When i executed bash bfinject -P Reddit -L test, i received this error:

bfinject: line 43: wc: command not found
[!] "Reddit" was not uniquely found, please check your criteria.

Where do i take the wc command from? I tried searching in Cydia but it's not in the default sources.

[Electra 1.0.1] - iOS 11.1.2

Thanks!

with tweaks disabled electra, i get "[!] Unknown jailbreak. Aborting." could someone help?

Please Support Unc0ver Jailbreak

I tried using 'test' and 'decrypt' features with an app which displayed a modal view when launched.
In that case, although the library injection did succeed, no UI from 'test' or 'decrypt' was shown.

I wonder if something could be done about it?

iPhone 7
iOS 12.1.2
Chimera jailbreak 1.0.2

iPhone:~ root# bash bfinject4realz -p 571 -L cycript
bfinject4realz: bfinject4realz: cannot execute binary file

i get this error when I try and crack an IPA from the iTunes store Instead of app store. (iTunes store is on pc)

My device is iPhone 7 (Global), iOS 11.1.1(15B150), using LiberiOS 11.0.3 jailbreak.

If I tap "YES" after decryption complete, the app will get stuck.

By the way, I ssh to my device by usbmuxd.

See the screenshot below.

every time i got this Error on electra
11.1.1-
1.0.4

Can someone help me how can i get The target app TEAM ID ? Iam new in bfinject :(
And when i try to run the bash bfinject -P 714 -L test it said no Team id

I recently installed Electra and installed bfinject and am getting this error when I try to run anything:

iPhone:~/bfinject root# bash bfinject -p 402 -L test
[+] Electra detected.
bfinject: line 172: md5sum: command not found
bfinject: line 173: md5sum: command not found
cp: '/electra/usr/local/bin/bfinject4realz' and '/electra/usr/local/bin/bfinject4realz' are the same file
bfinject: line 184: tail: command not found
bfinject: line 184: cut: command not found
[+] Injecting into ''
[+] Getting Team ID from target application...
bfinject: line 199: tail: command not found
bfinject: line 199: cut: command not found
bfinject: line 199: cut: command not found
[+] WARNING: No Team ID found. Continuing regardless, but expect weird stuff to happen.
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID  and platform entitlements...
jtool /electra/usr/local/bin/ signing error. barfing.

I also tried running the command with -P instead of the PID and when I do that I get:
'[!] "Appname" was not uniquely found, please check your criteria'

I'm not sure what's going on, the only thing I can think of that was odd was when I installed Electra and went to my general settings, there was no 'devices and profile management' section where I had to click 'trust' to launch Electra -- and Electra launched fine and jailbroke. I think that this may just be because I have a full apple developer account however.

Also, I did install Electra with tweaks disabled

Thanks!

Running bfinject on iOS 11.2.2 with Electra 1.3.2 and it stuck at at the following phase.

iphone:/usr/local/tools/bfinject root# ./bfinject -p 4699 -L decrypt
[+] Electra detected.
[+] Injecting into '/var/containers/Bundle/Application/5E39DFBF-881B-459D-9DCB-64DAA52196B6/Recolor.app/Recolor'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID TW66A342VK and platform entitlements...

When I manually run "bfinject4realz 4699 bfdecrypt.dylib", I get the following error.

[bfinject4realz] Returned from 'dlerror' 3262e1c3(682,0x1b27b4b80) malloc: *** mach_vm_map(size=6092734464) failed (error code=3)

Any idea on this? Any more info that is required?

Hi, I'm trying this on Electra b7 and get the error (regardless what app):

/bootstrap/bfinject root# bash bfinject -p 481 -L decrypt [+] Electra detected. [+] Injecting into '/var/containers/Bundle/Application/4F70322B-9079-4490-81EA-40C4AAF12CD5/Reddit.app/Reddit' [+] Getting Team ID from target application... [+] Signing injectable .dylib with Team ID 2TDUX39LX8 and platform entitlements... bfinject: line 182: 0a89bbca313be61ff6194fab53cd0e30: command not found [+] So long and thanks for all the fish.

There might be as well a bug with binaries, which have spaces like 1-2-3 Tanken or DB Navigator.
Thanks for the great work.

