RusJJ / ARMPatch

Just a hook for ARM applications based on @4x11's ARMhook (i think he made it?), on Cydia's Substrate and on Rprop's And64InlineHook
MIT License

crashing arm64 #1

Closed liettua closed 2 years ago

liettua commented 2 years ago

All I'm trying to do:

uintptr_t lib = ARMPatch::getLib("libgrowtopia.so");

ARMPatch::hook(dlsym((void*)lib, "_ZN7BaseApp4DrawEv"), &hooks::BaseAppDraw, &oBaseAppDraw);

But it crashes on arm64; it works on arm.

What do I do to debug this?

Edit: I do have the hook and the original set up:

using BaseAppDraw = void (*)(int);
inline BaseAppDraw oBaseAppDraw;
void hooks::BaseAppDraw(int a1) {
    oBaseAppDraw(a1);
}
RusJJ commented 2 years ago

ARMPatch::getLib returns the base address of the requested library, but dlsym requires a library handle (which contains a bit more information). So you need to do something like this:

void* lib = dlopen("libgrowtopia.so", RTLD_LAZY);
ARMPatch::hook(dlsym(lib, "_ZN7BaseApp4DrawEv"), &hooks::BaseAppDraw, &oBaseAppDraw);

ARMPatch::getLib can be used for manual patching, just like changing a single byte from 0 to 1.

liettua commented 2 years ago

ARMPatch::getLib returns the base address of the requested library, but dlsym requires a library handle (which contains a bit more information). So you need to do something like this:

void* lib = dlopen("libgrowtopia.so", RTLD_LAZY);
ARMPatch::hook(dlsym(lib, "_ZN7BaseApp4DrawEv"), &hooks::BaseAppDraw, &oBaseAppDraw);

ARMPatch::getLib can be used for manual patching, just like changing a single byte from 0 to 1.

Ah, that's how I was doing it on arm32 with pure Substrate. I will try it now, thanks.

liettua commented 2 years ago

Update: it still crashes, I don't know why, but I put a LOGI in and it prints inside the hooked function; it crashes before returning.

How can I debug it?

void hooks::BaseAppDraw(int a1) {
    LOGI("start"); // this gets printed out!
    menu::EndScene(); // ImGui happens here
    oBaseAppDraw(a1);
    LOGI("do we pass here"); // this doesn't print out, meaning the line before failed
}

Even if I remove the ImGui init code, it crashes on the original function call.

RusJJ commented 2 years ago

Haven't experienced that while I was testing it. Better to check the full debug log that shows the crash and what happens. Maybe that's a memory violation or something like that.

liettua commented 2 years ago

Haven't experienced that while I was testing it. Better to check the full debug log that shows the crash and what happens. Maybe that's a memory violation or something like that.

How do I do that?

RusJJ commented 2 years ago

Check logcat

liettua commented 2 years ago

Check logcat

From which application should I filter it?

I tried:

adb logcat AndroidRuntime:V *:S
adb logcat Growtopia:V *:S // base app log tag
adb logcat INZERNAL:V *:S // internal cheat log tag

I don't get any useful info.

RusJJ commented 2 years ago

Its tag should be "debug"

liettua commented 2 years ago

Its tag should be "debug"

It doesn't return a single message like that.

liettua commented 2 years ago

Its tag should be "debug"

09-25 20:50:38.092 12982 12982 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-25 20:50:38.092 12982 12982 F DEBUG   : Build fingerprint: 'Xiaomi/apollo_eea/apollo:11/RKQ1.200826.002/V12.5.5.0.RJDEUXM:user/release-keys'
09-25 20:50:38.092 12982 12982 F DEBUG   : Revision: '0'
09-25 20:50:38.092 12982 12982 F DEBUG   : ABI: 'arm64'
09-25 20:50:38.092 12982 12982 F DEBUG   : Timestamp: 2021-09-25 20:50:38+0300
09-25 20:50:38.092 12982 12982 F DEBUG   : pid: 12753, tid: 12780, name: GLThread 21231  >>> com.rtsoft.growtopia <<<
09-25 20:50:38.092 12982 12982 F DEBUG   : uid: 10459
09-25 20:50:38.092 12982 12982 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xef748088
09-25 20:50:38.092 12982 12982 F DEBUG   :     x0  000000789fd7c1d0  x1  00000078f7cf5350  x2  000000789fd7c1e8  x3  0000000000000884
09-25 20:50:38.092 12982 12982 F DEBUG   :     x4  0000000000000438  x5  00000078ee648c48  x6  0000000000000438  x7  00000078fc6e6680
09-25 20:50:38.092 12982 12982 F DEBUG   :     x8  fb4f66b4acda3621  x9  fb4f66b4acda3621  x10 000000789fd7c1e8  x11 0000000000000000
09-25 20:50:38.092 12982 12982 F DEBUG   :     x12 0000000000000884  x13 0000000000000438  x14 0000000000000000  x15 0000000000000000
09-25 20:50:38.092 12982 12982 F DEBUG   :     x16 000000789fbf5f38  x17 000000789eae9120  x18 00000078fc62d31a  x19 00000000ef748000
09-25 20:50:38.092 12982 12982 F DEBUG   :     x20 00000078a2cc2e68  x21 000000001303b598  x22 00000078f7cf6000  x23 000000789fd7c1d0
09-25 20:50:38.092 12982 12982 F DEBUG   :     x24 0000000000000000  x25 00000000130088f8  x26 0000000000000001  x27 0000000000000000
09-25 20:50:38.092 12982 12982 F DEBUG   :     x28 0000000000000000  x29 00000078f7cf5600
09-25 20:50:38.092 12982 12982 F DEBUG   :     lr  000000789eaede94  sp  00000078f7cf5310  pc  000000789eaede94  pst 0000000060001000
09-25 20:50:38.190 12982 12982 F DEBUG   : backtrace:
09-25 20:50:38.190 12982 12982 F DEBUG   :       #00 pc 00000000008d0e94  /data/app/~~_kXEW-Hhei3AZft71KUiyQ==/com.rtsoft.growtopia-7sqgoTbVU16G5X5bjlo5Pw==/lib/arm64/libgrowtopia.so!libgrowtopia.so (offset 0x8d0000) (BaseApp::Draw()+96) (BuildId: 5131af948973464d3c30d6b90d8951194e3435bb)
09-25 20:50:38.190 12982 12982 F DEBUG   :       #01 pc 000000000005469c  /data/app/~~_kXEW-Hhei3AZft71KUiyQ==/com.rtsoft.growtopia-7sqgoTbVU16G5X5bjlo5Pw==/lib/arm64/libINZERNAL.so (hooks::BaseAppDraw(int)+60) (BuildId: d94ab2ac6b09fb2bd7ee5a364aae1a9b4c3a3c70)
09-25 20:50:38.190 12982 12982 F DEBUG   :       #02 pc 000000000098a2b4  /data/app/~~_kXEW-Hhei3AZft71KUiyQ==/com.rtsoft.growtopia-7sqgoTbVU16G5X5bjlo5Pw==/lib/arm64/libgrowtopia.so!libgrowtopia.so (offset 0x98a000) (App::Draw()+52) (BuildId: 5131af948973464d3c30d6b90d8951194e3435bb)
09-25 20:50:38.190 12982 12982 F DEBUG   :       #03 pc 00000000000321d0  /data/app/~~_kXEW-Hhei3AZft71KUiyQ==/com.rtsoft.growtopia-7sqgoTbVU16G5X5bjlo5Pw==/oat/arm64/base.odex (art_jni_trampoline+144)
09-25 20:50:38.190 12982 12982 F DEBUG   :       #04 pc 0000000002000b48  /memfd:jit-cache (deleted) (offset 0x2000000) (com.rtsoft.growtopia.AppRenderer.onDrawFrame+392)
09-25 20:50:38.190 12982 12982 F DEBUG   :       #05 pc 0000000000636d04  /system/framework/arm64/boot-framework.oat (android.opengl.GLSurfaceView$GLThread.guardedRun+3668) (BuildId: b67e99ffc467cf14b038145ca57758b34e4d4089)
09-25 20:50:38.190 12982 12982 F DEBUG   :       #06 pc 00000000006374f0  /system/framework/arm64/boot-framework.oat (android.opengl.GLSurfaceView$GLThread.run+224) (BuildId: b67e99ffc467cf14b038145ca57758b34e4d4089)
09-25 20:50:38.190 12982 12982 F DEBUG   :       #07 pc 0000000000133564  /apex/com.android.art/lib64/libart.so (art_quick_invoke_stub+548) (BuildId: d9d09da4285f1f09feadb805782797e4)
09-25 20:50:38.190 12982 12982 F DEBUG   :       #08 pc 00000000001a8a78  /apex/com.android.art/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+200) (BuildId: d9d09da4285f1f09feadb805782797e4)
09-25 20:50:38.190 12982 12982 F DEBUG   :       #09 pc 0000000000555ac4  /apex/com.android.art/lib64/libart.so (art::JValue art::InvokeVirtualOrInterfaceWithJValues<art::ArtMethod*>(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, art::ArtMethod*, jvalue const*)+460) (BuildId: d9d09da4285f1f09feadb805782797e4)
09-25 20:50:38.190 12982 12982 F DEBUG   :       #10 pc 00000000005a4e60  /apex/com.android.art/lib64/libart.so (art::Thread::CreateCallback(void*)+1308) (BuildId: d9d09da4285f1f09feadb805782797e4)
09-25 20:50:38.190 12982 12982 F DEBUG   :       #11 pc 00000000000eb868  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*)+64) (BuildId: a790cdbd8e44ea8a90802da343cb82ce)
09-25 20:50:38.190 12982 12982 F DEBUG   :       #12 pc 000000000008ba88  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: a790cdbd8e44ea8a90802da343cb82ce)

How am I supposed to understand this? :(

RusJJ commented 2 years ago

That's really weird. So it works on ARMv7 only?

liettua commented 2 years ago

That's really weird. So it works on ARMv7 only?

Yes, it works on ARMv7, but I need to port it to ARMv8 because on ARMv7 some structs return the wrong sizeof(struct) if there is a reference to another struct inside, e.g.:

struct Tile {
    TileExtra* tile_extra; // this is 8 on the Windows version and arm64 but 4 on armv7
};

Was this hooking tested on Android 11? Because that's what I'm using.

Also, do you have any idea about hooking apps that are built with android:extractNativeLibs set to false?

RusJJ commented 2 years ago

Also, do you have any idea about hooking apps that are built with android:extractNativeLibs set to false?

Is there any difference? Should be the same.

Pointers on 64-bit systems should be 8 bytes, that's correct. I don't really know what's wrong with that hook :(

liettua commented 2 years ago

Also, do you have any idea about hooking apps that are built with android:extractNativeLibs set to false?

Is there any difference? Should be the same.

Pointers on 64-bit systems should be 8 bytes, that's correct. I don't really know what's wrong with that hook :(

I think it doesn't find the lib when doing dlopen if android:extractNativeLibs is false, I don't know.

Also, did you test it on Android 11?

RusJJ commented 2 years ago

Yes, I have Android 11 and it worked for me.

liettua commented 2 years ago

Yes, I have Android 11 and it worked for me.

Interesting, I've seen others having issues with dlsym hooking as well.

Check this comment: https://github.com/AwangDani123/Android-Mod-Menu/commit/a5a22c8d3adc728ff3eed247fcfebd7f57e77e40

RusJJ commented 2 years ago

That's a different issue. You're experiencing a crash on executing the default function.

liettua commented 2 years ago

That's a different issue. You're experiencing a crash on executing the default function.

#01 pc 000000000005469c /data/app/~~_kXEW-Hhei3AZft71KUiyQ==/com.rtsoft.growtopia-7sqgoTbVU16G5X5bjlo5Pw==/lib/arm64/libINZERNAL.so (hooks::BaseAppDraw(int)+60) (BuildId: d94ab2ac6b09fb2bd7ee5a364aae1a9b4c3a3c70)

Isn't it in hooks::BaseAppDraw?

RusJJ commented 2 years ago

#00 is the latest function in the stack trace that was executed. That's where it happens.

liettua commented 2 years ago

#00 is the latest function in the stack trace that was executed. That's where it happens.

Just tried using another hooking library: https://github.com/jmpews/Dobby

And again it works on armv7 and crashes on armv8. I don't even understand if it's the app that is preventing it or what.

RusJJ commented 2 years ago

May be an issue with the app itself. Maybe it accepts more arguments or, what I think, the first argument should be a LONG int? To fix those things you can use void. Change its type to void and it'll fix the issue. Let me know!

liettua commented 2 years ago

LONG int

Changing it to void* did nothing but freeze the whole app, but changing the argument to long int made it work! Thank you!

Can you tell me how you figured it out?

RusJJ commented 2 years ago

sizeof(int) on 32- and 64-bit is 4 (4 bytes to save the variable) and you can use int to save the pointer. The first argument is a pointer to a variable of type BaseClass (app->Draw() changes to Draw(app) on ARM). But there's a problem: 64-bit apps are using 8 bits for pointers. So when we're using int as a pointer, it cuts our variable "in half": for example, a pointer of 0xABCD has been cut to a pointer of 0xCD. But there's no saved variable of type BaseApp there. The application tries to read the memory at that broken pointer, but it's not available for reading. That's how SEGV_MAPERR appeared. I think you can change int/long to uintptr_t; this is a type definition (typedef) for a pointer that will be defined automatically somewhere inside the stdtypes.h include (as I remember its name).
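
The narrowing described in the comment above, as an added example that is not part of the original thread and not ARMPatch or Growtopia code. It assumes a hypothetical BaseApp layout with a field at offset 0x88 (chosen only because the tombstone's fault address 0xef748088 is x19 + 0x88), a stand-in Draw() body, and it copies the x0..x28 values from the tombstone quoted earlier in the thread to show a small triage check: which register the fault address is based on, and whether that register looks like a 64-bit pointer whose upper half was lost.

```cpp
#include <cstdint>
#include <cstdio>

// Added example for this thread, not ARMPatch or Growtopia code. It models the
// failure discussed above: a hook declared as void(int) narrows the 64-bit
// `this` pointer to 32 bits on arm64, and the original function then faults
// when it dereferences a field of that truncated pointer.

// Hypothetical layout. In the tombstone above, fault addr 0xef748088 is
// x19 + 0x88, so Draw() touches something at offset 0x88 of `this`; the real
// BaseApp layout is unknown, this field is a stand-in.
struct BaseApp {
    unsigned char pad[0x88];
    int frame_count;
};

// Stand-in for the original BaseApp::Draw (hypothetical body).
static int BaseApp_Draw(BaseApp* self) {
    return ++self->frame_count;
}

// What a void(int) hook does to the `this` argument: on arm64 the pointer is
// 64 bits wide and an int is 32, so the upper half is discarded (value mod 2^32).
static uintptr_t narrow_through_int(uintptr_t p) {
    int as_int = static_cast<int>(static_cast<uint32_t>(p)); // the hook's `int a1`
    return static_cast<uint32_t>(as_int);                     // what the original receives
}

// Correctly typed hook: `this` travels as uintptr_t, so every bit survives
// the round trip through the hook and back into the original.
using DrawFn = int (*)(BaseApp*);
static DrawFn oBaseAppDraw = BaseApp_Draw;   // filled in by the hooking library in real use
static int hooked_BaseAppDraw(uintptr_t self) {
    return oBaseAppDraw(reinterpret_cast<BaseApp*>(self));
}

// Drives the typed hook on a stack object; returns the frame count after two calls.
static int typed_hook_roundtrip() {
    BaseApp app{};
    hooked_BaseAppDraw(reinterpret_cast<uintptr_t>(&app));
    return hooked_BaseAppDraw(reinterpret_cast<uintptr_t>(&app));
}

// Tombstone triage: find the general-purpose register that sits a small offset
// below the fault address and say whether it looks like a pointer whose upper
// 32 bits were lost (all zero in a 64-bit process, where real heap and library
// addresses are well above 4 GiB).
struct Triage { int reg; uintptr_t offset; bool looks_truncated; };

static Triage triage_fault(uintptr_t fault_addr, const uintptr_t x[29]) {
    Triage best{-1, 0, false};
    for (int i = 0; i < 29; ++i) {
        if (x[i] == 0 || x[i] > fault_addr) continue;
        uintptr_t off = fault_addr - x[i];
        if (off < 0x1000 && (best.reg < 0 || off < best.offset))
            best = {i, off, (x[i] >> 32) == 0};
    }
    return best;
}

// Registers x0..x28 copied from the tombstone quoted earlier in this thread.
static Triage triage_thread_tombstone() {
    static const uintptr_t x[29] = {
        0x789fd7c1d0ull, 0x78f7cf5350ull, 0x789fd7c1e8ull, 0x884ull,
        0x438ull, 0x78ee648c48ull, 0x438ull, 0x78fc6e6680ull,
        0xfb4f66b4acda3621ull, 0xfb4f66b4acda3621ull, 0x789fd7c1e8ull, 0ull,
        0x884ull, 0x438ull, 0ull, 0ull,
        0x789fbf5f38ull, 0x789eae9120ull, 0x78fc62d31aull, 0xef748000ull,
        0x78a2cc2e68ull, 0x1303b598ull, 0x78f7cf6000ull, 0x789fd7c1d0ull,
        0ull, 0x130088f8ull, 1ull, 0ull,
        0ull,
    };
    return triage_fault(0xef748088ull, x);
}

int main() {
    // Constructed 64-bit address with non-zero upper bits, like a real arm64 library mapping.
    uintptr_t fake_this = 0x78aaef748000ull;
    std::printf("through int: %#lx -> %#lx\n",
                (unsigned long)fake_this, (unsigned long)narrow_through_int(fake_this));
    std::printf("typed hook frame count after two calls: %d\n", typed_hook_roundtrip());

    Triage t = triage_thread_tombstone();
    std::printf("fault = x%d + %#lx, looks truncated: %s\n",
                t.reg, (unsigned long)t.offset, t.looks_truncated ? "yes" : "no");
    return 0;
}
```

The triage check is the quick thing to run on any arm64 tombstone before reading code: if the faulting base register has a zero upper half and the process is 64-bit, a 32-bit type somewhere in the call chain (an `int` parameter, an `int` struct field, a `uint32_t` cast) is the first suspect.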

liettua commented 2 years ago

sizeof(int) on 32- and 64-bit is 4 (4 bytes to save the variable) and you can use int to save the pointer. The first argument is a pointer to a variable of type BaseClass (app->Draw() changes to Draw(app) on ARM). But there's a problem: 64-bit apps are using 8 bits for pointers. So when we're using int as a pointer, it cuts our variable "in half": for example, a pointer of 0xABCD has been cut to a pointer of 0xCD. But there's no saved variable of type BaseApp there. The application tries to read the memory at that broken pointer, but it's not available for reading. That's how SEGV_MAPERR appeared. I think you can change int/long to uintptr_t; this is a type definition (typedef) for a pointer that will be defined automatically somewhere inside the stdtypes.h include (as I remember its name).

Now that I'm checking, some of the other hooks are working fine with int. Should I change them as well?

RusJJ commented 2 years ago

Possibly they are not trying to get any values from the "this" pointer. Just set those arguments to uintptr_t (and also include stdint.h) and it'll always be fine.

liettua commented 2 years ago

Possibly they are not trying to get any values from the "this" pointer. Just set those arguments to uintptr_t (and also include stdint.h) and it'll always be fine.

Big thanks for all your help.

Kind of off topic, but I'm getting a null pointer dereference when trying to return something with orig_func()->example:

struct example {
    bool exampl;
    anotherexample* example;
};

If I try return ((example*)oFunction())->example, it null-pointer dereferences, but on the Windows platform it works.

E.g.:

    static auto address = (example * (__cdecl*)()) sigs::get(sig::function);
    return address()->example;

Is it possible to do something like this with ARMPatch?

RusJJ commented 2 years ago

lol idk