
Problem with Repackaging Applications with Frida Gadget on iOS

I've been tinkering with Frida Gadget recently on a Phoenix jailbroken iOS 9.3.6 device and keep running into a problem that prevents my re-packaged application from launching.

In this example, I have re-packaged my DVIA application using the patch-ipa option that comes with objection. This tool basically automatically re-packages an ipa file with Frida Gadget.

I have also tried re-packaging manually by following this link.

In both methods of re-packaging an application with Frida Gadget, I end up with an application that crashes the moment I launch it. It seems that there might be an error with loading a dynamic library but I cannot seem to find any fixes after combing through the internet to see if anyone has experienced anything similar, and am completely lost.

The full console logs from launching a re-packaged-with-frida-gadget DVIA (Damn Vulnerable iOS Application) with the crash are as follows:

Jan  4 10:03:20 [device name] SpringBoard[198] <Error>:  SecTrustEvaluate  [leaf IssuerCommonName SubjectCommonName]
Jan  4 10:03:20 [device name] SpringBoard[198] <Error>:  SecTrustEvaluate  [leaf IssuerCommonName SubjectCommonName]
Jan  4 10:03:20 [device name] SpringBoard[198] <Error>:  SecTrustEvaluate  [leaf IssuerCommonName SubjectCommonName]
Jan  4 10:03:20 [device name] kernel[0] <Notice>: xpcproxy[385] Container: /private/var/mobile/Containers/Data/Application/1C3C3A02-07F0-4010-8F0C-8419BCFDF6C7 (sandbox)
Jan  4 10:03:20 [device name] com.apple.xpc.launchd[1] (UIKitApplication:com.highaltitudehacks.dvia[0xf5a5][385]) <Notice>: Service exited due to signal: Trace/BPT trap: 5
Jan  4 10:03:20 [device name] assertiond[64] <Warning>: Unable to obtain a task name port right for pid 385: (os/kern) failure (5)
Jan  4 10:03:20 [device name] SpringBoard[198] <Warning>: Unable to register for exec notifications: No such process
Jan  4 10:03:20 [device name] SpringBoard[198] <Warning>: Unable to obtain a task name port right for pid 385: (os/kern) failure (5)
Jan  4 10:03:20 [device name] SpringBoard[198] <Warning>: Unable to obtain a task name port right for <FBApplicationProcess: 0x1a3a5600; com.highaltitudehacks.dvia; pid: 385>
Jan  4 10:03:20 [device name] SpringBoard[198] <Warning>: Application 'UIKitApplication:com.highaltitudehacks.dvia[0xf5a5]' crashed.
Jan  4 10:03:21 [device name] SpringBoard[198] <Warning>: Application '(null)' exited for an unknown reason.
Jan  4 10:03:21 [device name] ReportCrash[386] <Error>: assertion failed: 13G37: libsystem_trace.dylib + 15927 [E82A6F2D-873A-39AD-8014-EDEB52248157]: 0x0
Jan  4 10:03:21 [device name] Unknown[386] <Error>:
Jan  4 10:03:21 [device name] ReportCrash[386] <Warning>: os_activity_diagnostic_for_pid() failed!
Jan  4 10:03:21 [device name] ReportCrash[386] <Notice>: Formulating report for corpse[385] DamnVulnerableIOSApp
Jan  4 10:03:21 [device name] ReportCrash[386] <Warning>: Saved type '109(109_DamnVulnerableIOSApp)' report (5 of max 25) at /var/mobile/Library/Logs/CrashReporter/DamnVulnerableIOSApp-2021-01-04-100321.ips

The crash report for the above is as follows:

{"bug_type":"109","os_version":"iPhone OS 9.3.6 (13G37)","build_version":"1.0","timestamp":"2021-01-04 10:03:21.21 +0800","app_name":"DamnVulnerableIOSApp","bundleID":"com.highaltitudehacks.dvia","name":"DamnVulnerableIOSApp","is_first_party":false,"app_version":"1.3","share_with_app_devs":false,"slice_uuid":"1b3a202d-cf7c-38ba-94ae-99923d388833","adam_id":0}
Incident Identifier: 99FF2E94-6F2D-4BF6-A7C9-97F6B1C75699
CrashReporter Key:   3f8c88cf4fceb4312cfc55f27818aa6f7e4e4042
Hardware Model:      iPhone4,1
Process:             DamnVulnerableIOSApp [385]
Path:                /private/var/containers/Bundle/Application/EC7885CC-F900-4B34-8116-C3F3D11C2934/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp
Identifier:          com.highaltitudehacks.dvia
Version:             1.0 (1.3)
Code Type:           ARM (Native)
Parent Process:      launchd [1]

Date/Time:           2021-01-04 10:03:21.21 +0800
Launch Time:         2021-01-04 10:03:20.20 +0800
OS Version:          iOS 9.3.6 (13G37)
Report Version:      104

Exception Type:  EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000000e7ffdefe
Triggered by Thread:  0

Filtered syslog:
None found

Dyld Error Message:
Dyld Message: Library not loaded: @executable_path/Frameworks/FridaGadget.dylib
  Referenced from: /var/containers/Bundle/Application/EC7885CC-F900-4B34-8116-C3F3D11C2934/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp
  Reason: no suitable image found.  Did find:
    /var/containers/Bundle/Application/EC7885CC-F900-4B34-8116-C3F3D11C2934/DamnVulnerableIOSApp.app/Frameworks/FridaGadget.dylib: no matching architecture in universal wrapper
    /private/var/containers/Bundle/Application/EC7885CC-F900-4B34-8116-C3F3D11C2934/DamnVulnerableIOSApp.app/Frameworks/FridaGadget.dylib: no matching architecture in universal wrapper
  Dyld Version: 390.7

Binary Images:
0xae000 - 0x281fff DamnVulnerableIOSApp armv7  <1b3a202dcf7c38ba94ae99923d388833> /var/containers/Bundle/Application/EC7885CC-F900-4B34-8116-C3F3D11C2934/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp
0x1fe0c000 - 0x1fe33fff dyld armv7  <146dc907cdf7350eb7cf92a77291119f> /usr/lib/dyld

Error Formulating Crash Report:
Failed while requesting activity/breadcrumb diagnostics

It would be great if someone could point me in the right direction. Thank You!

question from:https://stackoverflow.com/questions/65557508/problem-with-repackaging-applications-with-frida-gadget-on-ios


1 Reply


iOS fails to load FridaGadget.dylib with the error message no matching architecture in universal wrapper.

Combining this error message with the knowledge that Frida has dropped iOS 32bit support some months ago (as far as I remember 12.11.x were the last versions with 32bit support) the chance is high that the app you are trying to repackage is a 32 bit app.

Based on the size of the decompressed version of FridaGadget.dylib you can identify if it is a version with 32bit support or not. If it is smaller than 70MB then it is a 64bit only version. If you want the full list of supported architectures use the otool or file command.

Therefore you now have two options: If possible I would recommend you to change DVIA app to 64bit. Then the recent Frida gadget will work again.

Alternatively you can try to use an older Frida gadget version that still has 32bit support. Keep in mind that you also have to use the old Frida python scripts because the Frida 14.x seems to use a modified communication protocol between Frida and the FridaGadget and thus the communication between recent Frida 14.x scripts and old 12.x Frida gadget will not work.
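The architecture check described in the answer can also be done by reading the Mach-O headers directly. This is an added example, not part of the original answer: it lists the slices in a thin or universal image and reports which of the app's architectures the dylib lacks. The function names are hypothetical and the sample bytes are constructed headers, not data from the real app or any Frida release.

```python
import struct

FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF   # universal wrapper
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF     # thin 32/64-bit image
CPU_SUBTYPE_MASK = 0x00FFFFFF                      # top byte = capability flags
ARCH_NAMES = {(12, 9): "armv7", (12, 11): "armv7s",
              (0x0100000C, 0): "arm64", (0x0100000C, 2): "arm64e",
              (7, 3): "i386", (0x01000007, 3): "x86_64"}

def _name(cputype, cpusubtype):
    key = (cputype, cpusubtype & CPU_SUBTYPE_MASK)
    return ARCH_NAMES.get(key, "cputype=%#x/subtype=%d" % key)

def macho_archs(data):
    """Architectures carried by a thin or universal (fat) Mach-O image."""
    if len(data) < 12:
        raise ValueError("too short for a Mach-O header")
    magic = struct.unpack_from(">I", data)[0]
    if magic in (FAT_MAGIC, FAT_MAGIC_64):
        # The fat header and its fat_arch table are always big-endian.
        count = struct.unpack_from(">I", data, 4)[0]
        entry = 32 if magic == FAT_MAGIC_64 else 20
        if 8 + count * entry > len(data):
            raise ValueError("truncated fat_arch table")
        return [_name(*struct.unpack_from(">II", data, 8 + i * entry))
                for i in range(count)]
    # Thin images store the header in the target's byte order (little-endian here).
    if struct.unpack_from("<I", data)[0] in (MH_MAGIC, MH_MAGIC_64):
        return [_name(*struct.unpack_from("<II", data, 4))]
    raise ValueError("not a Mach-O image")

def missing_slices(app, dylib):
    """App architectures with no identically named slice in the dylib."""
    have = set(macho_archs(dylib))
    return [arch for arch in macho_archs(app) if arch not in have]

def _fat(archs):
    """Build a constructed fat header (slice offsets and sizes zeroed)."""
    table = b"".join(struct.pack(">IIIII", c, s, 0, 0, 0) for c, s in archs)
    return struct.pack(">II", FAT_MAGIC, len(archs)) + table

# Constructed samples, not bytes from the real app or any Frida release.
SAMPLE_APP = struct.pack("<III", MH_MAGIC, 12, 9)                     # thin armv7
SAMPLE_GADGET_64 = _fat([(0x0100000C, 0), (0x0100000C, 0x80000002)])  # 64-bit only
SAMPLE_GADGET_FAT = _fat([(12, 9), (0x0100000C, 0)])                  # armv7 + arm64

if __name__ == "__main__":
    for label, gadget in (("64-bit only", SAMPLE_GADGET_64), ("with armv7", SAMPLE_GADGET_FAT)):
        print(label, macho_archs(gadget), "missing:", missing_slices(SAMPLE_APP, gadget))
```

To check real files, pass the bytes of the app executable and of Frameworks/FridaGadget.dylib read from the unpacked IPA; a non-empty result for the architecture the device runs corresponds to the dyld error shown in the crash report.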

