asLody / SandHook

Android ART Hook/Native Inline Hook/Single Instruction Hook - support 4.4 - 11.0 32/64 bit - Xposed API Compat

[bug] Submitting a hook bug #14

Closed javaeryang closed 5 years ago

javaeryang commented 5 years ago

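Hooked app: WeChat
Version: 1420
Download source: weixin.qq.com
Bug description: Simply hooking the following method, even with nothing done inside the hook, causes WeChat to crash.
Steps to reproduce: Hook WeChat version 1420 by copying the code below, then tap WeChat's --> Pay; it always crashes.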

XposedHelpers.findAndHookMethod("com.tencent.mm.plugin.wallet.balance.ui.WalletBalanceFetchUI",
                classLoader,
                "g",
                // parameter type of g(), given by class name
                "com.tencent.mm.plugin.wallet.balance.ui.WalletBalanceFetchUI",
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                        try {
                            // intentionally empty: the crash occurs even though the hook does nothing
                        } catch (Throwable throwable) {
                            XposedBridge.log(throwable);
                        }
                    }
                }
);

ganyao114 commented 5 years ago

Please provide the relevant logs.

javaeryang commented 5 years ago

@ganyao114

05-17 17:49:01.381 26553-26553/com.tencent.mm E/AndroidRuntime: FATAL EXCEPTION: main
                                                                Process: com.tencent.mm, PID: 26553
                                                                java.lang.VerifyError: Rejecting class com.tencent.mm.plugin.mall.ui.MallIndexUI that attempts to sub-type erroneous class com.tencent.mm.plugin.mall.ui.MallIndexBaseUI (declaration of 'com.tencent.mm.plugin.mall.ui.MallIndexUI' appears in /data/app/com.tencent.mm-yZqDN8LOB5zQc6XnJXUjlw==/base.apk!classes5.dex)
                                                                    at java.lang.Class.classForName(Native Method)
                                                                    at java.lang.Class.forName(Class.java:453)
                                                                    at java.lang.Class.forName(Class.java:378)
                                                                    at com.tencent.mm.ui.d.aO(SourceFile:116)
                                                                    at com.tencent.mm.ui.d.a(SourceFile:43)
                                                                    at com.tencent.mm.ui.MMFragmentActivity.startActivityForResult(SourceFile:555)
                                                                    at android.app.Activity.startActivityForResult(Activity.java:4721)
                                                                    at android.support.v4.app.FragmentActivity.startActivityForResult(SourceFile:751)
                                                                    at com.tencent.mm.ui.MMFragmentActivity.startActivityForResult(SourceFile:548)
                                                                    at android.app.Activity.startActivity(Activity.java:5142)
                                                                    at com.tencent.mm.ui.MMFragmentActivity.startActivity(SourceFile:542)
                                                                    at com.tencent.mm.bp.d$9.onDone(SourceFile:228)
                                                                    at com.tencent.mm.bp.d.a(SourceFile:805)
                                                                    at com.tencent.mm.bp.d.b(SourceFile:250)
                                                                    at com.tencent.mm.bp.d.a(SourceFile:144)
                                                                    at com.tencent.mm.bp.d.b(SourceFile:125)
                                                                    at com.tencent.mm.plugin.wallet_core.model.r.B(SourceFile:567)
                                                                    at com.tencent.mm.plugin.wallet_core.model.r$4.a(SourceFile:1157)
                                                                    at com.tencent.mm.sdk.b.a$b.a(SourceFile:82)
                                                                    at com.tencent.mm.sdk.b.a.m(SourceFile:221)
                                                                    at com.tencent.mm.ui.MoreTabUI.a(SourceFile:394)
                                                                    at com.tencent.mm.ui.base.preference.MMPreferenceFragment$2.onItemClick(SourceFile:251)
                                                                    at com.tencent.mm.ui.widget.listview.PullDownListView.onItemClick(SourceFile:814)
                                                                    at android.widget.AdapterView.performItemClick(AdapterView.java:321)
                                                                    at android.widget.AbsListView.performItemClick(AbsListView.java:1228)
                                                                    at android.widget.AbsListView$PerformClick.run(AbsListView.java:3228)
                                                                    at android.widget.AbsListView$3.run(AbsListView.java:4204)
                                                                    at android.os.Handler.handleCallback(Handler.java:891)
                                                                    at android.os.Handler.dispatchMessage(Handler.java:102)
                                                                    at android.os.Looper.loop(Looper.java:207)
                                                                    at android.app.ActivityThread.main(ActivityThread.java:7470)
                                                                    at java.lang.reflect.Method.invoke(Native Method)
                                                                    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:524)
                                                                    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:958)
                                                                 Caused by: java.lang.VerifyError: Rejecting class com.tencent.mm.plugin.mall.ui.MallIndexBaseUI that attempts to sub-type erroneous class com.tencent.mm.wallet_core.ui.WalletBaseUI (declaration of 'com.tencent.mm.plugin.mall.ui.MallIndexBaseUI' appears in /data/app/com.tencent.mm-yZqDN8LOB5zQc6XnJXUjlw==/base.apk!classes8.dex)
                                                                    at java.lang.Class.classForName(Native Method) 
                                                                    at java.lang.Class.forName(Class.java:453) 
                                                                    at java.lang.Class.forName(Class.java:378) 
                                                                    at com.tencent.mm.ui.d.aO(SourceFile:116) 
                                                                    at com.tencent.mm.ui.d.a(SourceFile:43) 
                                                                    at com.tencent.mm.ui.MMFragmentActivity.startActivityForResult(SourceFile:555) 
                                                                    at android.app.Activity.startActivityForResult(Activity.java:4721) 
                                                                    at android.support.v4.app.FragmentActivity.startActivityForResult(SourceFile:751) 
                                                                    at com.tencent.mm.ui.MMFragmentActivity.startActivityForResult(SourceFile:548) 
                                                                    at android.app.Activity.startActivity(Activity.java:5142) 
                                                                    at com.tencent.mm.ui.MMFragmentActivity.startActivity(SourceFile:542) 
                                                                    at com.tencent.mm.bp.d$9.onDone(SourceFile:228) 
                                                                    at com.tencent.mm.bp.d.a(SourceFile:805) 
                                                                    at com.tencent.mm.bp.d.b(SourceFile:250) 
                                                                    at com.tencent.mm.bp.d.a(SourceFile:144) 
                                                                    at com.tencent.mm.bp.d.b(SourceFile:125) 
                                                                    at com.tencent.mm.plugin.wallet_core.model.r.B(SourceFile:567) 
                                                                    at com.tencent.mm.plugin.wallet_core.model.r$4.a(SourceFile:1157) 
                                                                    at com.tencent.mm.sdk.b.a$b.a(SourceFile:82) 
                                                                    at com.tencent.mm.sdk.b.a.m(SourceFile:221) 
                                                                    at com.tencent.mm.ui.MoreTabUI.a(SourceFile:394) 
                                                                    at com.tencent.mm.ui.base.preference.MMPreferenceFragment$2.onItemClick(SourceFile:251) 
                                                                    at com.tencent.mm.ui.widget.listview.PullDownListView.onItemClick(SourceFile:814) 
                                                                    at android.widget.AdapterView.performItemClick(AdapterView.java:321) 
                                                                    at android.widget.AbsListView.performItemClick(AbsListView.java:1228) 
                                                                    at android.widget.AbsListView$PerformClick.run(AbsListView.java:3228) 
                                                                    at android.widget.AbsListView$3.run(AbsListView.java:4204) 
                                                                    at android.os.Handler.handleCallback(Handler.java:891) 
                                                                    at android.os.Handler.dispatchMessage(Handler.java:102) 
                                                                    at android.os.Looper.loop(Looper.java:207) 
                                                                    at android.app.ActivityThread.main(ActivityThread.java:7470) 
                                                                    at java.lang.reflect.Method.invoke(Native Method) 
                                                                    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:524) 
                                                                    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:958) 
05-17 17:49:01.382 26553-26553/com.tencent.mm E/uncaught: java.lang.VerifyError: Rejecting class com.tencent.mm.plugin.mall.ui.MallIndexUI that attempts to sub-type erroneous class com.tencent.mm.plugin.mall.ui.MallIndexBaseUI (declaration of 'com.tencent.mm.plugin.mall.ui.MallIndexUI' appears in /data/app/com.tencent.mm-yZqDN8LOB5zQc6XnJXUjlw==/base.apk!classes5.dex)
                                                              at java.lang.Class.classForName(Native Method)
                                                              at java.lang.Class.forName(Class.java:453)
                                                              at java.lang.Class.forName(Class.java:378)
                                                              at com.tencent.mm.ui.d.aO(SourceFile:116)
                                                              at com.tencent.mm.ui.d.a(SourceFile:43)
                                                              at com.tencent.mm.ui.MMFragmentActivity.startActivityForResult(SourceFile:555)
                                                              at android.app.Activity.startActivityForResult(Activity.java:4721)
                                                              at android.support.v4.app.FragmentActivity.startActivityForResult(SourceFile:751)
                                                              at com.tencent.mm.ui.MMFragmentActivity.startActivityForResult(SourceFile:548)
                                                              at android.app.Activity.startActivity(Activity.java:5142)
                                                              at com.tencent.mm.ui.MMFragmentActivity.startActivity(SourceFile:542)
                                                              at com.tencent.mm.bp.d$9.onDone(SourceFile:228)
                                                              at com.tencent.mm.bp.d.a(SourceFile:805)
                                                              at com.tencent.mm.bp.d.b(SourceFile:250)
                                                              at com.tencent.mm.bp.d.a(SourceFile:144)
                                                              at com.tencent.mm.bp.d.b(SourceFile:125)
                                                              at com.tencent.mm.plugin.wallet_core.model.r.B(SourceFile:567)
                                                              at com.tencent.mm.plugin.wallet_core.model.r$4.a(SourceFile:1157)
                                                              at com.tencent.mm.sdk.b.a$b.a(SourceFile:82)
                                                              at com.tencent.mm.sdk.b.a.m(SourceFile:221)
                                                              at com.tencent.mm.ui.MoreTabUI.a(SourceFile:394)
                                                              at com.tencent.mm.ui.base.preference.MMPreferenceFragment$2.onItemClick(SourceFile:251)
                                                              at com.tencent.mm.ui.widget.listview.PullDownListView.onItemClick(SourceFile:814)
                                                              at android.widget.AdapterView.performItemClick(AdapterView.java:321)
                                                              at android.widget.AbsListView.performItemClick(AbsListView.java:1228)
                                                              at android.widget.AbsListView$PerformClick.run(AbsListView.java:3228)
                                                              at android.widget.AbsListView$3.run(AbsListView.java:4204)
                                                              at android.os.Handler.handleCallback(Handler.java:891)
                                                              at android.os.Handler.dispatchMessage(Handler.java:102)
                                                              at android.os.Looper.loop(Looper.java:207)
                                                              at android.app.ActivityThread.main(ActivityThread.java:7470)
                                                              at java.lang.reflect.Method.invoke(Native Method)
                                                              at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:524)
                                                              at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:958)
                                                           Caused by: java.lang.VerifyError: Rejecting class com.tencent.mm.plugin.mall.ui.MallIndexBaseUI that attempts to sub-type erroneous class com.tencent.mm.wallet_core.ui.WalletBaseUI (declaration of 'com.tencent.mm.plugin.mall.ui.MallIndexBaseUI' appears in /data/app/com.tencent.mm-yZqDN8LOB5zQc6XnJXUjlw==/base.apk!classes8.dex)
                                                              at java.lang.Class.classForName(Native Method) 
                                                              at java.lang.Class.forName(Class.java:453) 
                                                              at java.lang.Class.forName(Class.java:378) 
                                                              at com.tencent.mm.ui.d.aO(SourceFile:116) 
                                                              at com.tencent.mm.ui.d.a(SourceFile:43) 
                                                              at com.tencent.mm.ui.MMFragmentActivity.startActivityForResult(SourceFile:555) 
                                                              at android.app.Activity.startActivityForResult(Activity.java:4721) 
                                                              at android.support.v4.app.FragmentActivity.startActivityForResult(SourceFile:751) 
                                                              at com.tencent.mm.ui.MMFragmentActivity.startActivityForResult(SourceFile:548) 
                                                              at android.app.Activity.startActivity(Activity.java:5142) 
                                                              at com.tencent.mm.ui.MMFragmentActivity.startActivity(SourceFile:542) 
                                                              at com.tencent.mm.bp.d$9.onDone(SourceFile:228) 
                                                              at com.tencent.mm.bp.d.a(SourceFile:805) 
                                                              at com.tencent.mm.bp.d.b(SourceFile:250) 
                                                              at com.tencent.mm.bp.d.a(SourceFile:144) 
                                                              at com.tencent.mm.bp.d.b(SourceFile:125) 
                                                              at com.tencent.mm.plugin.wallet_core.model.r.B(SourceFile:567) 
                                                              at com.tencent.mm.plugin.wallet_core.model.r$4.a(SourceFile:1157) 
                                                              at com.tencent.mm.sdk.b.a$b.a(SourceFile:82) 
                                                              at com.tencent.mm.sdk.b.a.m(SourceFile:221) 
                                                              at com.tencent.mm.ui.MoreTabUI.a(SourceFile:394) 
                                                              at com.tencent.mm.ui.base.preference.MMPreferenceFragment$2.onItemClick(SourceFile:251) 
                                                              at com.tencent.mm.ui.widget.listview.PullDownListView.onItemClick(SourceFile:814) 
                                                              at android.widget.AdapterView.performItemClick(AdapterView.java:321) 
                                                              at android.widget.AbsListView.performItemClick(AbsListView.java:1228) 
                                                              at android.widget.AbsListView$PerformClick.run(AbsListView.java:3228) 
                                                              at android.widget.AbsListView$3.run(AbsListView.java:4204) 
                                                              at android.os.Handler.handleCallback(Handler.java:891) 
                                                              at android.os.Handler.dispatchMessage(Handler.java:102) 
                                                              at android.os.Looper.loop(Looper.java:207) 
                                                              at android.app.ActivityThread.main(ActivityThread.java:7470) 
                                                              at java.lang.reflect.Method.invoke(Native Method) 
                                                              at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:524) 
                                                              at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:958)
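
An added example, not part of the original thread: a small triage script that follows the "Rejecting class ... erroneous class ..." links in a log like the one above back to the first class that failed verification. The sample lines are abbreviated from that log (the install path is shortened to `...`); the function names are chosen here for illustration.

```python
import re

# ART's VerifyError text for a class rejected because its superclass
# had already failed verification.
REJECT_RE = re.compile(
    r"Rejecting class (?P<sub>[\w.$]+) that attempts to sub-type "
    r"erroneous class (?P<sup>[\w.$]+) "
    r"\(declaration of '[^']+' appears in (?P<where>[^)]+)\)"
)

# Constructed sample: the VerifyError lines from the log above, path abbreviated.
SAMPLE_LOG = """\
E/AndroidRuntime: java.lang.VerifyError: Rejecting class com.tencent.mm.plugin.mall.ui.MallIndexUI that attempts to sub-type erroneous class com.tencent.mm.plugin.mall.ui.MallIndexBaseUI (declaration of 'com.tencent.mm.plugin.mall.ui.MallIndexUI' appears in /data/app/.../base.apk!classes5.dex)
 Caused by: java.lang.VerifyError: Rejecting class com.tencent.mm.plugin.mall.ui.MallIndexBaseUI that attempts to sub-type erroneous class com.tencent.mm.wallet_core.ui.WalletBaseUI (declaration of 'com.tencent.mm.plugin.mall.ui.MallIndexBaseUI' appears in /data/app/.../base.apk!classes8.dex)
E/uncaught: java.lang.VerifyError: Rejecting class com.tencent.mm.plugin.mall.ui.MallIndexUI that attempts to sub-type erroneous class com.tencent.mm.plugin.mall.ui.MallIndexBaseUI (declaration of 'com.tencent.mm.plugin.mall.ui.MallIndexUI' appears in /data/app/.../base.apk!classes5.dex)
"""


def parse_rejections(log_text):
    """Return unique (subclass, erroneous superclass, dex file) edges in log order."""
    edges = []
    for m in REJECT_RE.finditer(log_text):
        dex = m.group("where").rsplit("!", 1)[-1]
        edge = (m.group("sub"), m.group("sup"), dex)
        if edge not in edges:  # logcat repeats the same trace under several tags
            edges.append(edge)
    return edges


def root_erroneous_classes(edges):
    """Classes blamed as erroneous that are never reported as rejected themselves."""
    rejected = {sub for sub, _, _ in edges}
    roots = []
    for _, sup, _ in edges:
        if sup not in rejected and sup not in roots:
            roots.append(sup)
    return roots


def chain_to_root(edges, start):
    """Follow superclass links from `start` up to the first class that failed."""
    parent = {sub: sup for sub, sup, _ in edges}
    chain, seen = [start], {start}
    while chain[-1] in parent and parent[chain[-1]] not in seen:
        chain.append(parent[chain[-1]])
        seen.add(chain[-1])
    return chain


if __name__ == "__main__":
    edges = parse_rejections(SAMPLE_LOG)
    for sub, sup, dex in edges:
        print(f"{sub} ({dex}) rejected because of {sup}")
    print("first failing class:", root_erroneous_classes(edges))
```

For the log above the chain ends at com.tencent.mm.wallet_core.ui.WalletBaseUI; the excerpt does not include the reason that class itself failed verification.
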

ganyao114 commented 5 years ago

At a glance this looks related to WeChat's hot-fix mechanism. Try clearing the app data and see.

javaeryang commented 5 years ago

How do I clear WeChat's data? This WeChat is installed inside your virtual environment.

javaeryang commented 5 years ago

Also, this WeChat was freshly installed, so there shouldn't be any hot update.

ganyao114 commented 5 years ago

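If it's in the virtual environment, then it may be a classloader problem. WeChat uses a plugin architecture and the wallet is a plugin, so the classloader you use to load the hooked method may be wrong.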

ganyao114 commented 5 years ago

That makes sense, right? First find a way to get the wallet plugin's classloader.

javaeryang commented 5 years ago

I know about that, but that shouldn't be the problem; normally it would report an error that the class cannot be found.

ganyao114 commented 5 years ago

I know you got the method, but you may not have gotten the correct `this` type.

javaeryang commented 5 years ago

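For dynamically loaded classes, I always get that classloader first and then hook, so the error wouldn't be this one. Hooking this same method works normally on the original Xposed, which means your low-level hook implementation may have a problem.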

ganyao114 commented 5 years ago

In addition, I'll try changing all the parameters to Object.class in the near future.

ganyao114 commented 5 years ago

Things are different inside the virtual environment. Also, please confirm whether your sandvxp is the latest code.

javaeryang commented 5 years ago

OK, thanks. I cloned your latest code directly. 微信截图_20190517181654

ganyao114 commented 5 years ago

The master branch?

ganyao114 commented 5 years ago

Because I have recently made changes to the classloader.

javaeryang commented 5 years ago

Yes, it was cloned from the main branch.

ganyao114 commented 5 years ago

I took a look and found that I have sandvxp code, related to the classloader, that I haven't pushed. Upgrade sandhook to version 3.6.0, including xposedcompat, and try again.

javaeryang commented 5 years ago

After upgrading to 3.6.0, the hook still causes the same crash. 微信截图_20190517184700

ganyao114 commented 5 years ago

> After upgrading to 3.6.0, the hook still causes the same crash. 微信截图_20190517184700

Try the new branch.