I'm reading the guide and at the end of the cycript section there's this text: "You can connect to Cycript from your MacBook like this (assuming you installed Cycript into ~/bin/)"

I don't happen to have a Mac and I really want to run Cycript with my iPad. Is there any equivalent step for Windows?

I'm running Electra 11-3 on an iPhone 5S with iOS 11.0.3.

I did a fresh Electra install with No Tweaks and followed the Electra instructions with the most recent version of bfinject. I'm seeing these errors when running:

bash bfinject -P Reddit -L test

[+] Electra detected.
bfinject: line 163: md5: command not found
bfinject: line 164: md5: command not found
cp: '/bootstrap/usr/local/bin/bfinject4realz' and '/bootstrap/usr/local/bin/bfinject4realz' are the same file
[+] Injecting into '/var/containers/Bundle/Application/F0ABA1CC-E72A-4D88-AF1C-95D855B3BA83/Reddit.app/Reddit'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID 2TDUX39LX8 and platform entitlements...
jtool /bootstrap/usr/local/bin/ signing error. barfing.
Coles-iPhone:~/bfinject root# 

Any ideas? Thanks!

sh bfinject -p APP_PROCESS_NUM -L decrypt
ipa created successfully, but the Plugin/xxx.appex/xxx is not decrypted.

I've tried the appex executable's process number:

[+] Electra detected.
[+] Injecting into '/private/var/containers/Bundle/Application/46E55B2F-C46C-496A-90F1-007456442C35/DemoApp.app/PlugIns/DemoAppEx.appex/DemoAppEx'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID JAU66K5B9X and platform entitlements...
[bfinject4realz] Calling task_for_pid() for PID 396.
[bfinject4realz] Calling thread_create() on PID 396
[bfinject4realz] Looking for ROP gadget... found at 0x180ca7118
[bfinject4realz] Fake stack frame at 0x102aa4000
[bfinject4realz] Calling _pthread_set_self() at 0x180f7471c...
[bfinject4realz] Returned from '_pthread_set_self'
[bfinject4realz] Calling dlopen() at 0x180ca6e7c...
[bfinject4realz] Returned from 'dlopen'
[bfinject4realz] Success! Library was loaded at 0x12fe503b0
[+] So long and thanks for all the fish.

It seems like -L decrypt does NOT support appex at all ?

Unfortunately I can't inject into WhatsApp.app... bfinject returns success, but not even the simple dylib injection creates the success popup on the iPhone

root@iPhone (/jb/bfinject) #bash bfinject -P WhatsApp.app -L iSpy
[+] Liberios detected
[+] Injecting into '/var/containers/Bundle/Application/22991067-E622-4525-BC16-12287B29005D/WhatsApp.app/WhatsApp'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID 57T9237FN3 and platform entitlements...
[bfinject4realz] Calling task_for_pid() for PID 835.
[bfinject4realz] Calling thread_create() on PID 835
[bfinject4realz] Looking for ROP gadget... found at 0x102fc6c08
[bfinject4realz] Fake stack frame at 0x12a800000
[bfinject4realz] Calling _pthread_set_self() at 0x186bff804...
[bfinject4realz] Returned from '_pthread_set_self'
[bfinject4realz] Calling dlopen() at 0x1869bf460...
[bfinject4realz] Returned from 'dlopen'
[bfinject4realz] Success! Library was loaded at 0x1c01f0e00
[+] So long and thanks for all the fish.

if inject system app, it will exit at thread_create(). can this support system app?

Issue

bfinject needs the app to be launched successfully, because it searches process name using ps.
Some applications I want to decrypt doesn't launch in jailbroken environment, so I need to decrypt them without launching it (or before launching process finishes).

Suggestion

Is it impossible to decrypt AppStore apps without launching it? The decrypting program called Clutch could do it (even though it doesn't seem to support iOS11).

Example

I could not test/decrypt/cycript com.aniplex.kirarafantasia app on AppStore [Link].
It has a jailbreak detection function when launching, and it kills itself quickly and bfinject cannot detect the app.
Please refer to the following log:

root# bash bfinject -P com.aniplex.kirarafantasia -L test
[!] "com.aniplex.kirarafantasia" was not uniquely found, please check your criteria.

This happens when I use either the PID, the executable name or the .app name.

