: 0xae   getuid (  )    > 0x28d2
Process terminated

@FrenchYeti
Copy link
Owner

Ok, in my case i don't use "--no-pause"

@apkunpacker
Copy link

Ok, in my case i don't use "--no-pause"

may be because i removed those rootbear checks from apk manually

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@FrenchYeti FrenchYeti

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@FrenchYeti @enovella @apkunpacker