1

I have an iOS device on 14.2 and am using frida 15.2.2 on Ubuntu 18.04.

If I launch an app via frida, in the repl I can get the base address of the module, add an offset to that address, and print the instruction at that new address. Doing it like this I get the instruction I expect. The commands I entered were:

var baseAddress = Process.enumerateModules()[0].base; var instructionOffset = 0x100004ce8-0x100000000; var targetAddress = baseAddress.add(instructionOffset); Instruction.parse(targetAddress).toString();

and the instruction I expect, based on ghidra, is cbz param_1,LAB_100004d08 which I get.

However, if I try and do the same by loading a script when I launch the app:

var baseAddress = Process.enumerateModules()[0].base; var instructionOffset = 0x100004ce8-0x100000000; var targetAddress = baseAddress.add(instructionOffset); Interceptor.attach(targetAddress, { onEnter: function(args) { console.log("[+] Current instruction: " + (Instruction.parse(targetAddress).toString())); }, });

it prints a different instruction. I'm not sure if there is something I've misunderstood or it is expected to work differently doing this from a script? Or if I need to take in to account the script being loaded in to memory?

Improve this question
3
  • 2
    I think the second case returns a different value because you have hoked the address. That means Frida has replaced the code at that address by it's hooking code to redirect execution flow to it's hooking handler. Commented Sep 14, 2022 at 12:07
  • Thank you @Robert, I think you are correct and that I was trying to do something in an unintended way. Commented Sep 14, 2022 at 13:57
  • @Robert if you would like to add something along those lines as an answer I'm happy to mark that as the solution. Commented Sep 14, 2022 at 14:06

1 Answer 1

Reset to default
1

This was down to my misunderstanding. I was wanting to either nop out an instruction or modify a register value. I had been trying to print the instruction to verify I was at the correct address but not considered that frida would obviously have to insert code to redirect execution flow, thank you @Robert.

At the point of attaching the register value can still be read or modified and will be handled correctly.

Alternatively, launching the app and loading a script but not attaching with interceptor let's me print the correct instruction at the offset via the script, e.g. just doing:

var baseAddress = Process.enumerateModules()[0].base; var instructionOffset = 0x100004ce8-0x100000000; var targetAddress = baseAddress.add(instructionOffset); console.log(Instruction.parse(targetAddress).toString());
Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.