Here's some examples:
bash bfinject -P flipbounce.app -L test
bash bfinject -P flipbounce -L test

Here's an example of when I use the PID:
bash bfinject -p flipbounce.app -L test

Output:
[+] Electra detected.
cp: '/bootstrap/usr/local/bin/bfinject4realz' and '/bootstrap/usr/local/bin/bfinject4realz' are the same file
[+] Injecting into ''
[+] Getting Team ID from target application...
[+] WARNING: No Team ID found. Continuing regardless, but expect weird stuff to happen.
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID and platform entitlements...
jtool /bootstrap/usr/local/bin/ signing error. barfing.

Research
After reviewing the script, it seems like there's a problem with grep. Here's an example:
ps -ax | grep flipbounce

Output
Killed

Hello,

I used BFinject to decrypt the twitter app as a test. I then transferred the decrypted ipa to my laptop using the tutorial provided. I tried to make the extension a .zip to unzip it but then it turns into a .cpgz. So i tried to run "class-dump -H twitter.ipa" and I get the error: class-dump: Input file (twitter.ipa) is neither a Mach-O file nor a fat archive. I tried this with other apps and the same things happen. Im just trying to load the ipa into ida-pro.

Anything will help, thanks.

First off, thanks for making bfinject. It's been a great learning tool for me. 😄

I'm on an iPhone 6 11.1.2 LiberiOS 11.0.3

When I try to decrypt or test the YouTube app. dlopen will fail to load the dylib. I've seen this a few times in other apps as well.

Any suggestions on what I can do?

root# bash bfinject -P YouTube -L decrypt
[+] Liberios detected
[+] Injecting into '/var/containers/Bundle/Application/B840EDE7-9E66-417C-8E4E-5B6BFFD7F394/YouTube.app/YouTube'
[+] Getting Team ID from target application...
[+] WARNING: No Team ID found. Continuing regardless, but expect weird stuff to happen.
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID  and platform entitlements...
[bfinject4realz] Calling task_for_pid() for PID 359.
[bfinject4realz] Calling thread_create() on PID 359
[bfinject4realz] Looking for ROP gadget... found at 0x1831c34e0
[bfinject4realz] Fake stack frame at 0x11f800000
[bfinject4realz] Calling _pthread_set_self() at 0x183403804...
[bfinject4realz] Returned from '_pthread_set_self'
[bfinject4realz] Calling dlopen() at 0x1831c3460...
[bfinject4realz] Returned from 'dlopen'
[bfinject4realz] ERROR: dlopen() failed to load the dylib.returned 0x0 (FAILURE)
[bfinject4realz] Calling dlerror() at 0x1831c32b0...
[bfinject4realz] Returned from 'dlerror'
41441718d5f6d4b7f3a15032f28e1728(1152,0x1b4384b80) malloc: *** mach_vm_map(size=6151880704) failed (error code=3)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug
[bfinject4realz] dlerror() returned: (null)
[+] So long and thanks for all the fish.

state.__pc and gadgetAddress will never be equal and causes infinite loop in iOS12.

Cycript 在iOS11.3.1上无法正常工作，请问现在能支持用Electra越狱的iOS11.3.1系统上正常运行吗？

IPad:~/bfinject-master root# ba
sh bfinject -P pushTanApp -L test
[+] Electra detected.
[+] Injecting into '/var/containers/Bund
le/Application/8410D1BF-BA8E-4459-84A7-0
D9AF603B098/pushTanApp.app/pushTanApp'
[+] Getting Team ID from target applicat
ion...
[+] Thinning dylib into non-fat arm64 im
age
[+] Signing injectable .dylib with Team
ID 9VCS76GRPT and platform entitlements.
..
[bfinject4realz] Calling task_for_pid()
for PID 1973.
[bfinject4realz] Calling thread_create()
on PID 1973
[bfinject4realz] Looking for ROP gadget.
.. found at 0x18303b118
[bfinject4realz] Fake stack frame at 0x1
055a8000
[bfinject4realz] Calling _pthread_set_se
lf() at 0x18330871c...
[bfinject4realz] Returned from '_pthread
_set_self'
[bfinject4realz] Calling dlopen() at 0x1
8303ae7c...
[bfinject4realz] Returned from 'dlopen'
[bfinject4realz] ERROR: dlopen() failed
to load the dylib.returned 0x0 (FAILURE)
[bfinject4realz] Calling dlerror() at 0x
18303accc...
[bfinject4realz] Returned from 'dlerror'
b23e11113793c2005cb0ea5861c9437c -(2097
,0x1b56aab40) malloc: *** mach_vm_map(si
ze=6099107840) failed (error code=3)
*** error: can't allocate region
*** set a breakpoint in malloc_error_bre
ak to debug
[bfinject4realz] dlerror() returned: (nu
ll)
[+] So long and thanks for all the fish.

