jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0

Jni hook不能用 #70

Closed jpacg closed 4 years ago

jpacg commented 4 years ago

调用代码

/*
 * Trampoline slot filled in by ZzReplace: once the hook is live it points at
 * the original CallStaticObjectMethodV implementation (the libart function
 * whose address sits in the JNIEnv function table).  NULL until then.
 */
jobject (*orig_CallStaticObjectMethodV)(JNIEnv*, jclass, jmethodID, va_list);

/*
 * Replacement for JNIEnv->CallStaticObjectMethodV.
 *
 * ZzReplace patches the target function in place (the backtrace shows
 * FunctionInlineReplaceRouting), so every JNI caller in the process — not only
 * this library — ends up here.  The body therefore only logs and forwards.
 * NOTE(review): nothing executed here may itself reach CallStaticObjectMethodV
 * (directly, or indirectly through log() if it ever goes via JNI), otherwise
 * the call recurses straight back into this hook; confirm what log() does.
 *
 * env/clz/methodID/args are forwarded untouched.  The va_list is handed to
 * the original exactly once and never read here, so no va_copy is needed.
 * Returns whatever the original implementation returns.
 */
jobject fake_CallStaticObjectMethodV(JNIEnv* env, jclass clz, jmethodID methodID, va_list args) {
    log("fake_CallStaticObjectMethodV");
    return orig_CallStaticObjectMethodV(env, clz, methodID, args);
}

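/*
 * Install the hook.
 *
 * ZzReplace reads and relocates the first instructions at the target address
 * (gen_thumb_relocate_code in the backtrace, faulting with SEGV_MAPERR), so the
 * pointer pulled out of the JNI function table must be a mapped, executable
 * libart function at the moment of hooking.  The target is therefore captured
 * in a local and logged before the call, so a faulting address can be compared
 * against /proc/self/maps (a dladdr() check that the symbol lives in libart.so
 * would be a stronger guard if <dlfcn.h> is available in this file).
 *
 * NOTE(review): JNI_OnLoad receives a JavaVM*, not a JNIEnv*.  env here must
 * come from (*vm)->GetEnv(); reading CallStaticObjectMethodV through a JavaVM*
 * indexes far past the small JNIInvokeInterface table and yields garbage.  How
 * env is obtained is not shown in this snippet — confirm.
 *
 * NOTE(review): log() is assumed to be printf-style (as with
 * __android_log_print) and ZzReplace is assumed to report success as 0 — check
 * both against the project's headers.
 */
void *target = (void *)(*env)->CallStaticObjectMethodV;
log("hook target CallStaticObjectMethodV = %p", target);
if (target == NULL) {
    /* An empty slot means nothing sensible to patch; leave JNI untouched. */
    log("CallStaticObjectMethodV slot is NULL; not hooking");
} else if (ZzReplace(target, (void *)fake_CallStaticObjectMethodV,
                     (void **)&orig_CallStaticObjectMethodV) != 0) {
    /* Failure leaves orig_CallStaticObjectMethodV NULL; the fake must not be reachable. */
    log("ZzReplace(CallStaticObjectMethodV) failed");
}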

错误调用栈

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/marlin/marlin:10/QP1A.191005.007.A1/5908163:user/release-keys'
Revision: '0'
ABI: 'arm'
Timestamp: 2019-11-26 12:45:37+0800
pid: 4230, tid: 4230, name: om.github.zero  >>> com.github.zero <<<
uid: 10222
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x84b08ab4
    r0  84b08ab4  r1  00000000  r2  84b08ab5  r3  00000000
    r4  84b08ab5  r5  e9ee2260  r6  00000000  r7  ffc12610
    r8  c97ab3b4  r9  c97a60a1  r10 84b08ab5  r11 ffc125e4
    ip  c97f9de8  sp  ffc125a0  lr  c97e6d9f  pc  c97e66b6
backtrace:
      #00 pc 0000c6b6  /data/data/com.github.zero/files/libhookzz.so (gen_thumb_relocate_code(void*, int*, unsigned int, unsigned int)+34) (BuildId: 43c3b93259ffa5e82697c0efd2f945c18df8c6a9)
      #01 pc 0000cd9b  /data/data/com.github.zero/files/libhookzz.so (InterceptRouting::Prepare()+62) (BuildId: 43c3b93259ffa5e82697c0efd2f945c18df8c6a9)
      #02 pc 0000cf41  /data/data/com.github.zero/files/libhookzz.so (FunctionInlineReplaceRouting::Dispatch()+12) (BuildId: 43c3b93259ffa5e82697c0efd2f945c18df8c6a9)
      #03 pc 0000cfcd  /data/data/com.github.zero/files/libhookzz.so (ZzReplace+120) (BuildId: 43c3b93259ffa5e82697c0efd2f945c18df8c6a9)
      #04 pc 000011c9  /data/data/com.github.zero/files/libnative-lib.so (JNI_OnLoad+224) (BuildId: 569d8bf04927fcb55f2b31c95c5f67a5f85a0f0d)
      #05 pc 0028a5f7  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1d6000) (art::JavaVMExt::LoadNativeLibrary(_JNIEnv*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, _jobject*, _jclass*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*)+2498) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #06 pc 000039a9  /apex/com.android.runtime/lib/libopenjdkjvm.so (JVM_NativeLoad+248) (BuildId: d79a002b8a1b03a102d71b32a43da503)
      #07 pc 000b6661  /system/framework/arm/boot.oat (art_jni_trampoline+160) (BuildId: d8692156e5d96511087df9686d1fb909e08591b2)
      #08 pc 000d7bc5  /apex/com.android.runtime/lib/libart.so (art_quick_invoke_stub_internal+68) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #09 pc 0042e0fb  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (art_quick_invoke_static_stub+246) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #10 pc 000dffcb  /apex/com.android.runtime/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+194) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #11 pc 002109f9  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1d6000) (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+280) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #12 pc 0020c33b  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1d6000) (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+774) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #13 pc 00425817  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (MterpInvokeStatic+310) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #14 pc 000d2994  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_static+20) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #15 pc 000e25fa  /apex/com.android.runtime/javalib/core-oj.jar (java.lang.Runtime.nativeLoad+2)
      #16 pc 00425a6f  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (MterpInvokeStatic+910) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #17 pc 000d2994  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_static+20) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #18 pc 000e29dc  /apex/com.android.runtime/javalib/core-oj.jar (java.lang.Runtime.load0+36)
      #19 pc 00423509  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (MterpInvokeVirtual+1148) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #20 pc 000d2814  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_virtual+20) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #21 pc 000e8034  /apex/com.android.runtime/javalib/core-oj.jar (java.lang.System.load+16)
      #22 pc 00425a6f  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (MterpInvokeStatic+910) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #23 pc 000d2994  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_static+20) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #24 pc 0001a084  [anon:dalvik-classes2.dex extracted in memory from /data/app/com.github.zero-c7OUX-obthYWVHOIu-Oefw==/base.apk!classes2.dex] (com.github.zero.MainActivity$onCreate$1.onClick+212)
      #25 pc 004249a9  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (MterpInvokeInterface+1432) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #26 pc 000d2a14  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_interface+20) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #27 pc 001a025a  /system/framework/framework.jar (android.view.View.performClick+34)
      #28 pc 00423509  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (MterpInvokeVirtual+1148) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #29 pc 000d2814  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_virtual+20) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #30 pc 001a028e  /system/framework/framework.jar (android.view.View.performClickInternal+6)
      #31 pc 00425379  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (MterpInvokeDirect+980) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #32 pc 000d2914  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_direct+20) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #33 pc 0019bc9c  /system/framework/framework.jar (android.view.View.access$3500)
      #34 pc 00425a6f  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (MterpInvokeStatic+910) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #35 pc 000d2994  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_static+20) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #36 pc 0017c6d4  /system/framework/framework.jar (android.view.View$PerformClick.run+16)
      #37 pc 004249a9  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (MterpInvokeInterface+1432) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #38 pc 000d2a14  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_interface+20) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #39 pc 002f5eac  /system/framework/framework.jar (android.os.Handler.handleCallback+4)
      #40 pc 00425a6f  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (MterpInvokeStatic+910) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #41 pc 000d2994  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_static+20) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #42 pc 002f5d18  /system/framework/framework.jar (android.os.Handler.dispatchMessage+8)
      #43 pc 00423509  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (MterpInvokeVirtual+1148) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #44 pc 000d2814  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_virtual+20) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #45 pc 0031a3d6  /system/framework/framework.jar (android.os.Looper.loop+466)
      #46 pc 00425a6f  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (MterpInvokeStatic+910) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #47 pc 000d2994  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_static+20) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #48 pc 0018948a  /system/framework/framework.jar (android.app.ActivityThread.main+194)
      #49 pc 001ec275  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1d6000) (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEbb.llvm.1678810448002216699+192) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #50 pc 001f0a59  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1d6000) (art::interpreter::EnterInterpreterFromEntryPoint(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*)+124) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #51 pc 00417b59  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (artQuickToInterpreterBridge+808) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #52 pc 000dc5a1  /apex/com.android.runtime/lib/libart.so (art_quick_to_interpreter_bridge+32) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #53 pc 000d7bc5  /apex/com.android.runtime/lib/libart.so (art_quick_invoke_stub_internal+68) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #54 pc 0042e0fb  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (art_quick_invoke_static_stub+246) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #55 pc 000dffcb  /apex/com.android.runtime/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+194) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #56 pc 0036fda7  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x2e4000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+54) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #57 pc 003710ab  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x2e4000) (art::InvokeMethod(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned int)+850) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #58 pc 0031e38b  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x2e4000) (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobjectArray*)+30) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #59 pc 000bb82f  /system/framework/arm/boot.oat (art_jni_trampoline+110) (BuildId: d8692156e5d96511087df9686d1fb909e08591b2)
      #60 pc 000d7bc5  /apex/com.android.runtime/lib/libart.so (art_quick_invoke_stub_internal+68) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #61 pc 0042dfe7  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (art_quick_invoke_stub+250) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #62 pc 000dffb7  /apex/com.android.runtime/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+174) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #63 pc 002109f9  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1d6000) (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+280) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #64 pc 0020c33b  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1d6000) (bool art::interpreter::DoCall<false, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+774) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #65 pc 004232b9  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (MterpInvokeVirtual+556) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #66 pc 000d2814  /apex/com.android.runtime/lib/libart.so (mterp_op_invoke_virtual+20) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #67 pc 0034c30a  /system/framework/framework.jar (com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run+22)
      #68 pc 001ec275  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1d6000) (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEbb.llvm.1678810448002216699+192) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #69 pc 001f0a59  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1d6000) (art::interpreter::EnterInterpreterFromEntryPoint(art::Thread*, art::CodeItemDataAccessor const&, art::ShadowFrame*)+124) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #70 pc 00417b59  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (artQuickToInterpreterBridge+808) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #71 pc 000dc5a1  /apex/com.android.runtime/lib/libart.so (art_quick_to_interpreter_bridge+32) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #72 pc 008225bf  /system/framework/arm/boot-framework.oat (com.android.internal.os.ZygoteInit.main+1758) (BuildId: 43237c53d6a470eaa808245a4480f7bee0d45f95)
      #73 pc 000d7bc5  /apex/com.android.runtime/lib/libart.so (art_quick_invoke_stub_internal+68) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #74 pc 0042e0fb  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x377000) (art_quick_invoke_static_stub+246) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #75 pc 000dffcb  /apex/com.android.runtime/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+194) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #76 pc 0036fda7  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x2e4000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+54) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #77 pc 0036fbe7  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x2e4000) (art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+290) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #78 pc 002bc929  /apex/com.android.runtime/lib/libart.so!libart.so (offset 0x1d6000) (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+460) (BuildId: 71c71d3389a2e6b48c870366df51ee04)
      #79 pc 0007d351  /system/lib/libandroid_runtime.so!libandroid_runtime.so (offset 0x7d000) (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+28) (BuildId: 784d4918245fc23d3aa6551cc034ab51)
      #80 pc 0007f79f  /system/lib/libandroid_runtime.so!libandroid_runtime.so (offset 0x7d000) (android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+490) (BuildId: 784d4918245fc23d3aa6551cc034ab51)
      #81 pc 000022ff  /system/bin/app_process32 (main+698) (BuildId: b7640725a5fa47f6112372bb01078877)
      #82 pc 000598f9  /apex/com.android.runtime/lib/bionic/libc.so (__libc_init+68) (BuildId: 68c87e04526a60689ecb5deb329804a0)
      #83 pc 0000202f  /system/bin/app_process32 (_start_main+38) (BuildId: b7640725a5fa47f6112372bb01078877)
      #84 pc 00004456  <anonymous:ece11000>
jmpews commented 4 years ago

系统版本?

(之前在忙, 最近开始处理 issue)

jpacg commented 4 years ago

@jmpews 系统是Android 10