pardeike / Harmony

A library for patching, replacing and decorating .NET and Mono methods during runtime
https://www.patreon.com/pardeike
MIT License
5.15k stars, 485 forks

A crash after hook: The object's current state invalidates the operation #571

Closed. yangboyd closed this issue 7 months ago

yangboyd commented 7 months ago

Hooking some obfuscated DLL methods.

.NET 4.0.30319, Harmony 2.2.0, Windows x64, x86 process

Original method in dnSpy:

```csharp
public bool IsFormalVer()
{
    object obj = (object)this;
    MethodBase currentMethod = MethodBase.GetCurrentMethod();
    uint num = 123324U;
    if (!true) { }
    int num2 = 140;
    if (!true) { }
    if (!true) { }
    if (false) { }
    uint num3 = 123292U;
    if (false) { }
    if (false) { }
    if (false) { }
    \u0011\u0008\u000B\u000C\u0014\u000A.\u001C\u001B\u001B\u0017\u0007\u0003 u001C_u001B_u001B_u0017_u0007_u = \u0011\u0008\u000B\u000C\u0014\u000A.\u0018\u000B\u0009\u0010\u0011\u0008(obj, currentMethod, num, num2, num3, 32U, 302037U, 218692U, 45);
    object[] array = new object[1];
    if (!true) { }
    if (false) { }
    array[0] = this;
    return (bool)u001C_u001B_u001B_u0017_u0007_u.\u0005\u0001\u0004\u0004\u0005\u0003\u0005\u0004\u0005\u0001\u0004\u0003\u0002\u0003(this, array);
}
```

Crash call stack:

```
2024-02-05 21:56:51.756 [error] [SMR] PID:2 PName:d9994b75-1-133516149926149467 TID:10 dsName:() sessionid:(f0hnw0bhwfradvesj2hpfhgc)
errmsg: sense: The object's current state invalidates the operation.
  class: XXXX.X.XX.Login.Service.dll  method: (System.Object, System.Reflection.MethodBase, UInt32, Int32, UInt32, UInt32, UInt32, UInt32, Int32)
  class: XXXX.X.XX.Login.Service.dll  method: Boolean XXXX.X.XX.Login.Service.YYYWrapperService.IsFormalVer_Patch2(XXXX.X.XX.Login.Service.YYYWrapperService)
  class: XXXX.X.XX.Login.Interface.dll IYYYWrapper  method: Boolean IsFormalVer()
  class: XXXX.X.XX.Login.UIP.dll LoginManager  method: System.Object GetVersionType();XXXX.X.XX.Login.Service.YYYWrapperService.IsFormalVer
traceid:[e231afb4-4540-4417-a9bf-cec9693a7a12]

CallStack:
   at ZZZ.Z.ZZZ.Logging.LogImp.getLogString(String style, Object message, Exception exception)
   at ZZZ.Z.ZZZ.Logging.LogImp.Error(Object message)
   at ZZZ.Z.ZZZ.Aop.Util.ServiceMethodResvol.logStrace(ILog log, Exception e, String extenError)
   at ZZZ.Z.ZZZ.Aop.Util.ServiceMethodResvol.InvokeNormalMethod(ServiceMethod smAttribute, MethodInfo m, Object instance, Object[] args)
   at ZZZ.Z.ZZZ.Aop.Dynamic.LocalCallDynamicProxyImpl.NormalInvoke(MethodBase method, Object[] args, Boolean needFreeCuid)
   at ZZZ.Z.ZZZ.Aop.Dynamic.LocalCallDynamicProxyImpl.Invoke(IMessage message)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at XXXX.X.XX.Login.Interface.IYYYWrapper.IsFormalVer()
   at XXXX.X.XX.Login.UIP.LoginManager.GetVersionType()
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Reflection.MethodBase.Invoke(Object obj, Object[] parameters)
   at AjaxPro.AjaxProcHelper.Run()
   at AjaxPro.AjaxSyncHttpHandler.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
   at System.Web.HttpApplication.ApplicationStepManager.ResumeSteps(Exception error)
   at System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
   at System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
   at System.Web.HttpRuntime.ProcessRequestNoDemand(HttpWorkerRequest wr)
   at System.Web.HttpRuntime.ProcessRequest(HttpWorkerRequest wr)
   at Mono.WebServer.MonoWorkerRequest.ProcessRequest()
   at Mono.WebServer.BaseApplicationHost.ProcessRequest(MonoWorkerRequest mwr)
   at Mono.WebServer.FastCgi.ApplicationHost.ProcessRequest(Responder responder)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg)
   at System.Runtime.Remoting.Messaging.ServerObjectTerminatorSink.SyncProcessMessage(IMessage reqMsg)
   at System.Runtime.Remoting.Messaging.ServerContextTerminatorSink.SyncProcessMessage(IMessage reqMsg)
   at System.Runtime.Remoting.Channels.CrossContextChannel.SyncProcessMessageCallback(Object[] args)
   at System.Threading.Thread.CompleteCrossContextCallback(InternalCrossContextDelegate ftnToCall, Object[] args)
   at System.Threading.Thread.InternalCrossContextCallback(Context ctx, IntPtr ctxID, Int32 appDomainID, InternalCrossContextDelegate ftnToCall, Object[] args)
   at System.Runtime.Remoting.Channels.CrossContextChannel.SyncProcessMessage(IMessage reqMsg)
   at System.Runtime.Remoting.Channels.ChannelServices.SyncDispatchMessage(IMessage msg)
   at System.Runtime.Remoting.Channels.CrossAppDomainSink.DoDispatch(Byte[] reqStmBuff, SmuggledMethodCallMessage smuggledMcm, SmuggledMethodReturnMessage& smuggledMrm)
   at System.Runtime.Remoting.Channels.CrossAppDomainSink.DoTransitionDispatchCallback(Object[] args)
   at System.Threading.Thread.CompleteCrossContextCallback(InternalCrossContextDelegate ftnToCall, Object[] args)
```

Harmony.log

```
Harmony id=com.company.project, version=2.2.2.0, location=C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\tplus\29011d3f\92bb07db\assembly\dl3\d3dba100\009847f2_8a9bd801\0Harmony.dll, env/clr=4.0.30319.42000, platform=Win32NT, ptrsize:runtime/env=4/Bits64, Windows

Started from static System.Int32 TestDLL.Class1::PatchSomeMethods(System.Reflection.Assembly selectAssembly, System.String TestParam), location C:\Windows\system32\config\systemprofile\AppData\Local\assembly\dl3\DBZDR2EJ.NQR\7OCKAQCQ.A99\2295b166\df6551bd_3458da01\TestDLL.dll

At 2024-02-05 09.56.38

Patch: virtual System.Boolean XXXX.X.XX.Login.Service.YYYWrapperService::IsFormalVer()

Replacement: static System.Boolean XXXX.X.XX.Login.Service.YYYWrapperService::XXXX.X.XX.Login.Service.YYYWrapperService.IsFormalVer_Patch2(XXXX.X.XX.Login.Service.YYYWrapperService this)

IL_0000: Local var 0: System.Object[]
IL_0000: Local var 1: System.Object[]
IL_0000: Local var 2: System.Boolean
IL_0000: Local var 3: System.Boolean
IL_0000: ldc.i4 0
IL_0005: stloc 2 (System.Boolean)
IL_0009: ldc.i4 0
IL_000E: stloc 3 (System.Boolean)
IL_0012: ldc.i4.1
IL_0013: stloc 3 (System.Boolean)
IL_0017: ldloc 3 (System.Boolean)
IL_001B: brfalse => Label1
IL_0020: ldloca 2 (System.Boolean)
IL_0024: call static System.Boolean TestDLL.PatchYYYWrapperService::IsFormalVerPrefix(System.Boolean& __result)
IL_0029: stloc 3 (System.Boolean)
IL_002D: Label1
IL_002D: nop
IL_002E: ldloc 3 (System.Boolean)
IL_0032: brfalse => Label0
IL_0037: // start original
IL_0037: ldarg.0
IL_0038: castclass System.Object
IL_003D: call static System.Reflection.MethodBase System.Reflection.MethodBase::GetCurrentMethod()
IL_0042: ldc.i4 123324
IL_0047: br => Label2
IL_004C: Label28
IL_004C: br => Label3
IL_0051: ldind.r8
IL_0052: ldind.i
IL_0053: Label18
IL_0053: ldc.i4 32
IL_0058: ldc.i4 302037
IL_005D: ldc.i4 218692
IL_0062: ldc.i4 45
IL_0067: call static loader. loader.  :: (System.Object  , System.Reflection.MethodBase  , System.UInt32  , System.Int32 , System.UInt32  , System.UInt32  , System.UInt32 , System.UInt32   , System.Int32   )
IL_006C: ldarg.0
IL_006D: ldc.i4 1
IL_0072: newarr System.Object
IL_0077: dup
IL_0078: br => Label4
IL_007D: Label10
IL_007D: dup
IL_007E: ldc.i4 0
IL_0083: ldarg 0
IL_0087: stelem.ref
IL_0088: callvirt System.Object loader.::(System.Object   , System.Object[] )
IL_008D: unbox.any System.Boolean
IL_0092: br => Label29
IL_0097: Label3
IL_0097: ldc.i4.1
IL_0098: brtrue => Label5
IL_009D: ldc.i4.0
IL_009E: pop
IL_009F: Label5
IL_009F: br => Label6
IL_00A4: Label13
IL_00A4: br => Label7
IL_00A9: neg
IL_00AA: Label4
IL_00AA: Label16
IL_00AA: ldc.i4.1
IL_00AB: brtrue => Label8
IL_00B0: ldc.i4.1
IL_00B1: pop
IL_00B2: Label8
IL_00B2: br => Label9
IL_00B7: Label26
IL_00B7: br => Label10
IL_00BC: Label6
IL_00BC: ldc.i4.1
IL_00BD: brtrue => Label11
IL_00C2: ldc.i4.m1
IL_00C3: pop
IL_00C4: Label11
IL_00C4: br => Label12
IL_00C9: ldc.i4.5
IL_00CA: stloc.2
IL_00CB: Label24
IL_00CB: br => Label13
IL_00D0: Label7
IL_00D0: ldc.i4.0
IL_00D1: brfalse => Label14
IL_00D6: ldc.i4.1
IL_00D7: pop
IL_00D8: Label14
IL_00D8: br => Label15
IL_00DD: ldloc.0
IL_00DE: ldind.r4
IL_00DF: Label19
IL_00DF: Label22
IL_00DF: br => Label16
IL_00E4: Label21
IL_00E4: ldc.i4.0
IL_00E5: brfalse => Label17
IL_00EA: ldc.i4.5
IL_00EB: pop
IL_00EC: Label17
IL_00EC: br => Label18
IL_00F1: br => Label19
IL_00F6: Label15
IL_00F6: ldc.i4.0
IL_00F7: brfalse => Label20
IL_00FC: ldc.i4.3
IL_00FD: pop
IL_00FE: Label20
IL_00FE: br => Label21
IL_0103: br => Label22
IL_0108: Label12
IL_0108: ldc.i4.0
IL_0109: brfalse => Label23
IL_010E: ldc.i4.5
IL_010F: pop
IL_0110: Label23
IL_0110: ldc.i4 123292
IL_0115: br => Label24
IL_011A: Label9
IL_011A: ldc.i4.0
IL_011B: brfalse => Label25
IL_0120: ldc.i4.1
IL_0121: pop
IL_0122: Label25
IL_0122: stloc.0
IL_0123: br => Label26
IL_0128: Label2
IL_0128: ldc.i4.1
IL_0129: brtrue => Label27
IL_012E: ldc.i4.3
IL_012F: pop
IL_0130: Label27
IL_0130: ldc.i4 140
IL_0135: br => Label28
IL_013A: // end original
IL_013A: Label29
IL_013A: stloc 2 (System.Boolean)
IL_013E: Label0
IL_013E: ldloca 2 (System.Boolean)
IL_0142: call static System.Void TestDLL.PatchYYYWrapperService::IsFormalVerPostfix(System.Boolean& __result)
IL_0147: ldloc 2 (System.Boolean)
IL_014B: ret
DONE
```

pardeike commented 7 months ago

It looks like you are patching inside a web container. Web containers can have extra protection that prevents code execution across appdomains. The stack trace and the Harmony log show that the method was patched correctly and I don’t know what I could fix as Harmony seems to do its job just fine.
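Added example for readers of this thread; it is not code from the issue, from TestDLL, or from Harmony's own sources, and neither participant proposed it. It rebuilds the patch layout visible in the Harmony log (a bool-returning `IsFormalVerPrefix` and a void `IsFormalVerPostfix`, both taking `ref bool __result`) against a stand-in class, then adds the check a practitioner would want before patching an obfuscated method: the dnSpy listing shows the target calling `MethodBase.GetCurrentMethod()` and handing the result to the obfuscator's runtime (the `loader` call in the IL), and the crash stack shows the exception thrown inside that runtime method, one frame below `IsFormalVer_Patch2`. Harmony runs the original body as a copy inside a separately emitted replacement method, so a body that keys on its own `MethodBase` may be handed an identity it has never seen. Whether that is the cause here is a hypothesis the thread does not settle; the harness below lets you measure it on your own runtime. The class and patch names (`VersionService`, `VersionServicePatch`, `PatchDiagnostics`, the Harmony id) are stand-ins for the redacted ones in the issue; the Chinese exception text in the log is assumed to be the zh-CN localization of `System.InvalidOperationException`'s default message.

```csharp
// Added example (not from the issue or from Harmony). Stand-in names throughout.
using System;
using System.Linq;
using System.Reflection;
using HarmonyLib;

// Stand-in for the obfuscated YYYWrapperService. Like the dnSpy listing, the body
// captures its own MethodBase; here it only records it so the harness can compare.
public class VersionService
{
    public static MethodBase LastSeen;

    public virtual bool IsFormalVer()
    {
        LastSeen = MethodBase.GetCurrentMethod();
        return true;
    }
}

// Same layout as TestDLL.PatchYYYWrapperService in the Harmony log: a bool prefix
// and a void postfix, both taking `ref bool __result`. Neither alters the result.
[HarmonyPatch(typeof(VersionService), nameof(VersionService.IsFormalVer))]
public static class VersionServicePatch
{
    public static bool Prefix(ref bool __result) => true;   // true: run the (copied) original body
    public static void Postfix(ref bool __result) { }
}

public static class PatchDiagnostics
{
    static readonly MethodInfo GetCurrentMethodInfo =
        typeof(MethodBase).GetMethod(nameof(MethodBase.GetCurrentMethod), Type.EmptyTypes);

    // Pre-patch check: read the target's IL through Harmony's public reader and
    // look for a call to MethodBase.GetCurrentMethod(). A hit means the body
    // depends on its own identity, which the copy inside the replacement
    // may not preserve.
    public static bool InspectsItself(MethodBase target) =>
        PatchProcessor.GetOriginalInstructions(target).Any(ci => ci.Calls(GetCurrentMethodInfo));

    static string Describe(MethodBase m) =>
        m == null ? "<null>" : (m.DeclaringType?.FullName ?? "<dynamic>") + "::" + m.Name;

    public static void Main()
    {
        MethodBase target = AccessTools.Method(typeof(VersionService), nameof(VersionService.IsFormalVer));
        Console.WriteLine($"target calls GetCurrentMethod(): {InspectsItself(target)}");

        var svc = new VersionService();
        svc.IsFormalVer();
        Console.WriteLine($"before patch: {Describe(VersionService.LastSeen)}");

        var harmony = new Harmony("com.example.getcurrentmethod-check");   // stand-in id
        harmony.PatchAll(typeof(VersionServicePatch).Assembly);

        svc.IsFormalVer();
        Console.WriteLine($"after patch:  {Describe(VersionService.LastSeen)}");

        // Harmony can map a replacement method back to the method it stands in for;
        // a runtime that only knows the original has no such mapping.
        MethodBase original = VersionService.LastSeen is MethodInfo mi ? Harmony.GetOriginalMethod(mi) : null;
        Console.WriteLine($"maps back to: {Describe(original)}");
    }
}
```

Run it as a console program against the Harmony version you deploy (the log shows 2.2.2.0; the calls used, `PatchProcessor.GetOriginalInstructions`, `CodeInstruction.Calls`, `AccessTools.Method`, `Harmony.PatchAll` and `Harmony.GetOriginalMethod`, are all Harmony 2.x public API). If the "after patch" line names something other than `VersionService::IsFormalVer`, any code that keys on the `MethodBase` it is handed, as the obfuscator runtime in the listing does, receives an identity it was never built for. That would be consistent with an `InvalidOperationException` surfacing inside the `loader` frame of the crash stack rather than inside Harmony, which also fits the observation in the reply above that the patch itself was applied correctly. A prefix that returns `false` would avoid executing the copied body altogether, but that changes the method's behaviour and is a separate decision from diagnosing the crash.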

yangboyd commented 7 months ago

Thanks