sanfengAndroid / FakeXposed

Hide xposed, root, file redirection, etc.
Apache License 2.0

App crashes, seems to be an error while hooking properties: orig___system_property_read_callback can't be found in API 23 #4

Closed hwangjr closed 3 years ago

hwangjr commented 3 years ago

Env: OPPO R9s Android 6.1, API 23
Test App: https://github.com/vvb2060/MagiskDetector
Installed with Magisk (Canary 22005) & Xposed (version 89): https://github.com/topjohnwu/Magisk/
https://github.com/Magisk-Modules-Repo/xposed

build script: python build.py -vm api 23

03-21 16:40:29.554 8840-8840/? E/HookLog: Current operating platform: arm64
03-21 16:40:29.905 8862-8862/? E/HookLog: Current operating platform: arm64
03-21 16:40:29.928 8840-8840/io.github.vvb2060.magiskdetector E/HookLog: ERROR: find symbol failed, symbol name: __system_property_read_callback, error code: 0xffffffe0
03-21 16:40:29.928 8840-8840/io.github.vvb2060.magiskdetector E/HookLog: /Users/xxx/xxx/FakeXposed/app/src/main/cpp/hook/hook_properties.cpp:53: get_orig___system_property_read_callback CHECK 'orig___system_property_read_callback' failed
03-21 16:40:29.928 8840-8840/io.github.vvb2060.magiskdetector A/libc: Fatal signal 6 (SIGABRT), code -6 in tid 8840 (.magiskdetector)
03-21 16:40:29.982 686-686/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-21 16:40:29.982 686-686/? A/DEBUG: Build fingerprint: 'OPPO/R9s/R9s:6.0.1/MMB29M/1482468466:user/release-keys'
03-21 16:40:29.982 686-686/? A/DEBUG: Revision: '0'
03-21 16:40:29.982 686-686/? A/DEBUG: ABI: 'arm64'
03-21 16:40:29.983 686-686/? A/DEBUG: pid: 8840, tid: 8840, name: .magiskdetector  >>> io.github.vvb2060.magiskdetector <<<
03-21 16:40:29.983 686-686/? A/DEBUG: signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
03-21 16:40:29.997 686-686/? A/DEBUG:     x0   0000000000000000  x1   0000000000002288  x2   0000000000000006  x3   0000000000000000
03-21 16:40:29.997 686-686/? A/DEBUG:     x4   0000000000000000  x5   0000000000000001  x6   0000000000000000  x7   0000000000000000
03-21 16:40:29.997 686-686/? A/DEBUG:     x8   0000000000000083  x9   0000000000000000  x10  0000000000000000  x11  0000007fd4bd6078
03-21 16:40:29.997 686-686/? A/DEBUG:     x12  0000007fd4bd5f50  x13  00000000000000c2  x14  0000007fd4bd6138  x15  0000000000000000
03-21 16:40:29.998 686-686/? A/DEBUG:     x16  0000007f9004e568  x17  0000007f8ffe056c  x18  0000007f904109b4  x19  0000007f904a5088
03-21 16:40:29.998 686-686/? A/DEBUG:     x20  0000007f904a4fc8  x21  0000000000000058  x22  0000000000000006  x23  0000007fd4bd68b0
03-21 16:40:29.998 686-686/? A/DEBUG:     x24  0000000012d95c60  x25  0000000012c2ba40  x26  00000000700c9378  x27  0000000012cc40b0
03-21 16:40:29.998 686-686/? A/DEBUG:     x28  0000000070ffc3f2  x29  0000007fd4bd6530  x30  0000007f8ffddd08
03-21 16:40:29.998 686-686/? A/DEBUG:     sp   0000007fd4bd6530  pc   0000007f8ffe0574  pstate 0000000020000000
03-21 16:40:30.006 686-686/? A/DEBUG: backtrace:
03-21 16:40:30.006 686-686/? A/DEBUG:     #00 pc 0000000000069574  /system/lib64/libc.so (tgkill+8)
03-21 16:40:30.006 686-686/? A/DEBUG:     #01 pc 0000000000066d04  /system/lib64/libc.so (pthread_kill+68)
03-21 16:40:30.006 686-686/? A/DEBUG:     #02 pc 0000000000023878  /system/lib64/libc.so (raise+28)
03-21 16:40:30.006 686-686/? A/DEBUG:     #03 pc 000000000001e018  /system/lib64/libc.so (abort+60)
03-21 16:40:30.006 686-686/? A/DEBUG:     #04 pc 0000000000079d24  /data/app/com.sanfengandroid.datafilter-1/lib/arm/libhookl64.so (get_orig___system_property_read_callback+120)
03-21 16:40:30.006 686-686/? A/DEBUG:     #05 pc 0000000000079df8  /data/app/com.sanfengandroid.datafilter-1/lib/arm/libhookl64.so (__system_property_read_callback+192)
03-21 16:40:30.007 686-686/? A/DEBUG:     #06 pc 000000000000e8e8  /data/app/io.github.vvb2060.magiskdetector-2/base.apk (offset 0x1000)
03-21 16:40:30.007 686-686/? A/DEBUG:     #07 pc 0000000000025c70  /system/lib64/libc.so (_ZL16foreach_propertyP7prop_btPFvPK9prop_infoPvES4_+172)
03-21 16:40:30.007 686-686/? A/DEBUG:     #08 pc 0000000000025cb8  /system/lib64/libc.so (_ZL16foreach_propertyP7prop_btPFvPK9prop_infoPvES4_+244)
03-21 16:40:30.007 686-686/? A/DEBUG:     #09 pc 0000000000025c28  /system/lib64/libc.so (_ZL16foreach_propertyP7prop_btPFvPK9prop_infoPvES4_+100)
03-21 16:40:30.007 686-686/? A/DEBUG:     #10 pc 0000000000025c28  /system/lib64/libc.so (_ZL16foreach_propertyP7prop_btPFvPK9prop_infoPvES4_+100)
03-21 16:40:30.007 686-686/? A/DEBUG:     #11 pc 0000000000025c28  /system/lib64/libc.so (_ZL16foreach_propertyP7prop_btPFvPK9prop_infoPvES4_+100)
03-21 16:40:30.007 686-686/? A/DEBUG:     #12 pc 0000000000025cb8  /system/lib64/libc.so (_ZL16foreach_propertyP7prop_btPFvPK9prop_infoPvES4_+244)
03-21 16:40:30.007 686-686/? A/DEBUG:     #13 pc 000000000000e6f0  /data/app/io.github.vvb2060.magiskdetector-2/base.apk (offset 0x1000)
03-21 16:40:30.007 686-686/? A/DEBUG:     #14 pc 00000000005ce958  /data/app/io.github.vvb2060.magiskdetector-2/oat/arm64/base.odex (offset 0x219000) (java.lang.String io.github.vvb2060.magiskdetector.Native.getPropsHash()+124)
03-21 16:40:30.007 686-686/? A/DEBUG:     #15 pc 00000000005cc348  /data/app/io.github.vvb2060.magiskdetector-2/oat/arm64/base.odex (offset 0x219000) (int io.github.vvb2060.magiskdetector.MainActivity.props()+2060)
03-21 16:40:30.007 686-686/? A/DEBUG:     #16 pc 00000000005ce5a4  /data/app/io.github.vvb2060.magiskdetector-2/oat/arm64/base.odex (offset 0x219000) (void io.github.vvb2060.magiskdetector.MainActivity.onStart()+760)
03-21 16:40:30.008 686-686/? A/DEBUG:     #17 pc 0000000073018a88  /data/dalvik-cache/arm64/system@framework@boot.oat (offset 0x2274000)
03-21 16:40:30.181 686-686/? A/DEBUG: Tombstone written to: /data/tombstones/tombstone_05
03-21 16:40:30.181 686-686/? E/DEBUG: AM write failed: Broken pipe
hwangjr commented 3 years ago

Modifying https://github.com/sanfengAndroid/FakeXposed/blob/main/app/src/main/cpp/hook/hook_properties.cpp as follows, everything seems to go OK:

```cpp
...

#if __ANDROID_API__ >= __ANDROID_API_O__
// Map each caller's cookie to its real callback so the trampoline below can
// find it again once libc invokes it.
std::map<void *, void (*)(void *, const char *, const char *, uint32_t)> callbacks;

// Trampoline handed to libc in place of the caller's callback: rewrites the
// property value before passing it on to the original callback.
static void handle_system_property(void *cookie, const char *name, const char *value, uint32_t serial) {
    void (*callback)(void *, const char *, const char *, uint32_t) = callbacks[cookie];
    const char *new_value = FXHandler::PropertyReplace(name, value);
    callback(cookie, name, new_value == nullptr ? value : new_value, serial);
}

FUN_INTERCEPT HOOK_DEF(void, __system_property_read_callback,
                       const prop_info *pi,
                       void (*callback)(void *__cookie, const char *__name, const char *__value, uint32_t __serial),
                       void *cookie) __INTRODUCED_IN(26) {
//    LOGMV("prop_info: %p, cookie: %p", pi, cookie);
    if (cookie == nullptr) {
        // No cookie to key the map on: pass the call through untouched.
        get_orig___system_property_read_callback()(pi, callback, cookie);
        return;
    }
    callbacks[cookie] = callback;
    get_orig___system_property_read_callback()(pi, handle_system_property, cookie);
}
#endif
```
hwangjr commented 3 years ago

If OK, I can make a pull request. @sanfengAndroid

sanfengAndroid commented 3 years ago

The hook module only distinguishes between Android 7 and above, and cannot use the __ANDROID_API__ macro definition.

sanfengAndroid commented 3 years ago

The libc.so in official 6.0 does not contain the __system_property_read_callback function; please do not call it below Android 8.0. This situation may occur because the app itself implemented it and was intercepted by us by mistake. You can check whether the exported symbol is included in the app's dynamic library.

hwangjr commented 3 years ago

I think this may be causing the crash; here is the code: https://github.com/vvb2060/MagiskDetector/blob/master/app/src/main/jni/vvb2060.c#L178


```c
// NOLINTNEXTLINE
// Weak declaration: if the loaded libc does not define this symbol, its
// address is NULL at runtime instead of failing to link.
void __system_property_read_callback(const prop_info *pi,
                                     void (*callback)(void *cookie, const char *name,
                                                      const char *value, uint32_t serial),
                                     void *cookie) __attribute__((weak));

...

static void callback(const prop_info *info, void *cookie) {
    // Non-NULL only when some loaded library exports the symbol
    // (libc on API 26+, or anything else injected into the process).
    if (&__system_property_read_callback) {
        __system_property_read_callback(info, &read_callback, cookie);
    } else {
        // Older libc: fall back to the pre-API-26 read API.
        char name[PROP_NAME_MAX];
        char value[PROP_VALUE_MAX];
        __system_property_read(info, name, value);
        hash(cookie, name, value);
    }
}
```
sanfengAndroid commented 3 years ago

Indeed, it uses a weak reference here, which should not actually be intercepted.
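
The check suggested above (whether the app's own native library imports `__system_property_read_callback`, and how), as an added example that is not part of this thread nor code from FakeXposed or MagiskDetector. It is a small `.dynsym` scanner for little-endian ELF64 shared objects: it lists every function the library references only weakly, which is exactly the set of symbols whose resolution a hook library changes merely by exporting them. The ELF bytes it runs on are constructed inline with `build_sample_elf` (a helper written for this example) to mirror what the weak declaration in vvb2060.c produces; `sample_exported_func` is a hypothetical name used only to show a defined export.

```python
"""Scan an ELF64 shared object's .dynsym for weak, undefined imports.

A weak import such as __system_property_read_callback resolves to NULL on
a libc that lacks it, so the app takes its fallback path. Once a hook
library exporting that name is loaded into the process, the weak reference
binds to the hook instead, the app calls it, and the hook then fails to
locate an original that does not exist. This scanner shows which symbols a
target library treats as optional in that way.
"""
import struct
import sys
from dataclasses import dataclass

# ELF constants (System V ABI); only little-endian ELF64 is handled here.
SHT_STRTAB, SHT_DYNSYM = 3, 11
SHN_UNDEF = 0
STB_GLOBAL, STB_WEAK = 1, 2
STT_FUNC = 2
EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
SHDR = "<IIQQQQIIQQ"         # Elf64_Shdr, 64 bytes
SYM = "<IBBHQQ"              # Elf64_Sym, 24 bytes


@dataclass
class DynSym:
    name: str
    bind: int      # STB_* value from the high nibble of st_info
    stype: int     # STT_* value from the low nibble of st_info
    shndx: int     # SHN_UNDEF means the symbol is imported, not defined

    @property
    def undefined(self) -> bool:
        return self.shndx == SHN_UNDEF


def _cstr(blob: bytes, off: int) -> str:
    return blob[off:blob.index(b"\0", off)].decode()


def dynsyms(elf: bytes) -> list:
    """Return every non-null entry of the .dynsym section(s)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is supported")
    hdr = struct.unpack_from(EHDR, elf, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [struct.unpack_from(SHDR, elf, shoff + i * shentsize) for i in range(shnum)]
    out = []
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:
            continue
        strtab = shdrs[sh[6]]                       # sh_link -> associated .dynstr
        strblob = elf[strtab[4]:strtab[4] + strtab[5]]
        entsize = sh[9] or struct.calcsize(SYM)
        for i in range(1, sh[5] // entsize):        # index 0 is the null symbol
            st_name, st_info, _, st_shndx, _, _ = struct.unpack_from(SYM, elf, sh[4] + i * entsize)
            out.append(DynSym(_cstr(strblob, st_name), st_info >> 4, st_info & 0xF, st_shndx))
    return out


def classify(elf: bytes, name: str) -> str:
    """'weak-import', 'import', 'export' or 'absent' for one symbol name."""
    for s in dynsyms(elf):
        if s.name != name:
            continue
        if not s.undefined:
            return "export"
        return "weak-import" if s.bind == STB_WEAK else "import"
    return "absent"


def weak_imports(elf: bytes) -> list:
    """Names the library only references weakly; exporting one of them from a hook changes its control flow."""
    return sorted(s.name for s in dynsyms(elf) if s.undefined and s.bind == STB_WEAK)


def build_sample_elf(symbols) -> bytes:
    """Constructed minimal ELF64 (ET_DYN, aarch64) holding only .dynsym, .dynstr and .shstrtab.
    symbols: iterable of (name, bind, shndx); shndx 0 marks an undefined (imported) symbol."""
    dynstr, names = b"\0", {}
    for name, _, _ in symbols:
        names[name] = len(dynstr)
        dynstr += name.encode() + b"\0"
    dynsym = struct.pack(SYM, 0, 0, 0, 0, 0, 0)
    for name, bind, shndx in symbols:
        dynsym += struct.pack(SYM, names[name], (bind << 4) | STT_FUNC, 0, shndx,
                              0x1000 if shndx else 0, 0)
    shstrtab = b"\0.dynsym\0.dynstr\0.shstrtab\0"
    off_sym = struct.calcsize(EHDR)
    off_str = off_sym + len(dynsym)
    off_shs = off_str + len(dynstr)
    off_sh = off_shs + len(shstrtab)
    shdrs = b"".join([
        struct.pack(SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        struct.pack(SHDR, 1, SHT_DYNSYM, 2, 0, off_sym, len(dynsym), 2, 1, 8, 24),
        struct.pack(SHDR, 9, SHT_STRTAB, 2, 0, off_str, len(dynstr), 0, 0, 1, 0),
        struct.pack(SHDR, 17, SHT_STRTAB, 0, 0, off_shs, len(shstrtab), 0, 0, 1, 0),
    ])
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(EHDR, ident, 3, 183, 1, 0, 0, off_sh, 0, 64, 0, 0, 64, 4, 3)
    return ehdr + dynsym + dynstr + shstrtab + shdrs


# Constructed sample modelled on the declarations in vvb2060.c.
SAMPLE_ELF = build_sample_elf([
    ("__system_property_read_callback", STB_WEAK, SHN_UNDEF),   # weak, as in vvb2060.c
    ("__system_property_read", STB_GLOBAL, SHN_UNDEF),          # ordinary libc import
    ("sample_exported_func", STB_GLOBAL, 7),                    # hypothetical defined export
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ELF
    for s in dynsyms(data):
        print(f"{s.name:40s} bind={s.bind} {'UND' if s.undefined else s.shndx}")
    print("weak imports:", weak_imports(data))
```

Run it with the path of the app's native library extracted from the APK to get the real list; `readelf --dyn-syms -W` on the same file shows the same entries with `WEAK` and `UND` in its binding and index columns. Libraries that have had their section headers stripped will raise or return nothing here, since this example walks section headers rather than `PT_DYNAMIC`; that is a known limitation of this scanner, not of the check itself.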

sanfengAndroid commented 3 years ago

This cannot be changed for the time being; the __system_property_read_callback symbol will not be used below the more common Android 8.

hwangjr commented 3 years ago

OK, so maybe you can provide the code snippet to fix this issue here? Someone like me may need this in some cases. Thanks a lot.

sanfengAndroid commented 3 years ago

Fixing it is still a bit tricky; the easiest way is to comment out the method and repackage it. This is applicable to Android 8 and below.

```cpp
//FUN_INTERCEPT HOOK_DEF(void, __system_property_read_callback,
//                       const prop_info *pi,
//                       void (*callback)(void *__cookie, const char *__name, const char *__value, uint32_t __serial),
//                       void *cookie) __INTRODUCED_IN(26) {
////    LOGMV("prop_info: %p, cookie: %p", pi, cookie);
//    if (cookie == nullptr) {
//        get_orig___system_property_read_callback()(pi, callback, cookie);
//        return;
//    }
//    callbacks[cookie] = callback;
//    get_orig___system_property_read_callback()(pi, handle_system_property, cookie);
//}
```
hwangjr commented 3 years ago

OK, thanks a lot.