jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0

Do hooks on Thumb instructions work? thumb_labels is 0, crash #66

Closed lducsm closed 4 years ago

lducsm commented 4 years ago

Android 7, 32-bit; I also picked a Thumb function to hook.

ZzReplace FunctionInlineReplaceRouting::Dispatch InterceptRouting::Prepare GenRelocateCode gen_thumb_relocate_code Thumb1RelocateSingleInst Thumb2RelocateSingleInst LiteCollectionIterator::withCollection(thumb_labels);

It reaches withCollection, and at that point thumb_labels is 0. How can you tell?

It is defined globally as 0, but when I searched I could not find anywhere that assigns this pointer??? LiteMutableArray *thumb_labels;

There are only uses, and this is not an assignment??? thumb_labels->pushObject

Since it is 0, it just crashes right away.

lducsm commented 4 years ago
ZzReplace
    FunctionInlineReplaceRouting::Dispatch
        InterceptRouting::Prepare
            GenRelocateCode
                gen_thumb_relocate_code
                    Thumb1RelocateSingleInst
                    Thumb2RelocateSingleInst
                    LiteCollectionIterator::withCollection(thumb_labels);

The formatting above got lost; see this one.

lducsm commented 4 years ago

Adding an initialization makes that part work, but the Thumb hook still does not work: it crashes before the callback is ever reached.

  LiteMutableArray tmp;
  thumb_labels = &tmp;
.text:0001E044                   EXPORT stat64
.text:0001E044                   stat64
.text:0001E044 0A 46             MOV             R2, R1                  ; Alternative name is 'stat'
.text:0001E046 01 46             MOV             R1, R0
.text:0001E048 6F F0 63 00       MOV             R0, #0xFFFFFF9C
.text:0001E04C 00 23             MOVS            R3, #0
.text:0001E04E 55 F0 9B BE       B.W             j_j_fstatat64
.text:0001E04E                   ; } // starts at 1E030
.text:0001E04E                   ; End of function stat64
libc.so:E935C044                   stat
libc.so:E935C044 0A 5F             LDRSH           R2, [R1,R4]
libc.so:E935C046 F8 00             LSLS            R0, R7, #3
libc.so:E935C048 F0 59             LDR             R0, [R6,R7]
libc.so:E935C04A 44 F1 E1 23       ADC.W           R3, R4, #0xE100E100
libc.so:E935C04E 55 F0 9B BE       B.W             j_fstatat
libc.so:E935C04E                   ; End of function stat

I am not very familiar with hooking Thumb code; what is going on here?
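The pointer problem this thread describes, as an added C++ example (not Dobby's code): a namespace-scope `thumb_labels` pointer that is zero-initialized and never assigned, an iterator factory that reports a null collection instead of faulting on it, and a function-local static as the initialization that outlives the call, in contrast to the stack-local `tmp` used in the fix above, whose address dangles once the enclosing function returns. `LiteMutableArray`, `LiteCollectionIterator`, `getThumbLabels`, `relocateThumb` and the sample halfwords are stand-ins constructed for this example; only the names and the null-dereference path come from the issue.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for Dobby's LiteMutableArray; not the project's class.
struct LiteMutableArray {
    std::vector<void *> items;
    void pushObject(void *obj) { items.push_back(obj); }
    size_t getCount() const { return items.size(); }
    void *objectAtIndex(size_t i) const { return items[i]; }
};

// Hypothetical stand-in for LiteCollectionIterator. Per the backtrace in this thread the
// real one dereferences its argument in initIterator; this version refuses a null one.
struct LiteCollectionIterator {
    const LiteMutableArray *collection;
    size_t index;

    // Returns nullptr instead of faulting at address 0 when the collection is null.
    static LiteCollectionIterator *withCollection(const LiteMutableArray *c) {
        if (c == nullptr) return nullptr;
        return new LiteCollectionIterator{c, 0};
    }
    void *nextObject() {
        if (index >= collection->getCount()) return nullptr;
        return collection->objectAtIndex(index++);
    }
};

// The defect from the issue: a namespace-scope pointer is zero-initialized and never
// assigned, so the first `thumb_labels->pushObject(...)` faults at address 0.
LiteMutableArray *thumb_labels = nullptr;

// Fix: a function-local static is constructed on first use and lives for the whole
// program. `LiteMutableArray tmp; thumb_labels = &tmp;` also stops the null fault, but
// leaves thumb_labels dangling as soon as the function holding tmp returns.
LiteMutableArray *getThumbLabels() {
    static LiteMutableArray labels;
    return &labels;
}

// Simplified relocation step: records one label per 16-bit Thumb B instruction, then
// walks the labels the way gen_thumb_relocate_code walks thumb_labels. Returns the number
// of labels visited, or -1 when the label collection was never initialized.
int relocateThumb(const uint16_t *insns, size_t n, LiteMutableArray *labels) {
    for (size_t i = 0; i < n; ++i) {
        // Thumb 16-bit unconditional B<label>: top five bits 11100 (0xE000..0xE7FF).
        if ((insns[i] & 0xF800) == 0xE000) {
            if (labels == nullptr) return -1;  // the issue's crash path, now reported
            labels->pushObject(const_cast<uint16_t *>(&insns[i]));
        }
    }
    LiteCollectionIterator *it = LiteCollectionIterator::withCollection(labels);
    if (it == nullptr) return -1;
    int visited = 0;
    while (it->nextObject() != nullptr) ++visited;
    delete it;
    return visited;
}

// Constructed sample: MOV R2,R1 / MOV R1,R0 from the stat64 listing above, followed by a
// 16-bit B (the listing's real branch is a 32-bit B.W, simplified here) and MOVS R3,#0.
const uint16_t kSampleThumb[] = {0x460A, 0x4601, 0xE005, 0x2300};
const size_t kSampleThumbLen = sizeof(kSampleThumb) / sizeof(kSampleThumb[0]);
```

Calling `relocateThumb(kSampleThumb, kSampleThumbLen, thumb_labels)` with the never-assigned global returns -1 on the first branch instead of faulting; the same call with `getThumbLabels()` records and visits one label.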

jmpews commented 4 years ago

Is it the stat64 function?

(I was busy before; I have recently started working through the issues.)

18712886438 commented 4 years ago
2020-01-07 18:26:19.858 15039-15039/? A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 15039 (com.zzz.f22s4)
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG: Build fingerprint: 'Samsung/aosp_klte/klte:7.1.2/N2G47H/ikrom03122133:userdebug/test-keys'
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG: Revision: '10'
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG: ABI: 'arm'
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG: pid: 15039, tid: 15039, name: com.zzz.f22s4  >>> com.zzz.f22s4 <<<
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG:     r0 b429a660  r1 b429a660  r2 00000000  r3 b42834ac
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG:     r4 00000000  r5 b423ed30  r6 b4e2fb74  r7 be9bb4f8
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG:     r8 e9cd4813  r9 b4e2fb7c  sl 00000008  fp be9bb510
2020-01-07 18:26:19.923 15056-15056/? A/DEBUG:     ip b4ea0948  sp be9bb4f0  lr b4e79eb5  pc acefe514  cpsr 600b0030
2020-01-07 18:26:19.928 15056-15056/? A/DEBUG: backtrace:
2020-01-07 18:26:19.928 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 0 in victim thread, signal = 11
2020-01-07 18:26:19.928 15056-15056/? A/DEBUG:     #00 pc 00009514  /data/app/com.zzz.f22s4-1/lib/arm/libdobby.so (_ZN22LiteCollectionIterator14withCollectionEPK14LiteCollection+35)
2020-01-07 18:26:19.928 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 1 in victim thread, signal = 11
2020-01-07 18:26:19.928 15056-15056/? A/DEBUG:     #01 pc 000081c7  /data/app/com.zzz.f22s4-1/lib/arm/libdobby.so (_Z23gen_thumb_relocate_codePvPijj+358)
2020-01-07 18:26:19.928 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 2 in victim thread, signal = 11
2020-01-07 18:26:19.928 15056-15056/? A/DEBUG:     #02 pc 00008707  /data/app/com.zzz.f22s4-1/lib/arm/libdobby.so (_ZN16InterceptRouting7PrepareEv+46)
2020-01-07 18:26:19.928 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 3 in victim thread, signal = 11
2020-01-07 18:26:19.928 15056-15056/? A/DEBUG:     #03 pc 0000895d  /data/app/com.zzz.f22s4-1/lib/arm/libdobby.so (_ZN28FunctionInlineReplaceRouting8DispatchEv+12)
2020-01-07 18:26:19.928 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 4 in victim thread, signal = 11
2020-01-07 18:26:19.928 15056-15056/? A/DEBUG:     #04 pc 000089dd  /data/app/com.zzz.f22s4-1/lib/arm/libdobby.so (DobbyHook+108)
2020-01-07 18:26:19.929 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 5 in victim thread, signal = 11
2020-01-07 18:26:19.929 15056-15056/? A/DEBUG:     #05 pc 00008dbd  /data/app/com.zzz.f22s4-1/lib/arm/libdobby.so (JNI_OnLoad+64)
2020-01-07 18:26:19.929 15056-15056/? I/DEBUG: coredump_criteria: checking backtrace-frame 6 in victim thread, signal = 11
2020-01-07 18:26:19.929 15056-15056/? A/DEBUG:     #06 pc 0023c11d  /system/lib/libart.so (_ZN3art9JavaVMExt17LoadNativeLibraryEP7_JNIEnvRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEP8_jobjectP8_jstringPS9_+1844)
2020-01-07 18:26:19.929 15056-15056/? A/DEBUG:     #07 pc 0000315f  /system/lib/libopenjdkjvm.so (JVM_NativeLoad+178)
2020-01-07 18:26:19.929 15056-15056/? A/DEBUG:     #08 pc 73d8ac45  /data/dalvik-cache/arm/system@framework@boot.oat (offset 0x27ec000)

I should be hitting a similar problem here: Android 7, 32-bit, hooking open.

Soon-gz commented 4 years ago

vivo 5.1.1, 64-bit. I ran into this problem too. When using the example's hooks on fopen and those functions, at the call to LiteCollectionIterator::withCollection the inCollection parameter is NULL, and then it crashes in LiteCollectionIterator::initWithCollection at inCollection->initIterator with SIGSEGV (signal SIGSEGV: invalid address (fault address: 0x0)).

stefan00lpf commented 4 years ago

Same problem. Why is it no longer as usable as the earlier versions?