salvogiangri / KnoxPatch

LSPosed module to get Samsung apps/features working again in your rooted Galaxy device.
GNU General Public License v3.0
688 stars 31 forks

SIGSEGV when loading app that has STEALIEN AppSuit #38

Closed brandonros closed 11 months ago

brandonros commented 11 months ago

https://www.stealien.com/en/products/series AppSuit

----part 2 start----
[ 2023-08-03T21:55:18.451        0:   691:   714 I/LSPosedLogcat   ] New log file: /data/adb/lspd/log/verbose_2023-08-03T21:55:18.451266.log
[ 2023-08-03T21:55:20.830    10239:  2280:  2280 I/LSPosed         ] Loading xposed for com.redacted.redacted/10239
[ 2023-08-03T21:55:20.846    10239:  2280:  2280 I/LSPosed-Bridge  ] Loading module io.mesalabs.knoxpatch from /data/app/~~y1_DjPFxD7TDnZncD41wXw==/io.mesalabs.knoxpatch-1TD3K_RPRGvDG-Axx3Gxgw==/base.apk
[ 2023-08-03T21:55:20.868    10239:  2280:  2280 I/LSPosed-Bridge  ]   Loading class io.mesalabs.knoxpatch.MainHook_YukiHookXposedInit
[ 2023-08-03T21:55:22.603    10239:  2280:  2355 F/libc            ] Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8 in tid 2355 (RenderThread), pid 2280 (o.redacted)
[ 2023-08-03T21:55:23.060    10239:  2405:  2405 F/DEBUG           ] *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
[ 2023-08-03T21:55:23.060    10239:  2405:  2405 F/DEBUG           ] Build fingerprint: 'samsung/gta7litewifixx/gta7litewifi:13/TP1A.220624.014/T220XXS4CWG4:user/release-keys'
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ] Revision: '0'
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ] ABI: 'arm'
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ] Processor: '1'
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ] Timestamp: 2023-08-03 21:55:22.719014235-0400
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ] Process uptime: 3s
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ] Cmdline: com.redacted.redacted
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ] pid: 2280, tid: 2355, name: RenderThread  >>> com.redacted.redacted <<<
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ] uid: 10239
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ] signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x00000008
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ] Cause: null pointer dereference
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ]     r0  10000000  r1  355458a3  r2  80000000  r3  00000000
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ]     r4  deab8b68  r5  f4a86f4f  r6  f5069f08  r7  f17937c0
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ]     r8  00000000  r9  f17937c0  r10 f6966158  r11 f4a766a6
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ]     ip  0000003b  sp  deab8ac8  lr  f4ee8d27  pc  f4ee8e1a
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ] backtrace:
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ]       #00 pc 004d0e1a  /system/lib/libhwui.so (GrSkSLFP::Impl::emitCode(GrFragmentProcessor::ProgramImpl::EmitArgs&)+502) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ]       #01 pc 0050ac75  /system/lib/libhwui.so (GrGLSLProgramBuilder::writeFPFunction(GrFragmentProcessor const&, GrFragmentProcessor::ProgramImpl&)+968) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ]       #02 pc 0050abf9  /system/lib/libhwui.so (GrGLSLProgramBuilder::writeFPFunction(GrFragmentProcessor const&, GrFragmentProcessor::ProgramImpl&)+844) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ]       #03 pc 0050a45b  /system/lib/libhwui.so (GrGLSLProgramBuilder::emitAndInstallProcs()+2410) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ]       #04 pc 0050644d  /system/lib/libhwui.so (GrGLProgramBuilder::CreateProgram(GrDirectContext*, GrProgramDesc const&, GrProgramInfo const&, GrGLPrecompiledProgram const*)+364) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ]       #05 pc 004fd56d  /system/lib/libhwui.so (GrGLGpu::ProgramCache::findOrCreateProgramImpl(GrDirectContext*, GrProgramDesc const&, GrProgramInfo const&, GrThreadSafePipelineBuilder::Stats::ProgramCacheResult*)+264) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.061    10239:  2405:  2405 F/DEBUG           ]       #06 pc 004fd3e1  /system/lib/libhwui.so (GrGLGpu::ProgramCache::findOrCreateProgram(GrDirectContext*, GrProgramInfo const&)+84) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #07 pc 004f776f  /system/lib/libhwui.so (GrGLGpu::flushGLState(GrRenderTarget*, bool, GrProgramInfo const&)+66) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #08 pc 004a86f9  /system/lib/libhwui.so (GrOpsRenderPass::bindPipeline(GrProgramInfo const&, SkRect const&)+80) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #09 pc 005258fd  /system/lib/libhwui.so ((anonymous namespace)::FillRectOpImpl::onExecute(GrOpFlushState*, SkRect const&)+180) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #10 pc 005320df  /system/lib/libhwui.so (skgpu::v1::OpsTask::onExecute(GrOpFlushState*)+702) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #11 pc 0049c81b  /system/lib/libhwui.so (GrDrawingManager::flush(SkSpan<GrSurfaceProxy*>, SkSurface::BackendSurfaceAccess, GrFlushInfo const&, GrBackendSurfaceMutableState const*)+1770) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #12 pc 0049cc67  /system/lib/libhwui.so (GrDrawingManager::flushSurfaces(SkSpan<GrSurfaceProxy*>, SkSurface::BackendSurfaceAccess, GrFlushInfo const&, GrBackendSurfaceMutableState const*)+96) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #13 pc 00497641  /system/lib/libhwui.so (GrDirectContextPriv::flushSurfaces(SkSpan<GrSurfaceProxy*>, SkSurface::BackendSurfaceAccess, GrFlushInfo const&, GrBackendSurfaceMutableState const*)+160) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #14 pc 00594bb1  /system/lib/libhwui.so (SkSurface_Gpu::onFlush(SkSurface::BackendSurfaceAccess, GrFlushInfo const&, GrBackendSurfaceMutableState const*)+84) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #15 pc 0059615d  /system/lib/libhwui.so (SkSurface::flushAndSubmit(bool)+40) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #16 pc 00286f3b  /system/lib/libhwui.so (android::uirenderer::skiapipeline::SkiaOpenGLPipeline::draw(android::uirenderer::renderthread::Frame const&, SkRect const&, SkRect const&, android::uirenderer::LightGeometry const&, android::uirenderer::LayerUpdateQueue*, android::uirenderer::Rect const&, bool, android::uirenderer::LightInfo const&, std::__1::vector<android::sp<android::uirenderer::RenderNode>, std::__1::allocator<android::sp<android::uirenderer::RenderNode> > > const&, android::uirenderer::FrameInfoVisualizer*)+394) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #17 pc 0028c58b  /system/lib/libhwui.so (android::uirenderer::renderthread::CanvasContext::draw()+1210) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #18 pc 0028d047  /system/lib/libhwui.so (android::uirenderer::renderthread::CanvasContext::prepareAndDraw(android::uirenderer::RenderNode*)+194) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #19 pc 0029a0b1  /system/lib/libhwui.so (std::__1::__function::__func<android::uirenderer::renderthread::RenderThread::frameCallback(long long, long long, long long, long long)::$_0, std::__1::allocator<android::uirenderer::renderthread::RenderThread::frameCallback(long long, long long, long long, long long)::$_0>, void ()>::operator()() (.bccef1b46f85814f8e4c81f39aa5434c)+108) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #20 pc 002821e9  /system/lib/libhwui.so (android::uirenderer::WorkQueue::process()+384) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #21 pc 00299999  /system/lib/libhwui.so (android::uirenderer::renderthread::RenderThread::threadLoop()+308) (BuildId: 8e7c27a62a24ccfb539073590f59ece0)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #22 pc 0000d759  /system/lib/libutils.so (android::Thread::_threadLoop(void*)+264) (BuildId: 4aae4a9e055a7bad5f9bcea4e1b72b1c)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #23 pc 000ad483  /apex/com.android.runtime/lib/bionic/libc.so (__pthread_start(void*)+40) (BuildId: d105e2cb0f203ee587c2ececbdbab690)
[ 2023-08-03T21:55:23.062    10239:  2405:  2405 F/DEBUG           ]       #24 pc 0006459d  /apex/com.android.runtime/lib/bionic/libc.so (__start_thread+30) (BuildId: d105e2cb0f203ee587c2ececbdbab690)
[ 2023-08-03T21:55:23.680    10239:  2436:  2436 I/LSPosed         ] Loading xposed for com.redacted.redacted/10239
[ 2023-08-03T21:55:23.698    10239:  2436:  2436 I/LSPosed-Bridge  ] Loading module io.mesalabs.knoxpatch from /data/app/~~y1_DjPFxD7TDnZncD41wXw==/io.mesalabs.knoxpatch-1TD3K_RPRGvDG-Axx3Gxgw==/base.apk
[ 2023-08-03T21:55:23.721    10239:  2436:  2436 I/LSPosed-Bridge  ]   Loading class io.mesalabs.knoxpatch.MainHook_YukiHookXposedInit
[ 2023-08-03T21:55:25.634    10239:  2436:  2473 F/libc            ] Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xf757269e in tid 2473 (o.redacted), pid 2436 (o.redacted)
[ 2023-08-03T21:55:26.102    10239:  2510:  2510 F/DEBUG           ] *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
[ 2023-08-03T21:55:26.102    10239:  2510:  2510 F/DEBUG           ] Build fingerprint: 'samsung/gta7litewifixx/gta7litewifi:13/TP1A.220624.014/T220XXS4CWG4:user/release-keys'
[ 2023-08-03T21:55:26.102    10239:  2510:  2510 F/DEBUG           ] Revision: '0'
[ 2023-08-03T21:55:26.102    10239:  2510:  2510 F/DEBUG           ] ABI: 'arm'
[ 2023-08-03T21:55:26.102    10239:  2510:  2510 F/DEBUG           ] Processor: '6'
[ 2023-08-03T21:55:26.102    10239:  2510:  2510 F/DEBUG           ] Timestamp: 2023-08-03 21:55:25.744945158-0400
[ 2023-08-03T21:55:26.102    10239:  2510:  2510 F/DEBUG           ] Process uptime: 3s
[ 2023-08-03T21:55:26.102    10239:  2510:  2510 F/DEBUG           ] Cmdline: com.redacted.redacted
[ 2023-08-03T21:55:26.102    10239:  2510:  2510 F/DEBUG           ] pid: 2436, tid: 2473, name: o.redacted  >>> com.redacted.redacted <<<
[ 2023-08-03T21:55:26.103    10239:  2510:  2510 F/DEBUG           ] uid: 10239
[ 2023-08-03T21:55:26.103    10239:  2510:  2510 F/DEBUG           ] signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xf757269e
[ 2023-08-03T21:55:26.103    10239:  2510:  2510 F/DEBUG           ]     r0  f757c3d8  r1  00000001  r2  00000000  r3  00000000
[ 2023-08-03T21:55:26.103    10239:  2510:  2510 F/DEBUG           ]     r4  0000000a  r5  f6513680  r6  f651369c  r7  f757c3d8
[ 2023-08-03T21:55:26.103    10239:  2510:  2510 F/DEBUG           ]     r8  00000078  r9  f757269f  r10 00000000  r11 00000000
[ 2023-08-03T21:55:26.103    10239:  2510:  2510 F/DEBUG           ]     ip  f650085c  sp  e3cccb80  lr  f64f3ef7  pc  f757269e
[ 2023-08-03T21:55:26.103    10239:  2510:  2510 F/DEBUG           ] backtrace:
[ 2023-08-03T21:55:26.103    10239:  2510:  2510 F/DEBUG           ]       #00 pc 0000369e  [anon:thread signal stack]
[ 2023-08-03T21:55:26.103    10239:  2510:  2510 F/DEBUG           ]       #01 pc 000afef5  /apex/com.android.runtime/lib/bionic/libc.so (__cxa_finalize+196) (BuildId: d105e2cb0f203ee587c2ececbdbab690)
[ 2023-08-03T21:55:26.103    10239:  2510:  2510 F/DEBUG           ]       #02 pc 000a5f13  /apex/com.android.runtime/lib/bionic/libc.so (exit+10) (BuildId: d105e2cb0f203ee587c2ececbdbab690)
[ 2023-08-03T21:55:26.103    10239:  2510:  2510 F/DEBUG           ]       #03 pc 000188ed  /data/app/~~t_LCslN8WkWynm4HA8sECg==/com.redacted.redacted-7yFmtNPA3swcGUBGuvZOtw==/lib/arm/libAppSuit.so

salvogiangri commented 11 months ago

This isn't an issue with the module directly, as it seems the app is detecting root or Zygisk/LSPosed. Did you install Shamiko and enable the app in Magisk's DenyList? Make sure not to enable "Enforce DenyList" for Shamiko to work correctly.
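The two dumps above are both SIGSEGV, but only the first looks like a genuine bug (a null dereference inside /system/lib/libhwui.so on the RenderThread); the second reaches exit() from the app's own libAppSuit.so, which is what a protection library does once it has decided it is running on a rooted or hooked device. The following triage script is an added example, not code from the issue or from KnoxPatch: it parses tombstone lines in this logcat shape and tells the two cases apart. The sample lines are constructed in the same shape as the report, trimmed to the fields the triage needs.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not copied verbatim from the issue): tombstone lines in the
# same logcat shape as the report above, trimmed to the fields the triage needs.
SAMPLE_LOG = """\
[ 2023-08-03T21:55:23.061 10239: 2405: 2405 F/DEBUG ] pid: 2280, tid: 2355, name: RenderThread  >>> com.redacted.redacted <<<
[ 2023-08-03T21:55:23.061 10239: 2405: 2405 F/DEBUG ] signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x00000008
[ 2023-08-03T21:55:23.061 10239: 2405: 2405 F/DEBUG ] backtrace:
[ 2023-08-03T21:55:23.061 10239: 2405: 2405 F/DEBUG ]       #00 pc 004d0e1a  /system/lib/libhwui.so (GrSkSLFP::Impl::emitCode(...)+502)
[ 2023-08-03T21:55:26.103 10239: 2510: 2510 F/DEBUG ] pid: 2436, tid: 2473, name: o.redacted  >>> com.redacted.redacted <<<
[ 2023-08-03T21:55:26.103 10239: 2510: 2510 F/DEBUG ] signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xf757269e
[ 2023-08-03T21:55:26.103 10239: 2510: 2510 F/DEBUG ] backtrace:
[ 2023-08-03T21:55:26.103 10239: 2510: 2510 F/DEBUG ]       #00 pc 0000369e  [anon:thread signal stack]
[ 2023-08-03T21:55:26.103 10239: 2510: 2510 F/DEBUG ]       #01 pc 000afef5  /apex/com.android.runtime/lib/bionic/libc.so (__cxa_finalize+196)
[ 2023-08-03T21:55:26.103 10239: 2510: 2510 F/DEBUG ]       #02 pc 000a5f13  /apex/com.android.runtime/lib/bionic/libc.so (exit+10)
[ 2023-08-03T21:55:26.103 10239: 2510: 2510 F/DEBUG ]       #03 pc 000188ed  /data/app/~~t_LCslN8WkWynm4HA8sECg==/com.redacted.redacted-7yFmtNPA3swcGUBGuvZOtw==/lib/arm/libAppSuit.so
"""

PID_RE = re.compile(r"\] pid: (\d+), tid: (\d+), name: (\S+)")
SIG_RE = re.compile(r"\] signal (\d+) \((\w+)\), code (\d+) \((\w+)\), fault addr (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"\] +#\d+ pc [0-9a-f]+ +(\[[^\]]*\]|\S+)(?: \(([^(+]+))?")
TERMINATORS = {"exit", "_exit", "abort", "raise", "tgkill"}  # libc symbols that end the process on purpose

@dataclass
class Crash:
    pid: int
    tid: int
    thread: str
    signal: str = ""
    code: str = ""
    fault_addr: str = ""
    frames: list = field(default_factory=list)  # (path, symbol or None), frame #00 first

def parse_tombstones(text):
    """Group tombstone lines into Crash records; each 'pid:' header starts a new one."""
    crashes = []
    for line in text.splitlines():
        if m := PID_RE.search(line):
            crashes.append(Crash(int(m[1]), int(m[2]), m[3]))
        elif crashes and (m := SIG_RE.search(line)):
            crashes[-1].signal, crashes[-1].code, crashes[-1].fault_addr = m[2], m[4], m[5]
        elif crashes and (m := FRAME_RE.search(line)):
            crashes[-1].frames.append((m[1], m[2].strip() if m[2] else None))
    return crashes

def triage(crash):
    """Label a crash. A stack that passes through exit()/abort() with an app-shipped
    library (/data/...) beneath it is a deliberate termination, not a memory bug."""
    paths = [p for p, _ in crash.frames]
    exit_idx = next((i for i, (_, s) in enumerate(crash.frames) if s in TERMINATORS), None)
    if exit_idx is not None:
        app_lib = next((p for p in paths[exit_idx:] if p.startswith("/data/")), None)
        if app_lib:
            return ("deliberate-exit", app_lib.rsplit("/", 1)[-1])
    if paths and paths[0].startswith("[anon"):
        return ("anonymous-code", None)  # faulting in an unnamed mapping, worth a closer look
    kind = "app-library-crash" if any(p.startswith("/data/") for p in paths) else "system-library-crash"
    return (kind, paths[0].rsplit("/", 1)[-1] if paths else None)
```

Run it over a full `logcat -b crash` capture and a "deliberate-exit" verdict naming the app's own library is the signal that the process ended itself rather than hit a rendering bug.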

brandonros commented 11 months ago

That worked. Thank you very much.

brandonros commented 11 months ago

@BlackMesa123 if you have to add an app to Magisk's DenyList, is there a way to still blend it with LSPosed/Xposed hooks or not really? It's all or nothing?

salvogiangri commented 11 months ago

@BlackMesa123 if you have to add an app to Magisk's DenyList, is there a way to still blend it with LSPosed/Xposed hooks or not really? It's all or nothing?

Enabling an app in the DenyList will make sure Magisk disables itself completely for that specific app to avoid root detection (Shamiko actually does the job in this case, as it hides every Magisk/Zygisk/LSPosed trace from the apps in the list), so you can’t do that unless you manage to bypass the root checks in the apps via the hooks (which anyway requires removing the app from the DenyList): https://github.com/BlackMesa123/KnoxPatch/issues/21#issuecomment-1545791101

brandonros commented 11 months ago

so if I have an app that:

when on the deny list, works

when not on the deny list, even with Shamiko, doesn't work

it means the app is able to bypass Shamiko still for anti-root detection?

I'm deep into gdb, I can try to figure out what it's doing. It's a packed .ELF with many tricks going on, but nothing the community hasn't seen before I'm sure. Might just need some massaging to make it more up to date? What do you think, too large of an endeavor/very difficult?

salvogiangri commented 11 months ago

when not on the deny list, even with Shamiko, doesn't work

it means the app is able to bypass Shamiko still for anti-root detection?

Shamiko will not hide root from apps that are not in the DenyList.

I'm deep into gdb, I can try to figure out what it's doing. It's a packed .ELF with many tricks going on, but nothing the community hasn't seen before I'm sure. Might just need some massaging to make it more up to date? What do you think, too large of an endeavor/very difficult?

You can probably start by looking at the (little) source code snippets you can find online to see what the binary could check:

https://github.com/vvb2060/MagiskDetector
https://github.com/canyie/MagiskKiller
https://github.com/LSPosed/NativeDetector

There’s a newer app called “Momo” now to check your device’s root detection; unfortunately, like Shamiko, it’s closed source to avoid sharing those “detection methods” in the wild: https://t.me/magiskalpha/529

brandonros commented 11 months ago

Shamiko will not hide root to apps that are not in the DenyList

Sorry, to clarify:

Install Shamiko module

In Magisk settings, configure DenyList, add the target app, but keep Enforce DenyList off, because otherwise the Shamiko Magisk module will say "Shamiko doesn't work since enforce denylist is enabled"?

 $ md5 assets/appsuit/momo 
MD5 (assets/appsuit/momo) = 91eca337d818d48f30a9a583a43a194a

Yes, the app I'm debugging has both the native armeabi libAppSuit.so and then assets/appsuit/momo as well.

I am guessing libAppSuit.so is a multi-stage ELF with many spoofs that then depends/calls on momo? I am at the stage where libAppSuit itself without calling to momo is able to SIGSEGV due to root detection (guessing)

salvogiangri commented 11 months ago

Install Shamiko module

In Magisk settings, configure DenyList, add the target app, but keep Enforce DenyList off, because otherwise the Shamiko Magisk module will say "Shamiko doesn't work since enforce denylist is enabled"?

Correct, all you have to do now is add/remove apps in Magisk DenyList, Shamiko will do the rest.

I am guessing libAppSuit.so is a multi-stage ELF with many spoofs that then depends/calls on momo? I am at the stage where libAppSuit itself without calling to momo is able to SIGSEGV due to root detection (guessing)

Might I know what app you are testing it out on? I saw the package name ends with o.smartlauncher but I couldn't find such an app anywhere.

brandonros commented 11 months ago

Thank you for the help, it is appreciated.

I could send it to you. I'd prefer to keep it offline. I redacted the string you mentioned.

Might I ask your opinion on this... It's doing this weird trick.

When you launch the .apk, it has something like this:

public class a {
    static {
        System.loadLibrary("AppSuit");
    }
}

That's fine. Thanks to the amazing work of LSPosed/Magisk/Shamiko, the app is able to run if you set it up correctly (aka root and LSPosed can't be detected/are hidden).

The problem I'm facing now (and I don't know if it's specifically due to the libAppSuit.so library) is that the process is spawning a child process that is ptrace()ing itself, preventing me from being able to attach with a debugger or even dump the memory so I can see how the hidden/obfuscated/encrypted classes get loaded.

For example, the AndroidManifest.xml mentions a class that doesn't show up in classes.dex (which has next to nothing), which lets me think it's doing some kind of reflection/importing the classes at runtime.

I've tried LD_PRELOAD via like setprop wrap.com.redacted.redacted LD_PRELOAD=/data/local/tmp/lipMyPreload.so but that didn't work. Curious if you would know how to get around this ptrace protection?

brandonros commented 11 months ago

@BlackMesa123 sorry to bother you on this, want to ask you a question.

com.highcapable.yukihookapi.hook.entity.YukiBaseHooker injects itself + runs at runtime/launch, but apps protected with AppSuit load themselves in stages

How would you catch this? I want to hook certain things that eventually get loaded. findClass from what I understand won't work because not all classes are loaded at app init/launch.

salvogiangri commented 11 months ago

Devs at @LSPosed probably know more stuff than me, try opening an issue there. https://github.com/LSPosed/LSPosed

brandonros commented 11 months ago

import com.highcapable.yukihookapi.hook.factory.onLoadClass

// Fires for every class the app's ClassLoader defines, including the ones the
// packer only unpacks later, so hooks can be installed once the target class exists.
appClassLoader.onLoadClass { clazz ->
    val stringifiedClass = clazz.toString()
    loggerD(msg = "$TAG: onLoadClass. ${stringifiedClass}")
    if (stringifiedClass.equals("class redacted")) {
        loadApp(Constants.REDACTED, RedactedServiceHooks)
    }
}

I was able to extend what you did in MainHook.kt and add this, thank you!