描述错误 将项目内的dumpDex实现移植到root模块下,对某游戏进行注入后脱壳时发现smali全是nop(但是没有其他异常,顺利执行),于是开启了fixCodeItem,但是开启后一脱壳直接就崩了
设备信息
运行日志 6:08:58.592 10495-10772/? E/CRASH: signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0000007141ff7e80 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: Build type 'Release', Scripting Backend 'il2cpp', CPU 'arm64-v8a' 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: Build fingerprint: 'Xiaomi/dipper/dipper:8.1.0/OPM1.171019.026/V10.0.6.0.OEACNFH:user/release-keys' 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: Revision: '0' 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: pid: 10495, tid: 10772, name: pool-1-thread-1 >>> com.xxx.xxx <<< 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x0 000000710f7bc208 x1 0000007141ff7e80 x2 0000000000000018 x3 0000000000000030 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x4 000000711ffc0910 x5 00000071ddc25465 x6 0000000000000005 x7 000000000000fffd 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x8 000000710f7bc208 x9 000000000026ae64 x10 0000000000000000 x11 0000007141ff7e80 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x12 0000000000000018 x13 0000000000000018 x14 0000000000000000 x15 0000000000000000 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x16 00000071412618c0 x17 00000071de6f6b90 x18 0000000012d2bcf8 x19 0000007115717000 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x20 0000000000000000 x21 0000007115717000 x22 000000711ffc17fc x23 00000071ddc264c8 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x24 0000000000000010 x25 000000711ffc2588 x26 00000071157170a0 x27 0000000000000004 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x28 000000711ffc1530 x29 000000711ffc0eb0 x30 00000071411502c0 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: sp 000000711ffc0cb0 pc 00000071de6f6ba8 pstate 0000000020000000 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: backtrace: 2021-06-17 06:08:58.619 10495-10772/? E/CRASH: #00 pc 000000000000068c [vdso] () 2021-06-17 06:08:58.619 10495-10772/? E/CRASH: #01 pc 0000000000001ba4 /system/lib64/libc.so () 2021-06-17 06:08:58.619 10495-10772/? 
E/CRASH: #02 pc 00000000000722bc () 这个就是dumpDex所在的so
其他说明
IDA看了一下,崩在了fixCodeItem里最后那个memcpy上,看了下寄存器(x1 与 fault addr 相同,即 memcpy 的 source 参数),应该是崩在了source地址,也就是new_code_item上
// IDA pseudo-code as pasted into the issue. NOTE: the markdown rendering stripped
// pointer '*' and leading '__' from several tokens (e.g. "void v12" was "void *v12",
// "int64 fastcall" was "__int64 __fastcall"); tokens are kept exactly as pasted.
//
// Walks every class_def of dex `a2`; for each method it can resolve through
// main::findMethod it copies a code item from `a3 + <dex code-item offset read from
// the ArtMethod>` over that method's code item inside `a2`. Returns the last
// NumClassDefs(a2) value (the loop bound).
//
// Crash, per the log above: SIGSEGV / SEGV_ACCERR with fault addr == x1 (memcpy's
// source under the AArch64 calling convention) and x2 == 0x18 (the length), i.e.
// `v24` points at a page that is not readable. Nothing below checks that the offset
// added to `a3` lies inside the region mapped behind `a3`, nor that `a3` is the
// base the ArtMethod's offset is relative to -- if the method's own dex is not the
// one at `a3`, the offset is meaningless here (cannot be confirmed from this listing).
