[bug] After patching ios app crashes

[CorruptionHades]

Describe the bug
After running objection patchipa --source App.ipa --codesign-signature xxx and deploying using ios-deploy the app installs successfully but crashes on opening.

To Reproduce
Steps to reproduce the behavior:

1. Run aforementioned command
2. Run unzip App-frida-codesigned.ipa
3. Run ios-deploy --bundle Payload/App.app -W -d

Similar issues

Expected behavior
The app should launch normally with frida gadget

Evidence / Logs / Screenshots
Any output from objection, such as stack traces or errors that occurred. Be sure to run objection with the --debug flag so that errors from the agent are verbose enough to debug. For example:

XCode crash log:
Hardware Model:      iPad12,1
Process:             Suite [28083]
Path:                /private/var/containers/Bundle/Application/82E982C3-77AA-402C-948E-6969D60B648B/Suite.app/Suite
Identifier:          me.corruptionhades.TestProj
Version:             5.2.887 (887.0)
AppStoreTools:       16E137
Code Type:           ARM-64 (Native)
Role:                Foreground
Parent Process:      launchd [1]
Coalition:           me.corruptionhades.TestProj [7124]

Date/Time:           2025-05-30 13:35:04.1340 +0200
Launch Time:         2025-05-30 13:35:03.1755 +0200
OS Version:          iPhone OS 18.4.1 (22E252)
Release Type:        User
Report Version:      104

Exception Type:  EXC_BAD_ACCESS (SIGKILL)
Exception Subtype: KERN_PROTECTION_FAILURE at 0x000000019c5cd254
Exception Codes: 0x0000000000000002, 0x000000019c5cd254
VM Region Info: 0x19c5cd254 is in 0x19c5cc000-0x19c5d0000;  bytes after start: 4692  bytes before end: 11691
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      unused __TEXT            19c574000-19c5cc000 [  352K] r-x/r-x SM=COW  unused  unknown system shared lib __TEXT
--->  unused __DATA            19c5cc000-19c5d0000 [   16K] rw-/rw- SM=COW  unused  unknown system shared lib __DATA
      unused __TEXT            19c5d0000-19c5d6000 [   24K] r-x/r-x SM=COW  unused  unknown system shared lib __TEXT
Termination Reason: CODESIGNING 2 Invalid Page

Triggered by Thread:  0

Kernel Triage:
VM - (arg = 0x0) CL - 

Thread 0 name:   Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libsystem_c.dylib             	       0x19c5cd254 abort + 0
1   FridaGadget.dylib             	       0x109c2b89c 0x109be8000 + 276636
2   FridaGadget.dylib             	       0x109c26f28 0x109be8000 + 257832
3   FridaGadget.dylib             	       0x109c27500 0x109be8000 + 259328
4   FridaGadget.dylib             	       0x109bed788 0x109be8000 + 22408
5   FridaGadget.dylib             	       0x109c00b3c 0x109be8000 + 101180
6   dyld                          	       0x1bb0416f4 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 623
7   dyld                          	       0x1bb03b2e0 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 323
8   dyld                          	       0x1bb03ae08 invocation function for block in mach_o::Header::forEachSection(void (mach_o::Header::SectionInfo const&, bool&) block_pointer) const + 239
9   dyld                          	       0x1bb03ab0c mach_o::Header::forEachLoadCommand(void (load_command const*, bool&) block_pointer) const + 207
10  dyld                          	       0x1bb03a8dc mach_o::Header::forEachSection(void (mach_o::Header::SectionInfo const&, bool&) block_pointer) const + 123
11  dyld                          	       0x1bb02371c dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 515
12  dyld                          	       0x1bb0233a4 dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 175
13  dyld                          	       0x1bb0255e8 dyld4::JustInTimeLoader::runInitializers(dyld4::RuntimeState&) const + 35
14  dyld                          	       0x1bb021a3c dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&, dyld3::Array<dyld4::Loader const*>&) const + 307
15  dyld                          	       0x1bb0219dc dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&, dyld3::Array<dyld4::Loader const*>&) const + 211
16  dyld                          	       0x1bb046d88 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const::$_0::operator()() const + 179
17  dyld                          	       0x1bb046c10 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 759
18  dyld                          	       0x1bb0212a0 dyld4::APIs::runAllInitializersForMain() + 291
19  dyld                          	       0x1bb040ccc dyld4::prepare(dyld4::APIs&, mach_o::Header const*) + 3255
20  dyld                          	       0x1bb063114 dyld4::start(dyld4::KernelArgs*, void*, void*)::$_0::operator()() const + 235
21  dyld                          	       0x1bb02b9e4 start + 5719