I am testing a beta version of an application that was not installed from the App Store. When trying to use bfinject, a team ID is not found. I tried to debug by echoing the TEAMID variable when executing bfinject, but there are no results from JTOOL. It does not appear there are any entitlements for the application.

This is the following error I obtain:

new frida dump tool, no environment is required，support(win,macos,linux)

fd bagbak 通讯录

https://github.com/a97077088/fd

I'm trying to inject my library into a few applications (both AppStore & Enterprise Distribution signed) on iPhone8 (11.3), but the applications crash. The same dylib injects and works fine on other devices (only tried with 11.4b3).

iPhone:/User/Downloads/bfinject root# /bin/bash -c '/User/Downloads/bfinject/bfinject -p `ps -e | grep "[M]yAppName$" | while read -a array; do echo "${array[0]}" ; done` -l /User/Downloads/MyLib.dylib'
[+] Electra detected.
[+] Injecting into '/var/containers/Bundle/Application/12345678-90AB-CDEF-1234-567890ABCD/MyAppName.app/MyAppName'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID XXXXXXXXXX and platform entitlements...
[bfinject4realz] Calling task_for_pid() for PID 3503.
[bfinject4realz] Calling thread_create() on PID 3503
[bfinject4realz] Looking for ROP gadget... found at 0x18260b118
[bfinject4realz] Fake stack frame at 0x10e1e8000
[bfinject4realz] Calling _pthread_set_self() at 0x1828d871c...
[bfinject4realz] Returned from '_pthread_set_self'
[bfinject4realz] Calling dlopen() at 0x18260ae7c...

here, bfinject hangs, and the app crashes.

Attached is the crashed thread stack trace and relevant info from the crash report:

...
Hardware Model: iPhone10,1
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd [1]

OS Version: iPhone OS 11.3 (15E216)
Baseband Version: 1.89.00
Report Version: 104

Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001825d8d10
Termination Signal: Trace/BPT trap: 5
Termination Reason: Namespace SIGNAL, Code 0x5
Terminating Process: exc handler [0]
Triggered by Thread: 18

Application Specific Information:
BUG IN LIBDISPATCH: Unexpected error from mach_msg_receive
Abort Cause 268451847