int64 fastcall fixCodeItem(main a1, const art_lkchan::DexFile a2, int64 a3)
{
  int64 result; // x0
  int64 v4; // x1  -- never assigned below: register-carried value IDA could not recover
  const char v5; // x4  -- same
  void v6; // x1  -- same
  const char v7; // [xsp+40h] [xbp-1C0h]
  _JNIEnv v8; // [xsp+50h] [xbp-1B0h]
  unsigned int v9; // [xsp+84h] [xbp-17Ch]
  __int64 v10; // [xsp+98h] [xbp-168h]
  size_t v11; // [xsp+B4h] [xbp-14Ch]
  void v12; // [xsp+B8h] [xbp-148h]
  ArtM v13; // [xsp+C0h] [xbp-140h]
  int64 v14; // [xsp+C8h] [xbp-138h]
  const char v15; // [xsp+D0h] [xbp-130h]
  int64 v16; // [xsp+D8h] [xbp-128h]
  int64 v17; // [xsp+F8h] [xbp-108h]
  const unsigned __int8 v18; // [xsp+100h] [xbp-100h]
  unsigned int16 *v19; // [xsp+108h] [xbp-F8h]
  unsigned int64 i; // [xsp+110h] [xbp-F0h]
  const void *v24; // [xsp+140h] [xbp-C0h]
  int64 v25[2]; // [xsp+160h] [xbp-A0h] BYREF
  char v26[24]; // [xsp+170h] [xbp-90h] BYREF
  char v27[24]; // [xsp+188h] [xbp-78h] BYREF
  char v28[72]; // [xsp+1A0h] [xbp-60h] BYREF
  int64 v29; // [xsp+1E8h] [xbp-18h]

  // Presumably the stack-protector cookie read from TPIDR_EL0 + 40 (bionic TLS slot);
  // decompiler artifact, not program logic -- confirm.
  v29 = (_QWORD )(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  // class_def index loop; the bound is re-read from the dex on every iteration.
  for ( i = 0LL; ; ++i )
  {
    result = art_lkchan::DexFile::NumClassDefs(a2);
    if ( i >= (unsigned int)result )
      break;
    // class_def and its class_data; a null class_data means nothing to walk.
    v19 = (unsigned int16 )art_lkchan::DexFile::GetClassDef(a2, (unsigned int16)i);
    v18 = (const unsigned int8 )art_lkchan::DexFile::GetClassData(a2, v19);
    v17 = art_lkchan::DexFile::GetTypeId(a2, v19);
    v10 = art_lkchan::DexFile::GetTypeDescriptor(a2, v17);
    // v27: std::string holding the class's type descriptor; destroyed at loop end.
    std::string::basic_string<decltype(nullptr)>(v27, v10);
    if ( v18 )
    {
      art_lkchan::ClassDataItemIterator::ClassDataItemIterator((art_lkchan::ClassDataItemIterator )v28, a2, v18);
      // Fields are skipped; only methods are visited below.
      art_lkchan::ClassDataItemIterator::SkipAllFields((art_lkchan::ClassDataItemIterator )v28);
      while ( (art_lkchan::ClassDataItemIterator::HasNextMethod(v28) & 1) != 0 )
      {
        v9 = art_lkchan::ClassDataItemIterator::GetMemberIndex(v28);
        v16 = art_lkchan::DexFile::GetMethodId(a2, v9);
        v15 = (const char )art_lkchan::DexFile::GetMethodName(a2, v16);
        v25[0] = art_lkchan::DexFile::GetMethodSignature(a2, v16);
        v25[1] = v4;
        // Signature::ToString's result presumably lands in v26 (destroyed at the end
        // of this loop body); IDA did not recover the return -- confirm.
        art_lkchan::Signature::ToString(v25);
        // sub_73268(std::string*) looks like a c_str()-style accessor (its results are
        // passed as strings to findMethod); the _JNIEnv cast on v8 is a decompiler
        // typing artifact -- verify.
        v8 = (_JNIEnv )sub_73268(v27);
        v7 = (const char )sub_73268(v26);
        // Resolve the Java method by class descriptor, name and signature.
        v14 = main::findMethod(a1, v8, v15, v7, v5);
        if ( v14 )
        {
          v13 = (ArtM )ArtM::GetArtMethod(a1, v14);
          // Destination: this method's code item inside the mapped dex `a2`. The
          // memcpy below requires that mapping to be writable -- not established here.
