0NullBit0 / NullTrace-Injector

Inject shared libraries into processes on Android (real/emulator device supported)
Apache License 2.0

error path restrictions #4

Open bapanxd opened 7 months ago

bapanxd commented 7 months ago

This is the first error I got when using the /data/local/tmp path:

    ~ $ su
    :/data/data/com.termux/files/home # cd /data/local/tmp
    :/data/local/tmp # ./NullInject -p com.dts.freefireth -lib /data/local/tmp/libhwui.so
    Found target process
    Starting Injection
    [NullTrace] Starting library injection
    [NullTrace] LIBC Malloc Address: 78dfe89bf0
    LIBC Free Address: 78dfe89b28
    LIBDL Dlopen Address: 78e0dbb018
    LIBDL Dlsym Address: 78e0dbb048
    [NullTrace] Allocated memory for string at Address: 0x77efaa6460
    [NullTrace] Successfully written string into allocated memory
    [NullTrace] Allocated Path: 2F 64 61 74 61 2F 6C 6F 63 61 6C 2F 74 6D 70 2F 6C 69 62 68 77 75 69 2E 73 6F 00
    libLR as : libRS.so
    [NullTrace] libLR base: 7853a63000
    [NullTrace] failed injection 0x0
    [NullTrace] DlError message: dlopen failed: couldn't map "/data/local/tmp/libhwui.so" segment 1: Permission denied

This is the 2nd error I got after using the home directory of Termux:

    ject -p com.dts.freefireth -lib /data/data/com.termux/libhwui.so <
    Found target process
    Starting Injection
    [NullTrace] Starting library injection
    [NullTrace] LIBC Malloc Address: 78dfe89bf0
    LIBC Free Address: 78dfe89b28
    LIBDL Dlopen Address: 78e0dbb018
    LIBDL Dlsym Address: 78e0dbb048
    [NullTrace] Allocated memory for string at Address: 0x7765f4e7c0
    [NullTrace] Successfully written string into allocated memory
    [NullTrace] Allocated Path: 2F 64 61 74 61 2F 64 61 74 61 2F 63 6F 6D 2E 74 65 72 6D 75 78 2F 6C 69 62 68 77 75 69 2E 73 6F 00
    libLR as : libRS.so
    [NullTrace] libLR base: 7853a63000
    [NullTrace] failed injection 0x0
    [NullTrace] DlError message: dlopen failed: library "/data/data/com.termux/libhwui.so" not found

I think that the problem is because of some path restrictions, because if I use any device under Android 11 it works perfectly. My device's Android version is 11 and I'm getting this error. The device is rooted.

0NullBit0 commented 7 months ago

I once had a similar issue for /data/local/tmp. Giving the library permissions fixed it, can you try doing chmod 777 libhwui.so and tell me how it goes?

bapanxd commented 7 months ago

Yeah, I did grant 777 permission but I faced that error. But if I use any other path like /dev/ I get the error DlError message: dlopen failed: library "/dev/libhwui.so" not found. I tried to figure out the reason and I got it: there are some restrictions on the device, so I used mmap to allocate the path to our own process, then I tried and it works. I fixed it, but I'm still getting freezing issues in the target process; I'm currently trying to fix that.

This is the code I'm using instead of remoteString:

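    // Fragment from inside a function that returns a pointer; `path` is a std::string.
    // Needs <fcntl.h>, <sys/mman.h>, <sys/stat.h>, <unistd.h>, <cerrno>, <cstring>, <iostream>.

    // Open the library file read-only.
    int fd = open(path.c_str(), O_RDONLY);
    if (fd == -1) {
        std::cerr << "Failed to open library file: " << strerror(errno) << std::endl;
        return nullptr;
    }

    // Query the file size so the whole file can be mapped.
    struct stat fileStat;
    if (fstat(fd, &fileStat) == -1) {
        std::cerr << "Failed to get file information: " << strerror(errno) << std::endl;
        close(fd);
        return nullptr;
    }

    // Map the file read+execute into the address space of the calling process.
    void* addr = mmap(nullptr, fileStat.st_size, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    if (addr == MAP_FAILED) {
        std::cerr << "Failed to map library file into memory: " << strerror(errno) << std::endl;
        close(fd);
        return nullptr;
    }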

If I use this code instead of remoteString then I get the injection successful message, but the problem is that with this code I get stuck in the game. So I think remoteString has code that gets the file data in bytes, converts that into hex and then writes it into memory, and we are not using that here. Could that be a reason for the game getting stuck? I don't have any idea; if you clarify the reason for me maybe I can make it work on my device.

0NullBit0 commented 7 months ago

The code snippet you provided will map the whole library in the LOCAL process and will therefore have no effect in the target process. Malloc will work fine, so I don't think that's the problem, since we already saw that the path got written successfully: [NullTrace] Allocated Path: 2F 64 61 74 61 2F 64 61 74 61 2F 63 6F 6D 2E 74 65 72 6D 75 78 2F 6C 69 62 68 77 75 69 2E 73 6F 00

Could you please do this on the library and send a screenshot: ls -l libhwui.so

bapanxd commented 7 months ago

IMG_20240401_085440_914

Let me clear one thing: I've tested with the same lib and the game in a virtual and it works fine. I'm only getting this problem on rooted devices, not only mine; I've tested on my other rooted devices and they all have the same problem. The Android versions are 11 and 12.

BryanGIG commented 7 months ago

> Let me clear one thing: I've tested with the same lib and the game in a virtual and it works fine. I'm only getting this problem on rooted devices, not only mine; I've tested on my other rooted devices and they all have the same problem. The Android versions are 11 and 12.

A virtual app is like having two memories in the same parent pid. mmap may work in this case. But when injecting with the root method, there are two completely different pids and owners, so it should not be possible to mmap in your own process and then expect it to just work on the target process.

0NullBit0 commented 6 months ago

@bapanxd I have updated the repository completely now and I might have an idea of why this is happening: it might be due to a library/system/app architecture mismatch. Can you run these two commands please and send a screenshot of the outputs? Make sure the library's architecture is supported by the app and matches.

    getprop ro.product.cpu.abi

and

    file (libraryname).so
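
Seen from the receiving app's side, a library that was loaded from a path such as /data/local/tmp appears as an executable, file-backed mapping in /proc/self/maps. The check below is an added example (not part of this thread or of NullTrace-Injector) that flags such mappings; the trusted-prefix list, the name findForeignExecMappings and the sample maps text are assumptions constructed for illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Assumed allow-list of directories the app expects executable code to come from.
static const std::vector<std::string> kTrustedPrefixes = {
    "/system/", "/apex/", "/vendor/", "/data/app/"};

struct Finding { std::string range, perms, path; };

// Scan text in /proc/<pid>/maps format and return executable, file-backed
// mappings whose backing file lies outside the trusted prefixes.
std::vector<Finding> findForeignExecMappings(const std::string& mapsText) {
    std::vector<Finding> findings;
    std::istringstream lines(mapsText);
    std::string line;
    while (std::getline(lines, line)) {
        std::istringstream fields(line);
        std::string range, perms, offset, dev, inode, path;
        if (!(fields >> range >> perms >> offset >> dev >> inode)) continue;
        std::getline(fields >> std::ws, path);              // path may contain spaces
        if (perms.size() < 3 || perms[2] != 'x') continue;  // not executable
        if (path.empty() || path[0] != '/') continue;       // anonymous, [vdso], ...
        bool trusted = false;
        for (const auto& prefix : kTrustedPrefixes)
            if (path.compare(0, prefix.size(), prefix) == 0) trusted = true;
        if (!trusted) findings.push_back({range, perms, path});
    }
    return findings;
}

// Constructed sample (not captured from a device); addresses are made up.
static const char* kSampleMaps =
    "7853a63000-7853a70000 r-xp 00000000 fd:00 1201 /system/lib64/libRS.so\n"
    "78dfe40000-78dfec0000 r-xp 00000000 fd:00 1342 /apex/com.android.runtime/lib64/bionic/libc.so\n"
    "77ef000000-77ef004000 r--p 00000000 fd:05 9001 /data/local/tmp/libhwui.so\n"
    "77ef004000-77ef010000 r-xp 00004000 fd:05 9001 /data/local/tmp/libhwui.so\n"
    "7765f00000-7765f20000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n"
    "7fd0000000-7fd0001000 r-xp 00000000 00:00 0 [vdso]\n";

int main() {
    for (const auto& f : findForeignExecMappings(kSampleMaps))
        std::cout << "unexpected executable mapping: " << f.path
                  << " (" << f.range << " " << f.perms << ")\n";
    return 0;
}
```

On a device the same function can be fed the contents of /proc/self/maps instead of the constructed sample.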