jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0

Segfault hooking function on arm64 #160

Closed neobenedict closed 1 year ago

neobenedict commented 3 years ago

07-06 03:19:23.820 25030 25057 D AvalonHook: DEBUG: WebviewServer Method 0x7173f33ffc

07-06 04:07:48.478 28000 28027 E CRASH   : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0000007173f34000
07-06 04:07:48.478 28000 28027 E CRASH   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
07-06 04:07:48.478 28000 28027 E CRASH   : Build type 'Release', Scripting Backend 'il2cpp', CPU 'arm64-v8a'
07-06 04:07:48.478 28000 28027 E CRASH   : Build fingerprint: 'google/sargo/sargo:S/SPB1.210331.013/7333779:user/release-keys'
07-06 04:07:48.479 28000 28027 E CRASH   : Revision: 'MP1.0'
07-06 04:07:48.479 28000 28027 E CRASH   : pid: 28000, tid: 28027, name: shift.betterfgo  >>> io.rayshift.betterfgo <<<
07-06 04:07:48.479 28000 28027 E CRASH   :     x0   0000007173f33ffc  x1   0000007230748f70  x2   000000000000000c  x3   0000000000000010
07-06 04:07:48.479 28000 28027 E CRASH   :     x4   0000007230748f7c  x5   0000007173f34008  x6   9117d231b00719b1  x7   d61f02209117d231
07-06 04:07:48.479 28000 28027 E CRASH   :     x8   0000007173f33ffc  x9   0000000000000ffc  x10  00000074b192aee0  x11  ffffffffffffffff
07-06 04:07:48.479 28000 28027 E CRASH   :     x12  ffffffffffffffff  x13  0000007230748f70  x14  000000000000000c  x15  001c657c8335341e
07-06 04:07:48.479 28000 28027 E CRASH   :     x16  0000007182305228  x17  00000074b192b760  x18  0000007181602000  x19  0000007182206cb0
07-06 04:07:48.479 28000 28027 E CRASH   :     x20  00000074b1991314  x21  0000007182206cb0  x22  0000000000006d60  x23  0000000000006d60
07-06 04:07:48.479 28000 28027 E CRASH   :     x24  0000007182206cb0  x25  0000007182206cb0  x26  0000007182206ff8  x27  00000000000fc000
07-06 04:07:48.479 28000 28027 E CRASH   :     x28  000000718210e000  x29  0000007182206b50  x30  00000071822707a0
07-06 04:07:48.479 28000 28027 E CRASH   :     sp   00000071822069b0  pc   00000074b192b650  pstate 0000000020000000
07-06 04:07:48.479 28000 28027 E CRASH   : backtrace:
07-06 04:07:48.514 28000 28027 E CRASH   :      #00  pc 00000000000008ac  [vdso] ()
07-06 04:07:48.514 28000 28027 E CRASH   :      #01  pc 000000000000f64c  /apex/com.android.runtime/lib64/bionic/libc.so (__memcpy+92)
07-06 04:07:48.514 28000 28027 E CRASH   :      #02  pc 000000000006579c  /data/app/~~SVxCS9IvqkCgFDZnpAMYtg==/io.rayshift.betterfgo-0LrVjh1RHkZRHra2wW7c8Q==/lib/arm64/libavalon.so (CodePatch+228)
07-06 04:07:48.514 28000 28027 E CRASH   :      #03  pc 0000000000063b50  /data/app/~~SVxCS9IvqkCgFDZnpAMYtg==/io.rayshift.betterfgo-0LrVjh1RHkZRHra2wW7c8Q==/lib/arm64/libavalon.so (_ZN16InterceptRouting6ActiveEv+120)
07-06 04:07:48.514 28000 28027 E CRASH   :      #04  pc 0000000000063b90  /data/app/~~SVxCS9IvqkCgFDZnpAMYtg==/io.rayshift.betterfgo-0LrVjh1RHkZRHra2wW7c8Q==/lib/arm64/libavalon.so (_ZN16InterceptRouting6CommitEv+28)
07-06 04:07:48.514 28000 28027 E CRASH   :      #05  pc 0000000000062d74  /data/app/~~SVxCS9IvqkCgFDZnpAMYtg==/io.rayshift.betterfgo-0LrVjh1RHkZRHra2wW7c8Q==/lib/arm64/libavalon.so (DobbyHook+452)
07-06 04:07:48.514 28000 28027 E CRASH   :      #06  pc 000000000005d758  /data/app/~~SVxCS9IvqkCgFDZnpAMYtg==/io.rayshift.betterfgo-0LrVjh1RHkZRHra2wW7c8Q==/lib/arm64/libavalon.so (_Z9changeUrlv+232)
07-06 04:07:48.514 28000 28027 E CRASH   :      #07  pc 000000000005df18  /data/app/~~SVxCS9IvqkCgFDZnpAMYtg==/io.rayshift.betterfgo-0LrVjh1RHkZRHra2wW7c8Q==/lib/arm64/libavalon.so (_Z9hook_loopPv+1176)
07-06 04:07:48.514 28000 28027 E CRASH   :      #08  pc 0000000000075354  /apex/com.android.runtime/lib64/bionic/libc.so (_ZL15__pthread_startPv+64)
07-06 04:07:48.514 28000 28027 E CRASH   :      #09  pc 00000000000152d8  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64)
il2cpp:000000000171AFFC ; System_String_o *__fastcall NetworkManager__GetWebServerSetting_24227836(System_String_o *type, const MethodInfo *method)
il2cpp:000000000171AFFC NetworkManager$$GetWebServerSetting_24227836
il2cpp:000000000171AFFC                                         ; CODE XREF: NetworkManager$$SetServerSetting_24231320:loc_171BF78↓p
il2cpp:000000000171AFFC                                         ; ServerSettingMenu$$OnChangeServerInputType+180↓p ...
il2cpp:000000000171AFFC
il2cpp:000000000171AFFC var_10          = -0x10
il2cpp:000000000171AFFC var_s0          =  0
il2cpp:000000000171AFFC
il2cpp:000000000171AFFC ; __unwind {
il2cpp:000000000171AFFC                 STR             X19, [SP,#-0x10+var_10]! ; NOTE(review): entry is at ...AFFC, so only this one 4-byte instruction sits on its page (assuming 4 KiB pages)
il2cpp:000000000171B000                 STP             X29, X30, [SP,#0x10+var_s0] ; NOTE(review): next page starts here (0x171B000); an inline-hook patch longer than one instruction spans two pages and both must be writable
il2cpp:000000000171B004                 ADD             X29, SP, #0x10
il2cpp:000000000171B008                 ADRP            X19, #byte_3960617@PAGE
il2cpp:000000000171B00C                 LDRB            W8, [X19,#byte_3960617@PAGEOFF]
il2cpp:000000000171B010                 TBNZ            W8, #0, loc_171B02C
il2cpp:000000000171B014                 ADRP            X8, #off_3788150@PAGE
il2cpp:000000000171B018                 LDR             X8, [X8,#off_3788150@PAGEOFF]
il2cpp:000000000171B01C                 LDR             W0, [X8]
il2cpp:000000000171B020                 BL              sub_B394CC
il2cpp:000000000171B024                 MOV             W8, #1
il2cpp:000000000171B028                 STRB            W8, [X19,#byte_3960617@PAGEOFF]
il2cpp:000000000171B02C
il2cpp:000000000171B02C loc_171B02C                             ; CODE XREF: NetworkManager$$GetWebServerSetting_24227836+14↑j
il2cpp:000000000171B02C                 ADRP            X19, #off_3763120@PAGE
il2cpp:000000000171B030                 LDR             X19, [X19,#off_3763120@PAGEOFF]
il2cpp:000000000171B034                 LDR             X0, [X19] ; ManagerConfig_TypeInfo
il2cpp:000000000171B038                 LDRB            W8, [X0,#0x127]
il2cpp:000000000171B03C                 TBZ             W8, #1, loc_171B050
il2cpp:000000000171B040                 LDR             W8, [X0,#0xD8]
il2cpp:000000000171B044                 CBNZ            W8, loc_171B050
il2cpp:000000000171B048                 BL              il2cpp_runtime_class_init_0
il2cpp:000000000171B04C                 LDR             X0, [X19] ; ManagerConfig_TypeInfo
il2cpp:000000000171B050
il2cpp:000000000171B050 loc_171B050                             ; CODE XREF: NetworkManager$$GetWebServerSetting_24227836+40↑j
il2cpp:000000000171B050                                         ; NetworkManager$$GetWebServerSetting_24227836+48↑j
il2cpp:000000000171B050                 LDR             X8, [X0,#0xB8]
il2cpp:000000000171B054                 LDP             X29, X30, [SP,#0x10+var_s0]
il2cpp:000000000171B058                 LDR             X0, [X8,#0xA0]
il2cpp:000000000171B05C                 LDR             X19, [SP+0x10+var_10],#0x20
il2cpp:000000000171B060                 RET
il2cpp:000000000171B060 ; } // starts at 171AFFC
il2cpp:000000000171B060 ; End of function NetworkManager$$GetWebServerSetting_24227836

