ChiChou / bagbak

Yet another frida based iOS dumpdecrypted. Also decrypts app extensions

Dopamine branch: app decryption (dump) problem

JasmineYong opened this issue

System version: 16.2
bagbak: 3.3.1

jasmineyoung@jasmine:~/bagbak$ DEBUG=1 ./bin/bagbak.js com.tencent.mqq --raw -f
remote root /private/var/containers/Bundle/Application/17912746-5938-4E67-B3B8-6E73652A727B/QQ.app
copy to .
[info] pulling app bundle from device, please be patient
[info] downloaded 12862 files and 734 folders
[info] app bundle downloaded
mach-o info QQ.app/Frameworks/QQStartup.framework/QQStartup {
path: 'QQ.app/Frameworks/QQStartup.framework/QQStartup',
type: 6,
encryptInfo: { offset: 16384, size: 23674880, id: 0 },
encCmdOffset: 3488
}
mach-o info QQ.app/Frameworks/QQStartupOnLogin.framework/QQStartupOnLogin {
path: 'QQ.app/Frameworks/QQStartupOnLogin.framework/QQStartupOnLogin',
type: 6,
encryptInfo: { offset: 16384, size: 16941056, id: 0 },
encCmdOffset: 3504
}
mach-o info QQ.app/Frameworks/TXSoundTouch.framework/TXSoundTouch {
path: 'QQ.app/Frameworks/TXSoundTouch.framework/TXSoundTouch',
type: 6,
encryptInfo: { offset: 16384, size: 16384, id: 0 },
encCmdOffset: 1328
}
mach-o info QQ.app/Frameworks/UE4.framework/UE4 {
path: 'QQ.app/Frameworks/UE4.framework/UE4',
type: 6,
encryptInfo: { offset: 16384, size: 50577408, id: 0 },
encCmdOffset: 3104
}
mach-o info QQ.app/Frameworks/WeAppCoreSDK.framework/WeAppCoreSDK {
path: 'QQ.app/Frameworks/WeAppCoreSDK.framework/WeAppCoreSDK',
type: 6,
encryptInfo: { offset: 16384, size: 22609920, id: 0 },
encCmdOffset: 3408
}
mach-o info QQ.app/Frameworks/andromeda.framework/andromeda {
path: 'QQ.app/Frameworks/andromeda.framework/andromeda',
type: 6,
encryptInfo: { offset: 16384, size: 1966080, id: 0 },
encCmdOffset: 2520
}
mach-o info QQ.app/Frameworks/ilink.framework/ilink {
path: 'QQ.app/Frameworks/ilink.framework/ilink',
type: 6,
encryptInfo: { offset: 16384, size: 8060928, id: 0 },
encCmdOffset: 2912
}
mach-o info QQ.app/PlugIns/QQBroadCast.appex/QQBroadCast {
path: 'QQ.app/PlugIns/QQBroadCast.appex/QQBroadCast',
type: 2,
encryptInfo: { offset: 176128, size: 4096, id: 1 },
encCmdOffset: 2912
}
mach-o info QQ.app/PlugIns/QQNotificationContent.appex/QQNotificationContent {
path: 'QQ.app/PlugIns/QQNotificationContent.appex/QQNotificationContent',
type: 2,
encryptInfo: { offset: 65536, size: 4096, id: 1 },
encCmdOffset: 3072
}
mach-o info QQ.app/PlugIns/QQNotificationService.appex/QQNotificationService {
path: 'QQ.app/PlugIns/QQNotificationService.appex/QQNotificationService',
type: 2,
encryptInfo: { offset: 122880, size: 4096, id: 1 },
encCmdOffset: 3232
}
mach-o info QQ.app/PlugIns/QQShare.appex/QQShare {
path: 'QQ.app/PlugIns/QQShare.appex/QQShare',
type: 2,
encryptInfo: { offset: 131072, size: 4096, id: 1 },
encCmdOffset: 2992
}
mach-o info QQ.app/PlugIns/QQWidgetExtension.appex/QQWidgetExtension {
path: 'QQ.app/PlugIns/QQWidgetExtension.appex/QQWidgetExtension',
type: 2,
encryptInfo: { offset: 274432, size: 4096, id: 1 },
encCmdOffset: 2736
}
mach-o info QQ.app/QQ {
path: 'QQ.app/QQ',
type: 2,
encryptInfo: { offset: 218886144, size: 4096, id: 1 },
encCmdOffset: 5472
}
encrypted binaries Map(6) {
'com.tencent.mqq' => {
dylibs: [
[Array], [Array],
[Array], [Array],
[Array], [Array],
[Array], [Array]
],
executable: 'QQ'
},
'com.tencent.mqq.BroadCast' => {
dylibs: [ [Array] ],
executable: 'PlugIns/QQBroadCast.appex/QQBroadCast'
},
'com.tencent.mqq.notificationContent' => {
dylibs: [ [Array] ],
executable: 'PlugIns/QQNotificationContent.appex/QQNotificationContent'
},
'com.tencent.mqq.notificationService' => {
dylibs: [ [Array] ],
executable: 'PlugIns/QQNotificationService.appex/QQNotificationService'
},
'com.tencent.mqq.ShareExtension' => { dylibs: [ [Array] ], executable: 'PlugIns/QQShare.appex/QQShare' },
'com.tencent.mqq.qqwidgetapp' => {
dylibs: [ [Array] ],
executable: 'PlugIns/QQWidgetExtension.appex/QQWidgetExtension'
}
}
pid => 2065
main executable => QQ.app/QQ
Failed to attach to pid 2065, skipping...
Warning: Unable to dump Frameworks/QQStartup.framework/QQStartup
Frameworks/QQStartupOnLogin.framework/QQStartupOnLogin
Frameworks/TXSoundTouch.framework/TXSoundTouch
Frameworks/UE4.framework/UE4
Frameworks/WeAppCoreSDK.framework/WeAppCoreSDK
Frameworks/andromeda.framework/andromeda
Frameworks/ilink.framework/ilink
QQ
node:internal/process/promises:289
triggerUncaughtException(err, true /* fromPromise */);
^

