iOS return value hooking not setting correct values #193

Closed
aph3rson opened this issue Feb 25, 2019 · 6 comments
@aph3rson (Contributor)

Getting odd behavior when trying to run the latest version of Objection and frida-gadget. I patch a method to always return False/0, and the set-method-return job shows it as being overridden to 0x0. However, a watch-method job shows it as returning 0x1 (and my app crashes).

This was not an issue with the last version of objection, so I suspect it has to do with the move to the typescript agent.

The below output shows my issue pretty well. If it makes any difference, I'm running on Windows, and am connecting to frida-server over a network connection.

```
PS C:\Users\iwilliams> objection --network --host [snip] --gadget '[snip]' explore --startup-command "ios hooking set return_value '-[AppceleratorHttpsModule createX509CertificatePinningSecurityManager:]' 0"
Using networked device @`[snip]:27042`
Agent injected and responds ok!
Running a startup command... ios hooking set return_value '-[AppceleratorHttpsModule createX509CertificatePinningSecurityManager:]' 0
(agent) Selector address enumeration complete.
(agent) Found selector at 0x104d43c54 as -[AppceleratorHttpsModule createX509CertificatePinningSecurityManager:]
(agent) Registering job 2yssrjepb0j. Type: set-method-return for: -[AppceleratorHttpsModule createX509CertificatePinningSecurityManager:]
[snip]
[snip] on (iPad: 11.4) [net] # ios hooking watch method "-[AppceleratorHttpsModule createX509CertificatePinningSecurityManager:]" --dump-args --dump-backtrace --dump-return
(agent) Selector address enumeration complete.
(agent) Found selector at 0x104d43c54 as -[AppceleratorHttpsModule createX509CertificatePinningSecurityManager:]
(agent) Registering job xwne5q5gdic. Type: watch-method for: -[AppceleratorHttpsModule createX509CertificatePinningSecurityManager:]
[snip] on (iPad: 11.4) [net] # (agent) [xwne5q5gdic] Called: -[AppceleratorHttpsModule createX509CertificatePinningSecurityManager:] 1 arguments(Kind: instance) (Super: TiModule)
(agent) [xwne5q5gdic] -[AppceleratorHttpsModule createX509CertificatePinningSecurityManager:] Backtrace:
        [snip]
(agent) [xwne5q5gdic] Argument dump: [AppceleratorHttpsModule createX509CertificatePinningSecurityManager: (
        [snip]
)]
(agent) [2yssrjepb0j] -[AppceleratorHttpsModule createX509CertificatePinningSecurityManager:] Return value was: 0x15dda64e0, overriding to 0x0
(agent) [xwne5q5gdic] Return Value: 0x1
(session detach message) process-terminated
```
@aph3rson (Contributor, Author)

Relatedly, I was doing the known-working methods I described in #187.

@aph3rson (Contributor, Author)

I think the issue is here, on line 244:

```typescript
case false:
  if (retval.equals(FALSE)) {
    return;
  }
  send(
    c.blackBright(`[${job.identifier}] `) +
    `${c.green(selector)} ` +
    `Return value was: ${c.red(retval.toString())}, overriding to ${c.green(FALSE.toString())}`,
  );
  retval.replace(TRUE); // message says FALSE, but the value written is TRUE
  break;
}
```

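Added example (not code from the objection agent or from this thread): the posted `false` branch beside a corrected version, driven through a constructed stand-in for Frida's `retval` object. The simulated listener order (set-method-return job first, watch-method job second) is an assumption that matches the registration order in the output above.

```javascript
// Constructed stand-in for Frida's InvocationReturnValue; not Frida's real API.
class FakeRetval {
  constructor(value) { this.value = BigInt(value); }
  equals(other) { return this.value === BigInt(other); }
  replace(other) { this.value = BigInt(other); }
  toString() { return '0x' + this.value.toString(16); }
}
const TRUE = 1n;
const FALSE = 0n;

// The set-method-return logic as posted in the issue: the `false` branch
// checks for FALSE but then writes TRUE, so the caller still receives 0x1.
function buggyOverride(retval, desired) {
  switch (desired) {
    case true:
      if (retval.equals(TRUE)) return;
      retval.replace(TRUE);
      break;
    case false:
      if (retval.equals(FALSE)) return;
      retval.replace(TRUE); // the bug: should be FALSE
      break;
  }
}

// Corrected logic (what the referenced commit does): write the promised value.
function fixedOverride(retval, desired) {
  const target = desired ? TRUE : FALSE;
  if (retval.equals(target)) return;
  retval.replace(target);
}

// Run two onLeave listeners in registration order (assumed): job 1 rewrites
// the return value, job 2 (watch-method --dump-return) only observes it.
// Returns what the watcher printed and what the caller finally receives.
function simulate(originalRetval, override, desired) {
  const retval = new FakeRetval(originalRetval);
  const seen = [];
  const listeners = [
    (rv) => override(rv, desired),
    (rv) => seen.push(rv.toString()),
  ];
  for (const listener of listeners) listener(retval);
  return { watcherSaw: seen[0], callerGets: retval.toString() };
}
```

With the buggy branch the watcher reports `0x1` for a non-zero original pointer such as `0x15dda64e0`, exactly as in the log above; with the fix it reports `0x0`.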
@leonjza (Member)

leonjza commented Feb 25, 2019

Interesting. I am going to have to debug this one a little more. May be a race condition in how the InvocationListeners fire. Apart from the watch hook reporting 0x1, does the bypass work though?

@aph3rson (Contributor, Author)

> does the bypass work though?

No, the app gets 0x1 as the return value, and crashes. I'm going to try updating the compiled JS, and see if that fixes it.

@aph3rson (Contributor, Author)

Can confirm, changing the compiled JS fixes the issue. I can submit a PR to fix the typescript file, if you'd like.

@leonjza (Member)

leonjza commented Feb 25, 2019

Awesome, a PR would rock :)

leonjza pushed a commit that referenced this issue Feb 25, 2019
Replace TRUE with FALSE in FALSE return code.
Works on #193.
leonjza pushed a commit that referenced this issue Mar 1, 2019
* Fix iOS hooking return value

Replace TRUE with FALSE in FALSE return code.
Works on #193.

* Fix PList relative path join

Replace usage of `os.path.join`, doesn't work as expected on Windows.

Works on #197.