Filtered syslog:
None found

Thread 18 name: Dispatch queue: com.apple.main-thread
Thread 18 Crashed:
0 libdispatch.dylib 0x00000001825d8d10 _dispatch_mach_send_and_wait_for_reply + 1544
1 libdispatch.dylib 0x00000001825d8938 _dispatch_mach_send_and_wait_for_reply + 560
2 libdispatch.dylib 0x00000001825d8e30 dispatch_mach_send_with_result_and_wait_for_reply$VARIANT$armv81 + 56
3 libxpc.dylib 0x00000001829148d8 xpc_connection_send_message_with_reply_sync + 196
4 CoreFoundation 0x0000000182c4ed08 __80-[CFPrefsSearchListSource alreadylocked_generationCountFromListOfSources:count:]_block_invoke_3.143 + 40
5 CoreFoundation 0x0000000182cf5d04 -[_CFXPreferences withConnectionForRole:performBlock:] + 48
6 CoreFoundation 0x0000000182c4ecd4 __80-[CFPrefsSearchListSource alreadylocked_generationCountFromListOfSources:count:]_block_invoke_2.142 + 124
7 libsystem_trace.dylib 0x00000001828f5c70 _os_activity_initiate_impl + 60
8 CoreFoundation 0x0000000182c4ec2c __80-[CFPrefsSearchListSource alreadylocked_generationCountFromListOfSources:count:]_block_invoke.140 + 124
9 CoreFoundation 0x0000000182c4e74c CFPREFERENCES_IS_WAITING_FOR_SYSTEM_CFPREFSD + 48
10 CoreFoundation 0x0000000182c4e984 -[CFPrefsSearchListSource alreadylocked_generationCountFromListOfSources:count:] + 184
11 CoreFoundation 0x0000000182c4f238 -[CFPrefsSearchListSource alreadylocked_copyDictionary] + 384
12 CoreFoundation 0x0000000182ceac58 -[CFPrefsSource copyDictionary] + 56
13 CoreFoundation 0x0000000182c4f088 -[CFPrefsSearchListSource generationCount] + 48
14 CoreFoundation 0x0000000182c4f020 -[CFPrefsSearchListSource handleRemoteChangeNotificationForDomainIdentifier:] + 308
15 CoreFoundation 0x0000000182ce9a34 -[CFPrefsSource forEachObserver:] + 288
16 CoreFoundation 0x0000000182cea100 -[CFPrefsSource setValues:forKeys:count:removeValuesForKeys:count:from:] + 348
17 CoreFoundation 0x0000000182cea304 -[CFPrefsSource setValue:forKey:from:] + 64
18 CoreFoundation 0x0000000182ceb55c -[_CFXPreferences+ 1566044 (SourceAdditions) withSourceForIdentifier:user:byHost:container:cloud:perform:] + 744
19 CoreFoundation 0x0000000182c50334 -[_CFXPreferences+ 930612 (SearchListAdditions) with23930198HackSourceForIdentifier:user:byHost:container:cloud:perform:] + 360
20 CoreFoundation 0x0000000182cf4810 -[_CFXPreferences setValue:forKey:identifier:user:host:container:] + 160
21 CoreFoundation 0x0000000182bfb7ec CFPreferencesSetValue + 136
22 ...56963a9152.dylib.arch_arm64 0x000000010cd18b30 0x10cd0c000 + 52016
23 libobjc.A.dylib 0x0000000181e6e9f0 call_load_methods + 184
24 libobjc.A.dylib 0x0000000181e6fb58 load_images + 76
25 dyld 0x00000001012f20c8 dyld::notifySingle+ 8392 (dyld_image_states, ImageLoader const*, ImageLoader::InitializerTimingList*) + 384
26 dyld 0x000000010130212c ImageLoader::recursiveInitialization+ 74028 (ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 440
27 dyld 0x00000001013011cc ImageLoader::processInitializers+ 70092 (ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 136
28 dyld 0x0000000101301288 ImageLoader::runInitializers+ 70280 (ImageLoader::LinkContext const&, ImageLoader::InitializerTimingList&) + 84
29 dyld 0x00000001012f5614 dyld::runInitializers+ 22036 (ImageLoader*) + 88
30 dyld 0x00000001012fb934 dlopen + 1024
31 libdyld.dylib 0x000000018260aef0 dlopen + 116
32 libdyld.dylib 0x000000018260b118 _dyld_find_unwind_sections + 136

Thread 18 crashed with ARM Thread State (64-bit):
x0: 0x0000000010004007 x1: 0x000000000400400e x2: 0x0000000000000000 x3: 0x0000000000004000
x4: 0x0000000000001603 x5: 0x0000000000000000 x6: 0x0000000000002503 x7: 0x00000000000003e2
x8: 0x0000000010004007 x9: 0x000000000400400e x10: 0x0000000141054000 x11: 0x0000000140ffbf80
x12: 0x0000000000000018 x13: 0x0000000010000004 x14: 0x0000000000100031 x15: 0x0000000000000000
x16: 0xffffffffffffffe1 x17: 0xffffffd0ffffffff x18: 0x0000000000000000 x19: 0x00000000efffbffe
x20: 0x0000000140ff7f80 x21: 0x0000000000004000 x22: 0x0000000000000000 x23: 0x0000000140ff7f80
x24: 0x0000000000001603 x25: 0x0000000000000000 x26: 0x0000000000002503 x27: 0x000000000400400e
x28: 0x00000001825d8dd8 fp: 0x0000000140ffc0a0 lr: 0x00000001825d8938
sp: 0x0000000140ff7f80 pc: 0x00000001825d8d10 cpsr: 0x80000000

Hi its me again. I used the newest version, and now it says that there is no teamid. Starting from line 122, I ran jtool --sig --ent "$BINARY" (which the shell code itself does) and it shows all of the information for the signature, so it must be something with the shell code after it - 2> /dev/null | grep 'Team ID' | head -n1 |sed 's/ //g'|cut -f2 -d:|cut -f1 -d(`. As I am no shell code guru I am stuck again, any help?