Error: pids is null
at implementation (/script1.js:116)
at call (native)
at f (:1) {
fileName: '/script1.js',
lineNumber: 116
}

Node.js v20.11.1

Dopamine is 2.0.11, the latest version.

Use main directly; #141 already fixed it.

Boss, dumping with main also shows the app as not decrypted. What could be the reason?

jasmineyoung@jasmine:~$ sudo DEBUG=1 bagbak 小红书 --raw -f
[sudo] password for jasmineyoung:
remote root /private/var/containers/Bundle/Application/0626478C-53EF-4DD4-911C-06356BF924BD/discover.app
copy to .
[info] pulling app bundle from device, please be patient
[info] downloaded 1414 files and 439 folders
[info] app bundle downloaded
mach-o info discover.app/Frameworks/A.framework/A {
path: 'discover.app/Frameworks/A.framework/A',
type: 6,
encryptInfo: { offset: 16384, size: 16384, id: 0 },
encCmdOffset: 2824
}
mach-o info discover.app/Frameworks/KasaSDK.framework/KasaSDK {
path: 'discover.app/Frameworks/KasaSDK.framework/KasaSDK',
type: 6,
encryptInfo: { offset: 16384, size: 5816320, id: 0 },
encCmdOffset: 3080
}
mach-o info discover.app/Frameworks/TXFFmpeg.framework/TXFFmpeg {
path: 'discover.app/Frameworks/TXFFmpeg.framework/TXFFmpeg',
type: 6,
encryptInfo: { offset: 16384, size: 3145728, id: 0 },
encCmdOffset: 1560
}
mach-o info discover.app/Frameworks/TXSoundTouch.framework/TXSoundTouch {
path: 'discover.app/Frameworks/TXSoundTouch.framework/TXSoundTouch',
type: 6,
encryptInfo: { offset: 16384, size: 32768, id: 0 },
encCmdOffset: 1408
}
mach-o info discover.app/Frameworks/Tquic.framework/Tquic {
path: 'discover.app/Frameworks/Tquic.framework/Tquic',
type: 6,
encryptInfo: { offset: 16384, size: 2048000, id: 0 },
encCmdOffset: 2672
}
mach-o info discover.app/PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension {
path: 'discover.app/PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension',
type: 2,
encryptInfo: { offset: 385024, size: 4096, id: 1 },
encCmdOffset: 3240
}
mach-o info discover.app/PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension {
path: 'discover.app/PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension',
type: 2,
encryptInfo: { offset: 282624, size: 4096, id: 1 },
encCmdOffset: 2840
}
mach-o info discover.app/PlugIns/ShareExtension.appex/ShareExtension {
path: 'discover.app/PlugIns/ShareExtension.appex/ShareExtension',
type: 2,
encryptInfo: { offset: 28672, size: 4096, id: 1 },
encCmdOffset: 2680
}
mach-o info discover.app/PlugIns/Siri.appex/Siri {
path: 'discover.app/PlugIns/Siri.appex/Siri',
type: 2,
encryptInfo: { offset: 16384, size: 4096, id: 1 },
encCmdOffset: 2280
}
mach-o info discover.app/PlugIns/TodayExtension.appex/TodayExtension {
path: 'discover.app/PlugIns/TodayExtension.appex/TodayExtension',
type: 2,
encryptInfo: { offset: 36864, size: 4096, id: 1 },
encCmdOffset: 2920
}
mach-o info discover.app/PlugIns/WidgetExtension.appex/WidgetExtension {
path: 'discover.app/PlugIns/WidgetExtension.appex/WidgetExtension',
type: 2,
encryptInfo: { offset: 569344, size: 4096, id: 1 },
encCmdOffset: 4016
}
mach-o info discover.app/discover {
path: 'discover.app/discover',
type: 2,
encryptInfo: { offset: 856064, size: 4096, id: 1 },
encCmdOffset: 5552
}
encrypted binaries Map(7) {
'com.xingin.discover' => {
dylibs: [ [Array], [Array], [Array], [Array], [Array], [Array] ],
executable: 'discover'
},
'com.xingin.discover.BroadcastUploadExtension' => {
