jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0
3.89k stars 798 forks

Crash when calling certain il2cpp functions (get_height, get_width) only on NOX emulator #121

Open neobenedict opened 3 years ago

neobenedict commented 3 years ago

Version: Latest master

For whatever reason my code crashes after hooking UnityEngine.Screen$$get_width (and also get_height) and then calling the original hooked function.

How to cause the crash:

1) Use literally any Unity game (even your own barebones one).
2) Hook the UnityEngine.Screen$$get_width() function with a replacement that calls the original function, e.g.:

#include <stdint.h>
#include <android/log.h>
#include "dobby.h"

#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, "hook", __VA_ARGS__)   // log tag is a placeholder

int32_t (*getScreenResolutionWidthHooked)();   // filled in by DobbyHook: trampoline to the original function

int32_t getScreenResolutionWidth() {           // replacement for UnityEngine.Screen$$get_width()
    LOGI("Crashes here:");
    return getScreenResolutionWidthHooked();   // call through to the original
}

void installHook() {
    uintptr_t getScreenWidth = 0x9f012e0;      // absolute address of get_width() in the loaded libil2cpp.so
    DobbyHook((void *)getScreenWidth, (void *)getScreenResolutionWidth, (void **)&getScreenResolutionWidthHooked);
}

3) Observe crash

I/Dobby   ( 4661): [*] [DobbyHook] Initialize at 0x9f012e0
I/Dobby   ( 4661): [*] ================ FunctionInlineReplaceRouting Start ================
I/Dobby   ( 4661): [*] [trampoline] Generate trampoline buffer 0x9f012e0 -> 0xca45475
I/Dobby   ( 4661): [*] [insn relocate] origin 0x9f012e0 - 8
I/Dobby   ( 4661): [*] [insn relocate] relocated 0xb2cdf078 - 24
E/CRASH   ( 4452): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr ffdeba84
E/CRASH   ( 4452): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
E/CRASH   ( 4452): Build type 'Release', Scripting Backend 'il2cpp', CPU 'armeabi-v7a'
E/CRASH   ( 4452): Build fingerprint: 'google/google Pixel 2/x86:5.1.1/LMY47I/500190910:user/release-keys'
E/CRASH   ( 4452): Revision: '0'
E/CRASH   ( 4452): pid: 4452, tid: 4478, name: UnityMain  >>> io.rayshift.xxx <<<
E/CRASH   ( 4452):     r0 00e3f9b0  r1 ffdeba84  r2 90b27048  r3 00000000
E/CRASH   ( 4452):     r4 00000a00  r5 08533ce8  r6 9b49abd0  r7 b3cdec84
E/CRASH   ( 4452):     r8 9f2f6b48  r9 00000000  sl 9f2f6d2c  fp 9f2f6a80
E/CRASH   ( 4452):     ip 0ad00b00  sp 9f2f6a78  lr 09a8b0d4  pc 09f012f0  cpsr 9f2f6740
E/CRASH   ( 4452):
E/CRASH   ( 4452): backtrace:
E/CRASH   ( 4452):      #00  pc 000002f0  /data/app/io.rayshift.xxx-1/lib/arm/libil2cpp.so
E/CRASH   ( 4452):      #01  pc 00533cf8  /data/app/io.rayshift.xxx-1/lib/arm/libil2cpp.so
E/CRASH   ( 4452):      #02  pc 003c2f78  /data/app/io.rayshift.xxx-1/lib/arm/libil2cpp.so

PC 09f012f0 - 0x8000000 = 0x1F012F0

Fails to branch to a memory address of 0xffdeba84.

This crash only happens on my emulator (NOX 6.3.0.8) and not on real devices in either armeabi-v7a or arm64-v8a, so I cannot step through with a debugger to find the problem. Maybe you know the reason? Perhaps NOX is also trying to hook this function?

For now I have a workaround (reimplement this function myself instead of calling the old function).
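The log above shows the part of an inline hook that is sensitive to the target's code: Dobby moves the first 8 bytes at 0x9f012e0 ("[insn relocate] origin 0x9f012e0 - 8") to a trampoline at 0xb2cdf078, and the crash pc 0x09f012f0 is 16 bytes past that patched entry, inside the original function. Any relocated instruction that reads the program counter (a literal-pool LDR, ADR, B/BL) computes a different address at the trampoline than at the original site unless it is rewritten. The following is an added example, not code from Dobby or from the issue: a small classifier for 32-bit ARM (A32) instructions that reports whether an instruction is pc-relative, what address it resolves to, and what a verbatim copy at the trampoline would resolve to instead. The prologue words are constructed for illustration and are not bytes from the reported libil2cpp.so; only the two addresses come from the log. It handles A32 encodings only (armeabi-v7a libraries built by the NDK are frequently Thumb-2, whose encodings differ and are not covered here), and the catch-all register check is a heuristic, not a full decoder.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* How an A32 instruction depends on the program counter. */
typedef enum {
    PCREL_NONE,          /* safe to copy verbatim */
    PCREL_LDR_LITERAL,   /* LDR/LDRB Rt, [pc, #imm]  (literal-pool load) */
    PCREL_ADR,           /* ADD/SUB Rd, pc, #const   (address of a nearby label) */
    PCREL_BRANCH,        /* B / BL / BLX <label> */
    PCREL_OTHER_PC_READ  /* pc used as Rn/Rm elsewhere, e.g. "mov lr, pc" */
} pcrel_kind;

typedef struct {
    pcrel_kind kind;
    bool       has_target;
    uint32_t   target;   /* effective address the instruction computes, when known */
} pcrel_info;

/* In A32 mode a read of pc yields the instruction's own address + 8. */
static uint32_t a32_pc(uint32_t insn_addr) { return insn_addr + 8; }

/* Decode the A32 "modified immediate": an 8-bit value rotated right by 2*rot. */
static uint32_t a32_expand_imm(uint32_t insn) {
    uint32_t imm8 = insn & 0xFF, rot = ((insn >> 8) & 0xF) * 2;
    return rot ? (imm8 >> rot) | (imm8 << (32 - rot)) : imm8;
}

/* Classify one A32 instruction located at insn_addr. */
pcrel_info classify_a32(uint32_t insn, uint32_t insn_addr) {
    pcrel_info r = { PCREL_NONE, false, 0 };
    uint32_t cond = insn >> 28;

    /* B/BL (cond != 1111) and BLX <label> (cond == 1111) share the 101x top bits. */
    if ((insn & 0x0E000000) == 0x0A000000) {
        int32_t off = (int32_t)(insn << 8) >> 6;          /* imm24, sign-extended, times 4 */
        if (cond == 0xF) off |= ((insn >> 24) & 1) << 1;  /* BLX: H bit selects the half-word */
        r.kind = PCREL_BRANCH; r.has_target = true; r.target = a32_pc(insn_addr) + (uint32_t)off;
        return r;
    }
    if (cond == 0xF) return r;   /* other unconditional-space instructions: not classified here */

    /* LDR/LDRB Rt, [pc, #imm12]: bits 27:25 = 010, bit 20 = 1 (load), Rn = 1111 */
    if ((insn & 0x0E1F0000) == 0x041F0000) {
        uint32_t base = a32_pc(insn_addr) & ~3u, imm = insn & 0xFFF;
        r.kind = PCREL_LDR_LITERAL; r.has_target = true;
        r.target = (insn & (1u << 23)) ? base + imm : base - imm;   /* U bit selects +/- */
        return r;
    }
    /* ADR: ADD Rd, pc, #const (opcode 0100) or SUB Rd, pc, #const (opcode 0010), immediate form */
    if ((insn & 0x0FEF0000) == 0x028F0000 || (insn & 0x0FEF0000) == 0x024F0000) {
        uint32_t base = a32_pc(insn_addr), c = a32_expand_imm(insn);
        r.kind = PCREL_ADR; r.has_target = true;
        r.target = ((insn & 0x0FE00000) == 0x02800000) ? base + c : base - c;
        return r;
    }
    /* BX/BLX Rm: the ones in bits 19:8 are not register fields; only Rm == pc matters. */
    if ((insn & 0x0FFFFFD0) == 0x012FFF10) {
        if ((insn & 0xF) == 0xF) r.kind = PCREL_OTHER_PC_READ;
        return r;
    }
    /* Remaining data-processing (27:26 = 00) and load/store (27:26 = 01) forms: flag any
     * use of pc as Rn, or as Rm in the register-operand form. Conservative: encodings that
     * reuse a 1111 field for other purposes (e.g. MRS) are flagged too. */
    uint32_t op = (insn >> 26) & 3;
    if (op == 0 || op == 1) {
        bool reg_form = (op == 0) ? !(insn & (1u << 25)) : (insn & (1u << 25)) != 0;
        bool rn_is_pc = ((insn >> 16) & 0xF) == 0xF;
        bool rm_is_pc = reg_form && (insn & 0xF) == 0xF;
        if (rn_is_pc || rm_is_pc) r.kind = PCREL_OTHER_PC_READ;
    }
    return r;
}

/* True if copying insn from orig_addr to new_addr unchanged preserves its meaning. */
bool verbatim_copy_is_safe(uint32_t insn, uint32_t orig_addr, uint32_t new_addr) {
    pcrel_info a = classify_a32(insn, orig_addr), b = classify_a32(insn, new_addr);
    if (a.kind == PCREL_NONE) return true;
    return a.has_target && b.has_target && a.target == b.target;
}

int main(void) {
    /* Constructed sample prologue (not bytes from the reported libil2cpp.so), placed at the
     * hook address from the issue; the trampoline address is the one Dobby logged. */
    const uint32_t orig = 0x9f012e0, tramp = 0xb2cdf078;
    const uint32_t prologue[] = {
        0xE92D4010,  /* push {r4, lr} */
        0xE59F0010,  /* ldr  r0, [pc, #0x10]   -> literal at orig + 4 + 8 + 0x10 = 0x9f012fc */
        0xEB000010,  /* bl   <orig + 8 + 8 + 0x40 = 0x9f01330> */
    };
    static const char *names[] = { "none", "ldr-literal", "adr", "branch", "other-pc-read" };
    for (unsigned i = 0; i < 3; i++) {
        uint32_t at = orig + 4 * i, to = tramp + 4 * i;
        pcrel_info a = classify_a32(prologue[i], at), b = classify_a32(prologue[i], to);
        printf("%08x: %08x %-14s", at, prologue[i], names[a.kind]);
        if (a.has_target)
            printf(" target %08x, verbatim copy at %08x would use %08x", a.target, to, b.target);
        printf(" -> %s\n", verbatim_copy_is_safe(prologue[i], at, to) ? "safe" : "must be rewritten");
    }
    return 0;
}
```

When a hook only misbehaves on one environment, a practical first check is to dump the 8 bytes at the hook site on both the working and the failing setup before calling DobbyHook: if an emulator, anti-cheat layer or another hook has already patched the function entry, the bytes Dobby relocates differ from the on-disk libil2cpp.so and may no longer be what this kind of classifier, or Dobby's relocator, expects.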

jmpews commented 3 years ago

So if real device, also crashed?

neobenedict commented 3 years ago

> So if real device, also crashed?

No. Only on Nox.