Using bfinject on an iPhone 6S running iOS 11.1.2 and LiberiOS 11.0.3 results in "[!] Unknown jailbreak. Aborting.".
Any ideas on that?

Can this be updated to support the recent Electra jailbreak?

https://coolstar.org/electra/

Currently I'm getting the following error: [!] Unknown jailbreak. Aborting.

Hi, after last update Core Utilities (8.29-1) it stopped working again. Now md5sum is not found. What now? Thanks

iPhone:~/bfinject root# bash bfinject -p 1566 -L test
[+] Electra detected.
bfinject: line 172: md5sum: command not found
bfinject: line 173: md5sum: command not found
cp: '/electra/usr/local/bin/bfinject4realz' and '/electra/usr/local/bin/bfinject4realz' are the same file
bfinject: line 184: tail: command not found
bfinject: line 184: cut: command not found
[+] Injecting into ''
[+] Getting Team ID from target application...
bfinject: line 199: tail: command not found
bfinject: line 199: cut: command not found
bfinject: line 199: cut: command not found
[+] WARNING: No Team ID found. Continuing regardless, but expect weird stuff to happen.
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID and platform entitlements...
jtool /electra/usr/local/bin/ signing error. barfing.

If the binary name contains a space, the script fails.

BINARY=`ps` -o pid,command $PID|tail -n1|sed 's/^\ *//g'|cut -f2 -d\ `

This cuts off the name after a space :-(

Hi, I tried that on my phone(Jailbroken using Electra 1.0.4 iOS 11.1.2).When I try to decrypt Facebook IPA I get this(Image below)

https://66.media.tumblr.com/bfe85c35905af729eb94a904a37ad082/tumblr_pgcyvkhJjL1xpfagko1_1280.png

How to fix?Thanks in advance.

Using latest commit on i7 11.1, with LiberiOS 11.0.3:

bash bfinject -p 813 -l /jb/bfinject/test.dylib
[+] Injecting into '/var/containers/Bundle/Application/E7C4881E-DA00-4DE0-83B1-463896AECD42/Twitter.app/Twitter'
[+] Getting Team ID from target application...
[+] Signing injectable .dylib with Team ID N66CZ3Y3BX and platform entitlements...
[+] Injecting /jb/bfinject/test.dylib into target application, PID 813
[+] LiberiOS assumed. Using Bishop Fox bfinject to inject the dylib
[bfinject] Getting tfp.
[bfinject] Creating new remote thread
[bfinject] Thread ID: 3075 (0xc03)
[bfinject] Looking for RET gadget in the target app...
gadget candidate: 0x104f27db8 ... Found @ 0x104f27db8
[bfinject] Fake stack frame is 536870912 bytes at 0x11536c000 in remote proc
[bfinject] Looking for '_pthread_set_self' in the target process...
[bfinject] Desired function '_pthread_set_self' is at 0x185ee3804
[bfinject] Setting registers with destination function
[bfinject] New CPU state:
$pc = 0x185ee3804
$sp = 0x12d36c000
$x0 = 0x0
$x1 = 0x0
$x2 = 0x0
$x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfinject] Looking for 'dlopen' in the target process...
[bfinject] Desired function 'dlopen' is at 0x185ca3460
[bfinject] Setting registers with destination function
[bfinject] New CPU state:
$pc = 0x185ca3460
$sp = 0x12d36c000
$x0 = 0x11536c000
$x1 = 0xa
$x2 = 0x0
$x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfinject] dlopen() returned 0x0 (FAILURE)
[bfinject] Looking for 'dlerror' in the target process...
[bfinject] Desired function 'dlerror' is at 0x185ca32b0
[bfinject] Setting registers with destination function
[bfinject] New CPU state:
$pc = 0x185ca32b0
$sp = 0x12d36c000
$x0 = 0x0
$x1 = 0x0
$x2 = 0x0
$x3 = 0x0
[bfinject] Resuming thread with hijacked regs
[bfinject] Waiting for thread to hit the infinite loop gadget...
[bfinject] We hit the infinite loop, call complete. Restoring stack and registers.
[bfdecrypt] dlerror() returned: dlopen(/System/Library/Frameworks/ec5c0d1e8fc4688149972a6c2426cb34.framework/ec5c0d1e8fc4688149972a6c2426cb34.dylib, 10): no suitable image found. Did find:
/System/Library/Frameworks/ec5c0d1e8fc4688149972a6c2426cb34.framework/ec5c0d1e8fc4688149972a6c2426cb34.dylib: code signature invalid for '/System/Library/Frameworks/ec5c0d1e8fc4688149972a6c2426cb34.framework/ec5c0d1e8fc4688149972a6c2426cb34.dylib'

