
crash bug while hook an arm64 function #25

Closed
supernghia89 opened this issue Nov 30, 2022 · 6 comments
Labels
bug Something isn't working

Comments

@supernghia89

ShadowHook Version

1.0.4

Android OS Version

9

Android ABIs

arm64-v8a

Device Manufacturers and Models

LDPlayer 9

Describe the Bug

I got a crash bug while hooking this function

image

Another function is working well, but this function crashes.

I'm using an Android emulator called LDPlayer 9, the latest build.

tombstone: tombstone_00.zip

Thanks!

@supernghia89 supernghia89 added the bug Something isn't working label Nov 30, 2022
@caikelun
Member

Thanks for the feedback.

Analysis from the tombstone: the direct cause of the crash is that the hook uses a 16-byte long jump (LDR + BR + 8-byte absolute address), so the instruction-overwriting operation during the hook is not atomic, and there is a certain probability of a crash. In addition, the hooked function is only 12 bytes, so this kind of hook must be problematic.

memory near pc (/data/app/com.lixgames.tianlong2.mobile-evVLD1ZjWV6nlIW2_otrSQ==/lib/arm64/libunity.so):
    000000000359d330 b94d0100f0007a28 f0007a28d65f03c0  (z....M..._.(z..
    000000000359d340 d65f03c0f9468500 d61f022058000051  ..F..._.Q..X ...
    000000000359d350 00007ffff301f070 350000e839745108  p........Qt9...5
d61f022058000051:
LDR X17, #8
BR X17

00007ffff301f070:
the absolute address of the proxy function 

There are two doubts:

  1. Why does libunity.so have no rwx permissions displayed in maps? shadowhook will retain the memory permission as rwx after hooking.
00000000'0328c000-00000000'04412fff r-x         0   1187000  /data/app/com.lixgames.tianlong2.mobile-evVLD1ZjWV6nlIW2_otrSQ==/lib/arm64/libunity.so (BuildId: dc55bf6d6e7b221212e95062206bc39732191327)
00000000'04413000-00000000'04422fff r--         0     10000
00000000'04423000-00000000'04468fff r--   1187000     46000  /data/app/com.lixgames.tianlong2.mobile-evVLD1ZjWV6nlIW2_otrSQ==/lib/arm64/libunity.so (BuildId: dc55bf6d6e7b221212e95062206bc397321913)
00000000'04469000-00000000'04483fff rw-   11cd000     1b000  /data/app/com.lixgames.tianlong2.mobile-evVLD1ZjWV6nlIW2_otrSQ==/lib/arm64/libunity.so (BuildId: dc55bf6d6e7b221212e95062206bc397321913)
  2. Why didn't shadowhook use libunity.so's ELF gap as a trampoline to do a 4-byte short jump (B)? This is the safest way to hook. Maybe you can provide libunity.so's program header and section header information (llvm-readelf -Shl libunity.so).

These two doubts may be related to the simulator. shadowhook is not widely used in the simulator, and there are some other known problems in the simulator.

In addition, you can also provide the logcat information of shadowhook (turn on the debug switch during initialization; logcat tag: shadowhook_tag).
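To make the two jump forms in the analysis above concrete, here is an added example in C (not ShadowHook's own code). It decodes the 16-byte LDR X17 / BR X17 / absolute-address sequence from the tombstone bytes quoted above, encodes and decodes the 4-byte B instruction a trampoline in the ELF gap would use, checks the B range limit (±128 MiB), and checks whether a patch of either size fits inside a function body. The sample bytes are copied from the tombstone dump; the 12-byte function size and the trampoline address used in main() are assumptions for illustration.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed from the tombstone dump at 0x359d348: the little-endian 64-bit
 * words d61f022058000051 and 00007ffff301f070 laid out as bytes. */
static const uint8_t kPatchedBytes[16] = {
    0x51, 0x00, 0x00, 0x58,                          /* 0x58000051  LDR X17, #8 */
    0x20, 0x02, 0x1f, 0xd6,                          /* 0xd61f0220  BR  X17     */
    0x70, 0xf0, 0x01, 0xf3, 0xff, 0x7f, 0x00, 0x00   /* 0x00007ffff301f070      */
};

#define LONG_JUMP_BYTES  16              /* LDR + BR + 8-byte absolute address */
#define SHORT_JUMP_BYTES 4               /* one B instruction                  */
#define B_RANGE_BYTES    (1LL << 27)     /* B reaches -128 MiB .. +128 MiB - 4 */

/* Loads assume a little-endian host, as on AArch64 itself. */
static uint32_t load_u32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t load_u64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* LDR (literal), 64-bit: bits 31:24 = 0x58, imm19 in bits 23:5, Rt in 4:0. */
static bool decode_ldr_literal(uint32_t insn, unsigned *rt, int64_t *offset) {
    if ((insn >> 24) != 0x58) return false;
    int32_t imm19 = (int32_t)(insn << 8) >> 13;      /* sign-extend bits 23:5 */
    *rt = insn & 0x1f;
    *offset = (int64_t)imm19 * 4;
    return true;
}

/* BR Xn: fixed bits 0xD61F0000, Rn in bits 9:5. */
static bool decode_br(uint32_t insn, unsigned *rn) {
    if ((insn & 0xfffffc1fu) != 0xd61f0000u) return false;
    *rn = (insn >> 5) & 0x1f;
    return true;
}

/* Recognise the 16-byte long-jump sequence; returns its absolute target, or 0
 * if the bytes are not "LDR Xn, #8 ; BR Xn ; <8-byte address>". */
uint64_t long_jump_target(const uint8_t *p) {
    unsigned rt, rn;
    int64_t off;
    if (!decode_ldr_literal(load_u32(p), &rt, &off)) return 0;
    if (!decode_br(load_u32(p + 4), &rn)) return 0;
    if (rt != rn || off != 8) return 0;           /* literal must follow the BR */
    return load_u64(p + 8);
}

/* B imm26 (opcode 000101). Returns the encoding, or 0 if `to` is unreachable
 * from `from` (misaligned or outside +-128 MiB); 0 is never a valid B. */
uint32_t encode_b(uint64_t from, uint64_t to) {
    int64_t off = (int64_t)(to - from);
    if (off % 4 != 0 || off < -B_RANGE_BYTES || off >= B_RANGE_BYTES) return 0;
    return 0x14000000u | ((uint32_t)(off >> 2) & 0x03ffffffu);
}

/* Inverse of encode_b: the branch target of a B at address `from`, or 0. */
uint64_t decode_b(uint32_t insn, uint64_t from) {
    if ((insn >> 26) != 0x05) return 0;
    int32_t imm26 = (int32_t)(insn << 6) >> 6;       /* sign-extend bits 25:0 */
    return from + (int64_t)imm26 * 4;
}

/* A patch that spills past the end of the function corrupts whatever follows:
 * the issue's 12-byte function cannot take a 16-byte long jump. */
bool patch_fits(size_t func_bytes, size_t patch_bytes) {
    return patch_bytes <= func_bytes;
}

int main(void) {
    const uint64_t hook_site = 0x359d348;            /* from the tombstone     */
    const uint64_t gap_trampoline = 0x3000000;       /* assumed, for illustration */
    printf("long jump target: 0x%llx\n", (unsigned long long)long_jump_target(kPatchedBytes));
    printf("16-byte patch fits 12-byte function: %d\n", patch_fits(12, LONG_JUMP_BYTES));
    printf("4-byte patch fits 12-byte function:  %d\n", patch_fits(12, SHORT_JUMP_BYTES));
    uint32_t b = encode_b(hook_site, gap_trampoline);
    printf("B encoding: 0x%08x -> 0x%llx\n", b, (unsigned long long)decode_b(b, hook_site));
    return 0;
}
```

The reachability check is the decisive one: a B can only be used when a trampoline lies within ±128 MiB of the hook site, which is exactly why an ELF gap inside the target library is the preferred trampoline location, and the single 4-byte store is what makes the patch atomic against threads already executing the function.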

@supernghia89
Author

Thanks for your very detailed explanation.

I have attached libunity.so, elfdump and the shadowhook logcat here: libunity.zip

Have a nice day and thank you!

@caikelun
Member

caikelun commented Dec 1, 2022

@supernghia89 According to the logcat info, I found a bug in the sh_exit module, which should be the cause of the failure to create the trampoline in the ELF gap.

here is the patch: 56be626

and a new alpha version in MavenCentral: 1.0.5-alpha.0

Can you test this version? In addition, please provide the logcat of shadowhook again at the same time, thank you~

@supernghia89
Author

It works like a charm!!!

Thank you for the great work

I have attached the new logcat: logcat_new.txt

Have a nice day!

@caikelun
Member

caikelun commented Dec 2, 2022

> It works like a charm!!!
>
> Thank you for the great work
>
> I have attached the new logcat: logcat_new.txt
>
> Have a nice day!

As seen from the logcat, this bug has been fixed, and now it should use a 4-byte relative jump.
I will publish a new official version later. It's fine if you keep using 1.0.5-alpha.0.
Thanks again!

@caikelun
Member

caikelun commented Dec 5, 2022

The fix for this bug has been included in version v1.0.5.

@caikelun caikelun closed this as completed Dec 5, 2022