Unable to resolve Landroid/telephony/SmsManager;

[flankerhqd]

Hi thanks for the great tool! However I found I cannot hook functions like android.telephony.SmsManager.sendTextMessage. By turning the debug option in dalvik_hook.c (h->debug_me = 1), I found the reason is class android.telephony.SmsManager resolved to NULL

The log is:

E/hook-dexstuff(  238): dvmInitClass = 0x4075bd49
E/hook-dexstuff(  238):   _Z36dvmFindVirtualMethodHierByDescriptorPK11ClassObjectPKcS3_ = 0x4075c72d
E/hook-dexstuff(  238): _Z31dvmFindDirectMethodByDescriptorPK11ClassObjectPKcS3_ = 0x4075c7c1
E/hook-dexstuff(  238): _Z17dvmIsStaticMethodPK6Method = 0x40739fed
E/hook-dexstuff(  238): dvmAllocObject = 0x40746715
E/hook-dexstuff(  238): _Z14dvmCallMethodVP6ThreadPK6MethodP6ObjectbP6JValueSt9__va_list = 0x40751481
E/hook-dexstuff(  238): _Z14dvmCallMethodAP6ThreadPK6MethodP6ObjectbP6JValuePK6jvalue = 0x40751339
E/hook-dexstuff(  238): _Z22dvmAddToReferenceTableP14ReferenceTableP6Object = 0x40742995
E/hook-dexstuff(  238): _Z16dvmSetNativeFuncP6MethodPFvPKjP6JValuePKS_P6ThreadEPKt = 0x4075a637
E/hook-dexstuff(  238): _Z15dvmUseJNIBridgeP6MethodPv = 0x4073ef75
E/hook-dexstuff(  238): _Z20dvmDecodeIndirectRefP6ThreadP8_jobject = 0x4073bc99
E/hook-dexstuff(  238): _Z21dvmLinearSetReadWriteP6ObjectPv = 0x4074004b
E/hook-dexstuff(  238): _Z22dvmGetCurrentJNIMethodv = 0x4073f169
E/hook-dexstuff(  238): _Z20dvmFindInstanceFieldPK11ClassObjectPKcS3_ = 0x4075c59d
E/hook-dexstuff(  238): _Z16dvmCallJNIMethodPKjP6JValuePK6MethodP6Thread = 0x4073ece1
E/hook-dexstuff(  238): _Z17dvmDumpAllClassesi = 0x4075a685
E/hook-dexstuff(  238): _Z12dvmDumpClassPK11ClassObjecti = 0x4075a681
E/hook-dexstuff(  238): _Z18dvmFindLoadedClassPKc = 0x4075a645
E/hook-dexstuff(  238): _Z16dvmHashTableLockP9HashTable = 0x4073a1a7
E/hook-dexstuff(  238): _Z18dvmHashTableUnlockP9HashTable = 0x4073a1ad
E/hook-dexstuff(  238): _Z14dvmHashForeachP9HashTablePFiPvS1_ES1_ = 0x407374a1
E/hook-dexstuff(  238): _Z13dvmInstanceofPK11ClassObjectS1_ = 0x40736025
E/hook-dexstuff(  238): gDvm = 0x4079c1a8
E/hook-dexstuff(  238): dalvik_hook: class Landroid/telephony/SmsManager;
E/hook-dexstuff(  238): class = 0x0
E/hook-dexstuff(  238): target_cls == 0
E/hook-dexstuff(  238): dalvik_hook: class Ljava/lang/String;
E/hook-dexstuff(  238): class = 0x40a060b8
E/hook-dexstuff(  238): equalsIgnoreCase((Ljava/lang/String;)Z) = 0x435fb6a8
E/hook-dexstuff(  238): nativeFunc 0
E/hook-dexstuff(  238): insSize = 0x2  registersSize = 0xe  outsSize = 0x2
E/hook-dexstuff(  238): shorty ZL
E/hook-dexstuff(  238): name equalsIgnoreCase
E/hook-dexstuff(  238): arginfo 0
E/hook-dexstuff(  238): noref 
E/hook-dexstuff(  238): access 1
E/hook-dexstuff(  238): access 101
E/hook-dexstuff(  238): patched equalsIgnoreCase to: 0x4a19e344

Why the class cannot be resolved? java.lang.String works fine.

[flankerhqd]

My hook code is like:

    dalvik_hook_setup(&dpdu, "Landroid/telephony/SmsManager;", "sendTextMessage", "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V", 6, my_dispatch);
dalvik_hook(&d, &dpdu);

However my_dispatch will never get executed, since Landroid/telephony/SmsManager cannot be resolved in dalvik_hook_setup, thus dalvik_hook_setup fails.

[flankerhqd]

I'm using a 4.1.2 arm emulator in SDK.

[crmulliner]

I guess the class name is wrong, look at the internal classes such as: com.android.internal.telephony.....

[flankerhqd]

Can't find com.android.internal.telephony.SmsManager.sendTextMessage or com.android.internal.telephony.sendTextMessage, however one can find android.telephony.SmsManager.sendTextMessage at http://grepcode.com/file/repository.grepcode.com/java/ext/com.google.android/android/4.1.2_r1/android/telephony/SmsManager.java#SmsManager.sendTextMessage%28java.lang.String%2Cjava.lang.String%2Cjava.lang.String%2Candroid.app.PendingIntent%2Candroid.app.PendingIntent%29

[crmulliner]

if you find android.telephony.SmsManager, you can call dalvik_dump_class(dexstuff_ptr, "android.telephony.SmsManager"); to show all methods of that class.