[+] So long and thanks for all the fish.

I keep getting this error along with "bfinject: line 43: wc: command not found." I am using Electra, made sure the "Tweaks" option was disabled and rebooted beforehand. Is there anything I'm missing?
Thank you.

-bash-3.2# wget https://github.com/BishopFox/bfinject/raw/master/bfinject.tar
-bash: wget: command not found

Getting this error on i7 11.1, running LiberiOS 11.0.3:

-bash-3.2# bash bfinject -p 813 -l /jb/bfinject/test.dylib
[+] Injecting into '/var/containers/Bundle/Application/E7C4881E-DA00-4DE0-83B1-463896AECD42/Twitter.app/Twitter'
[+] Getting Team ID from target application...
[+] Signing injectable .dylib with Team ID com.atebits.Tweetie2 and platform entitlements...
jtool dylib signing error. barfing.
total 264
-rwxr-xr-x  1 root  wheel  133216 Jan 23 16:56 bffd24d9a145056f32ee3b9599c3a3c8.dylib

When trying to load into SpringBoard it says

A-iP6S:/var/mobile/Documents/bfinject root# bash bfinject -P SpringBoard -L cycript
[!] "SpringBoard" was not uniquely found, please check your criteria.

Is this intentional? Perhaps write a note on the README and shortly explain why might be a good idea? Just a suggestion though.

[bfinject4realz] Calling dlopen() at 0x180cdee7c... [bfinject4realz] Returned from 'dlopen' [bfinject4realz] ERROR: dlopen() failed to load the dylib.returned 0x0 (FAILURE) [bfinject4realz] Calling dlerror() at 0x180cdeccc... [bfinject4realz] Returned from 'dlerror' 4bd5fbead65852c23bb3956d335cfa55 -(4117,0x1b358ab40) malloc: *** mach_vm_map(size=6123749376) failed (error code=3) *** error: can't allocate region *** set a breakpoint in malloc_error_break to debug [bfinject4realz] dlerror() returned: (null)
App: https://itunes.apple.com/de/app/sparkasse-ihre-mobile-filiale/id320599923?mt=8
App only opens if Tweak Mode is disabled

Error is in the title. It happens no matter what app I try it on and I’ve tried restarting, rejailbreaking, all that jazz, none of its helped. The command I’m running is “bash bfinject -P Reddit.app -L test”. Any idea as to what’s up?

Platform: Electra Latest (With all updates and dev tools from the repo)

The issue I am getting is the following

$ root# bash bfinject -P BAFlights -L decrypt
Æ!Å Unknown jailbreak. Aborting.

When will ios12.0 be supported

This error gets thrown while I try to decrypt applications. I believe this issue is due to the .dylib not being signed.

[+] Injecting into '/var/containers/Bundle/Application/D98C23B4-8B41-49E8-9858-B46B77D770DD/Reddit.app/Reddit'
[+] Getting Team ID from target application...
[+] Signing injectable .dylib with Team ID com.reddit.Reddit and platform entitlements...
jtool dylib signing error. barfing.

Upon reviewing the code, line 159 : jtool --sign platform --ent entitlements.xml --inplace --teamid $TEAMID $DYLIB_PATH > /dev/null 2>&1 is where the error occurs. Specifically, the platform and --teamid are what cause the errors. tool doesn't recognize those two arguments.

jtool /bootstrap/usr/local/bin/ signing error. barfing.