I'm trying to inject my library into a few applications (both App Store and Enterprise Distribution signed) on an iPhone 8 (11.3), but the applications crash. The same dylib injects and works fine on other devices (only tried with 11.4b3).
iPhone:/User/Downloads/bfinject root# /bin/bash -c '/User/Downloads/bfinject/bfinject -p `ps -e | grep "[M]yAppName$" | while read -a array; do echo "${array[0]}" ; done` -l /User/Downloads/MyLib.dylib'
[+] Electra detected.
[+] Injecting into '/var/containers/Bundle/Application/12345678-90AB-CDEF-1234-567890ABCD/MyAppName.app/MyAppName'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID XXXXXXXXXX and platform entitlements...
[bfinject4realz] Calling task_for_pid() for PID 3503.
[bfinject4realz] Calling thread_create() on PID 3503
[bfinject4realz] Looking for ROP gadget... found at 0x18260b118
[bfinject4realz] Fake stack frame at 0x10e1e8000
[bfinject4realz] Calling _pthread_set_self() at 0x1828d871c...
[bfinject4realz] Returned from '_pthread_set_self'
[bfinject4realz] Calling dlopen() at 0x18260ae7c...
Here, bfinject hangs and the app crashes.
Attached is the crashed thread stack trace and relevant info from the crash report:
...
Hardware Model: iPhone10,1
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd [1]
OS Version: iPhone OS 11.3 (15E216)
Baseband Version: 1.89.00
Report Version: 104
Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001825d8d10
Termination Signal: Trace/BPT trap: 5
Termination Reason: Namespace SIGNAL, Code 0x5
Terminating Process: exc handler [0]
Triggered by Thread: 18
Application Specific Information:
BUG IN LIBDISPATCH: Unexpected error from mach_msg_receive
Abort Cause 268451847
Filtered syslog:
None found
Thread 18 name: Dispatch queue: com.apple.main-thread
Thread 18 Crashed:
0 libdispatch.dylib 0x00000001825d8d10 _dispatch_mach_send_and_wait_for_reply + 1544
1 libdispatch.dylib 0x00000001825d8938 _dispatch_mach_send_and_wait_for_reply + 560
2 libdispatch.dylib 0x00000001825d8e30 dispatch_mach_send_with_result_and_wait_for_reply$VARIANT$armv81 + 56
3 libxpc.dylib 0x00000001829148d8 xpc_connection_send_message_with_reply_sync + 196
4 CoreFoundation 0x0000000182c4ed08 __80-[CFPrefsSearchListSource alreadylocked_generationCountFromListOfSources:count:]_block_invoke_3.143 + 40
5 CoreFoundation 0x0000000182cf5d04 -[_CFXPreferences withConnectionForRole:performBlock:] + 48
6 CoreFoundation 0x0000000182c4ecd4 __80-[CFPrefsSearchListSource alreadylocked_generationCountFromListOfSources:count:]_block_invoke_2.142 + 124
7 libsystem_trace.dylib 0x00000001828f5c70 _os_activity_initiate_impl + 60
8 CoreFoundation 0x0000000182c4ec2c __80-[CFPrefsSearchListSource alreadylocked_generationCountFromListOfSources:count:]_block_invoke.140 + 124
9 CoreFoundation 0x0000000182c4e74c CFPREFERENCES_IS_WAITING_FOR_SYSTEM_CFPREFSD + 48
10 CoreFoundation 0x0000000182c4e984 -[CFPrefsSearchListSource alreadylocked_generationCountFromListOfSources:count:] + 184
11 CoreFoundation 0x0000000182c4f238 -[CFPrefsSearchListSource alreadylocked_copyDictionary] + 384
12 CoreFoundation 0x0000000182ceac58 -[CFPrefsSource copyDictionary] + 56
13 CoreFoundation 0x0000000182c4f088 -[CFPrefsSearchListSource generationCount] + 48
14 CoreFoundation 0x0000000182c4f020 -[CFPrefsSearchListSource handleRemoteChangeNotificationForDomainIdentifier:] + 308
15 CoreFoundation 0x0000000182ce9a34 -[CFPrefsSource forEachObserver:] + 288
16 CoreFoundation 0x0000000182cea100 -[CFPrefsSource setValues:forKeys:count:removeValuesForKeys:count:from:] + 348
17 CoreFoundation 0x0000000182cea304 -[CFPrefsSource setValue:forKey:from:] + 64
18 CoreFoundation 0x0000000182ceb55c -[_CFXPreferences+ 1566044 (SourceAdditions) withSourceForIdentifier:user:byHost:container:cloud:perform:] + 744
19 CoreFoundation 0x0000000182c50334 -[_CFXPreferences+ 930612 (SearchListAdditions) with23930198HackSourceForIdentifier:user:byHost:container:cloud:perform:] + 360
20 CoreFoundation 0x0000000182cf4810 -[_CFXPreferences setValue:forKey:identifier:user:host:container:] + 160
21 CoreFoundation 0x0000000182bfb7ec CFPreferencesSetValue + 136
22 ...56963a9152.dylib.arch_arm64 0x000000010cd18b30 0x10cd0c000 + 52016
23 libobjc.A.dylib 0x0000000181e6e9f0 call_load_methods + 184
24 libobjc.A.dylib 0x0000000181e6fb58 load_images + 76
25 dyld 0x00000001012f20c8 dyld::notifySingle+ 8392 (dyld_image_states, ImageLoader const*, ImageLoader::InitializerTimingList*) + 384
26 dyld 0x000000010130212c ImageLoader::recursiveInitialization+ 74028 (ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 440
27 dyld 0x00000001013011cc ImageLoader::processInitializers+ 70092 (ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 136
28 dyld 0x0000000101301288 ImageLoader::runInitializers+ 70280 (ImageLoader::LinkContext const&, ImageLoader::InitializerTimingList&) + 84
29 dyld 0x00000001012f5614 dyld::runInitializers+ 22036 (ImageLoader*) + 88
30 dyld 0x00000001012fb934 dlopen + 1024
31 libdyld.dylib 0x000000018260aef0 dlopen + 116
32 libdyld.dylib 0x000000018260b118 _dyld_find_unwind_sections + 136
Thread 18 crashed with ARM Thread State (64-bit):
x0: 0x0000000010004007 x1: 0x000000000400400e x2: 0x0000000000000000 x3: 0x0000000000004000
x4: 0x0000000000001603 x5: 0x0000000000000000 x6: 0x0000000000002503 x7: 0x00000000000003e2
x8: 0x0000000010004007 x9: 0x000000000400400e x10: 0x0000000141054000 x11: 0x0000000140ffbf80
x12: 0x0000000000000018 x13: 0x0000000010000004 x14: 0x0000000000100031 x15: 0x0000000000000000
x16: 0xffffffffffffffe1 x17: 0xffffffd0ffffffff x18: 0x0000000000000000 x19: 0x00000000efffbffe
x20: 0x0000000140ff7f80 x21: 0x0000000000004000 x22: 0x0000000000000000 x23: 0x0000000140ff7f80
x24: 0x0000000000001603 x25: 0x0000000000000000 x26: 0x0000000000002503 x27: 0x000000000400400e
x28: 0x00000001825d8dd8 fp: 0x0000000140ffc0a0 lr: 0x00000001825d8938
sp: 0x0000000140ff7f80 pc: 0x00000001825d8d10 cpsr: 0x80000000
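The "Abort Cause 268451847" line and the value in x0/x8 at the trap, 0x0000000010004007, are the same number: the kern_return_t that libdispatch got back from mach_msg inside _dispatch_mach_send_and_wait_for_reply and refused to handle. The program below is an added example, not part of the original post or of bfinject; it parses that line, splits a Mach error code into its system/subsystem/code fields as laid out in mach/error.h, and names the MACH_SEND_*/MACH_RCV_* values from mach/message.h. The constants are copied into the file so it builds on any platform without Mach headers. For the report above it yields MACH_RCV_INVALID_NOTIFY, a receive-side error, which fits the synchronous XPC reply wait in frames 0-3 of the crashed thread.

```c
/*
 * Decode the Mach error code behind a libdispatch "Unexpected error from
 * mach_msg_receive" abort. Added example; constants are copied from
 * <mach/error.h> and <mach/message.h>, so no Mach headers are required.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* <mach/error.h> layout: system (6 bits) | subsystem (12 bits) | code (14 bits). */
#define ERR_SYSTEM(e) (((e) >> 26) & 0x3fu)
#define ERR_SUB(e)    (((e) >> 14) & 0xfffu)
#define ERR_CODE(e)   ((e) & 0x3fffu)
#define ERR_MACH_IPC  4u   /* err_mach_ipc: the 0x10000000 family */
#define SUB_SEND      0u   /* MACH_SEND_* = 0x10000001.. */
#define SUB_RCV       1u   /* MACH_RCV_*  = 0x10004001.. */

/* Symbolic names from <mach/message.h>, indexed by the 14-bit code field. */
static const char *const send_names[] = {
    [1]  = "MACH_SEND_IN_PROGRESS",   [2]  = "MACH_SEND_INVALID_DATA",
    [3]  = "MACH_SEND_INVALID_DEST",  [4]  = "MACH_SEND_TIMED_OUT",
    [7]  = "MACH_SEND_INTERRUPTED",   [8]  = "MACH_SEND_MSG_TOO_SMALL",
    [9]  = "MACH_SEND_INVALID_REPLY", [10] = "MACH_SEND_INVALID_RIGHT",
    [11] = "MACH_SEND_INVALID_NOTIFY",[12] = "MACH_SEND_INVALID_MEMORY",
    [13] = "MACH_SEND_NO_BUFFER",     [14] = "MACH_SEND_TOO_LARGE",
    [15] = "MACH_SEND_INVALID_TYPE",  [16] = "MACH_SEND_INVALID_HEADER",
};
static const char *const rcv_names[] = {
    [1]  = "MACH_RCV_IN_PROGRESS",    [2]  = "MACH_RCV_INVALID_NAME",
    [3]  = "MACH_RCV_TIMED_OUT",      [4]  = "MACH_RCV_TOO_LARGE",
    [5]  = "MACH_RCV_INTERRUPTED",    [6]  = "MACH_RCV_PORT_CHANGED",
    [7]  = "MACH_RCV_INVALID_NOTIFY", [8]  = "MACH_RCV_INVALID_DATA",
    [9]  = "MACH_RCV_PORT_DIED",      [10] = "MACH_RCV_IN_SET",
    [11] = "MACH_RCV_HEADER_ERROR",   [12] = "MACH_RCV_BODY_ERROR",
    [13] = "MACH_RCV_INVALID_TYPE",   [14] = "MACH_RCV_SCATTER_SMALL",
    [15] = "MACH_RCV_INVALID_TRAILER",
};

struct mach_err {
    unsigned system, sub, code;
    const char *name;   /* symbolic name, or "unknown" if not an IPC code we know */
};

/* Split a raw kern_return_t into its fields and look up the mach_msg name. */
struct mach_err decode_mach_error(uint32_t e) {
    struct mach_err r = { ERR_SYSTEM(e), ERR_SUB(e), ERR_CODE(e), "unknown" };
    const char *const *table = NULL;
    size_t n = 0;
    if (r.system == ERR_MACH_IPC && r.sub == SUB_SEND) {
        table = send_names; n = sizeof send_names / sizeof *send_names;
    } else if (r.system == ERR_MACH_IPC && r.sub == SUB_RCV) {
        table = rcv_names;  n = sizeof rcv_names / sizeof *rcv_names;
    }
    if (table && r.code < n && table[r.code])
        r.name = table[r.code];
    return r;
}

/* Parse the decimal "Abort Cause N" line of a crash report; 0 if malformed. */
uint32_t parse_abort_cause(const char *line) {
    const char *p = strstr(line, "Abort Cause");
    if (!p) return 0;
    p += strlen("Abort Cause");
    char *end;
    unsigned long v = strtoul(p, &end, 10);
    if (end == p || v > UINT32_MAX) return 0;
    return (uint32_t)v;
}

int main(void) {
    /* Values taken from the crash report above. */
    const char *abort_line = "Abort Cause 268451847";
    uint64_t x0_at_trap = 0x0000000010004007ull;

    uint32_t cause = parse_abort_cause(abort_line);
    struct mach_err m = decode_mach_error(cause);
    printf("abort cause 0x%08x: system=%u sub=%u code=%u -> %s\n",
           cause, m.system, m.sub, m.code, m.name);
    printf("same value as x0 at the trap: %s\n",
           (uint64_t)cause == x0_at_trap ? "yes" : "no");
    return 0;
}
```

Build and run with `cc -std=c99 -o machdecode machdecode.c && ./machdecode`; any other "Abort Cause" value or register contents from a libdispatch mach_msg abort can be fed through the same two functions.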