nowsecure / r2frida

Radare2 and Frida better together.

Android: No imports, exports on native library (`:iE` , `:ii`)

enovella opened this issue · comments

Radare2 anal

R2 is capable of detecting the exports of the native library:

$ r2 lib/arm64-v8a/libtool-checker.so
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
 -- Use 'rabin2 -ris' to get the import/export symbols of any binary.
[0x00000990]> iE
[Exports]
nth paddr      vaddr      bind   type   size lib name                                                          demangled
――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
8   0x000009cc 0x000009cc GLOBAL FUNC   76       Java_com_scottyab_rootbeer_RootBeerNative_setLogDebugMessages
9   ---------- 0x00003004 GLOBAL NOTYPE 0        _bss_end__
11  ---------- 0x00003004 GLOBAL NOTYPE 0        _edata
12  ---------- 0x00003008 GLOBAL NOTYPE 0        _end
13  ---------- 0x00003004 GLOBAL NOTYPE 0        __bss_start
14  0x00000ad4 0x00000ad4 GLOBAL FUNC   196      Java_com_scottyab_rootbeer_RootBeerNative_checkForRoot
15  ---------- 0x00003004 GLOBAL NOTYPE 0        __bss_end__
16  0x00000a18 0x00000a18 GLOBAL FUNC   188      _Z6existsPKc                                                  exists(char const*)
19  ---------- 0x00003008 GLOBAL NOTYPE 0        __end__
20  ---------- 0x00003004 GLOBAL NOTYPE 0        __bss_start__
[0x00000990]> q

R2Frida (steps to reproduce)

R2Frida is not able to identify the exports or imports at runtime:

$ r2 frida://spawn/usb//com.scottyab.rootbeer.sample
ERROR: error: unable to find module containing 0x0
[0x00000000]> :dc
INFO: resumed spawned process
// Press button on the screen to load the native library
[0x00000000]> :il~+tool
0x0000007511761000 0x0000007511765000 libtool-checker.so
[0x00000000]> s 0x0000007511761000
[0x7511761000]> :iE
[0x7511761000]>

Setup

Latest Frida, r2 and r2frida
APK:
com.scottyab.rootbeer.sample.apk.zip

It used to work!

@trufae FYI - The native library is not loaded until you press the button at the bottom of the screen.

Seems a Frida bug:

[Pixel 4a::com.scottyab.rootbeer.sample ]-> var test = Process.getModuleByName("libtool-checker.so")
[Pixel 4a::com.scottyab.rootbeer.sample ]-> test
{
    "base": "0x773b794000",
    "name": "libtool-checker.so",
    "path": "/data/app/~~4Uu8HmOowBu7iVyv8KKjgg==/com.scottyab.rootbeer.sample-ZTsctaKJ0O9P8Nl3TA1XWQ==/lib/arm64/libtool-checker.so",
    "size": 16384
}
[Pixel 4a::com.scottyab.rootbeer.sample ]-> test.enumerateExports()
[]

@as0ler you're right and with Frida 15, it works! /cc for viz @oleavr

[Pixel ::com.scottyab.rootbeer.sample ]-> Frida
{
    "version": "15.2.2"
}
[Pixel ::com.scottyab.rootbeer.sample ]-> %resume
[Pixel ::com.scottyab.rootbeer.sample ]-> var test = Process.getModuleByName("libtool-checker.so")
[Pixel ::com.scottyab.rootbeer.sample ]-> test.enumerateExports()
[
    {
        "address": "0x73fc2d79cc",
        "name": "Java_com_scottyab_rootbeer_RootBeerNative_setLogDebugMessages",
        "type": "function"
    },
    {
        "address": "0x73fc2d7b98",
        "name": "_ZN7_JNIEnv14GetArrayLengthEP7_jarray",
        "type": "function"
    },
    {
        "address": "0x73fc2d7ad4",
        "name": "Java_com_scottyab_rootbeer_RootBeerNative_checkForRoot",
        "type": "function"
    },
    {
        "address": "0x73fc2d7a18",
        "name": "_Z6existsPKc",
        "type": "function"
    },
    {
        "address": "0x73fc2d7bd0",
        "name": "_ZN7_JNIEnv21GetObjectArrayElementEP13_jobjectArrayi",
        "type": "function"
    },
    {
        "address": "0x73fc2d7c10",
        "name": "_ZN7_JNIEnv17GetStringUTFCharsEP8_jstringPh",
        "type": "function"
    },
    {
        "address": "0x73fc2d7c50",
        "name": "_ZN7_JNIEnv21ReleaseStringUTFCharsEP8_jstringPKc",
        "type": "function"
    }
]
0x00000070e8121000 0x00000070e8125000 libtool-checker.so
0x00000073f8863000 0x00000073f8864000 linux-vdso.so.1
[0x00000000]> s 0x00000070e8121000
[0x70e8121000]> :iE
0x70e81219cc f Java_com_scottyab_rootbeer_RootBeerNative_setLogDebugMessages
0x70e8121b98 f _ZN7_JNIEnv14GetArrayLengthEP7_jarray
0x70e8121ad4 f Java_com_scottyab_rootbeer_RootBeerNative_checkForRoot
0x70e8121a18 f _Z6existsPKc
0x70e8121bd0 f _ZN7_JNIEnv21GetObjectArrayElementEP13_jobjectArrayi
0x70e8121c10 f _ZN7_JNIEnv17GetStringUTFCharsEP8_jstringPh
0x70e8121c50 f _ZN7_JNIEnv21ReleaseStringUTFCharsEP8_jstringPKc
[0x70e8121000]> :?V
{"version":"15.2.2"}

Please try again. I think the bug was not in enumerateExports, but in the way we got the current module. I fixed that thing in r2frida, so please try again and confirm the bug is fixed now.
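To confirm a fix like this, the static `iE` listing can be cross-checked against the runtime `:iE` listing by subtracting the module base from each runtime address. The following is an added example, not code from the thread or from r2frida; it uses rows copied from the sessions above and assumes the library's static vaddr equals its module-relative offset (r2 loaded it at base 0). The function names are illustrative.

```python
import re

# Excerpts copied from the sessions in this issue (shortened to a few rows).
STATIC_IE = """\
8   0x000009cc 0x000009cc GLOBAL FUNC   76       Java_com_scottyab_rootbeer_RootBeerNative_setLogDebugMessages
9   ---------- 0x00003004 GLOBAL NOTYPE 0        _bss_end__
14  0x00000ad4 0x00000ad4 GLOBAL FUNC   196      Java_com_scottyab_rootbeer_RootBeerNative_checkForRoot
16  0x00000a18 0x00000a18 GLOBAL FUNC   188      _Z6existsPKc                                                  exists(char const*)
"""
RUNTIME_IE = """\
0x70e81219cc f Java_com_scottyab_rootbeer_RootBeerNative_setLogDebugMessages
0x70e8121b98 f _ZN7_JNIEnv14GetArrayLengthEP7_jarray
0x70e8121ad4 f Java_com_scottyab_rootbeer_RootBeerNative_checkForRoot
0x70e8121a18 f _Z6existsPKc
"""
MODULE_BASE = 0x70e8121000  # first column of the `:il` row for libtool-checker.so

STATIC_ROW = re.compile(r"^\s*\d+\s+\S+\s+(0x[0-9a-fA-F]+)\s+\w+\s+(\w+)\s+\d+\s+(\S+)")
RUNTIME_ROW = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(\w)\s+(\S+)")

def parse_static(text):
    """Map exported FUNC names to their vaddr from r2 `iE` rows."""
    out = {}
    for line in text.splitlines():
        m = STATIC_ROW.match(line)
        if m and m.group(2) == "FUNC":
            out[m.group(3)] = int(m.group(1), 16)
    return out

def parse_runtime(text, base):
    """Map function names to module-relative offsets from r2frida `:iE` rows."""
    out = {}
    for line in text.splitlines():
        m = RUNTIME_ROW.match(line)
        if m and m.group(2) == "f":
            out[m.group(3)] = int(m.group(1), 16) - base
    return out

def compare(static, runtime):
    """Classify each symbol; an empty runtime map reproduces the reported symptom."""
    return {
        "matched": sorted(n for n in static if runtime.get(n) == static[n]),
        "mismatched": sorted(n for n in static if n in runtime and runtime[n] != static[n]),
        "missing_at_runtime": sorted(n for n in static if n not in runtime),
        "runtime_only": sorted(n for n in runtime if n not in static),
    }

if __name__ == "__main__":
    for label, runtime_text in (("fixed", RUNTIME_IE), ("empty :iE", "")):
        print(label, compare(parse_static(STATIC_IE), parse_runtime(runtime_text, MODULE_BASE)))
```

A non-empty `missing_at_runtime` list is the symptom reported in this issue; `mismatched` entries would point to a wrong module base being used for the lookup.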