          v12 = (void )art_lkchan::ClassDataItemIterator::GetMethodCodeItem(v28);
          if ( (unsigned int)art_lkchan::ClassDataItemIterator::GetMethodCodeItemOffset(v28) )
          {
            if ( v12 )
            {
              // Copy length comes from an indirect call through `a2 + 48` (a function
              // pointer held by the DexFile object) applied to the *destination* item;
              // presumably a code-item size -- confirm.
              v11 = (*(int64 (__fastcall )(const art_lkchan::DexFile , void ))((_QWORD )a2 + 48LL))(a2, v12);
              // Source: `a3` plus a 32-bit offset read from the ArtMethod. There is no
              // check that the offset (or offset + v11) stays inside the region behind
              // `a3`, and no check that the source item is really v11 bytes long.
              v24 = (const void )(a3 + (unsigned int)ArtM::GetArtMethodDexCodeItemOffset(v13, v6));
              // Crashes here (reporter): SEGV_ACCERR on the source address. Because the
              // length is derived from the destination, a readable but differently sized
              // source item would still over-read or over-write silently.
              memcpy(v12, v24, v11);
            }
          }
        }
        else
        {
          // findMethod failed: clear whatever JNI exception the lookup left pending so
          // the next iteration starts clean.
          _JNIEnv::ExceptionClear((_JNIEnv )a1);
        }
        art_lkchan::ClassDataItemIterator::Next((art_lkchan::ClassDataItemIterator *)v28);
        std::string::~string(v26);
      }
    }
    std::string::~string(v27);
  }
  // Stack-protector cookie re-read (epilogue check); decompiler artifact -- see v29.
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return result;
}
请发送游戏下载地址提供测试。
fixCodeItem挂掉可能鉴于多种情况,后续我再优化下看看吧
http://static.benghuai.com/Download/v8_3/Original.StripResource_8.3.8_293_unsign.signed_QKXs.apk
描述错误 将项目内的dumpDex实现移植到root模块下,对某游戏进行注入后脱壳时发现smali全是nop(但是没有其他异常,顺利执行),于是开启了fixCodeItem,但是开启后一脱壳直接就崩了
设备信息
运行日志 6:08:58.592 10495-10772/? E/CRASH: signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0000007141ff7e80 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: Build type 'Release', Scripting Backend 'il2cpp', CPU 'arm64-v8a' 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: Build fingerprint: 'Xiaomi/dipper/dipper:8.1.0/OPM1.171019.026/V10.0.6.0.OEACNFH:user/release-keys' 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: Revision: '0' 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: pid: 10495, tid: 10772, name: pool-1-thread-1 >>> com.xxx.xxx <<< 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x0 000000710f7bc208 x1 0000007141ff7e80 x2 0000000000000018 x3 0000000000000030 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x4 000000711ffc0910 x5 00000071ddc25465 x6 0000000000000005 x7 000000000000fffd 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x8 000000710f7bc208 x9 000000000026ae64 x10 0000000000000000 x11 0000007141ff7e80 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x12 0000000000000018 x13 0000000000000018 x14 0000000000000000 x15 0000000000000000 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x16 00000071412618c0 x17 00000071de6f6b90 x18 0000000012d2bcf8 x19 0000007115717000 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x20 0000000000000000 x21 0000007115717000 x22 000000711ffc17fc x23 00000071ddc264c8 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x24 0000000000000010 x25 000000711ffc2588 x26 00000071157170a0 x27 0000000000000004 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: x28 000000711ffc1530 x29 000000711ffc0eb0 x30 00000071411502c0 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: sp 000000711ffc0cb0 pc 00000071de6f6ba8 pstate 0000000020000000 2021-06-17 06:08:58.592 10495-10772/? E/CRASH: backtrace: 2021-06-17 06:08:58.619 10495-10772/? E/CRASH: #00 pc 000000000000068c [vdso] () 2021-06-17 06:08:58.619 10495-10772/? E/CRASH: #01 pc 0000000000001ba4 /system/lib64/libc.so () 2021-06-17 06:08:58.619 10495-10772/? 
