This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

Running a Unity app on the Nox (夜神) emulator, hooking libunity.so #22

Closed
CrazyStormer opened this issue Dec 17, 2021 · 4 comments

Comments

@CrazyStormer

CrazyStormer commented Dec 17, 2021

I am currently running bhook on the Nox emulator 7.0.0.8 (32-bit) and hooking libunity's fseek function, or other functions such as fopen. Calling bytehook_init alone works fine, but as soon as I call bytehook_hook_single to hook a function, it reports that the hook succeeded, and then the app crashes:
2021-12-17 12:12:00.127 5510-5510/? A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0xfff33011 in tid 5510 (xxx.xxx.xxx)
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: Build fingerprint: 'samsung/dream2qltezh/dream2qltechn:7.1/N2G48H/G9550ZHU1AQEE:user/release-keys'
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: Revision: '12'
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: ABI: 'x86'
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: pid: 5510, tid: 5510, name: xxx.xxx.xxx >>> xxx.xxx.xxx <<<
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xfff33011
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: eax f66d4127 ebx 98724ff4 ecx 00000001 edx fff32e99
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: esi 989a720c edi fff32e99
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: xcs 00000073 xds 0000007b xes 0000007b xfs 0000003b xss 0000007b
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: eip 984fa373 ebp 988c67e4 esp bfa9c334 flags 00010282
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: backtrace:
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: #00 pc 00238373 /system/lib/libhoudini.so

My app is built only for arm32 and arm64, not x86, so on the emulator it should be running the arm32 build. This is probably caused by libhoudini.so's binary translation. However, your demo, also built only for arm32 and arm64, runs on the emulator without any problem.

@CrazyStormer
Author

Running on a real device, there is no problem at all.

@CrazyStormer
Author

CrazyStormer commented Dec 18, 2021

2021-12-18 14:35:43.629 2174-2360/? I/ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.example.mylibrarytest/com.example.mylibrary.MainActivity bnds=[934,368][1202,522]} from uid 1000 on display 0
2021-12-18 14:35:43.632 2607-2607/? W/ContextImpl: Calling a method in the system process without a qualified user: android.app.ContextImpl.sendBroadcast:892 android.content.ContextWrapper.sendBroadcast:426 com.vphone.launcher.Stats.recordLaunch:129 com.vphone.launcher.Launcher.b:3322 com.vphone.launcher.Launcher.onClickAppShortcut:3260

