FATAL ERROR after patch PluginKit validation

Question

FATAL ERROR after patch PluginKit validation

jluo98 opened this issue 2 years ago · 12 comments

Describe the bug
The decrypt process always fails with FATAL ERROR at patch PluginKit validation. Adding --no-extension would prevent the error (decrypted app would have no extensions of course).
砸壳失败，总是在patch PluginKit validation的时候出现FATAL ERROR。用--no-extension可避免错误（当然，出来的app就没有extension了）。

To Reproduce

Clone and set up the repo
Run ./go.js com.tencent.xin
Process stops after patch PluginKit validation prompting FATAL ERROR and [Error: The connection is closed]

Expected behavior
Successfully decrypt app with all extensions.

Screenshots
Logs

Desktop (please complete the following information):

OS: macOS 13.1
nodejs: v16.13.0
frida-node: v16.0.7
frida on device version: v16.0.7
iOS and jailbreak version: iOS 15.1 with Palera1n on iPhone 7 Plus
The app you are trying to work on: com.tencent.xin

Additional context
I manually adjusted frida-node to 16.0.7 but it did not help.

Answer 1 · 2022-12-12T21:10:15.000Z

iOS 14 上一切正常，我没有对应的环境复现。需要 idevicecrashreport 里于 extension 相关的日志才能分析。猜想是因为 jetsam 补丁不起作用了

Answer 2 · 2022-12-12T21:55:54.000Z

我还不太了解iOS的report，不知道这份里面有没有有用的信息：JetsamEvent-2022-12-12-132126.ips.txt

另外我用了另一个project倒是成功拿到了带extension的ipa。

Answer 3 · 2022-12-12T21:58:46.000Z

不是这个，extension 进程崩溃的日志。

另外 frida-ios-dump 完全不处理 extension 进程的解密，和 SSH 直接复制出来是一个效果，说明不知为何没有加密

Answer 4 · 2022-12-12T22:16:31.000Z

我仔细检查了一下，frida-ios-dump 砸壳的ipa有Plugin文件夹，但是extension实际无法工作，看来还是extension的问题。我用 idevicecrashreport 提出来的日志好像没有跟 extension 有关的文件，也可能是我看漏了。能否指条路我去研究研究，把日志导出来。

Answer 5 · 2022-12-16T11:52:53.000Z

use bagbak -zfn <bundleID>

working well on ios 15 and palnera1n

Answer 6 · 2022-12-16T12:15:30.000Z

use bagbak -zfn <bundleID>

working well on ios 15 and palnera1n

yeah but he needs extensions

Answer 7 · 2022-12-18T14:24:07.000Z

@jluo98 idevicecrashreport 命令可以复制所有的崩溃日志到电脑，而且默认会清空手机端的日志。可以先 idevicecrashreport，然后运行，第二次复制出来的日志就是新的

Answer 8 · 2022-12-18T17:45:16.000Z

@jluo98 idevicecrashreport 命令可以复制所有的崩溃日志到电脑，而且默认会清空手机端的日志。可以先 idevicecrashreport，然后运行，第二次复制出来的日志就是新的

我上次的确是这么干的，但是崩溃之后没有新日志。我回头再试试看

Answer 9 · 2023-03-04T02:31:31.000Z

我又折腾了一下，成功 dump with extensions

设备：iPhone 7 Plus
iOS: 15.7.3
Jailbreak: Palera1n 2.0 Beta 4

我手动 checkout 了 169e6d5 commit （主要为了 frida 15）然后在手机上装上了 frida 15.0.13，成功 dump。可能还是 frida 16 有点问题。

Answer 10 · 2023-03-13T18:10:51.000Z

I'm running into this too now, with both bagbak 2.3.1 and 2.5.0 connected to a iPod touch 6th gen on iOS 12.5.7

FATAL ERROR: session detached
reason: process-terminated
unable to dump plugins Error: Script is destroyed
Please file a bug to https://github.com/ChiChou/bagbak/issues
Error: Script is destroyed
    at onScriptDestroyed (/home/jack/.npm/_npx/a9ffc58366e7bb52/node_modules/frida/dist/script.js:118:26)
    at /home/jack/.npm/_npx/a9ffc58366e7bb52/node_modules/frida/dist/script.js:134:17
    at new Promise (<anonymous>)
    at ScriptServices.request (/home/jack/.npm/_npx/a9ffc58366e7bb52/node_modules/frida/dist/script.js:102:16)
    at Proxy.<anonymous> (/home/jack/.npm/_npx/a9ffc58366e7bb52/node_modules/frida/dist/script.js:181:38)
    at dump (/home/jack/.npm/_npx/a9ffc58366e7bb52/node_modules/bagbak/go.js:313:37)
    at async main (/home/jack/.npm/_npx/a9ffc58366e7bb52/node_modules/bagbak/go.js:406:5)
Congrats!
open dump/com.hammerandchisel.discord/Payload

Answer 11 · 2023-03-23T20:29:03.000Z

I guess it's related to 8badf00d

Answer 12 · 2023-04-05T08:12:12.000Z

frida/frida-core#462