[flankerhqd]

Thanks for your kind reply. The problem is the class "android.telephony.SmsManager" cannot be resolved or found in ddi's world, dalvik_dump_class(&d, "Landroid/telephony/SmsManager;"); output nothing and I think there is no problem with spelling.

[crmulliner]

What process are you hooking?

On May 8, 2014 9:03:41 PM EDT, flankerhqd notifications@github.com wrote:

Thanks for your kind reply. The problem is "android.telephony.SmsManager" cannot be resolved or found in ddi's world, dalvik_dump_class(dexstuff_ptr, "android.telephony.SmsManager"); output nothing.

---

Reply to this email directly or view it on GitHub: https://github.com/crmulliner/ddi/issues/3#issuecomment-42624206

[flankerhqd]

Tried com.android.phone, com.android.mms and a custom application calling sendTextMessage, none succeeded in resolving and hooking Landroid/telephony/SmsManager; . Lcom/android/internal/telephony/SMSDispatcher; and Ljava/lang/String are OK.

[crmulliner]

can you try the system_server?

[flankerhqd]

Tried system_server without luck, still cannot resolve

E/hook-dexstuff(  149): dalvik_hook: class Landroid/telephony/SmsManager;
E/hook-dexstuff(  149): class = 0x0
E/hook-dexstuff(  149): target_cls == 0

[flankerhqd]

source pasted here: https://gist.github.com/flankerhqd/afbe1a40531837d09f32

[VirtualBim]

I came here to add an issue and found this, its describes my problem exactly. Has this been resolved in anyway?

[crmulliner]

can you try to see what classes are present in .phone/.mms ? using dalvik_dump_class(XX, NULL); <- dumps all loaded classes in a process. My guess is that there is just some renaming or name mangle going on.

example:

static int my_epoll_wait(int epfd, struct epoll_event _events, int maxevents, int timeout) { int (_orig_epoll_wait)(int epfd, struct epoll_event _events, int maxevents, int timeout); orig_epollwait = (void)eph.orig; // remove hook for epoll_wait hook_precall(&eph); // resolve symbols from DVM dexstuff_resolv_dvm(&d);

// dump all classes dalvik_dump_class(&d, 0);

// call original function int res = orig_epoll_wait(epfd, events, maxevents, timeout);
return res; }

[VirtualBim]

I have tried this several times now. each time the emulator disconnects. I have captured the logcat which covers the time frame, upto the point where the interface is reset. It shows an error in the m.android.phone caused by the call to dalvik_dump_class as seen in dexdump.c. I also tested doing the class dump on SmsDispatch and on SmsManager. Dispatch returned a full list of the methods available and Manager returned nothing, not even the header section.

[flankerhqd]

Class dump pasted here: https://gist.github.com/flankerhqd/c47916dc61386cd9f6e4, no sign of SMS

[VirtualBim]

to avoid the problem of SmsManager not being available I have attempted to hook the SmsDispatcher. I have added: dalvik_hook_setup(&srpdu, "Lcom/android/internal/telephony/SMSDispatcher;", "sendRawPdu", "([B[BLandroid/app/PendingIntent;Landroid/app/PendingIntent;Ljava/lang/String;)V", 6, my_sendRawPdu); dalvik_hook(&d, &srpdu); log ("hooked srpdu\n")

to the example smsdipatch.c provided, however this causes the hooks to fail and the log file remains empty. I have taken the method name and signature directly from the output of dalvik dump. Is there something I have missed?

[crmulliner]

sendRawPdu is only available on a few HTC devices. Are you sure your phone supports this?

the class name and method + signature look good.

is your "my_sendRawPdu" function called at all?

[flankerhqd]

@VirtualBim try dalvik_dump_class(&d, ""); 0 a.k.a NULL will cause SF on strlen, thus crashing the process

[VirtualBim]

No, I am not certain, I am using the Emulator and trying to catch all the Sms leaving the device. Following the code it looked as though all sms went through sendRawPdu on their way to sendSms. With those 2 (hook setup & hook) calls that I added the hooks do not run at all. i.e. it seems the epoll function does not complete. So no, my function is definitely not called.

I assumed that sendRawPdu being in the dalivk dump meant it was available.

My only real question is where should I hook to catch the sms leaving the machine? given that SmsManager is not available.

Thanks for all your help btw :)

@flankerhqd thank you, i'll try that.

[VirtualBim]

I have discovered that most if not all messages go through the call SendSMS in the dispatcher class, however as this is abstract you have to catch the calls to it in gsmDispatcher and cmdaDispatcher. I have hooked on there and caught calls sent through smsManager. Unfortunately the smsbody needs pulling out of the tracker which I have not yet solved. I can get the address string but the hashmap is proving resilient.

[hardikjoshi]

Hello,

I am facing same issue. I found some how below mentioned dalvik symbol not hooking method. ddi/dalvikhook/jni/dalvik_hook.c

dex->dvmUseJNIBridge_fnPtr(h->method, h->native_func);

I want to know how to debug into the line.

Thanks & Regards Hardik Joshi