--------- beginning of main

2021-12-18 14:35:43.632 2174-2764/? E/ActivityManager: Sending non-protected broadcast com.vphone.launcher.action.LAUNCH from system 2607:com.vphone.launcher/1000 pkg com.vphone.launcher
java.lang.Throwable
at com.android.server.am.ActivityManagerService.checkBroadcastFromSystem(ActivityManagerService.java:17987)
at com.android.server.am.ActivityManagerService.broadcastIntentLocked(ActivityManagerService.java:18573)
at com.android.server.am.ActivityManagerService.broadcastIntent(ActivityManagerService.java:18667)
at android.app.ActivityManagerNative.onTransact(ActivityManagerNative.java:499)
at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2809)
at android.os.Binder.execTransact(Binder.java:565)
2021-12-18 14:35:43.648 2607-2607/? W/ResourceType: No package identifier when getting name for resource number 0x0000000e
2021-12-18 14:35:43.662 1878-1878/? E/Zygote: Not whitelisted : /dev/ccid_ctrl
2021-12-18 14:35:43.665 5314-5314/? E/libnb: load libnb
2021-12-18 14:35:43.665 5314-5314/? D/houdini: [5314] Initialize library(version: 7.1.1b_x.49852 RELEASE)... successfully.
2021-12-18 14:35:43.666 5314-5314/? W/art: Unexpected CPU variant for X86 using defaults: x86
2021-12-18 14:35:43.672 2174-2580/? I/ActivityManager: Start proc 5314:com.example.mylibrarytest/u0a50 for activity com.example.mylibrarytest/com.example.mylibrary.MainActivity
2021-12-18 14:35:43.709 5314-5314/? D/houdini: [5314] Added shared library /data/app/com.example.mylibrarytest-1/lib/arm/libmain.so for ClassLoader by Native Bridge.
2021-12-18 14:35:43.798 5314-5337/? D/NetworkSecurityConfig: No Network Security Config specified, using platform default
2021-12-18 14:35:43.799 5314-5314/? D/houdini: [5314] Added shared library /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so for ClassLoader by Native Bridge.
2021-12-18 14:35:43.799 5314-5314/? D/houdini: [5314] Added shared library /data/app/com.example.mylibrarytest-1/lib/arm/libbytehook.so for ClassLoader by Native Bridge.
2021-12-18 14:35:43.799 5314-5314/? D/houdini: [5314] Added shared library /data/app/com.example.mylibrarytest-1/lib/arm/libhacker.so for ClassLoader by Native Bridge.
2021-12-18 14:35:43.799 5314-5314/? I/unity: java层准备调用
2021-12-18 14:35:43.800 5314-5314/? I/bytehook_tag: 这里准备hook libunity.so
2021-12-18 14:35:43.802 5314-5314/? W/bytehook_tag: bytehook init, mode 0, debug 1, return 0
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: DL monitor: pre init
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: DL iterate: iterate by dl_iterate_phdr
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: ELF manager: add 0c000000 /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: ELF manager: add 0c100000 /data/app/com.example.mylibrarytest-1/lib/arm/libmain.so
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: ELF manager: add 0c200000 /system/lib/arm/liblog.so
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: ELF manager: add 0c300000 /system/lib/arm/nb/libm.so
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: ELF manager: add 0c400000 /system/lib/arm/nb/libc.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 0c800000 /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 0c500000 /system/lib/arm/nb/libandroid.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 0c600000 /system/lib/arm/nb/libz.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 0c700000 /system/lib/arm/nb/libEGL.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 04000000 /system/lib/arm/nb/libbinder.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 04100000 /system/lib/arm/nb/libcutils.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 04200000 /system/lib/arm/nb/libutils.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 04300000 /system/lib/arm/nb/libui.so
2021-12-18 14:35:43.804 5314-5314/? I/bytehook_tag: ELF manager: add 04400000 /system/lib/arm/libc++.so
2021-12-18 14:35:43.804 5314-5314/? I/bytehook_tag: ELF manager: add 04500000 /system/lib/arm/libbacktrace.so
2021-12-18 14:35:43.804 5314-5314/? I/bytehook_tag: ELF manager: add 04600000 /system/lib/arm/nb/libhardware.so
2021-12-18 14:35:43.805 5314-5314/? I/bytehook_tag: ELF manager: add 04700000 /system/lib/arm/libsync.so
2021-12-18 14:35:43.805 5314-5314/? I/bytehook_tag: ELF manager: add 04800000 /system/lib/arm/libbase.so
2021-12-18 14:35:43.805 5314-5314/? I/bytehook_tag: ELF manager: add 04900000 /system/lib/arm/libunwind.so
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: ELF manager: add 04a00000 /system/lib/arm/liblzma.so
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: ELF manager: add 04c00000 /data/app/com.example.mylibrarytest-1/lib/arm/libhacker.so
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: trampo block: created at a8c9e000, size 4096
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: trampo: created for GOT c105054 at a8c9e000, size 20 + 8 = 28
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: hook chain: created for GOT c105054, orig func c0005a0
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT c105054, func 4b03045
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: hook chain: verify OK: dlopen in /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.808 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT c105054: c0005a0 -> a8c9e001, dlopen, /data/app/com.example.mylibrarytest-1/lib/arm/libmain.so
