
Do Thumb instruction hooks actually work? thumb_labels is 0, crash #66

Closed
lducsm opened this issue Nov 7, 2019 · 6 comments

Comments


lducsm commented Nov 7, 2019

Android 7, 32-bit; I just picked some Thumb function to try.

ZzReplace
FunctionInlineReplaceRouting::Dispatch
InterceptRouting::Prepare
GenRelocateCode
gen_thumb_relocate_code
Thumb1RelocateSingleInst
Thumb2RelocateSingleInst
LiteCollectionIterator::withCollection(thumb_labels);

By the time it reaches withCollection, thumb_labels is 0. How can you tell?

It is defined globally as 0, but I searched and nothing anywhere assigns this pointer???
LiteMutableArray *thumb_labels;

There are only uses of it, but this isn't an assignment???
thumb_labels->pushObject

If it's 0, it just crashes.

lducsm (Author) commented Nov 7, 2019

ZzReplace
	FunctionInlineReplaceRouting::Dispatch
		InterceptRouting::Prepare
			GenRelocateCode
				gen_thumb_relocate_code
					Thumb1RelocateSingleInst
					Thumb2RelocateSingleInst
					LiteCollectionIterator::withCollection(thumb_labels);

The formatting above got lost; see this one.

lducsm (Author) commented Nov 7, 2019

Adding an initialization makes that part work, but the Thumb hook still doesn't work; it crashes before the callback is ever reached.

  LiteMutableArray tmp;
  thumb_labels = &tmp;
.text:0001E044                   EXPORT stat64
.text:0001E044                   stat64
.text:0001E044 0A 46             MOV             R2, R1                  ; Alternative name is 'stat'
.text:0001E046 01 46             MOV             R1, R0
.text:0001E048 6F F0 63 00       MOV             R0, #0xFFFFFF9C
.text:0001E04C 00 23             MOVS            R3, #0
.text:0001E04E 55 F0 9B BE       B.W             j_j_fstatat64
.text:0001E04E                   ; } // starts at 1E030
.text:0001E04E                   ; End of function stat64
libc.so:E935C044                   stat
libc.so:E935C044 0A 5F             LDRSH           R2, [R1,R4]
libc.so:E935C046 F8 00             LSLS            R0, R7, #3
libc.so:E935C048 F0 59             LDR             R0, [R6,R7]
libc.so:E935C04A 44 F1 E1 23       ADC.W           R3, R4, #0xE100E100
libc.so:E935C04E 55 F0 9B BE       B.W             j_fstatat
libc.so:E935C04E                   ; End of function stat

I'm not very familiar with hooking Thumb code. What's going on here?
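The null-pointer pattern from the opening post and the workaround in this comment, as an added example that is not Dobby's code: the global is declared but never assigned, so the first use faults at address 0, and pointing it at a stack-local `tmp` leaves a dangling pointer once that scope exits. Class and function names follow the issue; their bodies, `thumb_labels_get`, `relocate_model` and the instruction sizes (read off the stat64 listing above) are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Hypothetical stand-ins for Dobby's LiteMutableArray / LiteCollectionIterator:
// the names come from the issue, the bodies are constructed for this example.
struct LiteMutableArray {
    std::vector<uintptr_t> items;
    void pushObject(uintptr_t v) { items.push_back(v); }
    size_t getCount() const { return items.size(); }
};
struct LiteCollectionIterator {
    const LiteMutableArray *coll = nullptr;
    size_t idx = 0;
    // The report faulted at 0x0 because inCollection was null; reject null instead.
    static bool withCollection(const LiteMutableArray *inCollection, LiteCollectionIterator *out) {
        if (inCollection == nullptr) return false;
        out->coll = inCollection;
        out->idx = 0;
        return true;
    }
};
// The global exactly as the issue quotes it: declared, zero-initialized, never assigned.
LiteMutableArray *thumb_labels = nullptr;
// Fix: route every use through an accessor backed by a function-local static. Unlike a
// stack-local `tmp`, this storage outlives the relocation routine, so nothing dangles.
static LiteMutableArray *thumb_labels_get() {
    static LiteMutableArray storage;
    thumb_labels = &storage;
    thumb_labels->items.clear();  // fresh per relocation so repeated hooks don't accumulate
    return thumb_labels;
}
// Models gen_thumb_relocate_code: pushes one label (start address) per relocated instruction,
// then walks them. Returns labels walked, or -1 on a null collection (the reported condition).
int relocate_model(LiteMutableArray *labels, uintptr_t start, const std::vector<unsigned> &inst_sizes) {
    if (labels != nullptr) {
        uintptr_t pc = start;
        for (unsigned sz : inst_sizes) { labels->pushObject(pc); pc += sz; }
    }
    LiteCollectionIterator it;
    if (!LiteCollectionIterator::withCollection(labels, &it)) return -1;
    int walked = 0;
    while (it.idx < it.coll->getCount()) { it.idx++; walked++; }
    return walked;
}
// Instruction sizes of stat64 as listed in this thread: 2, 2, 4, 2, 4 bytes from 0x1E044.
const std::vector<unsigned> kStat64Sizes = {2, 2, 4, 2, 4};
```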

jmpews (Owner) commented Dec 23, 2019

The stat64 function?

(I was busy before; I've recently started working through the issues.)

@jmpews jmpews closed this as completed Dec 23, 2019
@jmpews jmpews reopened this Dec 23, 2019
@18712886438

2020-01-07 18:26:19.858 15039-15039/? A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 15039 (com.zzz.f22s4)
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG: Build fingerprint: 'Samsung/aosp_klte/klte:7.1.2/N2G47H/ikrom03122133:userdebug/test-keys'
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG: Revision: '10'
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG: ABI: 'arm'
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG: pid: 15039, tid: 15039, name: com.zzz.f22s4  >>> com.zzz.f22s4 <<<
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG:     r0 b429a660  r1 b429a660  r2 00000000  r3 b42834ac
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG:     r4 00000000  r5 b423ed30  r6 b4e2fb74  r7 be9bb4f8
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG:     r8 e9cd4813  r9 b4e2fb7c  sl 00000008  fp be9bb510
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG:     ip b4ea0948  sp be9bb4f0  lr b4e79eb5  pc acefe514  cpsr 600b0030
2020-01-07 18:26:19.928 15056-15056/? A/DEBUG: backtrace:
2020-01-07 18:26:19.928 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 0 in victim thread, signal = 11
2020-01-07 18:26:19.928 15056-15056/? A/DEBUG:     #00 pc 00009514  /data/app/com.zzz.f22s4-1/lib/arm/libdobby.so (_ZN22LiteCollectionIterator14withCollectionEPK14LiteCollection+35)
2020-01-07 18:26:19.928 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 1 in victim thread, signal = 11
2020-01-07 18:26:19.928 15056-15056/? A/DEBUG:     #01 pc 000081c7  /data/app/com.zzz.f22s4-1/lib/arm/libdobby.so (_Z23gen_thumb_relocate_codePvPijj+358)
2020-01-07 18:26:19.928 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 2 in victim thread, signal = 11
2020-01-07 18:26:19.928 15056-15056/? A/DEBUG:     #02 pc 00008707  /data/app/com.zzz.f22s4-1/lib/arm/libdobby.so (_ZN16InterceptRouting7PrepareEv+46)
2020-01-07 18:26:19.928 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 3 in victim thread, signal = 11
2020-01-07 18:26:19.928 15056-15056/? A/DEBUG:     #03 pc 0000895d  /data/app/com.zzz.f22s4-1/lib/arm/libdobby.so (_ZN28FunctionInlineReplaceRouting8DispatchEv+12)
2020-01-07 18:26:19.928 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 4 in victim thread, signal = 11
2020-01-07 18:26:19.928 15056-15056/? A/DEBUG:     #04 pc 000089dd  /data/app/com.zzz.f22s4-1/lib/arm/libdobby.so (DobbyHook+108)
2020-01-07 18:26:19.929 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 5 in victim thread, signal = 11
2020-01-07 18:26:19.929 15056-15056/? A/DEBUG:     #05 pc 00008dbd  /data/app/com.zzz.f22s4-1/lib/arm/libdobby.so (JNI_OnLoad+64)
2020-01-07 18:26:19.929 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 6 in victim thread, signal = 11
2020-01-07 18:26:19.929 15056-15056/? A/DEBUG:     #06 pc 0023c11d  /system/lib/libart.so (_ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP8_jstringPS9_+1844)
2020-01-07 18:26:19.929 15056-15056/? A/DEBUG:     #07 pc 0000315f  /system/lib/libopenjdkjvm.so (JVM_NativeLoad+178)
2020-01-07 18:26:19.929 15056-15056/? A/DEBUG:     #08 pc 73d8ac45  /data/dalvik-cache/arm/system@framework@boot.oat (offset 0x27ec000)

I think mine is a similar problem: Android 7, 32-bit, hooking open.

Soon-gz commented Jan 13, 2020

vivo, 5.1.1, 64-bit. I ran into this problem too. When using the example to hook fopen and those functions, the inCollection parameter is NULL when LiteCollectionIterator::withCollection is called, and it then crashes at inCollection->initIterator in LiteCollectionIterator::initWithCollection: SIGSEGV (signal SIGSEGV: invalid address (fault address: 0x0))

@stefan00lpf

Same problem here. Why doesn't it work as well as the earlier versions did?

@jmpews jmpews closed this as completed Aug 19, 2020
@Lamfi Lamfi mentioned this issue Dec 8, 2020