[bug] APK Crashes after patching #679

Open
batreller opened this issue May 21, 2024 · 4 comments

@batreller

Every time I launch the APK it crashes
and I get a message saying "Amazon Mobile Delivery keeps stopping"; however, Frida seems to be successfully injected.

To Reproduce
Steps to reproduce the behavior:
Patching APK

I pulled the working APK from the phone, which I had installed from the Amazon Flex official website - https://logistics.amazon.co.uk/app/download-app-direct/android

After that I found the launchable activity in the AndroidManifest.xml file, which as I understand is com.amazon.rabbit.android.RabbitApplication

C:\Users\user>objection patchapk -s C:\Users\user\Desktop\amazon\amazon_flex_extracted.apk --skip-resources --ignore-nativelibs --target-class com.amazon.rabbit.android.RabbitApplication
No architecture specified. Determining it using `adb`...
Detected target device architecture as: arm64-v8a
Using latest Github gadget version: 16.2.5
Patcher will be using Gadget version: 16.2.5
Detected apktool version as: 2.9.3
Running apktool empty-framework-dir...
Press any key to continue . . .
Unpacking C:\Users\user\Desktop\amazon\amazon_flex_extracted.apk
App already has android.permission.INTERNET
Using target class: com.amazon.rabbit.android.RabbitApplication for patch
Smali not found in smali directory. This might be a multidex APK. Searching...
Found smali at: C:\Users\D694~1\AppData\Local\Temp\tmp85xeh4h1.apktemp\smali_classes16\com/amazon/rabbit/android/RabbitApplication.smali
Reading smali from: C:\Users\D694~1\AppData\Local\Temp\tmp85xeh4h1.apktemp\smali_classes16\com/amazon/rabbit/android/RabbitApplication.smali
Injecting loadLibrary call at line: 298
Attempting to fix the constructors .locals count
Current locals value is 0, updating to 1:
Writing patched smali back to: C:\Users\D694~1\AppData\Local\Temp\tmp85xeh4h1.apktemp\smali_classes16\com/amazon/rabbit/android/RabbitApplication.smali
Copying Frida gadget to libs path...
Rebuilding the APK with the frida-gadget loaded...
Built new APK with injected loadLibrary and frida-gadget
Performing zipalign
Zipalign completed
Signing new APK.
Signed the new APK
Copying final apk from C:\Users\D694~1\AppData\Local\Temp\tmp85xeh4h1.apktemp.aligned.objection.apk to C:\Users\компьютер\Desktop\amazon\amazon_flex_extracted.objection.apk in current directory...
Cleaning up temp files...

Running APK
Frida gadget is injected while the tab saying "Amazon Mobile Delivery keeps stopping" is opened

As soon as you click the "Close" button on the phone, the connection gets terminated

Similar issues
#167

Expected behavior
Application should not crash and should keep working properly

Crash log
Crash log of Amazon Mobile Delivery application

--------- beginning of crash
05-21 16:54:09.602 27638 27638 E AndroidRuntime: FATAL EXCEPTION: main
05-21 16:54:09.602 27638 27638 E AndroidRuntime: Process: com.amazon.rabbit, PID: 27638
05-21 16:54:09.602 27638 27638 E AndroidRuntime: java.lang.RuntimeException: Unable to start activity ComponentInfo{com.amazon.rabbit/com.amazon.rabbit.android.presentation.core.LaunchActivity}: android.content.res.Resources$NotFoundException: Drawable com.amazon.rabbit:drawable/application_background with resource ID #0x7f080091
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3539)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3699)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:85)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2135)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.os.Handler.dispatchMessage(Handler.java:106)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.os.Looper.loop(Looper.java:236)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread.main(ActivityThread.java:8037)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at java.lang.reflect.Method.invoke(Native Method)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:656)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:967)
05-21 16:54:09.602 27638 27638 E AndroidRuntime: Caused by: android.content.res.Resources$NotFoundException: Drawable com.amazon.rabbit:drawable/application_background with resource ID #0x7f080091
05-21 16:54:09.602 27638 27638 E AndroidRuntime: Caused by: android.content.res.Resources$NotFoundException: File res/kjl.xml from drawable resource ID #0x7f080091
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.loadDrawableForCookie(ResourcesImpl.java:914)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.originalLoadDrawable(ResourcesImpl.java:693)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.loadDrawable(ResourcesImpl.java:600)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.MiuiResourcesImpl.loadDrawable(MiuiResourcesImpl.java:307)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.Resources.loadDrawable(Resources.java:1010)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.Resources.getDrawableForDensity(Resources.java:1000)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.res.Resources.getDrawable(Resources.java:939)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.content.Context.getDrawable(Context.java:702)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.core.content.ContextCompat$Api21Impl.getDrawable(ContextCompat.java:1)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.core.content.ContextCompat.getDrawable(ContextCompat.java:1)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.widget.ResourceManagerInternal.getDrawable(ResourceManagerInternal.java:5)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.widget.AppCompatDrawableManager.getDrawable(AppCompatDrawableManager.java:2)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.widget.TintTypedArray.getDrawableIfKnown(TintTypedArray.java:25)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.app.AppCompatDelegateImpl.attachToWindow(AppCompatDelegateImpl.java:35)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.app.AppCompatDelegateImpl.ensureWindow(AppCompatDelegateImpl.java:17)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.app.AppCompatDelegateImpl.onCreate(AppCompatDelegateImpl.java:6)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at androidx.appcompat.app.AppCompatActivity.onCreate(AppCompatActivity.java:6)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at com.amazon.rabbit.android.presentation.core.LaunchActivity.onCreate(LaunchActivity.kt:1)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.Activity.performCreate(Activity.java:8157)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.Activity.performCreate(Activity.java:8129)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1310)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3512)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3699)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:85)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2135)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.os.Handler.dispatchMessage(Handler.java:106)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.os.Looper.loop(Looper.java:236)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at android.app.ActivityThread.main(ActivityThread.java:8037)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at java.lang.reflect.Method.invoke(Native Method)
05-21 16:54:09.602 27638 27638 E AndroidRuntime:        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:656)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:967)
05-21 16:54:09.603 27638 27638 E AndroidRuntime: Caused by: android.content.res.Resources$NotFoundException: File res/kjl.xml from xml type drawable resource ID #0x7f080091
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.loadXmlResourceParser(ResourcesImpl.java:1312)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.loadXmlDrawable(ResourcesImpl.java:975)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.loadDrawableForCookie(ResourcesImpl.java:897)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        ... 32 more
05-21 16:54:09.603 27638 27638 E AndroidRuntime: Caused by: java.io.FileNotFoundException: res/kjl.xml
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at android.content.res.AssetManager.nativeOpenXmlAsset(Native Method)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at android.content.res.AssetManager.openXmlBlockAsset(AssetManager.java:1128)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        at android.content.res.ResourcesImpl.loadXmlResourceParser(ResourcesImpl.java:1296)
05-21 16:54:09.603 27638 27638 E AndroidRuntime:        ... 34 more

Full log of Amazon Mobile Delivery application (unfortunately it is quite large and I decided to upload it to pastebin) - https://pastebin.com/xf9MSWSb

On line 691 of this crash report the "objection explore" command was executed and, as you can see, it immediately caused a crash

Environment (please complete the following information):

  • Device: Xiaomi Redmi Note 8T
  • Phone OS: MIUI 12.5.2
  • Frida Version 16.1.3
  • Objection Version 1.11.0
  • Apktool Version 2.9.3
  • Apksigner Version 0.9
  • PC OS: Windows 10

Application
Application can be installed from official Amazon website - https://logistics.amazon.co.uk/app/download-app-direct/android

@IPMegladon
Collaborator

I suspect this may be because it could be a multi-part (AAB/APKS) application, you can check if that is the case using adb shell pm path com.amazon.rabbit. Please provide the output of that. If it returns more than one apk file, that is the case and likely the cause of this issue.

@weeebdev

I suspect this may be because it could be a multi-part (AAB/APKS) application, you can check if that is the case using adb shell pm path com.amazon.rabbit. Please provide the output of that. If it returns more than one apk file, that is the case and likely the cause of this issue.

and if that's the case, what do I do?

@IPMegladon
Collaborator

I suspect this may be because it could be a multi-part (AAB/APKS) application, you can check if that is the case using adb shell pm path com.amazon.rabbit. Please provide the output of that. If it returns more than one apk file, that is the case and likely the cause of this issue.

and if that's the case, what do I do?

I have a hacky way that you can try which might work - please let me know if it does, might be worth the trouble to add to objection if enough people have this issue (and the "fix" works).

  1. First you need to get all the apk files.
  2. Use the following command to patch base.apk with Objection, adding the specified flags:
    objection patchapk -s base.apk --ignore-nativelibs --skip-resources --use-aapt2 --pause
    -> do not resume.
  3. Use Apktool to decompress the APK that contains native code libraries (e.g., split_config..apk): apktool d -m --no-res --no-src --force split_config.arm64_v8a.apk.
    -> Replace split_config.arm64_v8a.apk with the appropriate architecture apk.
  4. Locate the libfrida-gadget.so file inserted by Objection from the temporary directory shown in Step 2's output, and move it to the decompressed APK: mv /tmp/tmpXXXXXX/lib/arm64-v8a/libfrida-gadget.so split_config.arm64_v8a/lib/arm64-v8a/.
    -> Replace /tmp/tmpXXXXXX/ and split_config.arm64_v8a/ with the paths relevant to your architecture.
    • Update the config file for apktool in the apk we decompiled (e.g. split_config.arm64_v8a/apktool.yml).
    • Include another entry under the doNotCompress section: - lib/arm64-v8a/libfrida-gadget.so (replace arch).
  5. After that, we can recompile both these apks.
    • For objection just press enter.
    • For the native library apk we use apktool again: apktool b split_config.arm64_v8a --use-aapt2 .
  6. Sign the apk files except for base.objection.apk using objection signapk
    • First objection signapk split_config.arm64_v8a/dist/split_config.arm64_v8a.apk.
    • Similarly objection signapk split_config.xxxx.apk for the others (e.g. split_config.en.apk, split_config.xhdpi.apk).
  7. Move signed arch apk to current directory: mv split_config.arm64_v8a/dist/split_config.arm64_v8a.objection.apk ./
  8. Install it: adb install-multiple base.objection.apk split_config.arm64_v8a.objection.apk <other_signed_apks>
    -> adding the relevant other split_config.xxxx.objection.apk files.

Hope this actually works.
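
The `adb shell pm path` check and step 1 of the procedure above (getting all the apk files), as an added shell example that is not part of the original comments or of objection. The function names, the `splits` output directory and the sample `pm path` listing are assumptions made for illustration; only `adb shell pm path`, `adb pull` and `adb shell getprop` are real commands.

```shell
#!/bin/sh
# Added example: names below are illustrative, not part of objection.

# Constructed sample of `adb shell pm path <package>` output for a split install.
SAMPLE_PM_PATH='package:/data/app/EXAMPLE-DIR/base.apk
package:/data/app/EXAMPLE-DIR/split_config.arm64_v8a.apk
package:/data/app/EXAMPLE-DIR/split_config.en.apk'

# Read `pm path` output on stdin, print one on-device APK path per line.
# adb shell output may carry carriage returns, so they are stripped first.
apk_paths() {
    tr -d '\r' | sed -n 's/^package://p'
}

# Number of APKs behind the package; anything above 1 is a split install.
count_apks() {
    apk_paths | awk 'END { print NR }'
}

# File name of the split carrying native libraries for ABI $1 (e.g. arm64-v8a).
# Split names use "_" where the lib/ directory uses "-".
native_split() {
    abi=$(printf '%s' "$1" | sed 's/-/_/g')
    apk_paths | sed -n "s|.*/\(split_config\.$abi\.apk\)\$|\1|p"
}

# Pull every APK of package $1 into directory $2 (default: ./splits).
pull_splits() {
    pkg=$1
    out=${2:-splits}
    listing=$(adb shell pm path "$pkg") || return 1
    count=$(printf '%s\n' "$listing" | count_apks)
    [ "$count" -gt 0 ] || { echo "$pkg: not installed" >&2; return 1; }
    [ "$count" -gt 1 ] || echo "$pkg: single APK, no splits to handle" >&2
    mkdir -p "$out"
    printf '%s\n' "$listing" | apk_paths | while IFS= read -r path; do
        adb pull "$path" "$out/" </dev/null   # keep adb off the loop's stdin
    done
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
    echo "gadget goes into: $(printf '%s\n' "$listing" | native_split "$abi")"
}

# Runs only when a package name is given, e.g.: sh pull_splits.sh com.amazon.rabbit
[ "$#" -eq 0 ] || pull_splits "$@"
```

If `native_split` prints nothing, the package has no ABI split for the connected device, and the native libraries, if any, sit in base.apk.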

@rithvikvibhu

Thanks @IPMegladon the process worked! Hope this gets added to objection in the future.
