jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0
3.93k stars 809 forks

Hooking a function in the system libc crashes on Android 9.0 arm64-v8a #60

Closed 0n1y3nd closed 3 years ago

0n1y3nd commented 5 years ago

The crash stack is as follows:

07-25 11:48:14.676 14388 14388 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
07-25 11:48:14.676   840   840 I /system/bin/tombstoned: received crash request for pid 14363
07-25 11:48:14.677 14388 14388 I crash_dump64: performing dump of process 14363 (target tid = 14363)
07-25 11:48:14.681 14388 14388 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
07-25 11:48:14.681 14388 14388 F DEBUG   : Build fingerprint: 'HUAWEI/ELE-TL00/HWELE:9/HUAWEIELE-TL00/162C01:user/release-keys'
07-25 11:48:14.681 14388 14388 F DEBUG   : Revision: '0'
07-25 11:48:14.681 14388 14388 F DEBUG   : ABI: 'arm64'
07-25 11:48:14.681 14388 14388 F DEBUG   : Happend: 'Thu Jul 25 11:48:14 2019
07-25 11:48:14.681 14388 14388 F DEBUG   : '
07-25 11:48:14.681 14388 14388 F DEBUG   : SYSVMTYPE: Maple
07-25 11:48:14.681 14388 14388 F DEBUG   : APPVMTYPE: Art
07-25 11:48:14.681 14388 14388 F DEBUG   : pid: 14363, tid: 14363, name: om.example.prop  >>> com.example.prop <<<
07-25 11:48:14.681 14388 14388 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x80401010080401
07-25 11:48:14.681 14388 14388 F DEBUG   :     x0  0080401010080401  x1  0000007b0580695e  x2  0000007fee57c5dc  x3  0000000000000100
07-25 11:48:14.681 14388 14388 F DEBUG   :     x4  0000007fee57c638  x5  0000007fee57a62b  x6  68646e617362696c  x7  00000004691cc533
07-25 11:48:14.681 14388 14388 F DEBUG   :     x8  0000000000000002  x9  0000007b8bfa0098  x10 0000007b0580695e  x11 0000000000000000
07-25 11:48:14.681 14388 14388 F DEBUG   :     x12 6b6f6f68646e6173  x13 526f2e00006f732e  x14 00006f732e6b6f6f  x15 0000000000003e98
07-25 11:48:14.681 14388 14388 F DEBUG   :     x16 0000007b88934f40  x17 0000007b87433924  x18 0000000000000008  x19 0000007fee57c5dc
07-25 11:48:14.681 14388 14388 F DEBUG   :     x20 0000007b8bfa0098  x21 0000007b0580695e  x22 0000007fee57d78c  x23 0000007b8c24d5e0
07-25 11:48:14.681 14388 14388 F DEBUG   :     x24 0000007fee57c5dc  x25 0000007b8c24d5e0  x26 0000007b05a15ca0  x27 0000007b8c24d5e0
07-25 11:48:14.681 14388 14388 F DEBUG   :     x28 0000000000000000  x29 0000007fee57c590
07-25 11:48:14.681 14388 14388 F DEBUG   :     sp  0000007fee57c570  lr  0000007ae9807994  pc  0000007b87424b44
07-25 11:48:14.758 14388 14388 F DEBUG   : 
07-25 11:48:14.758 14388 14388 F DEBUG   : backtrace:
07-25 11:48:14.758 14388 14388 F DEBUG   :     #00 pc 0000000000021b44  /system/lib64/libc.so (SystemProperties::Get(char const*, char*)+44)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #01 pc 0000000000000990  /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/lib/arm64/libnative-lib.so (fake__system_property_get(char const*, char*)+36)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #02 pc 000000000000dedc  /system/lib64/libcutils.so (property_get_int32+80)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #03 pc 00000000003d32e0  /system/lib64/libart.so (art::DexFile_Hotfix(char const*)+88)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #04 pc 0000000000003f7c  /system/lib64/libopenjdkjvm.so (JVM_NativeLoad+120)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #05 pc 000000000013bbc8  /system/framework/arm64/boot.oat (offset 0x13b000) (java.lang.Runtime.nativeLoad [DEDUPED]+200)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #06 pc 00000000001d005c  /system/framework/arm64/boot.oat (offset 0x13b000) (java.lang.Runtime.loadLibrary0+188)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #07 pc 00000000001d5d20  /system/framework/arm64/boot.oat (offset 0x13b000) (java.lang.System.loadLibrary+96)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #08 pc 000000000056f24c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #09 pc 00000000000d4224  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #10 pc 0000000000283fa8  /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #11 pc 000000000027dfb0  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #12 pc 000000000053ff9c  /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #13 pc 0000000000561794  /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #14 pc 00000000001b0200  /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.swift.sandhook.SandHookConfig$1.loadLib+12)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #15 pc 0000000000257cb4  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #16 pc 000000000025d7a8  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #17 pc 000000000027df94  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #18 pc 000000000053fa14  /system/lib64/libart.so (MterpInvokeInterface+1392)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #19 pc 0000000000561814  /system/lib64/libart.so (ExecuteMterpImpl+14740)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #20 pc 00000000001b0bb0  /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.swift.sandhook.SandHook.<clinit>+32)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #21 pc 0000000000257cb4  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #22 pc 000000000052aa88  /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #23 pc 00000000005780fc  /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #24 pc 000000000056f24c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #25 pc 00000000000d4224  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #26 pc 000000000012c00c  /system/lib64/libart.so (art::ClassLinker::InitializeClass(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+2196)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #27 pc 0000000000117470  /system/lib64/libart.so (art::ClassLinker::EnsureInitialized(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+192)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #28 pc 0000000000284040  /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+496)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #29 pc 000000000027dfb0  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #30 pc 000000000053ff9c  /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #31 pc 0000000000561794  /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #32 pc 00000000001b59bc  /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.swift.sandhook.xposedcompat.hookstub.HookStubManager.<clinit>)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #33 pc 0000000000257cb4  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #34 pc 000000000052aa88  /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #35 pc 00000000005780fc  /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #36 pc 000000000056f24c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #37 pc 00000000000d4224  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #38 pc 000000000012c00c  /system/lib64/libart.so (art::ClassLinker::InitializeClass(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+2196)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #39 pc 0000000000117470  /system/lib64/libart.so (art::ClassLinker::EnsureInitialized(art::Thread*, art::Handle<art::mirror::Class>, bool, bool)+192)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #40 pc 0000000000284040  /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+496)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #41 pc 000000000027dfb0  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #42 pc 000000000053ff9c  /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #43 pc 0000000000561794  /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #44 pc 00000000001bf1f0  /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.swift.sandhook.xposedcompat.methodgen.DynamicBridge.hookMethod+204)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #45 pc 0000000000257cb4  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #46 pc 000000000052aa88  /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #47 pc 00000000005780fc  /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #48 pc 000000000056f24c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #49 pc 00000000000d4224  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #50 pc 0000000000283fa8  /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #51 pc 000000000027dfb0  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #52 pc 000000000053ff9c  /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #53 pc 0000000000561794  /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #54 pc 00000000001c3972  /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (de.robv.android.xposed.XposedBridge.hookMethodNative+10)
07-25 11:48:14.758 14388 14388 F DEBUG   :     #55 pc 0000000000257cb4  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #56 pc 000000000025d7a8  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #57 pc 000000000027df94  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #58 pc 000000000053ff9c  /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #59 pc 0000000000561794  /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #60 pc 00000000001c36aa  /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (de.robv.android.xposed.XposedBridge.hookMethod+298)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #61 pc 0000000000257cb4  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #62 pc 000000000052aa88  /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #63 pc 00000000005780fc  /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #64 pc 000000000056f24c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #65 pc 00000000000d4224  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #66 pc 0000000000283fa8  /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #67 pc 000000000027dfb0  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #68 pc 000000000053ff9c  /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #69 pc 0000000000561794  /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #70 pc 00000000001c3f02  /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (de.robv.android.xposed.XposedHelpers.findAndHookMethod+62)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #71 pc 0000000000257cb4  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #72 pc 000000000052aa88  /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #73 pc 00000000005780fc  /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #74 pc 000000000056f24c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #75 pc 00000000000d4224  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #76 pc 0000000000283fa8  /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #77 pc 000000000027dfb0  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #78 pc 000000000053ff9c  /system/lib64/libart.so (MterpInvokeStatic+204)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #79 pc 0000000000561794  /system/lib64/libart.so (ExecuteMterpImpl+14612)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #80 pc 00000000001afc90  /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.example.prop.javahooker.HookHelper.doHook+316)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #81 pc 0000000000257cb4  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #82 pc 000000000025d7a8  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #83 pc 000000000027df94  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #84 pc 0000000000541adc  /system/lib64/libart.so (MterpInvokeVirtualQuick+584)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #85 pc 0000000000565394  /system/lib64/libart.so (ExecuteMterpImpl+29972)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #86 pc 00000000001af830  /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.example.prop.javahooker.AndroidSysClassHK.main+20)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #87 pc 0000000000257cb4  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #88 pc 000000000025d7a8  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #89 pc 000000000027df94  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #90 pc 0000000000541adc  /system/lib64/libart.so (MterpInvokeVirtualQuick+584)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #91 pc 0000000000565394  /system/lib64/libart.so (ExecuteMterpImpl+29972)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #92 pc 00000000001ad132  /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.example.prop.MainActivity.working+26)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #93 pc 0000000000257cb4  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #94 pc 000000000025d7a8  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #95 pc 000000000027df94  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #96 pc 0000000000541adc  /system/lib64/libart.so (MterpInvokeVirtualQuick+584)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #97 pc 0000000000565394  /system/lib64/libart.so (ExecuteMterpImpl+29972)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #98 pc 00000000001ad082  /data/app/com.example.prop-1d6nRbUTFKUR6ThajQ0arQ==/oat/arm64/base.vdex (com.example.prop.MainActivity.onCreate+126)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #99 pc 0000000000257cb4  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.4019025862+488)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #100 pc 000000000052aa88  /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #101 pc 00000000005780fc  /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #102 pc 0000000000b66c48  /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.Activity.performCreate+232)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #103 pc 0000000000818b60  /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.Instrumentation.callActivityOnCreate+240)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #104 pc 000000000094726c  /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.ActivityThread.performLaunchActivity+2428)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #105 pc 000000000094e0f4  /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.ActivityThread.handleLaunchActivity+1364)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #106 pc 0000000000b71834  /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.servertransaction.LaunchActivityItem.execute+372)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #107 pc 000000000083c9e4  /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.servertransaction.TransactionExecutor.executeCallbacks+708)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #108 pc 000000000083c6a8  /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.servertransaction.TransactionExecutor.execute+280)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #109 pc 0000000000934bd0  /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.ActivityThread$H.handleMessage+1536)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #110 pc 0000000000baf614  /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.os.Handler.dispatchMessage+180)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #111 pc 0000000000bb2a80  /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.os.Looper.loop+1472)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #112 pc 0000000000945b54  /system/framework/arm64/boot-framework.oat (offset 0x415000) (android.app.ActivityThread.main+1236)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #113 pc 000000000056f24c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #114 pc 00000000000d4224  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #115 pc 0000000000472fd4  /system/lib64/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #116 pc 0000000000474a28  /system/lib64/libart.so (art::InvokeMethod(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+1440)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #117 pc 00000000004043ac  /system/lib64/libart.so (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*)+52)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #118 pc 00000000001456d4  /system/framework/arm64/boot.oat (offset 0x13b000) (java.lang.Class.getDeclaredMethodInternal [DEDUPED]+180)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #119 pc 0000000000edc9a8  /system/framework/arm64/boot-framework.oat (offset 0x415000) (com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run+136)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #120 pc 0000000000ee39cc  /system/framework/arm64/boot-framework.oat (offset 0x415000) (com.android.internal.os.ZygoteInit.main+2540)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #121 pc 000000000056f24c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #122 pc 00000000000d4224  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #123 pc 0000000000472fd4  /system/lib64/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #124 pc 0000000000472c34  /system/lib64/libart.so (art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+424)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #125 pc 0000000000367254  /system/lib64/libart.so (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+652)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #126 pc 00000000000b9600  /system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+120)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #127 pc 00000000000bc378  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+780)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #128 pc 0000000000002368  /system/bin/app_process64 (main+1444)
07-25 11:48:14.759 14388 14388 F DEBUG   :     #129 pc 00000000000ae78c  /system/lib64/libc.so (offset 0x31000) (__libc_init+88)
07-25 11:48:14.840   776   849 E dubaid  : [CpuHandler.cpp] findUidEntry# Uid(10719) has not package, maybe it's already uninstalled
07-25 11:48:14.840   776   849 E dubaid  : [CpuHandler.cpp] setUidCpuTime# Failed to find uid entry
07-25 11:48:14.841   776   849 E dubaid  : [CpuHandler.cpp] findUidEntry# Uid(10718) has not package, maybe it's already uninstalled
07-25 11:48:14.841   776   849 E dubaid  : [CpuHandler.cpp] setUidCpuTime# Failed to find uid entry
07-25 11:48:14.863   840   840 E /system/bin/tombstoned: Tombstone written to: /data/tombstones/tombstone_06
07-25 11:48:14.864  1253  1354 I BootReceiver: Copying /data/tombstones/tombstone_06 to DropBox (SYSTEM_TOMBSTONE)
07-25 11:48:14.865  1253 14391 W ActivityManager:   finishTopCrashedActivityLocked Force finishing activity com.example.prop/.MainActivity
07-25 11:48:14.865  1253 14391 V ActivityManager: positionChild stackId=0 to top.

Hook code:

#include <sys/system_properties.h>   // __system_property_get
#include <android/log.h>
#include "hookzz.h"                  // ZzReplace (HookZz API)

#define LOGE(...) __android_log_print(ANDROID_LOG_ERROR, "hook", __VA_ARGS__)

// Trampoline back to the original function; ZzReplace fills it in.
int (*orig__system_property_get)(const char *name, char *value);

int fake__system_property_get(const char *name, char *value) {
    int t = orig__system_property_get(name, value);
    LOGE("### fake: __system_property_get(%s, %s) == 0x%x", name, value, t);
    return t;
}

void hook___system_property_get() {
    ZzReplace((void *) __system_property_get, (void *) fake__system_property_get,
              (void **) &orig__system_property_get);
}
hnyaoqingping commented 4 years ago

I guess this library is only meant for iOS and was not tested on Android.

jmpews commented 4 years ago

A real Huawei device?

hnyaoqingping notifications@github.com wrote on Tue, 17 Sep 2019 at 15:40:

I guess this library is only meant for iOS and was not tested on Android.

0n1y3nd commented 4 years ago

I tested again today with the latest version and the problem is still there. Device info: Pixel 2, Android Q.
Tried hooking libc's free function (the code runs fine on 6.0). Crash info: [image]

foundkey commented 4 years ago

Mi Mix 2s (Android 9) has the same problem. Test code:

#include <stdio.h>          // remove()
#include <jni.h>
#include <android/log.h>
#include "hookzz.h"         // ZzReplace (HookZz API)

// Trampoline back to the original remove(); ZzReplace fills it in.
int (*origin_remove)(const char *path);

int fake_remove(const char *path) {
    __android_log_print(ANDROID_LOG_DEBUG, "hook remove", "arg: %s", path);
    return origin_remove(path);
}

extern "C"
JNIEXPORT void JNICALL
Java_com_example_hookzzdemo_MainActivity_startHook(JNIEnv *env, jobject thiz) {
    __android_log_print(ANDROID_LOG_DEBUG, "hook begin", "remove(): %p", fake_remove);
    // ZzReplace returns a status code; it is logged so a failed install is visible.
    int result = ZzReplace((void *)remove, (void *)fake_remove, (void **)&origin_remove);
    __android_log_print(ANDROID_LOG_DEBUG, "hook begin", "result: %d", result);
}

crash dump:

2019-11-07 18:17:23.352 9683-9683/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2019-11-07 18:17:23.352 9683-9683/? A/DEBUG: Build fingerprint: 'Xiaomi/polaris/polaris:9/PKQ1.180729.001/9.5.17:user/release-keys'
2019-11-07 18:17:23.352 9683-9683/? A/DEBUG: Revision: '0'
2019-11-07 18:17:23.352 9683-9683/? A/DEBUG: ABI: 'arm64'
2019-11-07 18:17:23.352 9683-9683/? A/DEBUG: pid: 9625, tid: 9625, name: mple.hookzzdemo  >>> com.example.hookzzdemo <<<
2019-11-07 18:17:23.352 9683-9683/? A/DEBUG: signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0x1f022058000011
2019-11-07 18:17:23.352 9683-9683/? A/DEBUG:     x0  0000006f56aa9000  x1  0000007fdaf8d060  x2  0000000000000000  x3  0000006f5d31fd86
2019-11-07 18:17:23.352 9683-9683/? A/DEBUG:     x4  0000007fdaf8d048  x5  0000000000000000  x6  60694b16ff3a666d  x7  7f7f7f7f7f7f7f7f
2019-11-07 18:17:23.352 9683-9683/? A/DEBUG:     x8  4bfcf13cb68351a7  x9  4bfcf13cb68351a7  x10 0000000000430000  x11 0000000000000004
2019-11-07 18:17:23.352 9683-9683/? A/DEBUG:     x12 0000006f5da0d688  x13 0000006f5d30d8c0  x14 0000006f5d30d920  x15 0000000000000000
2019-11-07 18:17:23.352 9683-9683/? A/DEBUG:     x16 0000006f57894430  x17 d61f022058000011  x18 0000000000000008  x19 0000006f5dae8460
2019-11-07 18:17:23.352 9683-9683/? A/DEBUG:     x20 0000000000000075  x21 0000006f56aa9000  x22 0000007fdaf8d400  x23 0000000072c3e6df
2019-11-07 18:17:23.353 9683-9683/? A/DEBUG:     x24 0000000000000008  x25 0000006fe33955e0  x26 0000006f5da14ca0  x27 0000000000000002
2019-11-07 18:17:23.353 9683-9683/? A/DEBUG:     x28 0000000000000001  x29 0000007fdaf8d130
2019-11-07 18:17:23.353 9683-9683/? A/DEBUG:     sp  0000007fdaf8d110  lr  0000006f57864974  pc  001f022058000011
2019-11-07 18:17:23.489 743-743/? V/DisplayFeatureHal: dataCallback value=< 227.9070,   0.0000,   0.0000>,time=1729048902288455, sensor=5, temperature(K)=   0.0000
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG: backtrace:
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #00 pc 001f022058000011  <unknown>
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #01 pc 000000000001f970  /system/lib64/libopenjdk.so (Java_java_io_UnixFileSystem_delete0+92)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #02 pc 0000000000317df8  /system/framework/arm64/boot-core-oj.oat (offset 0x2dc000) (java.lang.invoke.VarHandle.compareAndSet [DEDUPED]+152)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #03 pc 000000000055c988  /system/lib64/libart.so (art_quick_invoke_stub+584)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #04 pc 00000000000d0520  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+200)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #05 pc 0000000000280b90  /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #06 pc 000000000027aba4  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #07 pc 000000000052d684  /system/lib64/libart.so (MterpInvokeDirect+296)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #08 pc 000000000054f194  /system/lib64/libart.so (ExecuteMterpImpl+14484)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #09 pc 00000000000cae74  /system/framework/boot-core-oj.vdex (java.io.UnixFileSystem.delete+34)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #10 pc 00000000002548a8  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.223931584+488)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #11 pc 000000000025a39c  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #12 pc 000000000027ab88  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #13 pc 000000000052c344  /system/lib64/libart.so (MterpInvokeVirtual+588)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #14 pc 000000000054f094  /system/lib64/libart.so (ExecuteMterpImpl+14228)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #15 pc 00000000000bc510  /system/framework/boot-core-oj.vdex (java.io.File.delete+42)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #16 pc 00000000002548a8  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.223931584+488)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #17 pc 000000000025a39c  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #18 pc 000000000027ab88  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #19 pc 000000000052c344  /system/lib64/libart.so (MterpInvokeVirtual+588)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #20 pc 000000000054f094  /system/lib64/libart.so (ExecuteMterpImpl+14228)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #21 pc 000000000011dc34  /dev/ashmem/dalvik-classes.dex extracted in memory from /data/app/com.example.hookzzdemo-wKbAarXpsOZJ9MVghjn0pg==/base.apk (deleted) (com.example.hookzzdemo.MainActivity$1.onClick+32)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #22 pc 00000000002548a8  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.223931584+488)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #23 pc 000000000025a39c  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #24 pc 000000000027ab88  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #25 pc 000000000052d2c0  /system/lib64/libart.so (MterpInvokeInterface+1392)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #26 pc 000000000054f294  /system/lib64/libart.so (ExecuteMterpImpl+14740)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #27 pc 0000000000d5d2fe  /system/framework/boot-framework.vdex (android.view.View.performClick+34)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #28 pc 00000000002548a8  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.223931584+488)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #29 pc 000000000025a39c  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #30 pc 000000000027ab88  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #31 pc 000000000052c344  /system/lib64/libart.so (MterpInvokeVirtual+588)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #32 pc 000000000054f094  /system/lib64/libart.so (ExecuteMterpImpl+14228)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #33 pc 0000000000d5d324  /system/framework/boot-framework.vdex (android.view.View.performClickInternal+6)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #34 pc 00000000002548a8  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.223931584+488)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #35 pc 000000000025a39c  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #36 pc 000000000027ab88  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #37 pc 000000000052d684  /system/lib64/libart.so (MterpInvokeDirect+296)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #38 pc 000000000054f194  /system/lib64/libart.so (ExecuteMterpImpl+14484)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #39 pc 0000000000d59af8  /system/framework/boot-framework.vdex (android.view.View.access$3100)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #40 pc 00000000002548a8  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.223931584+488)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #41 pc 000000000025a39c  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #42 pc 000000000027ab88  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #43 pc 000000000052d848  /system/lib64/libart.so (MterpInvokeStatic+204)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #44 pc 000000000054f214  /system/lib64/libart.so (ExecuteMterpImpl+14612)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #45 pc 0000000000d3f544  /system/framework/boot-framework.vdex (android.view.View$PerformClick.run+4)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #46 pc 00000000002548a8  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.223931584+488)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #47 pc 000000000025a39c  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #48 pc 000000000027ab88  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #49 pc 000000000052d2c0  /system/lib64/libart.so (MterpInvokeInterface+1392)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #50 pc 000000000054f294  /system/lib64/libart.so (ExecuteMterpImpl+14740)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #51 pc 0000000000bb85b2  /system/framework/boot-framework.vdex (android.os.Handler.handleCallback+4)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #52 pc 00000000002548a8  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.223931584+488)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #53 pc 000000000025a39c  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #54 pc 000000000027ab88  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #55 pc 000000000052d848  /system/lib64/libart.so (MterpInvokeStatic+204)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #56 pc 000000000054f214  /system/lib64/libart.so (ExecuteMterpImpl+14612)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #57 pc 0000000000bb843c  /system/framework/boot-framework.vdex (android.os.Handler.dispatchMessage+8)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #58 pc 00000000002548a8  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.223931584+488)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #59 pc 000000000025a39c  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #60 pc 000000000027ab88  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #61 pc 000000000052c344  /system/lib64/libart.so (MterpInvokeVirtual+588)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #62 pc 000000000054f094  /system/lib64/libart.so (ExecuteMterpImpl+14228)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #63 pc 0000000000bcaf8c  /system/framework/boot-framework.vdex (android.os.Looper.loop+422)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #64 pc 00000000002548a8  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.223931584+488)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #65 pc 000000000025a39c  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*, art::JValue*)+216)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #66 pc 000000000027ab88  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+940)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #67 pc 000000000052d848  /system/lib64/libart.so (MterpInvokeStatic+204)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #68 pc 000000000054f214  /system/lib64/libart.so (ExecuteMterpImpl+14612)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #69 pc 0000000000426862  /system/framework/boot-framework.vdex (android.app.ActivityThread.main+214)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #70 pc 00000000002548a8  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.223931584+488)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #71 pc 000000000051cbf8  /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #72 pc 0000000000565afc  /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #73 pc 000000000055cc4c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #74 pc 00000000000d0540  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #75 pc 000000000045f2bc  /system/lib64/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #76 pc 0000000000460d10  /system/lib64/libart.so (art::InvokeMethod(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+1440)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #77 pc 00000000003f072c  /system/lib64/libart.so (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*)+52)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #78 pc 000000000078eed4  /system/framework/arm64/boot-core-oj.oat (offset 0x2dc000) (java.lang.Class.getDeclaredMethodInternal [DEDUPED]+180)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #79 pc 000000000055c988  /system/lib64/libart.so (art_quick_invoke_stub+584)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #80 pc 00000000000d0520  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+200)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #81 pc 0000000000280b90  /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
2019-11-07 18:17:23.567 9683-9683/? A/DEBUG:     #82 pc 000000000027aba4  /system/lib64/libart.so (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+968)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #83 pc 000000000052c344  /system/lib64/libart.so (MterpInvokeVirtual+588)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #84 pc 000000000054f094  /system/lib64/libart.so (ExecuteMterpImpl+14228)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #85 pc 000000000128e9e8  /system/framework/boot-framework.vdex (com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run+22)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #86 pc 00000000002548a8  /system/lib64/libart.so (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEb.llvm.223931584+488)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #87 pc 000000000051cbf8  /system/lib64/libart.so (artQuickToInterpreterBridge+1020)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #88 pc 0000000000565afc  /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #89 pc 00000000024790ac  /system/framework/arm64/boot-framework.oat (offset 0xa37000) (com.android.internal.os.ZygoteInit.main+2172)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #90 pc 000000000055cc4c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #91 pc 00000000000d0540  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+232)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #92 pc 000000000045f2bc  /system/lib64/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #93 pc 000000000045ef1c  /system/lib64/libart.so (art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+424)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #94 pc 0000000000363440  /system/lib64/libart.so (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+652)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #95 pc 00000000000bf6c4  /system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+120)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #96 pc 00000000000c21f0  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+928)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #97 pc 0000000000002304  /system/bin/app_process64 (main+1392)
2019-11-07 18:17:23.568 9683-9683/? A/DEBUG:     #98 pc 00000000000acec0  /system/lib64/libc.so (offset 0x7d000) (__libc_init+88)
foundkey commented 4 years ago

@0n1y3nd Found the problem. In the CodeGen::LiteralLdrBranch() method in /HookZz/srcxx/core/modules/codegen/codegen-arm64.cc, a PseudoLabel is used to generate the patch code. When the PseudoLabel is bound, it fixes up the related ldr instructions emitted before the bind; see TurboAssembler::PseudoBind():

  void PseudoBind(PseudoLabel *label) {
    // Bind the label to the current end of the code buffer.
    const addr_t bound_pc = buffer_->getSize();
    label->bind_to(bound_pc);
    // If some instructions were written before the label was bound, link these `confused` instructions now.
    if (label->has_confused_instructions()) {
      label->link_confused_instructions(reinterpret_cast<CodeBuffer *>(this->GetCodeBuffer()));
    }
  }

The fixup itself is performed in the PseudoLabel::link_confused_instructions() method:

    PseudoLabelInstruction *instruction;
    LiteCollectionIterator *iter = LiteCollectionIterator::withCollection(&instructions_);
    while ((instruction = reinterpret_cast<PseudoLabelInstruction *>(iter->getNextObject())) != NULL) {
        //...
    }

It uses an iterator to walk the instructions that need fixing, and that is where the problem is: the iterator is initialized incorrectly, so the elements cannot be accessed and the fixup loop is never executed.

Look at the iterator initialization code:

bool LiteCollectionIterator::initWithCollection(const LiteCollection *inCollection) {
  collection        = inCollection;
  innerIterator     = 0;
  // Memory for the iterator index is allocated here, but it is never initialized.
  int *iterIndexPtr = (int *)LiteMemOpt::alloc(sizeof(int));
  innerIterator     = (void *)iterIndexPtr;
  return true;
}

Initialize the iterator with the initialization method the container provides:

inCollection->initIterator(innerIterator);
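The following is an added example, not Dobby/HookZz source: a small C model of the ldr-literal trampoline (ldr x17, label; br x17; .quad target) and of a pseudo-label fixup pass, built once with the iterator index initialized and once with the stale index the comment above describes. The structure names, the garbage value standing in for uninitialized memory, and the target address are assumptions. It also decodes what an AArch64 core would load through an unpatched ldr: with imm19 still zero the instruction reads its own address, so x17 receives the two instruction words 0x58000011 and 0xd61f0220 back to back, which is exactly the x17 value in the tombstone above (the low seven bytes of the faulting pc are the same).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the literal-ldr trampoline and its pseudo-label fixup.
 * Added example; it is not Dobby/HookZz source. Names and layout are assumptions. */

#define LDR_X17_LITERAL 0x58000011u /* ldr x17, <label>  (imm19 = 0 until patched) */
#define BR_X17          0xd61f0220u /* br  x17                                      */

typedef struct {
    uint8_t code[64];
    size_t  size;
} CodeBuffer;

typedef struct {
    size_t ldr_offsets[8]; /* offsets of ldr-literal instructions waiting for the label */
    int    count;
    int    cursor;         /* iterator index over ldr_offsets; the bug leaves it uninitialized */
    size_t bound_pc;
} PseudoLabel;

static void emit32(CodeBuffer *b, uint32_t insn) { memcpy(b->code + b->size, &insn, 4); b->size += 4; }
static void emit64(CodeBuffer *b, uint64_t v)    { memcpy(b->code + b->size, &v, 8);    b->size += 8; }
static uint32_t read32(const CodeBuffer *b, size_t off) { uint32_t v; memcpy(&v, b->code + off, 4); return v; }
static uint64_t read64(const CodeBuffer *b, size_t off) { uint64_t v; memcpy(&v, b->code + off, 8); return v; }

/* LDR (literal): the pc-relative offset lives in imm19, bits [23:5], in units of 4 bytes. */
static uint32_t ldr_literal_set_offset(uint32_t insn, int64_t byte_offset) {
    uint32_t imm19 = (uint32_t)((byte_offset >> 2) & 0x7ffff);
    return (insn & ~(0x7ffffu << 5)) | (imm19 << 5);
}

/* Emit `ldr x17, <label>` before the label is bound and record it as a pending fixup. */
static void emit_ldr_x17_label(CodeBuffer *b, PseudoLabel *label) {
    label->ldr_offsets[label->count++] = b->size;
    emit32(b, LDR_X17_LITERAL);
}

/* Bind the label at the current write position and patch every recorded ldr.
 * With init_iterator == 0 the cursor keeps whatever garbage it held, which is the bug:
 * the loop condition is false from the start and nothing is patched. */
static int pseudo_bind(CodeBuffer *b, PseudoLabel *label, int init_iterator) {
    label->bound_pc = b->size;
    if (init_iterator)
        label->cursor = 0;            /* the fix: start the iterator at element 0 */
    int patched = 0;
    while (label->cursor >= 0 && label->cursor < label->count) {
        size_t off = label->ldr_offsets[label->cursor++];
        int64_t delta = (int64_t)label->bound_pc - (int64_t)off;
        uint32_t fixed = ldr_literal_set_offset(read32(b, off), delta);
        memcpy(b->code + off, &fixed, 4);
        patched++;
    }
    return patched;
}

/* Generate:  ldr x17, 1f ; br x17 ; 1: .quad target   and report how many ldr's were patched. */
static size_t build_trampoline(CodeBuffer *b, uint64_t target, int init_iterator, int *patched_out) {
    PseudoLabel label;
    memset(&label, 0, sizeof label);
    label.cursor = 0x5a5a5a5a;        /* stand-in for uninitialized iterator memory (assumed value) */
    emit_ldr_x17_label(b, &label);
    emit32(b, BR_X17);
    int patched = pseudo_bind(b, &label, init_iterator);
    if (patched_out)
        *patched_out = patched;
    emit64(b, target);
    return b->size;
}

/* What an AArch64 core does at the ldr: load 8 bytes from pc + imm19*4 into x17; br x17 then jumps there. */
static uint64_t simulate_branch_target(const CodeBuffer *b, size_t ldr_off) {
    uint32_t insn = read32(b, ldr_off);
    int64_t imm19 = (int64_t)((insn >> 5) & 0x7ffff);
    if (imm19 & 0x40000)
        imm19 -= 0x80000;             /* sign-extend the 19-bit field */
    size_t literal = ldr_off + (size_t)(imm19 * 4);
    return read64(b, literal);
}

/* Build a fresh trampoline and return the value x17 holds when br x17 executes. */
static uint64_t loaded_x17(uint64_t target, int init_iterator, int *patched_out) {
    CodeBuffer b;
    memset(&b, 0, sizeof b);
    build_trampoline(&b, target, init_iterator, patched_out);
    return simulate_branch_target(&b, 0);
}

int main(void) {
    const uint64_t target = 0x0000006f57894430ull; /* constructed address, arbitrary */
    int patched;
    uint64_t x17 = loaded_x17(target, 1, &patched);
    printf("initialized iterator: patched=%d x17=%016llx\n", patched, (unsigned long long)x17);
    x17 = loaded_x17(target, 0, &patched);
    printf("stale iterator:       patched=%d x17=%016llx\n", patched, (unsigned long long)x17);
    return 0;
}
```

Because the allocated index only happens to work when the fresh memory contains a value inside the collection's range, a build like this crashes on some devices and runs on others, which is consistent with the thread's reports; the practical check after generating a trampoline is to read the ldr word back and confirm imm19 is non-zero before the page is made executable.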