dylibs: [ [Array] ],
executable: 'PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension'
},
'com.xingin.discover.NotificationServiceExtension' => {
dylibs: [ [Array] ],
executable: 'PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension'
},
'com.xingin.discover.ShareExtension' => {
dylibs: [ [Array] ],
executable: 'PlugIns/ShareExtension.appex/ShareExtension'
},
'com.xingin.discover.Siri' => { dylibs: [ [Array] ], executable: 'PlugIns/Siri.appex/Siri' },
'com.xingin.discover.TodayExtension' => {
dylibs: [ [Array] ],
executable: 'PlugIns/TodayExtension.appex/TodayExtension'
},
'com.xingin.discover.Widget' => {
dylibs: [ [Array] ],
executable: 'PlugIns/WidgetExtension.appex/WidgetExtension'
}
}
pid => 5530
main executable => discover.app/discover
Failed to attach to pid 5530, skipping...
Warning: Unable to dump Frameworks/A.framework/A
Frameworks/KasaSDK.framework/KasaSDK
Frameworks/TXFFmpeg.framework/TXFFmpeg
Frameworks/TXSoundTouch.framework/TXSoundTouch
Frameworks/Tquic.framework/Tquic
discover
pid => 5531
main executable => discover.app/PlugIns/ShareExtension.appex/ShareExtension
msg {
type: 'send',
payload: {
event: 'begin',
name: 'PlugIns/ShareExtension.appex/ShareExtension',
fatOffset: 0
}
} null
[decrypt] PlugIns/ShareExtension.appex/ShareExtension
patch >> discover.app/PlugIns/ShareExtension.appex/ShareExtension
[script log] info module => ShareExtension 0x100354000 49152
[script log] info encrypted => 28672 4096
msg {
type: 'send',
payload: {
event: 'trunk',
fileOffset: 28672,
name: 'PlugIns/ShareExtension.appex/ShareExtension'
}
} <Buffer 80 c2 00 91 61 1a 40 f9 02 01 80 52 fd 7b 41 a9 f4 4f c2 a8 ff 01 00 14 f4 4f be a9 fd 7b 01 a9 fd 43 00 91 f3 03 00 aa 00 18 40 f9 01 01 80 52 fb 01 ... 4046 more bytes>
msg {
type: 'send',
payload: {
event: 'trunk',
fileOffset: 2688,
name: 'PlugIns/ShareExtension.appex/ShareExtension'
}
} <Buffer 00 00 00 00 00 00 00 00 00 00 00 00>
msg {
type: 'send',
payload: { event: 'end', name: 'PlugIns/ShareExtension.appex/ShareExtension' }
} null
result => ok
session detached application-requested null
pid => 5532
main executable => discover.app/PlugIns/Siri.appex/Siri
msg {
type: 'send',
payload: { event: 'begin', name: 'PlugIns/Siri.appex/Siri', fatOffset: 0 }
} null
[decrypt] PlugIns/Siri.appex/Siri
patch >> discover.app/PlugIns/Siri.appex/Siri
[script log] info module => Siri 0x100b18000 32768
[script log] info encrypted => 16384 4096
msg {
type: 'send',
payload: {
event: 'trunk',
fileOffset: 16384,
name: 'PlugIns/Siri.appex/Siri'
}
} <Buffer c0 03 5f d6 f6 57 bd a9 f4 4f 01 a9 fd 7b 02 a9 fd 83 00 91 e0 03 03 aa f4 03 02 aa 43 00 00 94 f3 03 00 aa e0 03 14 aa 73 00 00 94 fd 03 1d aa 41 00 ... 4046 more bytes>
msg {
type: 'send',
payload: { event: 'trunk', fileOffset: 2288, name: 'PlugIns/Siri.appex/Siri' }
} <Buffer 00 00 00 00 00 00 00 00 00 00 00 00>
msg {
type: 'send',
payload: { event: 'end', name: 'PlugIns/Siri.appex/Siri' }
} null
result => ok
session detached application-requested null
pid => 5533
main executable => discover.app/PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension
msg {
type: 'send',
payload: {
event: 'begin',
name: 'PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension',
fatOffset: 0
}
} null
[decrypt] PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension
