JingMatrix / LSPatch

LSPatch: A non-root Xposed framework extending from LSPosed
GNU General Public License v3.0

Msf services crashes of QQ 9.0.60 #8

Closed kmod-midori closed 4 days ago

kmod-midori commented 6 days ago

Steps to reproduce/复现步骤

  1. Patch QQ 9.0.60 6478 with integrated mode, without any module.
  2. Launch the patched application and attempt to login.

Expected behaviour/预期行为

Application should launch and run without any issues (just like in upstream LSPatch)

Actual behaviour/实际行为

Application launches, but logging into any account fails:

com.tencent.mobileqq.msf.service.MsfService timeout

Xposed Module List/Xposed 模块列表

N/A

LSPatch version/LSPatch 版本

CI build b409cd3 (debug)

Android version/Android 版本

14 with August Google system update (QPR3)

Shizuku version/Shizuku 版本

N/A

Version requirement/版本要求

Apk file/Apk 文件

No response

Logs/日志

qq_filtered.log

JingMatrix commented 6 days ago

Could you please try some other builds in the GitHub Actions and tell me if some of them work fine with you?

kmod-midori commented 6 days ago

Which versions should I try? Currently I know that the libart.so on my device is stripped and incompatible with upstream LSPlant.

JingMatrix commented 5 days ago

This one please: https://github.com/JingMatrix/LSPatch/actions/runs/10236530167

kmod-midori commented 5 days ago

qq_b8c4664_filt.log No initial crash (the first launch works), but still can't login due to that native crash.

JingMatrix commented 5 days ago

Please try the latest build to see if the issue still exists.

kmod-midori commented 5 days ago

44f5a12 does not launch at all :(

qq_44f5a12_filt_no_mod.log

JingMatrix commented 5 days ago

44f5a12 does not launch at all :(

This seems to be a build bug of CI, see https://github.com/JingMatrix/LSPosed/issues/30. My local build works well.

mario6714 commented 4 days ago

44f5a12 does not launch at all :(

This seems to be a build bug of CI, see JingMatrix/LSPosed#30. My local build works well.

Can you share your local build apk? Thanks, for testing.

JingMatrix commented 4 days ago

@mario6714 Here is a local build from my machine. localDebug.zip

mario6714 commented 4 days ago

@mario6714 Here is a local build from my machine. localDebug.zip

Can you share also the "release" version?

mario6714 commented 4 days ago

@mario6714 Here is a local build from my machine. localDebug.zip

Thanks

JingMatrix commented 4 days ago

The build bug should be fixed by the latest commit. Please try it from GitHub Actions.

mario6714 commented 4 days ago

The build bug should be fixed by the latest commit. Please try it from GitHub Actions.

Sorry, but it is not working. The app opens fine now, but it is like it doesn't have the module inside; it's like I installed the original apk.

JingMatrix commented 4 days ago

@mario6714 check that you patch and embed modules correctly. If you still have the problem, open a new issue with logs (you may ask Google or AI about how to use adb to save logs). The current issue is not related to your problem.

kmod-midori commented 4 days ago

2681111 has the exact same error. qq_2681111_filt.log

JingMatrix commented 4 days ago

@kmod-midori Are you sure that you didn't embed any modules? From the log, it seems that you at least used a module using native_api. You are using QAuxiliary, I guess.

kmod-midori commented 4 days ago

qq_2681111_filt2.log No difference with or without a module.

JingMatrix commented 4 days ago

@kmod-midori Could you please try TIM to see if LSPatch works with it?

kmod-midori commented 4 days ago

tim_2681111_filt.log No luck, crashes in the same way (and more).

JingMatrix commented 4 days ago

This bug should be related to the signature bypass:

09-13 14:51:18.935 16480 16480 D LSPosed : elf_util.cpp:365#Elf64_Addr SandHook::ElfImg::getSymbOffset(std::string_view, uint32_t, uint32_t) const: found __openat 0xaefc0 in /apex/com.android.runtime/lib64/bionic/libc.so in symtab by linear lookup
09-13 14:51:18.936 16480 16480 D LSPosed : native_api.h:62#int lspd::HookInline(void *, void *, void **): Dobby hooking (unknown symbol) (0x7b5eb1afc0) from /apex/com.android.runtime/lib64/bionic/libc.so (0x7b5ea6c000)
09-13 14:51:18.936 16480 16480 D LSPosed : bypass_sig.cpp:49#void lspd::Java_org_lsposed_lspd_nativebridge_SigBypass_enableOpenatHook(JNIEnv *, jclass, jstring, jstring): apkPath %s
09-13 14:51:18.936 16480 16480 D LSPosed : bypass_sig.cpp:50#void lspd::Java_org_lsposed_lspd_nativebridge_SigBypass_enableOpenatHook(JNIEnv *, jclass, jstring, jstring): redirectPath %s
09-13 14:51:18.936 16480 16480 I LSPatch : LSPatch bootstrap completed

The crash happens after

09-13 14:51:19.331 16480 16480 D LSPatch-SigBypass: Replace signature info for `com.tencent.mobileqq` (method 1)

It should be that the __openat function is not correctly hooked.

JingMatrix commented 4 days ago

@kmod-midori Please upload your libc.so file using

adb pull /apex/com.android.runtime/lib64/bionic/libc.so

GitHub might require you to zip it first.

JingMatrix commented 4 days ago

If there is a LSPatch version that works with QQ, please also upload the logs of it. Did you claim that the upstream LSPatch works for you?

kmod-midori commented 4 days ago

libc.zip Upstream LSPatch only worked before the ART system update. I have it available on another OneUI device, but I can't clear data or remove modules because it is in use. Do you still need the log?

On the device I'm currently testing, I have no working LSPatch.

JingMatrix commented 4 days ago

I see. To temporarily solve this problem, when you patch QQ, please choose a different signature bypass level. Currently, the signature bypass level 2 doesn't work properly.

JingMatrix commented 4 days ago

I have pushed new commits, please try it from the latest CI and post your logs. Thanks!

JingMatrix commented 4 days ago

I see. To temporarily solve this problem, when you patch QQ, please choose a different signature bypass level. Currently, the signature bypass level 2 doesn't work properly.

I tried signature bypass level 1, and it works with TIM login.

kmod-midori commented 4 days ago

qq_2325e7a_filt_no_mod.log qq_2325e7a_filt_no_mod_lv1.log

Lv1 does not work for QQ. The paths do not look wrong to me. My concern is that if they are really reading the APK file for security reasons, could this pose a risk to users' accounts?

JingMatrix commented 4 days ago

I think they are using new ways of checking signature, which are not handled by LSPatch yet. I recommend you to use the QQ from Google Play store, which works well with LSPatch as I tested.

JingMatrix commented 4 days ago

Wait, this is not a bug of LSPatch. The crash of MSF services happens even with the original APK.

Please change your QQ version.

kmod-midori commented 4 days ago

Well, it seems that the ART update broke QQ instead of LSPatch...