2021-12-18 14:35:43.809 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT c105054: + 4b03045, dlopen, /data/app/com.example.mylibrarytest-1/lib/arm/libmain.so
2021-12-18 14:35:43.819 5314-5314/? I/bytehook_tag: trampo: created for GOT ceeeb20 at a8c9e01c, size 20 + 8 = 28
2021-12-18 14:35:43.819 5314-5314/? I/bytehook_tag: hook chain: created for GOT ceeeb20, orig func c0005a0
2021-12-18 14:35:43.819 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT ceeeb20, func 4b03045
2021-12-18 14:35:43.819 5314-5314/? I/bytehook_tag: hook chain: verify OK: dlopen in /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.820 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT ceeeb20: c0005a0 -> a8c9e01d, dlopen, /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.820 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT ceeeb20: + 4b03045, dlopen, /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.824 5314-5314/? I/bytehook_tag: trampo: created for GOT c4c0614 at a8c9e038, size 20 + 8 = 28
2021-12-18 14:35:43.824 5314-5314/? I/bytehook_tag: hook chain: created for GOT c4c0614, orig func c0005a0
2021-12-18 14:35:43.824 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT c4c0614, func 4b03045
2021-12-18 14:35:43.824 5314-5314/? I/bytehook_tag: hook chain: verify OK: dlopen in /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.825 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT c4c0614: c0005a0 -> a8c9e039, dlopen, /system/lib/arm/nb/libc.so
2021-12-18 14:35:43.825 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT c4c0614: + 4b03045, dlopen, /system/lib/arm/nb/libc.so
2021-12-18 14:35:43.828 5314-5314/? I/bytehook_tag: trampo: created for GOT c105068 at a8c9e054, size 20 + 8 = 28
2021-12-18 14:35:43.829 5314-5314/? I/bytehook_tag: hook chain: created for GOT c105068, orig func c000580
2021-12-18 14:35:43.829 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT c105068, func 4b0341d
2021-12-18 14:35:43.829 5314-5314/? I/bytehook_tag: hook chain: verify OK: dlclose in /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.830 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT c105068: c000580 -> a8c9e055, dlclose, /data/app/com.example.mylibrarytest-1/lib/arm/libmain.so
2021-12-18 14:35:43.830 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT c105068: + 4b0341d, dlclose, /data/app/com.example.mylibrarytest-1/lib/arm/libmain.so
2021-12-18 14:35:43.831 5314-5314/? I/bytehook_tag: trampo: created for GOT ceeeb5c at a8c9e070, size 20 + 8 = 28
2021-12-18 14:35:43.831 5314-5314/? I/bytehook_tag: hook chain: created for GOT ceeeb5c, orig func c000580
2021-12-18 14:35:43.831 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT ceeeb5c, func 4b0341d
2021-12-18 14:35:43.831 5314-5314/? I/bytehook_tag: hook chain: verify OK: dlclose in /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.832 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT ceeeb5c: c000580 -> a8c9e071, dlclose, /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.832 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT ceeeb5c: + 4b0341d, dlclose, /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.834 5314-5314/? I/bytehook_tag: trampo: created for GOT c4c0628 at a8c9e08c, size 20 + 8 = 28
2021-12-18 14:35:43.834 5314-5314/? I/bytehook_tag: hook chain: created for GOT c4c0628, orig func c000580
2021-12-18 14:35:43.834 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT c4c0628, func 4b0341d
2021-12-18 14:35:43.834 5314-5314/? I/bytehook_tag: hook chain: verify OK: dlclose in /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.835 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT c4c0628: c000580 -> a8c9e08d, dlclose, /system/lib/arm/nb/libc.so
2021-12-18 14:35:43.835 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT c4c0628: + 4b0341d, dlclose, /system/lib/arm/nb/libc.so
2021-12-18 14:35:43.835 5314-5314/? I/bytehook_tag: DL monitor: post init, OK
2021-12-18 14:35:43.836 5314-5314/? I/bytehook_tag: trampo: created for GOT ceeebf0 at a8c9e0a8, size 20 + 8 = 28
2021-12-18 14:35:43.836 5314-5314/? I/bytehook_tag: hook chain: created for GOT ceeebf0, orig func c477ba0
2021-12-18 14:35:43.836 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT ceeebf0, func 4c0079d
2021-12-18 14:35:43.837 5314-5314/? I/bytehook_tag: hook chain: verify bypass alias-func: fseek in /system/lib/arm/nb/libc.so
2021-12-18 14:35:43.837 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT ceeebf0: c477ba0 -> a8c9e0a9, fseek, /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.837 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT ceeebf0: + 4c0079d, fseek, /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.838 5314-5314/? I/bytehook_tag: >>>>> hooked. status: 0, caller_path_name: /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so, sym_name: fseek
2021-12-18 14:35:43.932 2174-2196/? I/ActivityManager: Displayed com.example.mylibrarytest/com.example.mylibrary.MainActivity: +272ms
2021-12-18 14:35:43.935 5314-5339/? I/bytehook_tag: DL monitor: post dlopen(), filename: libc.so
2021-12-18 14:35:43.935 5314-5339/? I/bytehook_tag: task manager: post dlopen() OK
2021-12-18 14:35:43.935 5314-5339/? I/bytehook_tag: DL iterate: iterate by dl_iterate_phdr

--------- beginning of crash

2021-12-18 14:35:43.935 5314-5339/? A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0xe483e589 in tid 5339 (UnityMain)
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: Build fingerprint: 'samsung/dream2qltezh/dream2qltechn:7.1/N2G48H/G9550ZHU1AQEE:user/release-keys'
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: Revision: '12'
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: ABI: 'x86'
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: pid: 5314, tid: 5339, name: UnityMain >>> com.example.mylibrarytest <<<
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe483e589
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: eax 98808ff4 ebx 98808ff4 ecx 00000000 edx 0000007c
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: esi 98715058 edi e483e589
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: xcs 00000073 xds 0000007b xes 0000007b xfs 0000003b xss 0000007b
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: eip 985cea07 ebp 0000003e esp 93363f40 flags 00010202
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: backtrace:
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: #00 pc 00228a07 /system/lib/libhoudini.so
2021-12-18 14:35:44.119 2174-2193/? I/BootReceiver: Copying /data/tombstones/tombstone_06 to DropBox (SYSTEM_TOMBSTONE)
2021-12-18 14:35:44.119 2174-5347/? W/ActivityManager: Force finishing activity com.example.mylibrarytest/com.example.mylibrary.MainActivity
2021-12-18 14:35:44.125 2174-5347/? E/JavaBinder: !!! FAILED BINDER TRANSACTION !!! (parcel size = 104)
2021-12-18 14:35:44.125 2174-5347/? W/ActivityManager: Exception thrown during pause
android.os.DeadObjectException: Transaction failed on small parcel; remote process probably died
at android.os.BinderProxy.transactNative(Native Method)
at android.os.BinderProxy.transact(Binder.java:615)
at android.app.ApplicationThreadProxy.schedulePauseActivity(ApplicationThreadNative.java:785)
at com.android.server.am.ActivityStack.startPausingLocked(ActivityStack.java:1141)
at com.android.server.am.ActivityStack.finishActivityLocked(ActivityStack.java:3523)
at com.android.server.am.ActivityStack.finishTopRunningActivityLocked(ActivityStack.java:3359)
at com.android.server.am.ActivityStackSupervisor.finishTopRunningActivityLocked(ActivityStackSupervisor.java:1855)
at com.android.server.am.AppErrors.handleAppCrashLocked(AppErrors.java:619)
at com.android.server.am.AppErrors.makeAppCrashingLocked(AppErrors.java:477)
at com.android.server.am.AppErrors.crashApplicationInner(AppErrors.java:353)
at com.android.server.am.AppErrors.crashApplication(AppErrors.java:305)
at com.android.server.am.ActivityManagerService.handleApplicationCrashInner(ActivityManagerService.java:13552)
at com.android.server.am.NativeCrashListener$NativeCrashReporter.run(NativeCrashListener.java:86)
2021-12-18 14:35:44.125 2174-2196/? E/JavaBinder: !!! FAILED BINDER TRANSACTION !!! (parcel size = 60)
2021-12-18 14:35:44.126 1873-1873/? E/lowmemorykiller: Error writing /proc/5314/oom_score_adj; errno=22
2021-12-18 14:35:44.126 2174-2212/? W/InputDispatcher: channel '7388208 com.example.mylibrarytest/com.example.mylibrary.MainActivity (server)' ~ Consumer closed input channel or an error occurred. events=0x9
2021-12-18 14:35:44.126 2174-2212/? E/InputDispatcher: channel '7388208 com.example.mylibrarytest/com.example.mylibrary.MainActivity (server)' ~ Channel is unrecoverably broken and will be disposed!
2021-12-18 14:35:44.129 2174-2764/? I/WindowManager: WIN DEATH: Window{8988523 u0 SurfaceView - com.example.mylibrarytest/com.example.mylibrary.MainActivity}
2021-12-18 14:35:44.130 2174-2184/? I/WindowManager: WIN DEATH: Window{7388208 u0 com.example.mylibrarytest/com.example.mylibrary.MainActivity}

This is the complete log from the Nox emulator; as soon as the hook is installed, it crashes.

@CrazyStormer CrazyStormer changed the title "Running an arm32 app on an x86 emulator" to "Running a Unity app on the Nox emulator, hooking libunity.so" Dec 18, 2021
@shuixi2013

Bro, the emulator translates the code; underneath it is libhoudi.so, so you will have to modify the code yourself.

@CrazyStormer
Author

@shuixi2013 Boss, how should the code be modified? Could you give me a rough direction?

@bytedance bytedance locked and limited conversation to collaborators Mar 4, 2022
@caikelun caikelun converted this issue into discussion #32 Mar 4, 2022