patch >> discover.app/PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension
[script log] info module => BroadcastUploadExtension 0x104bcc000 491520
[script log] info encrypted => 385024 4096
msg {
type: 'send',
payload: {
event: 'trunk',
fileOffset: 385024,
name: 'PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension'
}
} <Buffer e8 00 00 90 08 21 15 91 14 79 74 f8 03 00 00 14 f4 00 00 90 94 02 1a 91 e0 03 14 aa bc 09 00 94 40 06 00 b4 48 01 00 d0 15 e1 47 f9 e0 03 13 aa df 08 ... 4046 more bytes>
msg {
type: 'send',
payload: {
event: 'trunk',
fileOffset: 3248,
name: 'PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension'
}
} <Buffer 00 00 00 00 00 00 00 00 00 00 00 00>
msg {
type: 'send',
payload: {
event: 'end',
name: 'PlugIns/BroadcastUploadExtension.appex/BroadcastUploadExtension'
}
} null
result => ok
session detached application-requested null
pid => 5534
main executable => discover.app/PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension
msg {
type: 'send',
payload: {
event: 'begin',
name: 'PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension',
fatOffset: 0
}
} null
[decrypt] PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension
patch >> discover.app/PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension
[script log] info module => NotificationServiceExtension 0x102794000 409600
[script log] info encrypted => 282624 4096
msg {
type: 'send',
payload: {
event: 'trunk',
fileOffset: 282624,
name: 'PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension'
}
} <Buffer 28 20 40 f9 69 06 40 f9 29 19 40 b9 15 01 09 8b a0 fe df c8 40 03 00 b5 e0 03 13 aa bd 01 00 94 b4 fe 5f c8 d4 00 00 b5 a0 fe 08 c8 a8 ff ff 35 28 00 ... 4046 more bytes>
msg {
type: 'send',
payload: {
event: 'trunk',
fileOffset: 2848,
name: 'PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension'
}
} <Buffer 00 00 00 00 00 00 00 00 00 00 00 00>
msg {
type: 'send',
payload: {
event: 'end',
name: 'PlugIns/NotificationServiceExtension.appex/NotificationServiceExtension'
}
} null
result => ok
session detached application-requested null
pid => 5535
main executable => discover.app/PlugIns/TodayExtension.appex/TodayExtension
Failed to attach to pid 5535, skipping...
Warning: Unable to dump PlugIns/TodayExtension.appex/TodayExtension
pid => 5542
main executable => discover.app/PlugIns/WidgetExtension.appex/WidgetExtension
msg {
type: 'send',
payload: {
event: 'begin',
name: 'PlugIns/WidgetExtension.appex/WidgetExtension',
fatOffset: 0
}
} null
[decrypt] PlugIns/WidgetExtension.appex/WidgetExtension
patch >> discover.app/PlugIns/WidgetExtension.appex/WidgetExtension
[script log] info module => WidgetExtension 0x1025dc000 704512
[script log] info encrypted => 569344 4096
msg {
type: 'send',
payload: {
event: 'trunk',
fileOffset: 569344,
name: 'PlugIns/WidgetExtension.appex/WidgetExtension'
}
} <Buffer 10 aa 44 f9 00 02 1f d6 10 01 00 b0 10 ae 44 f9 00 02 1f d6 10 01 00 b0 10 b2 44 f9 00 02 1f d6 10 01 00 b0 10 ba 44 f9 00 02 1f d6 10 01 00 b0 10 be ... 4046 more bytes>
msg {
type: 'send',
payload: {
event: 'trunk',
fileOffset: 4024,
name: 'PlugIns/WidgetExtension.appex/WidgetExtension'
}
} <Buffer 00 00 00 00 00 00 00 00 00 00 00 00>
msg {
type: 'send',
payload: {
event: 'end',
name: 'PlugIns/WidgetExtension.appex/WidgetExtension'
}
} null
result => ok
session detached application-requested null
Saved to discover.app