Thread 1 name:  frida-gadget
Thread 1:
0   libsystem_kernel.dylib        	       0x1e5196768 kevent + 8
1   FridaGadget.dylib             	       0x109dbb16c 0x109be8000 + 1913196
2   FridaGadget.dylib             	       0x109dba38c 0x109be8000 + 1909644
3   FridaGadget.dylib             	       0x109dba5a0 0x109be8000 + 1910176
4   FridaGadget.dylib             	       0x109c00c20 0x109be8000 + 101408
5   FridaGadget.dylib             	       0x109dc9e64 0x109be8000 + 1973860
6   libsystem_pthread.dylib       	       0x21ea5fafc _pthread_start + 135
7   libsystem_pthread.dylib       	       0x21ea5fa04 thread_start + 7


Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000000000000   x1: 0x0000000000004000   x2: 0x0000000000000005   x3: 0x0000000000000001
    x4: 0x00000e1500000000   x5: 0x0000060700000000   x6: 0x000000000000002c   x7: 0x0000000000000000
    x8: 0x0000000000000002   x9: 0x0000000000004000  x10: 0x000000019c568000  x11: 0x0000000000000005
   x12: 0x0000000000000203  x13: 0x000000020017e000  x14: 0x0000000000000000  x15: 0x0000000000000000
   x16: 0x000000019c5cd254  x17: 0x000000010ad881c0  x18: 0x0000000000000000  x19: 0x0000000106fdc830
   x20: 0x0000000106fddd40  x21: 0x0000000106fc3f60  x22: 0x0000000000000000  x23: 0x0000000000004000
   x24: 0x0000000106fded80  x25: 0x0000000106fead00  x26: 0x0000000000000000  x27: 0x0000000109c283e4
   x28: 0x0000000106fddd40   fp: 0x000000016da7f8f0   lr: 0x0000000109c2b89c
    sp: 0x000000016da7f8f0   pc: 0x000000019c5cd254 cpsr: 0x20000000
   far: 0x000000019c5cd254  esr: 0x8200000f (Instruction Abort) Permission fault