Strangely, there are no issues hooking the function above it, which is very similar. The memory addresses used for hooking are correct.

The code was working until the latest game update. It is only broken on arm64; 32-bit is fine. All other hooks work fine; just something about this particular function doesn't work any more.

Any clue what is going on?

    // Install the inline hook on the WebviewServer method: the replacement is
    // changeView, and DobbyHook's third argument receives the pointer used to
    // call through to the original. Only RS_SUCCESS counts as success; any
    // other return value is logged and aborts this function.
    // NOTE(review): in the crash log above the fault happens inside DobbyHook
    // itself (__memcpy <- CodePatch <- DobbyHook), so this return-code check is
    // never reached. The memcpy destination (x0 = ...3ffc, length x2 = 0xc)
    // starts 4 bytes below the page boundary at ...4000 and crosses it, and the
    // fault addr is exactly that boundary with SEGV_ACCERR (a protection
    // fault) -- presumably only the first page was made writable; confirm
    // against the CodePatch implementation.
    if (DobbyHook((void *)webviewServer->methodPointer, (void *) changeView, (void **)&changeViewHooked) == RS_SUCCESS) {
        LOGI("Successfully hooked %s", webviewServer->name);
    }
    else {
        LOGW("Error code hooking %s", webviewServer->name);
        return;
    }
yujincheng08 commented 3 years ago

same as #132

mskmkt0704 commented 2 years ago

161 may work for you.

neobenedict commented 1 year ago

Seems fixed with the above patches.