On the Mac it shows that it cannot be dumped.
[screenshot 2024-03-13 09:39:09]

Same problem as yours: everything looks normal while dumping, but the result is actually not decrypted.

Describe the bug
After spawning, frida can't attach to it. The following line fails:

bagbak/index.js, line 158 in bab0de9:

session = await this.#device.attach(pid);

and bagbak/index.js, line 160 in bab0de9:

if (abortOnError) throw e;

throws the following exception:

[Error: Module not found at "/usr/lib/libSystem.B.dylib"]

To Reproduce

$ export SSH_USERNAME='mobile'                 
$ export SSH_PASSWORD='alpine'
$ export SSH_PORT=22          
$ export DEBUG_SCP=1
$ npx -- bagbak --abort-on-error -U -d 'com.spotify.client'

Desktop:

  • OS: macOS 13.6.5 (22G621)
  • nodejs: v21.7.1
  • frida on device version: 16.2.1
  • iOS and jailbreak version: 15.6 (19G69) and Dopamine 2.0.11
    • I tried also on iPhone 8+ (A11, arm64) with iOS 16.7.5 jailbroken with Dopamine 2.0.9 and everything works! It seems that the issue only happens on arm64e.
  • The app you are trying to work on: com.spotify.client (App Store link)
  • bagbak version: 3.3.1 (commit bab0de9 from origin/main)

@miticollo thanks a lot for the detail. It looks like Frida doesn’t work on that environment, can you try attaching anything with its native python command?

Attaching works. Indeed, my frida-ios-dump fork works and correctly decrypts the app (only the main executable, not plugins). But it implicitly uses spawn from the Frida Python API. In particular it extends the ConsoleApplication class like all frida-tools do.

@miticollo It's definitely a frida bug.

https://github.com/frida/frida-core/blob/41b87c1d476b66eef7d73368af96ec62692c0cf9/src/darwin/frida-helper-backend-glue.m#L1914

https://github.com/frida/frida-gum/blob/57c89fc71de6c0042785f8fd6cdf4c0e6b027957/gum/backend-darwin/gumprocess-darwin.c#L361

On Apple Silicon macOS, install WhatsApp from the Mac App Store and run frida WhatsApp; you see the same error. I've spent some hours on it but still have no clue why it only happens to certain targets.

Thank you for your report! But I don't understand one thing. Why doesn't it happen using Python? bagbak spawns the mainExecutable correctly, then attaching fails. My fork spawns the mainExecutable using the Frida Python API, then attaching doesn't fail. Both projects use the Frida API to perform the attach (one for NodeJS and the other for Python). Maybe I'm wrong, but is it possible that when bagbak spawns the mainExecutable using an XPC message something goes wrong? Does spawning the app and then attaching to it using the Frida NodeJS API work?

But I don't understand one thing. Why doesn't it happen using Python?

The test case I mentioned on macOS is the original Frida Python cli

You are right! After sending my previous message I realized it.
Anyway I tried to downgrade frida-server on iOS up to 16.0.11 but nothing.

Dopamine environment test: iOS application bagbak dump succeeded.
iOS Device: iPhone15 (iOS 15.1.1) (frida-server 16.2.1)
jailbreak: Dopamine 2.1.4
bagbak :3.3.1

export SSH_USERNAME=mobile && export SSH_PASSWORD=alpine && export SSH_PORT=2222 && bagbak com.xx.xxxx

Ciao @ChiChou !

Sorry for the ping.

I tried bagbak with Frida 16.2.3 and it works perfectly! Probably this version fixes this issue.

However I think that issue is not related to this. This is a Darwin injection problem