PAGalaxyLab / YAHFA

Yet Another Hook Framework for ART
GNU General Public License v3.0

On Android R, after an app has been optimized by dex2oat, getThread hits a null pointer #144

Closed Art-Chen closed 3 years ago

Art-Chen commented 3 years ago

02-27 16:59:30.246 6552 6552 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x81
02-27 16:59:30.246 6552 6552 F DEBUG : Cause: null pointer dereference
02-27 16:59:30.246 6552 6552 F DEBUG : x0 0000007d8b414c00 x1 0000007d8b414c00 x2 00000000706869a0 x3 0000000000000002
02-27 16:59:30.246 6552 6552 F DEBUG : x4 0000007fff724c6c x5 0000000000000001 x6 0000000000000001 x7 0000000000000010
02-27 16:59:30.246 6552 6552 F DEBUG : x8 000000000000007d x9 0000000000080100 x10 0000000000430000 x11 000000000608c608
02-27 16:59:30.246 6552 6552 F DEBUG : x12 0000000000371168 x13 0000000000645d00 x14 000000000051cd00 x15 ffffffffffffffff
02-27 16:59:30.246 6552 6552 F DEBUG : x16 0000007d04f32298 x17 0000007c95149e64 x18 0000007d8c300000 x19 0000007d8b414c00
02-27 16:59:30.246 6552 6552 F DEBUG : x20 000000009bd210a4 x21 000000001325a4f8 x22 00000000132588a8 x23 0000000013258880
02-27 16:59:30.246 6552 6552 F DEBUG : x24 000000009ed8b850 x25 0000007d8b84c000 x26 00000000132588a8 x27 00000000706bd9e0
02-27 16:59:30.246 6552 6552 F DEBUG : x28 00000000706bebb8 x29 0000007fff724c90
02-27 16:59:30.246 6552 6552 F DEBUG : lr 0000007d04f322b8 sp 0000007fff724c60 pc 0000007d04f3233c pst 0000000060000000
02-27 16:59:30.341 6552 6552 F DEBUG : backtrace:
02-27 16:59:30.341 6552 6552 F DEBUG : #00 pc 000000000061d33c /apex/com.android.art/lib64/libart.so (art::GoToRunnable(art::Thread)+68) (BuildId: e816044f5c15e759551cfa0804943935)
02-27 16:59:30.341 6552 6552 F DEBUG : #01 pc 000000000061d2b4 /apex/com.android.art/lib64/libart.so (art::JniMethodEnd(unsigned int, art::Thread)+28) (BuildId: e816044f5c15e759551cfa0804943935)
02-27 16:59:30.341 6552 6552 F DEBUG : #02 pc 00000000000d40b4 /data/dalvik-cache/arm64/system@system_ext@priv-app@MiuiSystemUI@MiuiSystemUI.apk@classes.dex (art_jni_trampoline+164)
02-27 16:59:30.341 6552 6552 F DEBUG : #03 pc 00000000006588a4 [anon:dalvik-main space (region space)]

Reproducible by installing the app, running cmd package bg-dexopt-job as root, and then rebooting the phone or restarting the app.

Art-Chen commented 3 years ago

After adding attribute((naked)) to getThread, it now looks like this; after clearing dalvik-cache everything works normally again:

02-27 17:38:48.347 12186 12186 E YAHFA: failed to find libart.so handle
02-27 17:38:48.347 12186 12186 E YAHFA: failed to find symbols: classLinker 0x0, MakeInitializedClassesVisiblyInitialized 0x0
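The crash dump in the first comment and the YAHFA error lines in the comment above are plain logcat "threadtime" records. As an added example (not code from YAHFA or from anyone in this thread), here is a small Python parser for that format: it extracts the signal, fault address and cause from the debuggerd DEBUG lines, splits each backtrace frame into pc, mapped path, symbol and BuildId, and collects the E-level YAHFA messages. The sample input is constructed from the lines quoted in this issue, re-split one record per line; the "fault address inside the first page" heuristic in looks_like_null_deref is my own rule of thumb, not something ART documents.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the records quoted in this issue, one per line.
SAMPLE_LOG = """\
02-27 16:59:30.246  6552  6552 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x81
02-27 16:59:30.246  6552  6552 F DEBUG   : Cause: null pointer dereference
02-27 16:59:30.246  6552  6552 F DEBUG   :     x0  0000007d8b414c00  x1  0000007d8b414c00  x2  00000000706869a0  x3  0000000000000002
02-27 16:59:30.341  6552  6552 F DEBUG   : backtrace:
02-27 16:59:30.341  6552  6552 F DEBUG   :       #00 pc 000000000061d33c  /apex/com.android.art/lib64/libart.so (art::GoToRunnable(art::Thread)+68) (BuildId: e816044f5c15e759551cfa0804943935)
02-27 16:59:30.341  6552  6552 F DEBUG   :       #01 pc 000000000061d2b4  /apex/com.android.art/lib64/libart.so (art::JniMethodEnd(unsigned int, art::Thread)+28) (BuildId: e816044f5c15e759551cfa0804943935)
02-27 16:59:30.341  6552  6552 F DEBUG   :       #02 pc 00000000000d40b4  /data/dalvik-cache/arm64/system@system_ext@priv-app@MiuiSystemUI@MiuiSystemUI.apk@classes.dex (art_jni_trampoline+164)
02-27 16:59:30.341  6552  6552 F DEBUG   :       #03 pc 00000000006588a4  [anon:dalvik-main space (region space)]
02-27 17:38:48.347 12186 12186 E YAHFA: failed to find libart.so handle
02-27 17:38:48.347 12186 12186 E YAHFA: failed to find symbols: classLinker 0x0, MakeInitializedClassesVisiblyInitialized 0x0
"""

# logcat -v threadtime: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG : message"
LOGCAT_RE = re.compile(
    r'^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d+)\s+'
    r'(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+'
    r'(?P<tag>[^\s:]+)\s*:\s?(?P<msg>.*)$')
SIGNAL_RE = re.compile(
    r'signal (?P<signo>\d+) \((?P<signame>\w+)\), code (?P<code>-?\d+) '
    r'\((?P<codename>\w+)\), fault addr (?P<addr>0x[0-9a-fA-F]+)')
# Mapped path is either "[anon:... with spaces]" or a non-blank token.
FRAME_RE = re.compile(
    r'#(?P<num>\d+)\s+pc\s+(?P<pc>[0-9a-fA-F]+)\s+'
    r'(?P<path>\[[^\]]*\]|\S+)\s*(?P<rest>.*)$')
BUILDID_RE = re.compile(r'\s*\(BuildId:\s*(?P<id>[0-9a-fA-F]+)\)\s*$')


@dataclass
class Frame:
    num: int
    pc: int
    path: str
    symbol: Optional[str]
    build_id: Optional[str]


@dataclass
class CrashReport:
    signal: Optional[str] = None
    code: Optional[str] = None
    fault_addr: Optional[int] = None
    cause: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)
    yahfa_errors: List[str] = field(default_factory=list)


def parse_frame(msg: str) -> Optional[Frame]:
    """Split a backtrace line; the symbol may itself contain parentheses,
    so strip the trailing BuildId first instead of matching it with a regex."""
    m = FRAME_RE.search(msg)
    if not m:
        return None
    rest, build_id = m.group('rest'), None
    bm = BUILDID_RE.search(rest)
    if bm:
        build_id, rest = bm.group('id'), rest[:bm.start()]
    rest = rest.strip()
    symbol = rest[1:-1] if rest.startswith('(') and rest.endswith(')') else None
    return Frame(int(m.group('num')), int(m.group('pc'), 16),
                 m.group('path'), symbol, build_id)


def parse_log(text: str) -> CrashReport:
    report = CrashReport()
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m:
            continue
        tag, level, msg = m.group('tag'), m.group('level'), m.group('msg').strip()
        if tag == 'YAHFA' and level == 'E':
            report.yahfa_errors.append(msg)
            continue
        if tag != 'DEBUG':          # only debuggerd's tombstone excerpt matters here
            continue
        sm = SIGNAL_RE.search(msg)
        if sm:
            report.signal, report.code = sm.group('signame'), sm.group('codename')
            report.fault_addr = int(sm.group('addr'), 16)
            continue
        if msg.startswith('Cause:'):
            report.cause = msg[len('Cause:'):].strip()
            continue
        frame = parse_frame(msg)
        if frame:
            report.frames.append(frame)
    return report


def looks_like_null_deref(report: CrashReport, page_size: int = 4096) -> bool:
    """Heuristic (assumption, not an ART rule): a SIGSEGV whose fault address
    lies in the first page is a load/store through NULL plus a small field
    offset (0x81 here), which is what debuggerd reports as 'null pointer dereference'."""
    return (report.signal == 'SIGSEGV' and report.fault_addr is not None
            and report.fault_addr < page_size)


def crashing_module(report: CrashReport) -> Optional[str]:
    """Innermost symbolized frame, i.e. where the fault actually happened."""
    for f in report.frames:
        if f.symbol:
            return f'{f.path} {f.symbol}'
    return None


if __name__ == '__main__':
    r = parse_log(SAMPLE_LOG)
    print(r.signal, r.code, hex(r.fault_addr), r.cause)
    print('null deref?', looks_like_null_deref(r))
    print('innermost:', crashing_module(r))
    for f in r.frames:
        print(f'#{f.num:02d} {f.path} {f.symbol} {f.build_id}')
    for e in r.yahfa_errors:
        print('YAHFA error:', e)
```

Run against a full logcat capture, the parser shows at a glance that the fault happened inside libart.so (art::GoToRunnable, called from art::JniMethodEnd) and was reached through the odex'd art_jni_trampoline under /data/dalvik-cache, which is the link to dex2oat that the reporter describes; the BuildId lets you match the libart.so that crashed against the one you are reading symbols from.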

rk700 commented 3 years ago

The getThread JNI method only moves registers; that method on its own shouldn't cause an exception. I'm not sure whether compiler optimization did something to it.

Art-Chen commented 3 years ago

> The getThread JNI method only moves registers; that method on its own shouldn't cause an exception. I'm not sure whether compiler optimization did something to it.

Now the problem is that libart can't be obtained; the getThread part was my own mistake. For now the only option is to find a way to disable the dexopt optimization. Once libart can't be obtained, the Make Visibility step can't be done, and then as soon as the kAccNative flag is set, it crashes outright. Even if I add a variable to set that flag dynamically, static methods still can't be hooked...

ghost commented 3 years ago

You could try disabling dex2oat; see the EdXposed source code for disabling dex2oat as a reference, and keep the JIT compilation mode.

Art-Chen commented 3 years ago

> You could try disabling dex2oat; see the EdXposed source code for disabling dex2oat as a reference, and keep the JIT compilation mode.

I've already disabled dexopt for the relevant package name by hooking the framework layer. EdXposed's way of disabling it seems to be implemented with inline hooks, which would conflict when EdXposed hooks this app.