E/CRASH: #02 pc 00000000000722bc () 这个就是dumpDex所在的so
其他说明
IDA看了一下,崩在了fixCodeItem里最后那个memcpy上,看了下寄存器(x1 与 fault addr 相同,即 memcpy 的 source 参数),应该是崩在了source地址,也就是new_code_item上
// IDA pseudo-code as pasted into the issue. NOTE: the markdown rendering stripped
// pointer '*' and leading '__' from several tokens (e.g. "void v12" was "void *v12",
// "int64 fastcall" was "__int64 __fastcall"); tokens are kept exactly as pasted.
//
// Walks every class_def of dex `a2`; for each method it can resolve through
// main::findMethod it copies a code item from `a3 + <dex code-item offset read from
// the ArtMethod>` over that method's code item inside `a2`. Returns the last
// NumClassDefs(a2) value (the loop bound).
//
// Crash, per the log above: SIGSEGV / SEGV_ACCERR with fault addr == x1 (memcpy's
// source under the AArch64 calling convention) and x2 == 0x18 (the length), i.e.
// `v24` points at a page that is not readable. Nothing below checks that the offset
// added to `a3` lies inside the region mapped behind `a3`, nor that `a3` is the
// base the ArtMethod's offset is relative to -- if the method's own dex is not the
// one at `a3`, the offset is meaningless here (cannot be confirmed from this listing).
int64 fastcall fixCodeItem(main a1, const art_lkchan::DexFile a2, int64 a3)
{
  int64 result; // x0
  int64 v4; // x1  -- never assigned below: register-carried value IDA could not recover
  const char v5; // x4  -- same
  void v6; // x1  -- same
  const char v7; // [xsp+40h] [xbp-1C0h]
  _JNIEnv v8; // [xsp+50h] [xbp-1B0h]
  unsigned int v9; // [xsp+84h] [xbp-17Ch]
  __int64 v10; // [xsp+98h] [xbp-168h]
  size_t v11; // [xsp+B4h] [xbp-14Ch]
  void v12; // [xsp+B8h] [xbp-148h]
  ArtM v13; // [xsp+C0h] [xbp-140h]
  int64 v14; // [xsp+C8h] [xbp-138h]
  const char v15; // [xsp+D0h] [xbp-130h]
  int64 v16; // [xsp+D8h] [xbp-128h]
  int64 v17; // [xsp+F8h] [xbp-108h]
  const unsigned __int8 v18; // [xsp+100h] [xbp-100h]
  unsigned int16 *v19; // [xsp+108h] [xbp-F8h]
  unsigned int64 i; // [xsp+110h] [xbp-F0h]
  const void *v24; // [xsp+140h] [xbp-C0h]
  int64 v25[2]; // [xsp+160h] [xbp-A0h] BYREF
  char v26[24]; // [xsp+170h] [xbp-90h] BYREF
  char v27[24]; // [xsp+188h] [xbp-78h] BYREF
  char v28[72]; // [xsp+1A0h] [xbp-60h] BYREF
  int64 v29; // [xsp+1E8h] [xbp-18h]

  // Presumably the stack-protector cookie read from TPIDR_EL0 + 40 (bionic TLS slot);
  // decompiler artifact, not program logic -- confirm.
  v29 = (_QWORD )(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  // class_def index loop; the bound is re-read from the dex on every iteration.
  for ( i = 0LL; ; ++i )
  {
    result = art_lkchan::DexFile::NumClassDefs(a2);
    if ( i >= (unsigned int)result )
      break;
    // class_def and its class_data; a null class_data means nothing to walk.
