Closed canyie closed 3 years ago
I'm using the static library from the releases; I'm building a DOBBY_DEBUG=ON library now to test with, please wait a moment.
```cpp
#include <jni.h>
#include <android/log.h>
#include "dobby.h"

#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, "native-lib", __VA_ARGS__)
#define B2S(b) ((b) ? "true" : "false")

// Pointer to the original function, filled in by DobbyHook.
static bool (*orgi_target)(int) = nullptr;

extern bool targetFunction(int i) {
    LOGI("target function %d", i);
    int k = i;
    for (int j = 0; j < i; ++j) {
        LOGI("for loop %d", j);
        k += j;
        k++;
    }
    i--;
    k += i;
    k--;
    i++;
    k -= i;
    LOGI("After target function %d", k);
    return false;
}

extern bool hook_target(int i) {
    LOGI("Before target function: received param %d", i);
    LOGI("Change param to %d", ++i);
    bool result = orgi_target(i);
    LOGI("After target function: result %s", B2S(result));
    result = !result;
    LOGI("Changed result to %s", B2S(result));
    return result;
}

extern "C" JNIEXPORT void JNICALL
Java_com_canyie_nativehooktest_MainActivity_test(JNIEnv* env, jclass) {
    LOGI(" ----- BEGIN HOOK ----- ");
    // Install the hook, then immediately remove it again ...
    DobbyHook((void*) targetFunction, (void*) hook_target, (void**) &orgi_target);
    DobbyDestroy((void*) targetFunction);
    LOGI(" ----- END HOOK -----");
    // ... and call the (now un-hooked) function; this is the call that crashes on arm32.
    bool result = targetFunction(1);
    LOGI("target function returned %s", B2S(result));
}
```
2021-02-07 20:32:07.126 28656-28656/com.canyie.nativehooktest I/Dobby: [*] ================================
2021-02-07 20:32:07.126 28656-28656/com.canyie.nativehooktest I/Dobby: [*] Dobby
2021-02-07 20:32:07.126 28656-28656/com.canyie.nativehooktest I/Dobby: [*] ================================
2021-02-07 20:32:07.126 28656-28656/com.canyie.nativehooktest I/Dobby: [*] dobby in debug log mode, disable with cmake flag "-DDOBBY_DEBUG=OFF"
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/native-lib: ----- BEGIN HOOK -----
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [DobbyHook] Initialize at 0xc325f1c5
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] ================ FunctionInlineReplaceRouting Start ================
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [trampoline] Generate trampoline buffer 0xc325f1c5 -> 0xc325f26d
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [insn relocate] origin 0xc325f1c4 - 8
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [insn relocate] relocated 0xe9ee0001 - 28
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [intercept routing] Active patch 0xc325f1c4
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] ================ FunctionInlineReplaceRouting End ================
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/native-lib: ----- END HOOK -----
--------- beginning of crash
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest A/libc: Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x5 in tid 28656 (.nativehooktest), pid 28656 (.nativehooktest)
2021-02-07 20:32:07.185 28696-28696/? I/crash_dump32: obtaining output fd from tombstoned, type: kDebuggerdTombstone
2021-02-07 20:32:07.185 1145-1145/? I//system/bin/tombstoned: received crash request for pid 28656
2021-02-07 20:32:07.186 28696-28696/? I/crash_dump32: performing dump of process 28656 (target tid = 28656)
2021-02-07 20:32:07.192 28696-28696/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2021-02-07 20:32:07.192 28696-28696/? A/DEBUG: Build fingerprint: 'google/blueline/blueline:10/QQ3A.200605.001/6392402:user/release-keys'
2021-02-07 20:32:07.192 28696-28696/? A/DEBUG: Revision: 'MP1.0'
2021-02-07 20:32:07.192 28696-28696/? A/DEBUG: ABI: 'arm'
2021-02-07 20:32:07.194 28696-28696/? A/DEBUG: Timestamp: 2021-02-07 20:32:07+0800
2021-02-07 20:32:07.194 28696-28696/? A/DEBUG: pid: 28656, tid: 28656, name: .nativehooktest >>> com.canyie.nativehooktest <<<
2021-02-07 20:32:07.194 28696-28696/? A/DEBUG: uid: 10334
2021-02-07 20:32:07.194 28696-28696/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x5
2021-02-07 20:32:07.194 28696-28696/? A/DEBUG: Cause: null pointer dereference
2021-02-07 20:32:07.195 28696-28696/? A/DEBUG: r0 00000001 r1 00000001 r2 8e942cbe r3 00000003
2021-02-07 20:32:07.195 28696-28696/? A/DEBUG: r4 c326f011 r5 c326f0d2 r6 ed95ce00 r7 00000001
2021-02-07 20:32:07.195 28696-28696/? A/DEBUG: r8 00000000 r9 ed95ce00 r10 ffeb47a0 r11 ed95ce00
2021-02-07 20:32:07.195 28696-28696/? A/DEBUG: ip c3276e10 sp ffeb4730 lr c325f3cf pc c325f1c4
2021-02-07 20:32:07.304 28696-28696/? A/DEBUG: backtrace:
2021-02-07 20:32:07.304 28696-28696/? A/DEBUG: #00 pc 0001e1c4 /data/app/com.canyie.nativehooktest-htjAVE6HXmSV5bY_DXAezg==/lib/arm/libdobby.so!libdobby.so (offset 0x1e000) (targetFunction(int)) (BuildId: d27a8dc3965672aaffc766e01580968879f6a1c7)
2021-02-07 20:32:07.304 28696-28696/? A/DEBUG: #01 pc 0001e1c3 /data/app/com.canyie.nativehooktest-htjAVE6HXmSV5bY_DXAezg==/lib/arm/libdobby.so!libdobby.so (offset 0x1e000) (zz::OSThread::SetThreadLocal(int, void*)+118) (BuildId: d27a8dc3965672aaffc766e01580968879f6a1c7)
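To make the relationship between the Dobby debug lines and the tombstone explicit: the hook was installed at 0xc325f1c5 (bit 0 set, i.e. a Thumb entry point), 8 bytes starting at 0xc325f1c4 were relocated and patched, and the crash pc is c325f1c4, the first instruction of the hooked function after the patch was removed. The following Python script is an added diagnostic example, not part of this issue or of the Dobby project; it parses those lines from the logcat excerpt above and reports whether the faulting pc falls inside the patched range. The log line formats are taken from the output above; the function and field names are my own.

```python
"""Correlate Dobby's DOBBY_DEBUG log lines with the logcat crash registers.

Added example (not from the issue or from Dobby). It extracts the hook entry
address, the relocated/patched byte range and the crash pc / fault address,
then checks whether the crash landed on the patched hook site.
"""
import re
from dataclasses import dataclass

# Excerpt copied from the logcat output in the report above.
SAMPLE_LOG = """\
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [DobbyHook] Initialize at 0xc325f1c5
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [trampoline] Generate trampoline buffer 0xc325f1c5 -> 0xc325f26d
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [insn relocate] origin 0xc325f1c4 - 8
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [insn relocate] relocated 0xe9ee0001 - 28
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest I/Dobby: [*] [intercept routing] Active patch 0xc325f1c4
2021-02-07 20:32:07.159 28656-28656/com.canyie.nativehooktest A/libc: Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x5 in tid 28656 (.nativehooktest), pid 28656 (.nativehooktest)
2021-02-07 20:32:07.195 28696-28696/? A/DEBUG: ip c3276e10 sp ffeb4730 lr c325f3cf pc c325f1c4
"""

_INIT = re.compile(r"\[DobbyHook\] Initialize at 0x([0-9a-f]+)")
_ORIGIN = re.compile(r"\[insn relocate\] origin 0x([0-9a-f]+) - (\d+)")
_FAULT = re.compile(r"fault addr 0x([0-9a-f]+)")
# Only the register dump has "lr ... pc ..."; backtrace frames print "#NN pc ..." instead.
_REGS = re.compile(r"\blr ([0-9a-f]{8}) pc ([0-9a-f]{8})")


@dataclass
class HookSite:
    entry: int        # address passed to DobbyHook (Thumb bit may be set)
    patch_start: int  # first byte Dobby relocated/overwrote
    patch_size: int   # number of bytes relocated


@dataclass
class Crash:
    pc: int
    fault_addr: int


def parse_dobby_log(text: str) -> HookSite:
    init = _INIT.search(text)
    origin = _ORIGIN.search(text)
    if not init or not origin:
        raise ValueError("no DOBBY_DEBUG hook lines found")
    return HookSite(int(init.group(1), 16),
                    int(origin.group(1), 16), int(origin.group(2)))


def parse_crash(text: str) -> Crash:
    regs = _REGS.search(text)
    fault = _FAULT.search(text)
    if not regs or not fault:
        raise ValueError("no crash register dump found")
    return Crash(int(regs.group(2), 16), int(fault.group(1), 16))


def diagnose(site: HookSite, crash: Crash) -> dict:
    """Relate the faulting pc to the hooked function's entry and patched bytes."""
    thumb = bool(site.entry & 1)          # ARM32: bit 0 of a code address selects Thumb
    entry_addr = site.entry & ~1          # the address as it appears in the pc register
    patch_end = site.patch_start + site.patch_size
    return {
        "thumb_entry": thumb,
        "pc_is_hook_entry": crash.pc == entry_addr,
        "pc_in_patched_bytes": site.patch_start <= crash.pc < patch_end,
        "fault_is_near_null": crash.fault_addr < 0x1000,
    }


if __name__ == "__main__":
    site = parse_dobby_log(SAMPLE_LOG)
    crash = parse_crash(SAMPLE_LOG)
    print(f"hook entry 0x{site.entry:x}, patched 0x{site.patch_start:x}+{site.patch_size}")
    print(f"crash pc 0x{crash.pc:x}, fault addr 0x{crash.fault_addr:x}")
    for key, value in diagnose(site, crash).items():
        print(f"{key}: {value}")
```

For this report every check comes back true: the pc sits exactly on the Thumb entry of targetFunction inside the 8 patched bytes, so the fault is at the hook site itself rather than somewhere in the function body, which is what you want to confirm before looking at how the original bytes are restored on 32-bit ARM.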
================
fixed
Device: Redmi 5 Plus; System: LineageOS 18.0 (Android 11); Code:
On arm64 everything works fine. On arm32 the hook is applied successfully, but calling the hooked function again after destroy crashes: