Failed to hook fopen on Android 10 arm64
backtrace:
#00 pc 000000000001d5c4 libzhiliao.so (GenRelocateCodeAndBranch(void*, MemoryChunk*, MemoryChunk*)+180) (BuildId: 93a4a205012b0f3803d44066d51316cf808097ad)
#01 pc 0000000000017fc0 libzhiliao.so (InterceptRouting::GenerateRelocatedCode()+192) (BuildId: 93a4a205012b0f3803d44066d51316cf808097ad)
#02 pc 0000000000019eb0 libzhiliao.so (FunctionInlineReplaceRouting::BuildReplaceRouting()+136) (BuildId: 93a4a205012b0f3803d44066d51316cf808097ad)
#03 pc 0000000000019e18 libzhiliao.so (FunctionInlineReplaceRouting::Dispatch()+56) (BuildId: 93a4a205012b0f3803d44066d51316cf808097ad)
#04 pc 000000000001763c libzhiliao.so (DobbyHook+500) (BuildId: 93a4a205012b0f3803d44066d51316cf808097ad)
2021-03-17 21:38:18.715 23332-23332/com.shatyuka.zhiliao I/Dobby: [*] [DobbyHook] Initialize at 0x78df27bfa0
2021-03-17 21:38:18.715 23332-23332/com.shatyuka.zhiliao I/Dobby: [*] ================ FunctionInlineReplaceRouting Start ================
2021-03-17 21:38:18.715 23332-23332/com.shatyuka.zhiliao I/Dobby: [*] [trampoline] Generate trampoline buffer 0x78df27bfa0 -> 0x77ea5852cc
--------- beginning of crash
2021-03-17 21:38:18.715 23332-23332/com.shatyuka.zhiliao A/libc: Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x78df27bfa0 in tid 23332 (hatyuka.zhiliao), pid 23332 (hatyuka.zhiliao)
DobbyHook((void*)fopen, (void*)fake_fopen, (void**)&orig_fopen);
你好,这个问题解决了吗
你好,这个问题解决了吗
mprotect
有什么解决办法啊,我试了SandHook在Android10也不行
请问mprotect这个要怎么修改?
请问mprotect这个要怎么修改?
https://github.com/shatyuka/Zhiliao/blob/master/app/src/main/cpp/zhiliao.cpp
感谢回复,修改后,还是一样的崩溃=。=
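/*
 * Workaround from this thread for the SIGSEGV (SEGV_ACCERR) that DobbyHook
 * raised on fopen: the fault address in the crash log equals the hook target,
 * and the backtrace is inside Dobby's code-relocation step. Re-protecting the
 * page that holds the target before hooking avoids that access fault.
 * NOTE(review): presumably the libc text page is mapped execute-only on this
 * Android 10 arm64 device - confirm by checking the mapping's permissions.
 *
 * Security caveat: this leaves a page of libc mapped read+write+execute for
 * the rest of the process lifetime, which gives up W^X for that page. Request
 * only the permissions the hook actually needs, and restore the original
 * protection once the hook is installed if Dobby allows it - TODO confirm.
 */
void *addr = (void *)DobbySymbolResolver(NULL, "fopen");
LOGI("addr = %p", addr);
if (addr == NULL) {
    /* Symbol was not resolved: there is no page to re-protect and nothing to hook. */
    LOGI("fopen not resolved, hook skipped");
    return;
}

int PageSize = (int)sysconf(_SC_PAGE_SIZE);
LOGI("PageSize = %d", PageSize);
if (PageSize <= 0) {
    /* sysconf reports failure as -1; a zero size would also break the mask below. */
    LOGI("PageSize == -1 error");
    return;
}

/*
 * Round the target down to its page boundary; mprotect requires a page-aligned
 * start. The pointer-sized unsigned cast avoids a width mismatch on 32-bit ABIs.
 */
void *page_start = (void *)((unsigned long)addr & ~((unsigned long)PageSize - 1));
LOGI("page_start = %p", page_start);

/*
 * NOTE(review): only the single page containing addr is changed. If the bytes
 * Dobby reads or patches run past the end of this page, the following page
 * needs the same treatment - verify against the trampoline size.
 */
int ret = mprotect(page_start, PageSize, PROT_READ | PROT_WRITE | PROT_EXEC);
LOGI("ret = %d", ret);
if (ret != 0) {
    /*
     * Best effort: the hook is still attempted because the page may already be
     * accessible, but a failure here means the original crash can recur.
     */
    LOGI("mprotect failed, DobbyHook may still fault on this page");
}

DobbyHook((void *)addr, (void *)fake_fopen, (void **)&orig_fopen);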
/*
 * Same workaround as posted earlier in the thread, laid out one statement per
 * line: resolve fopen, make its page read/write/execute, then install the hook.
 * NOTE(review): the mprotect result is only logged, never acted on, and the
 * page stays RWX after the hook is installed - both are worth revisiting.
 */
void *addr = (void *)DobbySymbolResolver(NULL, "fopen");
LOGI("addr = %p", addr);

int PageSize = sysconf(_SC_PAGE_SIZE);
LOGI("PageSize = %d", PageSize);
if (PageSize == -1) {
    /* sysconf could not report the page size, so no alignment is possible. */
    LOGI("PageSize == -1 error");
    return;
}

/* Strip the in-page offset so the address handed to mprotect is page-aligned. */
long long target_bits = (long long)addr;
long long in_page_offset = target_bits & (PageSize - 1);
void *page_start = (void *)(target_bits - in_page_offset);
LOGI("page_start = %p", page_start);

int ret = mprotect(page_start, PageSize, PROT_READ | PROT_WRITE | PROT_EXEC);
LOGI("ret = %d", ret);

DobbyHook((void *)addr, (void *)fake_fopen, (void **)&orig_fopen);
非常感谢,解决了~
都应该感谢楼主~~
void* addr = (void *)DobbySymbolResolver(NULL, "fopen"); LOGI("addr = %p",addr);
int PageSize = sysconf(_SC_PAGE_SIZE); LOGI("PageSize = %d",PageSize); if(PageSize == -1){ LOGI("PageSize == -1 error"); return; } void * page_start = (void*)((long long)addr & ~(PageSize-1)); LOGI("page_start = %p",page_start); //addr &= ~PMD_MASK; int ret = mprotect(page_start, PageSize, PROT_READ | PROT_WRITE | PROT_EXEC); LOGI("ret = %d",ret); DobbyHook((void *)addr, (void *)fake_fopen, (void **)&orig_fopen);非常感谢,解决了~
都应该感谢楼主~~