lasting-yang / frida_hook_libart

Frida hook some jni functions
MIT License

Process crashed: Bad access due to invalid address #16

Closed brunoaduarte closed 5 months ago

brunoaduarte commented 6 months ago
frida -U -f com.app --pause --exit-on-error --kill-on-exit -l .\hook_artmethod.js
     ____
    / _  |   Frida 16.2.1 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to SM-G960N (id=127.0.0.1:5565)
Spawning `com.app`...
android_dlopen_ext: 0xc7f2d8f0 dlopen: 0xc7f2d9f0
_ZN3art9ArtMethod6InvokeEPNS_6ThreadEPjjPNS_6JValueEPKc
...
...
...
ArtMethod Invoke:sun.nio.ch.FileChannelImpl.write  called from:
0xc32a85b7 libart.so!_ZN3art11interpreter34ArtInterpreterToCompiledCodeBridgeEPNS_6ThreadEPNS_9ArtMethodEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+0x127
0xc32a0458 libart.so!_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+0x268
0xc36082af libart.so!MterpInvokeVirtual+0x2cf
0xc30869a2 libart.so!ExecuteMterpImpl+0x37a2
0xc3270eb9 libart.so!_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+0x1e9
0xc3278701 libart.so!_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+0xc1
0xc32a043c libart.so!_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+0x24c
0xc3609f7f libart.so!MterpInvokeStatic+0x19f
0xc3086b22 libart.so!ExecuteMterpImpl+0x3922
0xc3270eb9 libart.so!_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+0x1e9
0xc3278701 libart.so!_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+0xc1
0xc32a043c libart.so!_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+0x24c
0xc3609f7f libart.so!MterpInvokeStatic+0x19f
0xc3086b22 libart.so!ExecuteMterpImpl+0x3922
0xc3270eb9 libart.so!_ZN3art11interpreterL7ExecuteEPNS_6ThreadEPKNS_7DexFile8CodeItemERNS_11ShadowFrameENS_6JValueEb+0x1e9
0xc3278701 libart.so!_ZN3art11interpreter33ArtInterpreterToInterpreterBridgeEPNS_6ThreadEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+0xc1

Process crashed: Bad access due to invalid address

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/android_x86/x86:7.1.2/N2G48B/327:user/release-keys'
Revision: '0'
ABI: 'x86'
pid: 3574, tid: 3599, name: .15(596040118))  >>> com.app <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4
    eax 00000000  ebx 00000df6  ecx 00000e0f  edx 0000000b
    esi 95980c4c  edi 959809f0
    xcs 00000073  xds 0000007b  xes 0000007b  xfs 0000003b  xss 0000007b
    eip c7f28c10  ebp 95980a70  esp 95980988  flags 00000296

backtrace:
    #00 pc 00000c10  [vdso:c7f28000] (__kernel_vsyscall+16)
    #01 pc 0007ac08  /system/bin/linker (offset 0x5000)
***
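The report above leaves the reader with only the tombstone and the Frida backtrace to work from. The following triage parser is an added example written for this issue; it is not code from the frida_hook_libart repository or from Frida. It pulls the signal, faulting address, register dump and both backtraces out of the report and applies the usual reading: a SEGV_MAPERR with fault addr 0x4 is a near-NULL dereference (a field read through a NULL pointer), and frame #00's pc added to the `[vdso:…]` load base equals the dumped `eip`, so the register dump is self-consistent. The sample input is a trimmed copy of the report (with the markdown bold markers around `com.app` removed); the page-size threshold and the category names are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: tombstone header plus two Frida backtrace frames,
# copied from the crash report above and trimmed to keep the example short.
SAMPLE = """\
ArtMethod Invoke:sun.nio.ch.FileChannelImpl.write  called from:
0xc32a85b7 libart.so!_ZN3art11interpreter34ArtInterpreterToCompiledCodeBridgeEPNS_6ThreadEPNS_9ArtMethodEPKNS_7DexFile8CodeItemEPNS_11ShadowFrameEPNS_6JValueE+0x127
0xc36082af libart.so!MterpInvokeVirtual+0x2cf

Process crashed: Bad access due to invalid address

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/android_x86/x86:7.1.2/N2G48B/327:user/release-keys'
ABI: 'x86'
pid: 3574, tid: 3599, name: .15(596040118))  >>> com.app <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4
    eax 00000000  ebx 00000df6  ecx 00000e0f  edx 0000000b
    esi 95980c4c  edi 959809f0
    xcs 00000073  xds 0000007b  xes 0000007b  xfs 0000003b  xss 0000007b
    eip c7f28c10  ebp 95980a70  esp 95980988  flags 00000296

backtrace:
    #00 pc 00000c10  [vdso:c7f28000] (__kernel_vsyscall+16)
    #01 pc 0007ac08  /system/bin/linker (offset 0x5000)
"""

SIGNAL_RE = re.compile(r"signal (\d+) \((\w+)\), code (\d+) \((\w+)\), fault addr (0x[0-9a-f]+)")
ABI_RE = re.compile(r"ABI: '([^']+)'")
PROC_RE = re.compile(r"pid: (\d+), tid: (\d+), name: (.*?)\s+>>> (\S+) <<<")
REG_RE = re.compile(r"\b([a-z]{2,5}) ([0-9a-f]{8})\b")
NATIVE_RE = re.compile(r"#(\d+) pc ([0-9a-f]+)\s+(\S+)(?:\s+\((.+?)\))?")
FRIDA_RE = re.compile(r"^(0x[0-9a-f]+) ([^!\s]+)!(\S+?)\+(0x[0-9a-f]+)$")
BASE_RE = re.compile(r"\[(\w+):([0-9a-f]+)\]")   # e.g. [vdso:c7f28000]


@dataclass
class Frame:
    address: int          # absolute (Frida frames) or module-relative pc (tombstone)
    module: str
    symbol: str
    offset: int = 0


@dataclass
class Crash:
    signal: int = 0
    signame: str = ""
    code: int = 0
    codename: str = ""
    fault_addr: int = 0
    abi: str = ""
    pid: int = 0
    tid: int = 0
    process: str = ""
    registers: Dict[str, int] = field(default_factory=dict)
    native_frames: List[Frame] = field(default_factory=list)
    frida_frames: List[Frame] = field(default_factory=list)


def parse_tombstone(text: str) -> Crash:
    """Extract the fields a triage needs from a Frida session + tombstone dump."""
    crash, in_regs = Crash(), False
    for raw in text.splitlines():
        line = raw.strip()
        if (m := FRIDA_RE.match(line)):
            crash.frida_frames.append(Frame(int(m[1], 16), m[2], m[3], int(m[4], 16)))
        elif (m := ABI_RE.search(line)):
            crash.abi = m[1]
        elif (m := PROC_RE.search(line)):
            crash.pid, crash.tid, crash.process = int(m[1]), int(m[2]), m[4]
        elif (m := SIGNAL_RE.search(line)):
            crash.signal, crash.signame = int(m[1]), m[2]
            crash.code, crash.codename = int(m[3]), m[4]
            crash.fault_addr = int(m[5], 16)
            in_regs = True                     # register dump follows the signal line
        elif in_regs:
            if not line:
                in_regs = False                # blank line terminates the register dump
            for name, val in REG_RE.findall(line):
                crash.registers[name] = int(val, 16)
        elif (m := NATIVE_RE.search(line)):
            crash.native_frames.append(Frame(int(m[2], 16), m[3], m[4] or ""))
    return crash


def classify_fault(crash: Crash, page_size: int = 0x1000) -> str:
    """Heuristic read of the faulting address (category names are this example's own)."""
    if crash.signame != "SIGSEGV":
        return "not-segv"
    if crash.fault_addr < page_size:
        # A fault a few bytes above 0 is a field read through a NULL base pointer;
        # here offset 0x4 is the second 32-bit word of whatever struct was expected.
        return "null-deref"
    if crash.codename == "SEGV_MAPERR":
        return "unmapped"
    if crash.codename == "SEGV_ACCERR":
        return "permission"
    return "unknown"


def pc_matches_eip(crash: Crash) -> Optional[bool]:
    """Consistency check: for a frame tagged with its load base, base + pc must equal eip."""
    if not crash.native_frames or "eip" not in crash.registers:
        return None
    top = crash.native_frames[0]
    m = BASE_RE.match(top.module)
    if not m:
        return None
    return int(m[2], 16) + top.address == crash.registers["eip"]


if __name__ == "__main__":
    c = parse_tombstone(SAMPLE)
    print(f"{c.process} pid={c.pid} tid={c.tid} abi={c.abi}: {c.signame}/{c.codename} "
          f"at {c.fault_addr:#x} -> {classify_fault(c)}")
    print("frame #00 consistent with eip:", pc_matches_eip(c))
    for f in c.frida_frames:
        print(f"  {f.address:#x} {f.module}!{f.symbol}+{f.offset:#x}")
```

The `pc_matches_eip` check matters because a tombstone whose top frame sits in `__kernel_vsyscall` while `eax` is 0 is easy to misread; confirming that `0xc7f28000 + 0xc10` is exactly the dumped `eip` tells you the register block and the backtrace describe the same thread state before you spend time on it.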
azwpayne commented 5 months ago

@brunoaduarte This is an accidental question from Frida; please consult Frida's official channels. CC @lasting-yang