    v19 = (unsigned int16 )art_lkchan::DexFile::GetClassDef(a2, (unsigned int16)i);
    v18 = (const unsigned int8 )art_lkchan::DexFile::GetClassData(a2, v19);
    v17 = art_lkchan::DexFile::GetTypeId(a2, v19);
    v10 = art_lkchan::DexFile::GetTypeDescriptor(a2, v17);
    // v27: std::string holding the class's type descriptor; destroyed at loop end.
    std::string::basic_string<decltype(nullptr)>(v27, v10);
    if ( v18 )
    {
      art_lkchan::ClassDataItemIterator::ClassDataItemIterator((art_lkchan::ClassDataItemIterator )v28, a2, v18);
      // Fields are skipped; only methods are visited below.
      art_lkchan::ClassDataItemIterator::SkipAllFields((art_lkchan::ClassDataItemIterator )v28);
      while ( (art_lkchan::ClassDataItemIterator::HasNextMethod(v28) & 1) != 0 )
      {
        v9 = art_lkchan::ClassDataItemIterator::GetMemberIndex(v28);
        v16 = art_lkchan::DexFile::GetMethodId(a2, v9);
        v15 = (const char )art_lkchan::DexFile::GetMethodName(a2, v16);
        v25[0] = art_lkchan::DexFile::GetMethodSignature(a2, v16);
        v25[1] = v4;
        // Signature::ToString's result presumably lands in v26 (destroyed at the end
        // of this loop body); IDA did not recover the return -- confirm.
        art_lkchan::Signature::ToString(v25);
        // sub_73268(std::string*) looks like a c_str()-style accessor (its results are
        // passed as strings to findMethod); the _JNIEnv cast on v8 is a decompiler
        // typing artifact -- verify.
        v8 = (_JNIEnv )sub_73268(v27);
        v7 = (const char )sub_73268(v26);
        // Resolve the Java method by class descriptor, name and signature.
        v14 = main::findMethod(a1, v8, v15, v7, v5);
        if ( v14 )
        {
          v13 = (ArtM )ArtM::GetArtMethod(a1, v14);
          // Destination: this method's code item inside the mapped dex `a2`. The
          // memcpy below requires that mapping to be writable -- not established here.
          v12 = (void )art_lkchan::ClassDataItemIterator::GetMethodCodeItem(v28);
          if ( (unsigned int)art_lkchan::ClassDataItemIterator::GetMethodCodeItemOffset(v28) )
          {
            if ( v12 )
            {
              // Copy length comes from an indirect call through `a2 + 48` (a function
              // pointer held by the DexFile object) applied to the *destination* item;
              // presumably a code-item size -- confirm.
              v11 = (*(int64 (__fastcall )(const art_lkchan::DexFile , void ))((_QWORD )a2 + 48LL))(a2, v12);
              // Source: `a3` plus a 32-bit offset read from the ArtMethod. There is no
              // check that the offset (or offset + v11) stays inside the region behind
              // `a3`, and no check that the source item is really v11 bytes long.
              v24 = (const void )(a3 + (unsigned int)ArtM::GetArtMethodDexCodeItemOffset(v13, v6));
              // Crashes here (reporter): SEGV_ACCERR on the source address. Because the
              // length is derived from the destination, a readable but differently sized
              // source item would still over-read or over-write silently.
              memcpy(v12, v24, v11);
            }
          }
        }
        else
        {
          // findMethod failed: clear whatever JNI exception the lookup left pending so
          // the next iteration starts clean.
          _JNIEnv::ExceptionClear((_JNIEnv )a1);
        }
        art_lkchan::ClassDataItemIterator::Next((art_lkchan::ClassDataItemIterator *)v28);
        std::string::~string(v26);
      }
    }
    std::string::~string(v27);
  }
  // Stack-protector cookie re-read (epilogue check); decompiler artifact -- see v29.
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return result;
}