Binary Images:
       0x102378000 -        0x1050bffff Suite arm64  <6007346023af38cdaf01251c95177595> /var/containers/Bundle/Application/82E982C3-77AA-402C-948E-6969D60B648B/Suite.app/Suite
       0x106e00000 -        0x106e07fff MDFInternationalization arm64  <5e50f912c6683659bcdb6dc124077536> /private/var/containers/Bundle/Application/82E982C3-77AA-402C-948E-6969D60B648B/Suite.app/Frameworks/MDFInternationalization.framework/MDFInternationalization
       0x106e18000 -        0x106e1ffff MDFTextAccessibility arm64  <306b60f142603222aa2d9a727249f1e7> /private/var/containers/Bundle/Application/82E982C3-77AA-402C-948E-6969D60B648B/Suite.app/Frameworks/MDFTextAccessibility.framework/MDFTextAccessibility
       0x107330000 -        0x1074a7fff MaterialComponents arm64  <65ad36ae78593f28878e0160f8ba565f> /private/var/containers/Bundle/Application/82E982C3-77AA-402C-948E-6969D60B648B/Suite.app/Frameworks/MaterialComponents.framework/MaterialComponents
       0x106e54000 -        0x106e5ffff MotionAnimator arm64  <f08f669e7ff23427aa50fde10cd56be2> /private/var/containers/Bundle/Application/82E982C3-77AA-402C-948E-6969D60B648B/Suite.app/Frameworks/MotionAnimator.framework/MotionAnimator
       0x106f18000 -        0x106f1ffff MotionInterchange arm64  <0565dd8b039134b3837aec9e2c69ed52> /private/var/containers/Bundle/Application/82E982C3-77AA-402C-948E-6969D60B648B/Suite.app/Frameworks/MotionInterchange.framework/MotionInterchange
       0x107004000 -        0x107023fff pop arm64  <750417c061f53177b07ce561cee6612d> /private/var/containers/Bundle/Application/82E982C3-77AA-402C-948E-6969D60B648B/Suite.app/Frameworks/pop.framework/pop
       0x1070f4000 -        0x10714bfff UILibrary arm64  <ee993d99594a3ac3965d9cb8e848493d> /private/var/containers/Bundle/Application/82E982C3-77AA-402C-948E-6969D60B648B/Suite.app/Frameworks/UILibrary.framework/UILibrary
       0x109be8000 -        0x10ad87fff FridaGadget.dylib arm64e  <d957eed7d40f30c98bb7849eed00e207> /private/var/containers/Bundle/Application/82E982C3-77AA-402C-948E-6969D60B648B/Suite.app/Frameworks/FridaGadget.dylib
       0x19c556000 -        0x19c5d58b7 libsystem_c.dylib arm64e  <027de04c2929357bb6a3701405aab6be> /usr/lib/system/libsystem_c.dylib
       0x1bb01b000 -        0x1bb0b5013 dyld arm64e  <189fe4805d5b3b89928958bc88624420> /usr/lib/dyld
               0x0 - 0xffffffffffffffff ??? unknown-arch  <00000000000000000000000000000000> ???
       0x1e518f000 -        0x1e51c8b77 libsystem_kernel.dylib arm64e  <9d196db4701331768c025b4c68701c92> /usr/lib/system/libsystem_kernel.dylib
       0x21ea5e000 -        0x21ea6a3fb libsystem_pthread.dylib arm64e  <00306a1f11183f8690bdd18b5ed5409f> /usr/lib/system/libsystem_pthread.dylib

EOF

Environment (please complete the following information):

• Device: Ipad
• OS: Macos
• Frida Version Latest
• Objection Version Latest

Could be frida problem

[IPMegladon]

Latest Frida means you are using 17.0.5 correct?
Similarly I assume you are using the latest pip release objection and not the latest dev build?
Finally please provide the ios version.

[CorruptionHades]

I switched to frida 16.7.19 and gadget aswell.
Im on IpadOS 18.4.1.
I managed to launch the app with frida gadget injected using
xcrun devicectl device process launch --device 00008030-000971923AC3C02E --start-stopped me.corruptionhades.TestProj
but when launching it normally without debugger attached it crashes instantly. Is there a way to fix this so that my modded app can be run without the need of being connected to a macbook

[CorruptionHades]

I've analysed and written a frida script for my app which mods it. Is there a way to have the frida gadget work in a non debug enviroment because when I set 'code_signing' to required my script stops working, probably because the frida gadget cannot modify a signed application. But is there a way around this?

[IPMegladon]

My ios ecosystem knowledge is quite limited but I wonder if this is not also AMFI related (#661), you can try see if you get the same not a main binary error in the syslog during startup, though I don't see anything directly related in the crash log you provided.
If this is the issue I do not currently know how to solve it, I would guess that the entitlements would have to be stripped from the Frida dylib and moved to the main binary.
Unfortunately I do not have an ios 18 device to test with which makes it very difficult for me to replicate the issue and test.

[nsstream]

Same problem

[testingbetaversion]

Same issue on iOS 18.5

[CorruptionHades]

Now I just use node applesign for signing because that works flawlessly

[tienbui2307]

Hi @CorruptionHades , I have same issue with frida 16.7.19 and IOS 18.7.1. Can you provide detailed steps to work around it using the applesign you mentioned above? Tks.