Closed ndl1302732 closed 3 years ago
Addendum: I have already pulled the latest code.
@jmpews
There is an example in the builtin-plugins directory:

```c
#include <dlfcn.h>
#include "dobby.h"

__attribute__((constructor)) static void ctor() {
  void *lib = dlopen("/usr/lib/libMobileGestalt.dylib", RTLD_NOW);
  void *MGCopyAnswer_addr = DobbySymbolResolver("libMobileGestalt.dylib", "MGCopyAnswer");

  dobby_enable_near_branch_trampoline();
  DobbyInstrument((void *)MGCopyAnswer_addr, common_handler);
  dobby_disable_near_branch_trampoline();
}
```

Could you tell me how to call dobby_enable_near_branch_trampoline() and dobby_disable_near_branch_trampoline()?
dobby.h does not export these two functions.
free is a sensitive function. The internal flow itself uses free, so it will cause recursion; please choose a different function.
dobby.h
These two functions are only exported under IA64.
thanks
1. Dobby build script (built with -DDynamicBinaryInstrument=ON)

```shell
cmake .. \
  -DCMAKE_TOOLCHAIN_FILE=$ANDROID_NDK/build/cmake/android.toolchain.cmake \
  -DCMAKE_BUILD_TYPE=Release \
  -DCMAKE_SYSTEM_NAME=Android \
  -DCMAKE_ANDROID_ARCH_ABI="armeabi-v7a" \
  -DCMAKE_ANDROID_NDK=$ANDROID_NDK \
  -DCMAKE_SYSTEM_VERSION=21 \
  -DANDROID_TOOLCHAIN=clang \
  -DCMAKE_ANDROID_NDK_TOOLCHAIN_VERSION=clang \
  -DDynamicBinaryInstrument=ON \
  -DNearBranch=ON \
  -DPlugin.SymbolResolver=ON
make -j4
```
2. Build it as a static library, use it in an APK, and then hook the free function with DobbyInstrument.
3. The test code is as follows:
```c
#include <stdlib.h>
#include "dobby.h"

// DBI handler for free(); the body is intentionally empty.
void free_callback(RegisterContext *reg_ctx, const HookEntryInfo *info) {
}

static void hook() {
  DobbyInstrument((void *)free, free_callback);
}
```
Additional note: even with all of the code inside free_callback commented out, it still crashes.
4. The crash log is as follows (test device: Android 10 Pixel XL; it also crashes on an OPPO R9S, but I cannot capture a detailed crash log there, so only the Pixel XL log is posted):
```text
2020-08-19 16:31:54.429 8391-8391/com.xx.xx.xx A/libc: Fatal signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0xeec0004c in tid 8391 (com.xx.xx.xx), pid 8391 (com.xx.xx.xx)
2020-08-19 16:31:54.485 8430-8430/? A/DEBUG:
2020-08-19 16:31:54.485 8430-8430/? A/DEBUG: Build fingerprint: 'google/marlin/marlin:10/QP1A.190711.020/5800535:user/release-keys'
2020-08-19 16:31:54.485 8430-8430/? A/DEBUG: Revision: '0'
2020-08-19 16:31:54.485 8430-8430/? A/DEBUG: ABI: 'arm'
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG: Timestamp: 2020-08-19 16:31:54+0800
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG: pid: 8391, tid: 8391, name: com.xx.xx.xx >>> com.xx.xx.xx <<<
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG: uid: 10176
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG: signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0xeec0004c (*pc=0xffffffff)
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG:     r0 ffde4797  r1 ffde4700  r2 00000000  r3 ffde479f
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG:     r4 00000001  r5 ffde4710  r6 00000000  r7 7fffffff
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG:     r8 00000001  r9 ffde4664  r10 c5d32557  r11 edc92260
2020-08-19 16:31:54.486 8430-8430/? A/DEBUG:     ip 00000000  sp ffde4110  lr edc6a0a1  pc eec0004c
2020-08-19 16:31:54.580 8430-8430/? A/DEBUG: backtrace:
2020-08-19 16:31:54.580 8430-8430/? A/DEBUG:       #00 pc 0000004c
2020-08-19 16:31:54.581 8430-8430/? A/DEBUG:       #01 pc 0008e09d  /apex/com.android.runtime/lib/bionic/libc.so!libc.so (offset 0x2a000) (__vfprintf+6344) (BuildId: 68c87e04526a60689ecb5deb329804a0)
2020-08-19 16:31:54.581 8430-8430/? A/DEBUG:       #02 pc 645f3ce3
```
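The maintainer's reply attributes the crash to recursion: the instrumentation path itself calls free, so a hook on free re-enters its own handler. The following is a constructed C model of that failure mode, added here and not part of the issue or of Dobby; the dispatch path, the RECURSION_LIMIT cap and the thread-local guard are assumptions of the model, not Dobby internals.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of a DBI hook on free(), not Dobby's code: the dispatch path
 * releases memory through the function it instruments, so each handler call
 * re-enters the hook. A per-thread guard lets the nested call skip the handler. */
#define RECURSION_LIMIT 16           /* stop the unguarded model before the stack does */

static int g_handler_calls;          /* how often the user handler ran */
static bool g_recursion_detected;    /* set when the model hits RECURSION_LIMIT */
static bool g_use_guard;             /* toggled per simulation run */
static _Thread_local int g_depth;    /* hook nesting depth on this thread */
static void instrumented_free(void *p);

/* User handler, like free_callback in the report: does nothing at all. */
static void free_callback(void *p) { (void)p; g_handler_calls++; }

/* Model of the trampoline's dispatch path: scratch state for the handler is
 * released through the hooked entry point, and that is the recursion. */
static void dispatch(void *p) {
    void *scratch = malloc(64);
    free_callback(p);
    instrumented_free(scratch);      /* re-enters the hook */
}

/* The hooked entry point that every free() call now lands on. */
static void instrumented_free(void *p) {
    if (g_use_guard && g_depth > 0) { free(p); return; }   /* nested: skip handler */
    if (g_depth >= RECURSION_LIMIT) {                       /* unguarded: ran away */
        g_recursion_detected = true;
        free(p);
        return;
    }
    g_depth++;
    dispatch(p);
    g_depth--;
    free(p);                         /* the original free() */
}

/* Runs one hooked free() call and returns how often the handler was entered. */
int simulate_handler_calls(bool use_guard) {
    g_handler_calls = 0;
    g_recursion_detected = false;
    g_use_guard = use_guard;
    instrumented_free(malloc(16));
    return g_handler_calls;
}

/* True when the run hit RECURSION_LIMIT, i.e. the hook recursed into itself. */
bool simulate_recursed(bool use_guard) {
    simulate_handler_calls(use_guard);
    return g_recursion_detected;
}
```

With the guard, one free() call enters the handler exactly once; without it, the handler is entered on every nested call until the cap trips, which is the unbounded recursion that overflows the stack in the real report.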