
I'm using Frida to run this command on my iPhone 7 (iOS 14.4):

frida-trace -U -S lib.js -m "-[NSMutableURLRequest setValue*]" --decorate -f com.apple.AppStore

lib.js contains this simple helper function:

function backtrace(context) {
    // context: the CpuContext of the hooked call (this.context inside a handler).
    // In a plain function call `this` is not the handler object, so the context
    // is passed in explicitly; if omitted, Frida walks the current thread from here.
    return '\tBacktrace:\n\t' +
        Thread.backtrace(context, Backtracer.ACCURATE)
            .map(item => {
                var symbol = DebugSymbol.fromAddress(item);
                return JSON.stringify(symbol);
            })
            .join('\n\t');
}

And then in onEnter of the produced handler I do this:

log(backtrace(this.context));

And all I see in the terminal is:

  1400 ms       Backtrace:
        {"address":"0x1069bb294","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069f92c4","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02024","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02f2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02ddc","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a01d2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069f92c4","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02024","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02f2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a02f2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x106a01d2c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069afaf8","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069afbf4","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x1069c0770","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x10695eca0","name":null,"moduleName":null,"fileName":null,"lineNumber":null}
        {"address":"0x104cd407c","name":null,"moduleName":null,"fileName":null,"lineNumber":null}

Why is this happening and how can I get module and method names of the call stack items?

StackTracer

1 Answer

In my experience DebugSymbol.fromAddress() does not work very well on some iOS apps. I have even seen applying this method to a stack trace crash an app. I'm not sure why it does not work; it could be a bug, or the app binary might just be missing debug symbols.

Alternatively, to understand the stack trace you can map each address to the module it belongs to using Frida's ModuleMap:

var moduleMap = new ModuleMap();
var backtrace = Thread.backtrace(this.context, Backtracer.ACCURATE);
// find() returns null for an address outside every module (get() would throw), so fall back to the raw address
return backtrace.map(addr => { var m = moduleMap.find(addr); return m ? m.name : addr.toString(); }).join('\n\t');

You will still be missing the method name; I don't know how to get it in such a situation.

Robert
Thanks for your response, but it didn't work; it seems that the module map doesn't have those addresses. I checked it using `moduleMap.has(address)`. I think I'll try this method https://stackoverflow.com/a/68335254/3405844 – StackTracer Mar 05 '22 at 11:07
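The answer's ModuleMap approach and the question's null symbols both come down to the same fallback a practitioner wants when symbolization fails: turn each raw frame address into "module!offset", which can then be looked up against the on-disk binary in a disassembler, and keep the bare address for frames that no module covers (JIT code, trampolines, or a library loaded after the module table was built). The block below is an added example, not code from the question, the answer, or Frida itself. It does in plain JavaScript what ModuleMap does inside Frida: a module range table plus a binary search, with BigInt addresses so it runs and can be tested outside Frida. The module names, bases and frame addresses are constructed sample data; the commented Frida usage assumes the standard Process.enumerateModules() and Thread.backtrace() APIs.

```javascript
// Added example: resolve raw backtrace addresses to "module!offset" strings.
// Pure JavaScript (BigInt addresses, module table passed in), so it runs under
// Node as well as inside a Frida script.

// Build a lookup table from [{name, base, size}] entries; base is a hex string
// or number, size a number. Entries are sorted by base for binary search.
function buildModuleTable(modules) {
    return modules
        .map(m => ({ name: m.name, base: BigInt(m.base), end: BigInt(m.base) + BigInt(m.size) }))
        .sort((a, b) => (a.base < b.base ? -1 : a.base > b.base ? 1 : 0));
}

// Binary search for the module whose [base, end) range contains addr.
// Returns {name, offset} or null when no module maps the address.
function resolveAddress(table, addr) {
    let lo = 0, hi = table.length - 1;
    while (lo <= hi) {
        const mid = (lo + hi) >> 1;
        const m = table[mid];
        if (addr < m.base) hi = mid - 1;
        else if (addr >= m.end) lo = mid + 1;
        else return { name: m.name, offset: addr - m.base };
    }
    return null;
}

function hex(n) { return '0x' + n.toString(16); }

// Format one frame: "name!0xoffset" when mapped, otherwise the bare address,
// explicitly marked so an unmapped frame is not mistaken for a symbolized one.
function formatFrame(table, addr) {
    const r = resolveAddress(table, addr);
    return r ? r.name + '!' + hex(r.offset) : hex(addr) + ' (no module)';
}

// addrs: array of hex strings (NativePointer.toString() output in Frida).
function formatBacktrace(table, addrs) {
    return addrs.map(a => formatFrame(table, BigInt(a)));
}

// Assumed usage inside a frida-trace handler (commented out so the file also
// loads under Node, where Process/Thread/log do not exist):
//   const table = buildModuleTable(Process.enumerateModules().map(m =>
//       ({ name: m.name, base: m.base.toString(), size: m.size })));
//   const frames = Thread.backtrace(this.context, Backtracer.ACCURATE)
//       .map(p => p.toString());
//   log('\tBacktrace:\n\t' + formatBacktrace(table, frames).join('\n\t'));

// Constructed sample data (not a real iOS layout): two modules and three
// frames, one of which falls outside every module.
const SAMPLE_MODULES = [
    { name: 'MainApp', base: '0x104cd0000', size: 0x10000 },
    { name: 'SomeFramework', base: '0x106900000', size: 0x200000 },
];
const SAMPLE_FRAMES = ['0x1069bb294', '0x104cd407c', '0x1f0000000'];

function demo() {
    return formatBacktrace(buildModuleTable(SAMPLE_MODULES), SAMPLE_FRAMES);
}

console.log(demo().join('\n'));
```

Building the table once (at script load, or again after a `dlopen`/`Module.load` you care about) rather than per frame keeps the handler cheap enough to run on every hit; the one thing to remember is that a frame reported as "(no module)" is a frame the table could not explain, not a frame that does not exist.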