Target process terminated error: Script is destroyed

[rookiexjl]

r2 frida://ec4f9ac17ce5/com.xingin.xhs
DetachReason: FRIDA_SESSION_DETACH_REASON_PROCESS_TERMINATED
CrashReport: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'Xiaomi/rosy/rosy:8.1.0/OPM1.171019.026/9.9.2:user/release-keys'
Revision: '0'
ABI: 'arm'
pid: 23297, tid: 29490, name: Thread-140 >>> com.xingin.xhs <<<
signal 11 (SIGSEGV), code 0 (SI_USER), fault addr --------
r0 bd759924 r1 71c2afeb r2 71c2afeb r3 ffffffff
r4 000005a8 r5 bd75affc r6 bfd9339c r7 bd7598f8
r8 00000004 r9 bfd9339c sl 00000002 fp bd75993c
ip ebe5d62c sp bd7598e8 lr ebe27ba7 pc bfd6c5ca cpsr 00010030

backtrace:
#00 pc 000175ca /data/app/com.xingin.xhs-akrh7f7b7UTuCNvs7DGE0A==/lib/arm/libBaiduMapSDK_base_v6_2_0.so (_baidu_framework::bd_android_signal_handler(int, siginfo*, void*)+313)
#1 pc 0012aaeb /data/local/tmp/re.frida.server/frida-agent-32.so

Target process terminated
error: Script is destroyed

[rookiexjl]

r2 -d frida://ec4f9ac17ce5/com.xingin.xhs
good

[trufae]

i've tracked down the issue to get the frida reproducer. The crash happens when trying to read 4 bytes at address 8, you can get the same crash like this:

$ frida -U -p $pidof.com.android.chrome
-> Memory.readByteArray(ptr(8), 4)

So it's an issue in frida server's Exceptor for android/thumb.

From the r2frida side i did a workaround that is now available on master. Run r2 like this:

R2FRIDA_SAFE_IO=1 r2 frida://usb//pid

[trufae]

I'm closing the issue because that's a bug in Frida and we have a workaround in r2frida

Follow the frida bug in frida/frida-gum#422