Failed to hook fopen on Android 10 arm64

shatyuka commented 3 years ago

backtrace:
      #00 pc 000000000001d5c4  libzhiliao.so (GenRelocateCodeAndBranch(void*, MemoryChunk*, MemoryChunk*)+180) (BuildId: 93a4a205012b0f3803d44066d51316cf808097ad)
      #01 pc 0000000000017fc0  libzhiliao.so (InterceptRouting::GenerateRelocatedCode()+192) (BuildId: 93a4a205012b0f3803d44066d51316cf808097ad)
      #02 pc 0000000000019eb0  libzhiliao.so (FunctionInlineReplaceRouting::BuildReplaceRouting()+136) (BuildId: 93a4a205012b0f3803d44066d51316cf808097ad)
      #03 pc 0000000000019e18  libzhiliao.so (FunctionInlineReplaceRouting::Dispatch()+56) (BuildId: 93a4a205012b0f3803d44066d51316cf808097ad)
      #04 pc 000000000001763c  libzhiliao.so (DobbyHook+500) (BuildId: 93a4a205012b0f3803d44066d51316cf808097ad)

2021-03-17 21:38:18.715 23332-23332/com.shatyuka.zhiliao I/Dobby: [*] [DobbyHook] Initialize at 0x78df27bfa0
2021-03-17 21:38:18.715 23332-23332/com.shatyuka.zhiliao I/Dobby: [*] ================ FunctionInlineReplaceRouting Start ================
2021-03-17 21:38:18.715 23332-23332/com.shatyuka.zhiliao I/Dobby: [*] [trampoline] Generate trampoline buffer 0x78df27bfa0 -> 0x77ea5852cc

    --------- beginning of crash
2021-03-17 21:38:18.715 23332-23332/com.shatyuka.zhiliao A/libc: Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x78df27bfa0 in tid 23332 (hatyuka.zhiliao), pid 23332 (hatyuka.zhiliao)

DobbyHook((void*)fopen, (void*)fake_fopen, (void**)&orig_fopen);

zhaozzw commented 2 years ago

你好，这个问题解决了吗

shatyuka commented 2 years ago

你好，这个问题解决了吗

mprotect

zhaozzw commented 2 years ago

有什么解决办法啊,我试了SandHook在Android10也不行

ccWuu commented 2 years ago

请问mprotect这个要怎么修改？

shatyuka commented 2 years ago

请问mprotect这个要怎么修改？

https://github.com/shatyuka/Zhiliao/blob/master/app/src/main/cpp/zhiliao.cpp

ccWuu commented 2 years ago

感谢回复，修改后，还是一样的崩溃=。=

zhaozzw commented 2 years ago

void addr = (void )DobbySymbolResolver(NULL, "fopen"); LOGI("addr = %p",addr);

int PageSize = sysconf(_SC_PAGE_SIZE);
LOGI("PageSize = %d",PageSize);
if(PageSize == -1){
    LOGI("PageSize == -1 error");
    return;
}
void * page_start = (void*)((long long)addr & ~(PageSize-1));
LOGI("page_start = %p",page_start);
//addr &= ~PMD_MASK;
int ret = mprotect(page_start, PageSize, PROT_READ | PROT_WRITE | PROT_EXEC);
LOGI("ret = %d",ret);
DobbyHook((void *)addr, (void *)fake_fopen, (void **)&orig_fopen);

ccWuu commented 2 years ago

void addr = (void )DobbySymbolResolver(NULL, "fopen"); LOGI("addr = %p",addr);

int PageSize = sysconf(_SC_PAGE_SIZE);
LOGI("PageSize = %d",PageSize);
if(PageSize == -1){
    LOGI("PageSize == -1 error");
    return;
}
void * page_start = (void*)((long long)addr & ~(PageSize-1));
LOGI("page_start = %p",page_start);
//addr &= ~PMD_MASK;
int ret = mprotect(page_start, PageSize, PROT_READ | PROT_WRITE | PROT_EXEC);
LOGI("ret = %d",ret);
DobbyHook((void *)addr, (void *)fake_fopen, (void **)&orig_fopen);

非常感谢，解决了～

zhaozzw commented 2 years ago

都应该感谢楼主~~

void addr = (void )DobbySymbolResolver(NULL, "fopen"); LOGI("addr = %p",addr);

int PageSize = sysconf(_SC_PAGE_SIZE);
LOGI("PageSize = %d",PageSize);
if(PageSize == -1){
    LOGI("PageSize == -1 error");
    return;
}
void * page_start = (void*)((long long)addr & ~(PageSize-1));
LOGI("page_start = %p",page_start);
//addr &= ~PMD_MASK;
int ret = mprotect(page_start, PageSize, PROT_READ | PROT_WRITE | PROT_EXEC);
LOGI("ret = %d",ret);
DobbyHook((void *)addr, (void *)fake_fopen, (void **)&orig_fopen);

非常感谢，解决了～

都应该感谢楼主~~

jmpews / Dobby

Failed to hook fopen on Android 10 arm64 #132