luoyesiqiu / dpt-shell

An android Dex protects shell implementation
MIT License

Hooking MapFileAtAddress fails with "function address is 0x0" #8

Closed. AdenTk closed this issue 2 years ago.

AdenTk commented 2 years ago

Problem: the self-built dpt.jar and the shell-files compile successfully with no errors, but when I use them on Android 8 on a Pixel 3, the hook of MapFileAtAddress does not succeed and the log shows "function address is 0x0". It looks like DobbySymbolResolver cannot find the address in libart.so. How can this be resolved?

Environment:
win7
NDK version 21.3.6528147
ABI is arm64-v8a (tested: on armeabi-v7a it runs fine and MapFileAtAddress hooks normally)

Steps used:
set ANDROID_SDK_ROOT=/xxxx/xxx/xx/x
cd dpt-shell
gradlew :shell:assemble
gradlew :dpt:assemble

cd executable
java -jar dpt.jar xxx.apk

The log after running the apk is:

1970-05-15 14:09:42.471 854-2782/system_process I/ActivityManager: Start proc 19807:com.aden.dexmultitest/u0a119 for activity com.aden.dexmultitest/.MainActivity
1970-05-15 14:09:42.473 19807-19807/com.aden.dexmultitest I/zygote64: Late-enabling -Xcheck:jni
1970-05-15 14:09:42.487 854-1794/system_process D/AutofillManagerServiceImpl: Reset component for user 0
1970-05-15 14:09:42.660 19807-19812/com.aden.dexmultitest I/zygote64: Do partial code cache collection, code=30KB, data=22KB
1970-05-15 14:09:42.660 19807-19812/com.aden.dexmultitest I/zygote64: After code cache collection, code=30KB, data=22KB
1970-05-15 14:09:42.661 19807-19812/com.aden.dexmultitest I/zygote64: Increasing code cache capacity to 128KB
1970-05-15 14:09:42.671 19807-19807/com.aden.dexmultitest D/ProxyApplication: dpt attachBaseContext
1970-05-15 14:09:42.671 19807-19807/com.aden.dexmultitest D/ProxyApplication: attachBaseContext classloader = dalvik.system.PathClassLoader[DexPathList[[zip file "/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk"],nativeLibraryDirectories=[/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/lib/arm64, /data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk!/lib/arm64-v8a, /system/lib64, /vendor/lib64]]]
1970-05-15 14:09:42.671 19807-19807/com.aden.dexmultitest D/ProxyApplication: ProxyApplication init
1970-05-15 14:09:42.674 19807-19807/com.aden.dexmultitest I/dpt_native: _init!
1970-05-15 14:09:42.719 19807-19807/com.aden.dexmultitest I/Dobby: [!] [/Users/runner/work/Dobby/Dobby/source/InterceptRouting/Routing/FunctionInlineReplace/FunctionInlineReplaceExport.cc:9:DobbyHook]: 
1970-05-15 14:09:42.719 19807-19807/com.aden.dexmultitest I/Dobby: [!] function address is 0x0
1970-05-15 14:09:42.732 19807-19807/com.aden.dexmultitest I/dpt_native: init_dpt!
1970-05-15 14:09:42.732 19807-19807/com.aden.dexmultitest I/dpt_native: JNI_OnLoad called!
1970-05-15 14:09:42.732 19807-19807/com.aden.dexmultitest D/dpt_native: init_app!
1970-05-15 14:09:42.742 19807-19807/com.aden.dexmultitest I/dpt_native: readCodeItem : version = 1 , dexCount = 2
1970-05-15 14:09:42.742 19807-19807/com.aden.dexmultitest I/dpt_native: readCodeItem : dexCodeIndex[0] = 12
1970-05-15 14:09:42.742 19807-19807/com.aden.dexmultitest D/dpt_native: readCodeItem : dexCodeOffset[0] = 12,methodCount[0] = 14
1970-05-15 14:09:42.742 19807-19807/com.aden.dexmultitest I/dpt_native: readCodeItem : dexCodeIndex[1] = 602
1970-05-15 14:09:42.742 19807-19807/com.aden.dexmultitest D/dpt_native: readCodeItem : dexCodeOffset[1] = 602,methodCount[1] = 60239
1970-05-15 14:09:42.815 19807-19807/com.aden.dexmultitest D/dpt_native: readCodeItem map size = 2
1970-05-15 14:09:42.816 19807-19807/com.aden.dexmultitest W/zygote64: Unsupported class loader
1970-05-15 14:09:42.818 19807-19807/com.aden.dexmultitest W/zygote64: Skipping duplicate class check due to unsupported classloader
1970-05-15 14:09:42.821 19807-19807/com.aden.dexmultitest D/dpt_native: mergeDexElements oldlen = 1 , newlen = 1
1970-05-15 14:09:42.821 19807-19807/com.aden.dexmultitest D/dpt_native: mergeDexElements success
1970-05-15 14:09:42.821 19807-19807/com.aden.dexmultitest D/ProxyApplication: dpt onCreate
1970-05-15 14:09:42.821 19807-19807/com.aden.dexmultitest D/ProxyApplication: onCreate() classLoader = dalvik.system.PathClassLoader[DexPathList[[zip file "/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk", zip file "/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk"],nativeLibraryDirectories=[/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/lib/arm64, /data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk!/lib/arm64-v8a, /system/lib64, /vendor/lib64]]]
1970-05-15 14:09:42.823 19807-19807/com.aden.dexmultitest D/dpt_native: callRealApplicationAttach className androidx.multidex.MultiDexApplication -> androidx/multidex/MultiDexApplication
1970-05-15 14:09:42.823 19807-19807/com.aden.dexmultitest D/dpt_native: getApplicationInstance success!
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c5ba000,end = 0x7c788000
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c5ba000,end = 0x7c788000
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c5ba000,end = 0x7c788000
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c5ba000,end = 0x7c788000
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c5ba000,end = 0x7c788000
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c5ba000,end = 0x7c788000
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c5ba000,end = 0x7c788000
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c5ba000,end = 0x7c788000
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c5ba000,end = 0x7c788000
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c5ba000,end = 0x7c788000
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk
1970-05-15 14:09:42.825 19807-19807/com.aden.dexmultitest I/MultiDex: VM with version 2.1.0 has multidex support
1970-05-15 14:09:42.825 19807-19807/com.aden.dexmultitest I/MultiDex: Installing application
1970-05-15 14:09:42.825 19807-19807/com.aden.dexmultitest I/MultiDex: VM has multidex support, MultiDex support library is disabled.
1970-05-15 14:09:42.825 19807-19807/com.aden.dexmultitest D/dpt_native: callRealApplicationAttach success!
1970-05-15 14:09:42.825 19807-19807/com.aden.dexmultitest D/dpt_native: callRealApplicationOnCreate className androidx.multidex.MultiDexApplication -> androidx/multidex/MultiDexApplication
1970-05-15 14:09:42.825 19807-19807/com.aden.dexmultitest W/dpt_native: callRealApplicationOnCreate success!
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c787000,end = 0x7c9f3000
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk!classes2.dex
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c787000,end = 0x7c9f3000
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk!classes2.dex
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c787000,end = 0x7c9f3000
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk!classes2.dex
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c787000,end = 0x7c9f3000
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk!classes2.dex
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c787000,end = 0x7c9f3000
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk!classes2.dex
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c787000,end = 0x7c9f3000
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk!classes2.dex
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c787000,end = 0x7c9f3000
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk!classes2.dex
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c787000,end = 0x7c9f3000
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk!classes2.dex
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c787000,end = 0x7c9f3000
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk!classes2.dex
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c787000,end = 0x7c9f3000
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk!classes2.dex
1970-05-15 14:09:42.855 19807-19807/com.aden.dexmultitest A/libc: Fatal signal 11 (SIGSEGV), code 2, fault addr 0x7c7c80c9bc in tid 19807 (en.dexmultitest), pid 19807 (en.dexmultitest)
1970-05-15 14:09:42.905 19825-19825/? I/crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
1970-05-15 14:09:42.905 621-621/? I//system/bin/tombstoned: received crash request for pid 19807
1970-05-15 14:09:42.907 19825-19825/? I/crash_dump64: performing dump of process 19807 (target tid = 19807)
1970-05-15 14:09:42.907 19825-19825/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG: Build fingerprint: 'Android/aosp_bullhead/bullhead:8.1.0/OPM3.171019.014/zhangt12141100:userdebug/test-keys'
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG: Revision: 'rev_1.0'
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG: ABI: 'arm64'
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG: pid: 19807, tid: 19807, name: en.dexmultitest  >>> com.aden.dexmultitest <<<
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG: signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7c7c80c9bc
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG:     x0   0000007c7c80c9bc  x1   0000007c7cf34714  x2   0000000000000008  x3   0000000000000003
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG:     x4   0000007c7cf3471c  x5   0000007c7c80c9c4  x6   000e000000031070  x7   000e000000031070
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG:     x8   0000007c7c80c9bc  x9   0000000000000008  x10  0000007c7cf34714  x11  0000000000000001
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG:     x12  0000007fd2e04e08  x13  0000000000000000  x14  ffffffffffffffff  x15  0032f5054bdcefca
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG:     x16  0000007c7d170c40  x17  0000007d166b02f0  x18  000000000000a1c7  x19  0000000012ff2060
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG:     x20  0000007fd2e055ec  x21  0000007c92ca6160  x22  0000007c92cee2c0  x23  0000000000000000
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG:     x24  0000007fd2e054c8  x25  0000007d14c80a18  x26  0000000000000000  x27  00000000ffffffff
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG:     x28  0000007fd2e054f0  x29  0000007fd2e05440  x30  0000007c7d12724c
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG:     sp   0000007fd2e052c0  pc   0000007d166b0350  pstate 0000000060000000
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG: backtrace:
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG:     #00 pc 0000000000000350  /system/lib64/libc.so (offset 0x1c000)
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG:     #01 pc 0000000000025248  /data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/lib/arm64/libdpt.so (LoadMethod(void*, void*, void const*, void const*, void const*, void*, void*)+916)
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG:     #02 pc 00000000000256dc  /data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/lib/arm64/libdpt.so (LoadMethod_OP(void*, void const*, void const*, void*, void*)+64)
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG:     #03 pc 0000000000131df0  /system/lib64/libart.so (art::ClassLinker::LoadClassMembers(art::Thread*, art::DexFile const&, unsigned char const*, art::Handle<art::mirror::Class>)+964)
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG:     #04 pc 000000000012c5ec  /system/lib64/libart.so (art::ClassLinker::DefineClass(art::Thread*, char const*, unsigned long, art::Handle<art::mirror::ClassLoader>, art::DexFile const&, art::DexFile::ClassDef const&)+628)
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG:     #05 pc 000000000012bf04  /system/lib64/libart.so (art::ClassLinker::FindClassInBaseDexClassLoaderClassPath(art::ScopedObjectAccessAlreadyRunnable&, char const*, unsigned long, art::Handle<art::mirror::ClassLoader>)+756)
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG:     #06 pc 000000000012b9ac  /system/lib64/libart.so (art::ClassLinker::FindClassInBaseDexClassLoader(art::ScopedObjectAccessAlreadyRunnable&, art::Thread*, char const*, unsigned long, art::Handle<art::mirror::ClassLoader>, art::ObjPtr<art::mirror::Class>*)+580)
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG:     #07 pc 00000000002b40b4  /system/lib64/libart.so (offset 0x10e000)
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG:     #08 pc 00000000002cdc88  /system/framework/arm64/boot-core-libart.oat (offset 0xd5000) (java.lang.VMClassLoader.findLoadedClass+200)
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG:     #09 pc 0000000000417e4c  /system/lib64/libart.so (offset 0x10e000)
1970-05-15 14:09:43.162 621-621/? E//system/bin/tombstoned: Tombstone written to: /data/tombstones/tombstone_48
1970-05-15 14:09:43.164 854-19830/system_process W/ActivityManager:   Force finishing activity com.aden.dexmultitest/.MainActivity
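The log above tells the whole story in three places: Dobby reports `function address is 0x0` (the symbol lookup for MapFileAtAddress failed, so no hook was installed), the native shell then fails to `mprotect` the dex mappings, and the process dies with SIGSEGV inside `libdpt.so` (`LoadMethod`). The following Python script is an added example, not code from dpt-shell or from this issue's participants; it parses logcat `threadtime` lines (the format assumed here is exactly the one shown in the log) and flags that sequence automatically. The embedded sample is an excerpt of the issue's own log; the `triage` and `first_own_frame` names and the "hook failure precedes crash" heuristic are this example's own.

```python
import re
from collections import Counter

# Logcat "threadtime" layout as it appears in the issue log (assumed format):
# "<date> <time> <pid>-<tid>/<process> <level>/<tag>: <message>"
LOGCAT_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<pid>\d+)-(?P<tid>\d+)/(?P<proc>\S+) "
    r"(?P<level>[VDIWEAF])/(?P<tag>[^:]+): ?(?P<msg>.*)$"
)
# Bionic's fatal-signal banner, e.g. "Fatal signal 11 (SIGSEGV), code 2, fault addr 0x..."
FATAL_RE = re.compile(
    r"Fatal signal (?P<signum>\d+) \((?P<signame>\w+)\), code (?P<code>\d+), "
    r"fault addr (?P<addr>0x[0-9a-f]+)"
)
# Tombstone backtrace frame: "#01 pc <offset>  <path> (<symbol>+<off>)" or "(offset 0x...)"
FRAME_RE = re.compile(r"#(?P<num>\d{2}) pc (?P<pc>[0-9a-f]+)\s+(?P<path>\S+)(?: \((?P<sym>.*)\))?")
# dpt_native's own error line: "mprotect fail,code = -1,<mapped file>"
MPROTECT_RE = re.compile(r"mprotect fail,code = (?P<code>-?\d+),(?P<target>\S+)")
ABI_RE = re.compile(r"ABI: '(\w+)'")

# Constructed sample: an excerpt of the log lines posted in this issue.
SAMPLE_LOG = """\
1970-05-15 14:09:42.674 19807-19807/com.aden.dexmultitest I/dpt_native: _init!
1970-05-15 14:09:42.719 19807-19807/com.aden.dexmultitest I/Dobby: [!] function address is 0x0
1970-05-15 14:09:42.732 19807-19807/com.aden.dexmultitest I/dpt_native: init_dpt!
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest D/dpt_native: mprotect start = 0x7c5ba000,end = 0x7c788000
1970-05-15 14:09:42.824 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk
1970-05-15 14:09:42.854 19807-19807/com.aden.dexmultitest E/dpt_native: mprotect fail,code = -1,/data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/base.apk!classes2.dex
1970-05-15 14:09:42.855 19807-19807/com.aden.dexmultitest A/libc: Fatal signal 11 (SIGSEGV), code 2, fault addr 0x7c7c80c9bc in tid 19807 (en.dexmultitest), pid 19807 (en.dexmultitest)
1970-05-15 14:09:42.908 19825-19825/? A/DEBUG: ABI: 'arm64'
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG: backtrace:
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG:     #00 pc 0000000000000350  /system/lib64/libc.so (offset 0x1c000)
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG:     #01 pc 0000000000025248  /data/app/com.aden.dexmultitest-XjPcP8Pm6tzmn0FnNkvKhA==/lib/arm64/libdpt.so (LoadMethod(void*, void*, void const*, void const*, void const*, void*, void*)+916)
1970-05-15 14:09:42.950 19825-19825/? A/DEBUG:     #03 pc 0000000000131df0  /system/lib64/libart.so (art::ClassLinker::LoadClassMembers(art::Thread*, art::DexFile const&, unsigned char const*, art::Handle<art::mirror::Class>)+964)
"""


def triage(log_text):
    """Scan a logcat capture and collect the symptoms of a failed inline hook."""
    events = [m.groupdict() for m in map(LOGCAT_RE.match, log_text.splitlines()) if m]
    result = {
        "hook_failures": [],          # Dobby messages reporting a null target address
        "mprotect_failures": Counter(),  # mapped file -> number of failed mprotect calls
        "fatal": None,                # first fatal-signal banner, parsed
        "abi": None,                  # ABI reported by the tombstone
        "frames": [],                 # backtrace frames: number, pc, library, symbol
        "hook_failed_before_crash": False,
    }
    hook_idx = crash_idx = None
    for i, ev in enumerate(events):
        msg = ev["msg"]
        if ev["tag"] == "Dobby" and "function address is 0x0" in msg:
            result["hook_failures"].append(msg.strip())
            if hook_idx is None:
                hook_idx = i
        m = MPROTECT_RE.search(msg)
        if m:
            result["mprotect_failures"][m.group("target")] += 1
        m = FATAL_RE.search(msg)
        if m and result["fatal"] is None:
            result["fatal"] = {
                "signum": int(m.group("signum")), "signame": m.group("signame"),
                "code": int(m.group("code")), "addr": int(m.group("addr"), 16),
            }
            crash_idx = i
        m = ABI_RE.search(msg)
        if m:
            result["abi"] = m.group(1)
        m = FRAME_RE.search(msg)
        if m and ev["tag"] == "DEBUG":
            result["frames"].append({
                "num": int(m.group("num")), "pc": int(m.group("pc"), 16),
                "lib": m.group("path").rsplit("/", 1)[-1], "sym": m.group("sym") or "",
            })
    result["hook_failed_before_crash"] = (
        hook_idx is not None and crash_idx is not None and hook_idx < crash_idx
    )
    return result


def first_own_frame(frames, lib="libdpt.so"):
    """Return the innermost backtrace frame that lies in the shell's own library."""
    return next((f for f in frames if f["lib"] == lib), None)


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("hook failures:", r["hook_failures"])
    print("mprotect failures:", dict(r["mprotect_failures"]))
    print("fatal:", r["fatal"], "abi:", r["abi"])
    print("hook failed before crash:", r["hook_failed_before_crash"])
    own = first_own_frame(r["frames"])
    print("first frame in libdpt.so:", own and (own["num"], own["sym"]))
```

Run it against a full `adb logcat -v threadtime` capture instead of the sample: when `hook_failed_before_crash` is true and the first frame in `libdpt.so` is a method-loading routine, the symbol resolution for that ABI's `libart.so` is the first thing to check, which is exactly what the maintainer's symbol update below addressed.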

luoyesiqiu commented 2 years ago

Please send me the libart.so.

AdenTk commented 2 years ago

libart.so.gz

luoyesiqiu commented 2 years ago

I just updated the symbols; recompile and try again.

AdenTk commented 2 years ago

It works now, thanks a lot.