Crash when demoApp change to release #58

Closed
Code89757 opened this issue Jun 6, 2018 · 2 comments

Comments


Code89757 commented Jun 6, 2018

Debug mode works fine, but after switching to Release mode and signing the build, tapping the button causes a crash.

06-06 17:38:05.624 32321-32321/lab.galaxy.yahfa.demoApp E/origin: call Log.e()
06-06 17:38:05.627 32321-32321/lab.galaxy.yahfa.demoApp A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x80001131cd178 in tid 32321 (y.yahfa.demoApp), pid 32321 (y.yahfa.demoApp)
06-06 17:38:05.674 32733-32733/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
    Build fingerprint: 'google/angler/angler:8.1.0/OPM3.171019.013/4499252:user/release-keys'
    Revision: '0'
    ABI: 'arm64'
    pid: 32321, tid: 32321, name: y.yahfa.demoApp  >>> lab.galaxy.yahfa.demoApp <<<
    signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x80001131cd178
        x0   00000072ace02108  x1   0000000012d80da0  x2   0000000070924678  x3   0000000070925498
        x4   0000000070925c78  x5   0000000070927668  x6   0000000000000002  x7   7f7f7f7f7f7f7f7f
        x8   0000000000000030  x9   00000072b0736000  x10  00000072ae57da5b  x11  000000722baf9a30
        x12  000000722baf9a78  x13  000000722baf9ac0  x14  000000722baf9b20  x15  0000000000000000
        x16  08080001131cd178  x17  0000000000000000  x18  0000000000000010  x19  000000722bcbea00
        x20  0000000000000000  x21  000000722bcbea00  x22  0000007fc0ebfbbc  x23  00000072ae57da55
        x24  0000000000000014  x25  00000072b0921a40  x26  000000722bcbeaa0  x27  0000000000000005
        x28  0000000000000002  x29  0000007fc0ebf9e8  x30  000000722baf9b8c
        sp   0000007fc0ebf9c0  pc   00080001131cd178  pstate 0000000080000000
06-06 17:38:06.059 32733-32733/? A/DEBUG: backtrace:
        #00 pc 00080001131cd178  <unknown>
        #01 pc 000000000054ab88  /system/lib64/libart.so (art_quick_invoke_stub+584)
        #02 pc 00000000000dc594  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+204)
        #03 pc 000000000029b49c  /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
        #04 pc 0000000000295a90  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+700)
        #05 pc 0000000000532ad8  /system/lib64/libart.so (MterpInvokeVirtual+652)
        #06 pc 000000000053c914  /system/lib64/libart.so (ExecuteMterpImpl+14228)
        #07 pc 0000000000275c00  /system/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+444)
        #08 pc 000000000027b7cc  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+216)
        #09 pc 0000000000295a70  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+668)
        #10 pc 0000000000533ab8  /system/lib64/libart.so (MterpInvokeInterface+1576)
        #11 pc 000000000053cb14  /system/lib64/libart.so (ExecuteMterpImpl+14740)
        #12 pc 0000000000275c00  /system/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+444)
        #13 pc 000000000027b7cc  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+216)
        #14 pc 0000000000295a70  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+668)
        #15 pc 0000000000532ad8  /system/lib64/libart.so (MterpInvokeVirtual+652)
        #16 pc 000000000053c914  /system/lib64/libart.so (ExecuteMterpImpl+14228)
        #17 pc 0000000000275c00  /system/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+444)
        #18 pc 000000000027b7cc  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+216)
        #19 pc 0000000000295a70  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+668)
        #20 pc 0000000000533ab8  /system/lib64/libart.so (MterpInvokeInterface+1576)
        #21 pc 000000000053cb14  /system/lib64/libart.so (ExecuteMterpImpl+14740)
        #22 pc 0000000000275c00  /system/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+444)
        #23 pc 000000000027b7cc  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+216)
        #24 pc 0000000000295a70  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+668)
        #25 pc 0000000000533f50  /system/lib64/libart.so (MterpInvokeStatic+264)
        #26 pc 000000000053ca94  /system/lib64/libart.so (ExecuteMterpImpl+14612)
        #27 pc 0000000000275c00  /system/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+444)
06-06 17:38:06.060 32733-32733/? A/DEBUG:     #28 pc 000000000027b7cc  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+216)
        #29 pc 0000000000295a70  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+668)
        #30 pc 0000000000532ad8  /system/lib64/libart.so (MterpInvokeVirtual+652)
        #31 pc 000000000053c914  /system/lib64/libart.so (ExecuteMterpImpl+14228)
        #32 pc 0000000000275c00  /system/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+444)
        #33 pc 000000000027b7cc  /system/lib64/libart.so (art::interpreter::ArtInterpreterToInterpreterBridge(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame*, art::JValue*)+216)
        #34 pc 0000000000295a70  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+668)
        #35 pc 0000000000533f50  /system/lib64/libart.so (MterpInvokeStatic+264)
        #36 pc 000000000053ca94  /system/lib64/libart.so (ExecuteMterpImpl+14612)
        #37 pc 0000000000275c00  /system/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+444)
        #38 pc 0000000000525450  /system/lib64/libart.so (artQuickToInterpreterBridge+1052)
        #39 pc 0000000000553d0c  /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
        #40 pc 000000000054ae4c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
        #41 pc 00000000000dc5d0  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+264)
        #42 pc 000000000046edc8  /system/lib64/libart.so (art::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::ArgArray*, art::JValue*, char const*)+100)
        #43 pc 000000000047096c  /system/lib64/libart.so (art::InvokeMethod(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jobject*, _jobject*, unsigned long)+1456)
        #44 pc 00000000003f4184  /system/lib64/libart.so (art::Method_invoke(_JNIEnv*, _jobject*, _jobject*, _jobject*)+48)
        #45 pc 0000000000260f34  /system/framework/arm64/boot.oat (offset 0x1da000) (java.lang.Class.getDeclaredMethodInternal [DEDUPED]+180)
        #46 pc 000000000054ab88  /system/lib64/libart.so (art_quick_invoke_stub+584)
        #47 pc 00000000000dc594  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+204)
        #48 pc 000000000029b49c  /system/lib64/libart.so (art::interpreter::ArtInterpreterToCompiledCodeBridge(art::Thread*, art::ArtMethod*, art::ShadowFrame*, unsigned short, art::JValue*)+344)
        #49 pc 0000000000295a90  /system/lib64/libart.so (_ZN3art11interpreter6DoCallILb0ELb0EEEbPNS_9ArtMethodEPNS_6ThreadERNS_11ShadowFrameEPKNS_11InstructionEtPNS_6JValueE+700)
        #50 pc 0000000000532ad8  /system/lib64/libart.so (MterpInvokeVirtual+652)
        #51 pc 000000000053c914  /system/lib64/libart.so (ExecuteMterpImpl+14228)
        #52 pc 0000000000275c00  /system/lib64/libart.so (art::interpreter::Execute(art::Thread*, art::DexFile::CodeItem const*, art::ShadowFrame&, art::JValue, bool)+444)
        #53 pc 0000000000525450  /system/lib64/libart.so (artQuickToInterpreterBridge+1052)
        #54 pc 0000000000553d0c  /system/lib64/libart.so (art_quick_to_interpreter_bridge+92)
        #55 pc 0000000001648894  /system/framework/arm64/boot-framework.oat (offset 0x611000) (com.android.internal.os.ZygoteInit.main+2900)
        #56 pc 000000000054ae4c  /system/lib64/libart.so (art_quick_invoke_static_stub+604)
        #57 pc 00000000000dc5d0  /system/lib64/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+264)
        #58 pc 000000000046edc8  /system/lib64/libart.so (art::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::ArgArray*, art::JValue*, char const*)+100)
        #59 pc 000000000046e9ec  /system/lib64/libart.so (art::InvokeWithVarArgs(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, std::__va_list)+412)
        #60 pc 0000000000375428  /system/lib64/libart.so (art::JNI::CallStaticVoidMethodV(_JNIEnv*, _jclass*, _jmethodID*, std::__va_list)+612)
        #61 pc 00000000000a6da4  /system/lib64/libandroid_runtime.so (_JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...)+120)
        #62 pc 00000000000a9518  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::start(char const*, android::Vector<android::String8> const&, bool)+836)
        #63 pc 0000000000002440  /system/bin/app_process64 (main+1328)
06-06 17:38:06.405 3510-3510/? E//system/bin/tombstoned: Tombstone written to: /data/tombstones/tombstone_03
06-06 17:38:06.427 428-428/? E/lowmemorykiller: Error writing /proc/32321/oom_score_adj; errno=22
Code89757 (Author) commented

File: trampoline.c, line 129

```c
#elif defined(__aarch64__)
    switch (SDKVersion) {
        case ANDROID_O:
            trampoline1[13] = '\x14'; //10 14 40 f9 ; ldr x16, [x0, #40]
            break;
```

This code also leaves out ANDROID_O2; was that intentional?
After I added it, everything worked.
When I changed the way the hook is loaded,

```java
Class[] pareTyple = {Object.class, String.class, String.class, String.class, String.class};
obj_class = Class.forName("lab.galaxy.yahfa.internalPlugin.Hook_ClassWithVirtualMethod_tac");
hook = obj_class.getMethod("hook", pareTyple);
backup = obj_class.getMethod("origin", pareTyple);

obj_class = Class.forName("lab.galaxy.yahfa.demoApp.ClassWithVirtualMethod");
HookMain.findAndBackupAndHook(
        obj_class,
        "tac",
        "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;",
        hook,
        backup
);
```

I found that when hook calls origin, the origin method is not found.

```java
public static String hook(Object thiz, String a, String b, String c, String d) {
    Log.w("YAHFA", "in ClassWithVirtualMethod.tac(): "+a+", "+b+", "+c+", "+d);
    return origin(thiz, a, b, c, d);
}

public static String origin(Object thiz, String a, String b, String c, String d) {
    Log.w("YAHFA", "ClassWithVirtualMethod.tac() should not be here");
    return "";
}
```
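An added example (not YAHFA's code) of the per-SDK trampoline patch shown in the reporter's trampoline.c excerpt, written to fail closed: it encodes the AArch64 `ldr x16, [x0, #off]` whose second byte is the `'\x14'` written at trampoline1[13] for offset 40, and refuses an SDK level missing from its table instead of leaving a stale load in place. The trampoline layout, the API-level numbers behind ANDROID_O / ANDROID_O2, and the helper names are assumptions.

```c
#include <stdint.h>

/* YAHFA's SDK level names; the numeric API levels 26 / 27 are assumed here. */
enum { ANDROID_O = 26, ANDROID_O2 = 27 };

/* Encode AArch64 "ldr x16, [x0, #off]" (LDR immediate, unsigned offset,
 * 64-bit): bits 31..22 = 0b1111100101, imm12 = off / 8, Rn = x0, Rt = x16.
 * Returns 0 when off is not encodable (must be a multiple of 8, < 32768). */
uint32_t encode_ldr_x16_x0(unsigned off) {
    if (off % 8 != 0 || off >= 32768) return 0;
    return 0xF9400000u | ((off / 8) << 10) | 16u;
}

/* Offset of the ArtMethod field the trampoline loads the entry point from.
 * Only ANDROID_O (40, from the issue's "ldr x16, [x0, #40]") comes from the
 * page; the reporter's fix adds ANDROID_O2 to that case. Anything else is
 * deliberately unhandled and reported as -1 instead of silently defaulting. */
int entry_point_offset(int sdk) {
    switch (sdk) {
        case ANDROID_O: return 40;
        default:        return -1;
    }
}

/* Constructed stand-in for the trampoline template (not YAHFA's real bytes):
 * the "ldr x16, [x0, #imm]" occupies bytes 12..15, so byte 13 is the one the
 * issue's trampoline1[13] = '\x14' patch writes by hand. */
#define LDR_INDEX 12
#define TRAMPOLINE_LEN 20

/* Rewrite the load offset for sdk. Returns 0 on success, -1 when the level is
 * not in the table: refusing keeps the hook from being installed with an ldr
 * that reads the wrong field and branches through x16 to a garbage address,
 * the failure mode behind the SIGSEGV in the tombstone above. */
int patch_trampoline(uint8_t *tramp, int sdk) {
    int off = entry_point_offset(sdk);
    if (off < 0) return -1;
    uint32_t insn = encode_ldr_x16_x0((unsigned)off);
    if (insn == 0) return -1;
    for (int i = 0; i < 4; i++)            /* little-endian instruction bytes */
        tramp[LDR_INDEX + i] = (uint8_t)(insn >> (8 * i));
    return 0;
}

/* Patch a fresh constructed trampoline and return byte 13, or -1 if refused. */
int patched_byte13_for(int sdk) {
    uint8_t tramp[TRAMPOLINE_LEN] = {0};
    if (patch_trampoline(tramp, sdk) != 0) return -1;
    return tramp[LDR_INDEX + 1];
}
```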


rk700 (Member) commented Jul 3, 2018

The ANDROID_O2 problem is the same as #56.
