Why the breakpoint doesn't work? #310

Closed
vmprog opened this issue Apr 17, 2021 · 4 comments

@vmprog

vmprog commented Apr 17, 2021

Hello.
Please help me understand. When I run the command:
frida-trace com.instagram.android -i "EVP_EncryptUpdate*"
Next, when I scroll in the app, frida-trace shows me the calls to this function.

When I run such a sequence of commands:
r2 frida://spawn/usb//com.instagram.android
[0x00000000]> \db EVP_EncryptUpdate
[0x00000000]> \dt EVP_EncryptUpdate
[0x00000000]> \dc
resumed spawned process.

When I scroll in the app, nothing happens.
What am I doing wrong?

Host system:
Linux debian 5.10.0-4-amd64 #1 SMP Debian 5.10.19-1 (2021-03-02) x86_64 GNU/Linux

[0x00000000]> ?V
4.6.0-git aka 4.4.0-925-g14f82ee30 commit 25261

Target system:
[0x00000000]> \i
arch arm
bits 32
os linux
pid 11714
aid 10204
objc false
runtime QJS
java true
mainLoop false
pageSize 4096
pointerSize 4
codeSigningPolicy optional
isDebuggerAttached false

@enovella (Contributor)

enovella commented Apr 17, 2021

Hi there,

Frida-trace is setting interceptor hooks to trace the symbol. On r2frida, you should use \dtf to trace functions. Breakpoints are not the same as hooks. Try with something like this:

[0x7ab47ee000]> \il~crypt
0x0000007d5d646000 libcrypto.so
0x0000007ab47ee000 libjavacrypto.so
0x0000007ab48cf000 libcrypto.so
[0x7ab47ee000]> s 0x0000007ab47ee000
[0x7ab47ee000]> \ii~+EVP_aes
0x7d5d71b02c f EVP_aes_128_cbc /system/lib64/libcrypto.so
0x7d5d71b058 f EVP_aes_128_ctr /system/lib64/libcrypto.so
0x7d5d71b23c f EVP_aes_128_ecb /system/lib64/libcrypto.so
0x7d5d71b0b0 f EVP_aes_128_gcm /system/lib64/libcrypto.so
0x7d5d71b0dc f EVP_aes_192_cbc /system/lib64/libcrypto.so
0x7d5d71b108 f EVP_aes_192_ctr /system/lib64/libcrypto.so
0x7d5d71b268 f EVP_aes_192_ecb /system/lib64/libcrypto.so
0x7d5d71b160 f EVP_aes_192_gcm /system/lib64/libcrypto.so
0x7d5d71b18c f EVP_aes_256_cbc /system/lib64/libcrypto.so
0x7d5d71b1b8 f EVP_aes_256_ctr /system/lib64/libcrypto.so
0x7d5d71b294 f EVP_aes_256_ecb /system/lib64/libcrypto.so
0x7d5d71b210 f EVP_aes_256_gcm /system/lib64/libcrypto.so
[0x7ab47ee000]> \dtf 0x7d5d71b02c
true
[0x7ab47ee000]> \dc

Regarding this command below, this syntax could be improved, is this symbol recognized inside of the r2 shell? Probably sym.xxx.EVP_EncryptUpdate? Make sure you add these imports/exports into your session? Have you tried to set the address of this symbol instead?

\db EVP_EncryptUpdate

@vmprog (Author)

vmprog commented Apr 19, 2021

Hi, @enovella.
Thanks for the explanation, but I haven't had any success yet.

attempt 1
kl@debian:$ r2 frida://spawn/usb//com.instagram.android
[0x00000000]> .\i*
[0x00000000]> \il~lige
[0x00000000]> \dc
resumed spawned process.
[0x00000000]> \il~lige
0x7b485000 libliger.so
[0x00000000]> s 0x7b485000
[0x7b485000]> .\iE*
[0x7b485000]> \ii~+EVP_
[0x7b485000]>
[0x7b485000]> / EVP_EncryptUpdate
hits: 5
0x79b94b7f hit0_0
0x7b48e98b hit0_1
0x95d1104d hit0_2 EVP_EncryptUpdate
0x95d6d224 hit0_3 EVP_EncryptUpdate
0xad02e224 hit0_4 EVP_EncryptUpdate
[0x7b485000]> \dtf 0x79b94b7f
true
[0x7b485000]> \dtf 0x7b48e98b
true
[0x7b485000]> \dtf 0x95d1104d
true
[0x7b485000]> \dtf 0x95d6d224
true
[0x7b485000]> \dtf 0xad02e224
true
[0x7b485000]> \dc
Continue 0 thread(s).
[0x7b485000]> \db 0x79b94b7f
[0x7b485000]> \db 0x7b48e98b
[0x7b485000]> \db 0x95d1104d
[0x7b485000]> \db 0x95d6d224
[0x7b485000]> \db 0xad02e224
When I scroll in the app, nothing happens.

attempt 2
kl@debian:$ r2 frida://attach/usb//com.instagram.android
[0x00000000]> \il~lige
0x7baa0000 libliger.so
[0x00000000]> s 0x7baa0000
[0x7baa0000]> .\iE*
[0x7baa0000]> .\i*
[0x7baa0000]> \ii~+EVP_
[0x7baa0000]> \iE libliger.so~+EVP_EncryptUp
0x7bc514d9 f EVP_EncryptUpdate
[0x7baa0000]> \dtf 0x7bc514d9
true
When I scroll in the app, I get PROCESS_TERMINATED.
[0x7baa0000]> DetachReason: FRIDA_SESSION_DETACH_REASON_PROCESS_TERMINATED

attempt 3
kl@debian:$ r2 frida://attach/usb//com.instagram.android
[0x00000000]> .\i*
[0x00000000]> \il~lige
0x7b754000 libliger.so
[0x00000000]> s 0x7b754000
[0x7b754000]> .\iE*
[0x7b754000]> \iE*~+EVP_EncryptUp
f sym.fun.EVP_EncryptUpdate = 0x7b9054d9
[0x7b754000]> \iE libliger.so~+EVP_EncryptUp
0x7b9054d9 f EVP_EncryptUpdate
[0x7b754000]> \db sym.fun.EVP_EncryptUpdate
[0x7b754000]>
[0x7b754000]> 0x7b9054d9
When I scroll in the app, I get PROCESS_TERMINATED.
DetachReason: FRIDA_SESSION_DETACH_REASON_PROCESS_TERMINATED

Do I understand correctly that this means that the breakpoint is triggered, but the application protection prevents this?

@enovella (Contributor)

Regarding attempts:

  1. Attempt 1. Are you sure that this function is called and your hook is inserted before calling it? Can you try another call you're sure is being called? In the worst case, you could find a workaround for this with a Frida script hooking android_dlopen_ext, detect the library you want to hook, and insert your hook right after it is loaded.
  2. Attempt 2. Check adb logcat and find out why it's crashing. Are you using the latest Frida? Any protection on the binary?
  3. Attempt 3. Same as above

I cannot answer the last question, we need to dig deeper into the logs to figure out what's going on underneath. Good luck!
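The two points enovella makes above (hooks via Interceptor are not breakpoints, and in spawn mode the library is not loaded yet when the `\db`/`\dtf` is set) can be combined in one Frida script. The following is an added example, not code from this thread or from r2frida/Frida: it hooks `android_dlopen_ext`, waits until the target library has been loaded, and only then installs an `Interceptor.attach` hook on `EVP_EncryptUpdate`; when attaching to an already running process it hooks immediately. The library name `libliger.so`, the symbol name and the `hook_after_dlopen.js` filename are assumptions taken from the thread, and the script assumes the Frida JavaScript API of the Frida 14/15 era this thread was written in (newer releases rename some `Module` calls). The two helpers at the top are plain JavaScript so they can be checked outside Frida; the Frida-specific part only runs inside an agent.

```javascript
'use strict';

// Added example (not code from this thread, r2frida or Frida). Run it with, e.g.,
//   frida -U -f com.instagram.android -l hook_after_dlopen.js
// or load it from the r2frida shell with:  \. hook_after_dlopen.js
// Library and symbol names are assumptions taken from the thread.
const TARGET_LIB = 'libliger.so';
const TARGET_SYM = 'EVP_EncryptUpdate';
const PREVIEW_BYTES = 32;   // how much of the plaintext buffer to log per call

// Does a path passed to dlopen()/android_dlopen_ext() refer to the target library?
// Matches on the basename, so both "libliger.so" and a full
// /data/app/.../lib/arm/libliger.so path hit.
function isTargetLibrary(path, target) {
  if (typeof path !== 'string' || path.length === 0) return false;
  const base = path.substring(path.lastIndexOf('/') + 1);
  return base === target;
}

// Hex-encode a Uint8Array that holds the first bytes of a buffer of `totalLen`
// bytes; appends "..." when the buffer was longer than what was read.
function hexPreview(bytes, totalLen) {
  let out = '';
  for (let i = 0; i < bytes.length; i++) {
    out += ('0' + (bytes[i] & 0xff).toString(16)).slice(-2);
  }
  return totalLen > bytes.length ? out + '...' : out;
}

let hooked = false;

// Install the Interceptor hook on EVP_EncryptUpdate. Returns true on success.
// Prototype: int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
//                                  int *outl, const unsigned char *in, int inl)
function installHook() {
  if (hooked) return true;
  const addr = Module.findExportByName(TARGET_LIB, TARGET_SYM);
  if (addr === null) {
    console.log('[-] ' + TARGET_SYM + ' is not exported by ' + TARGET_LIB);
    return false;
  }
  Interceptor.attach(addr, {
    onEnter(args) {
      const inl = args[4].toInt32();
      if (inl <= 0) return;                       // nothing to read for empty updates
      const chunk = new Uint8Array(args[3].readByteArray(Math.min(inl, PREVIEW_BYTES)));
      console.log('[+] ' + TARGET_SYM + ' @ ' + addr + ' inl=' + inl +
                  ' in=' + hexPreview(chunk, inl));
    },
    onLeave(retval) {
      console.log('    -> returned ' + retval.toInt32());
    }
  });
  hooked = true;
  console.log('[+] hooked ' + TARGET_SYM + ' at ' + addr);
  return true;
}

function main() {
  // Attach mode: the library may already be loaded, so hook it right away.
  if (Process.findModuleByName(TARGET_LIB) !== null) {
    installHook();
    return;
  }
  // Spawn mode: the library is not loaded yet, so a breakpoint or hook set now has
  // no target. Wait for the loader to bring it in and hook in onLeave, i.e. after
  // the library is mapped but before any caller can reach EVP_EncryptUpdate.
  const dlopenExt = Module.findExportByName(null, 'android_dlopen_ext');
  if (dlopenExt === null) throw new Error('android_dlopen_ext not found (not Android?)');
  Interceptor.attach(dlopenExt, {
    onEnter(args) {
      this.path = args[0].isNull() ? null : args[0].readUtf8String();
    },
    onLeave(retval) {
      if (!retval.isNull() && isTargetLibrary(this.path, TARGET_LIB)) {
        console.log('[*] ' + this.path + ' loaded via android_dlopen_ext');
        installHook();
      }
    }
  });
  console.log('[*] waiting for ' + TARGET_LIB + ' to be loaded');
}

// Only run the Frida-specific part inside a Frida agent; the helpers are plain JS.
if (typeof Interceptor !== 'undefined') main();
```

Hooking in `onLeave` rather than `onEnter` matters: the symbol can only be resolved once the loader has mapped the library and returned its handle. If the process still dies after the hook is installed (as in attempts 2 and 3), that is a separate problem from hook placement, and `adb logcat` is the place to look.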

@vmprog (Author)

vmprog commented Apr 27, 2021

Thank you for your explanation.
I will explore further.

@vmprog vmprog closed this as completed Apr 27, 2021