hook java static method #14

Open
zmxsa opened this issue Nov 21, 2015 · 3 comments

Comments

@zmxsa

zmxsa commented Nov 21, 2015

Hi,
I am trying to hook a static method, but when the original method is invoked, some exceptions are thrown. The example is as follows.

Java static method: Lexample;->test()V

My hook method:
void sb_test(JNIEnv *env) {
    dalvik_prepare(&d, &sb, env);
    (*env)->CallStaticVoidMethod(env, sb.cls, sb.mid); // Exception is here!!
    dalvik_postcall(&d, &sb);
}

Is there any problem? Thank you very much!

@crmulliner
Owner

What is the exception? What does logcat say?


@zmxsa
Author

zmxsa commented Nov 22, 2015

Thanks for your prompt reply.
I tested this in the Android emulators 2.3, 3.0 and 4.0. This problem only occurs in version 4.0.

In the DDI log, the function "_Z20dvmDecodeIndirectRefP6ThreadP8_jobject" cannot be resolved, so the function "_Z20dvmDecodeIndirectRefP7_JNIEnvP8_jobject" is added. The following is the concrete output.
_Z20dvmDecodeIndirectRefP6ThreadP8_jobject = 0x0
_Z20dvmDecodeIndirectRefP7_JNIEnvP8_jobject = 0x4080a8d9

I wonder whether the problem is caused by "dvmDecodeIndirectRef", which logcat also points at. However, after searching the Android source code, I cannot find the dependency between "CallStatic###Method" and "dvmDecodeIndirectRef".
Please help me find the problem. Thank you!!!

The following is the output of logcat.

I/DEBUG ( 33): #00 pc 00050d62 /system/lib/libdvm.so (dvmAbort)
I/DEBUG ( 33): #1 pc 000559c2 /system/lib/libdvm.so (_Z20dvmDecodeIndirectRefP7_JNIEnvP8_jobject)
I/DEBUG ( 33): #2 pc 000449a0 /system/lib/libdvm.so
I/DEBUG ( 33): #3 pc 000452e8 /system/lib/libdvm.so
I/DEBUG ( 33): #4 pc 00049ab8 /system/lib/libdvm.so
I/DEBUG ( 33): #5 pc 00001954 /data/local/tmp/libstrmon.so (sb30_sb250)
I/DEBUG ( 33): #6 pc 0001ec70 /system/lib/libdvm.so (dvmPlatformInvoke)
I/DEBUG ( 33): #7 pc 0005925a /system/lib/libdvm.so (_Z16dvmCallJNIMethodPKjP6JValuePK6MethodP6Thread)
I/DEBUG ( 33): #8 pc 0004cc7c /system/lib/libdvm.so (_Z21dvmCheckCallJNIMethodPKjP6JValuePK6MethodP6Thread)
I/DEBUG ( 33): #9 pc 00030a8c /system/lib/libdvm.so
I/DEBUG ( 33): #10 pc 000342ac /system/lib/libdvm.so (_Z12dvmInterpretP6ThreadPK6MethodP6JValue)
I/DEBUG ( 33): #11 pc 0006c93e /system/lib/libdvm.so (_Z15dvmInvokeMethodP6ObjectPK6MethodP11ArrayObjectS5_P11ClassObjectb)
I/DEBUG ( 33): #12 pc 00073d4a /system/lib/libdvm.so
I/DEBUG ( 33): #13 pc 00030a8c /system/lib/libdvm.so
I/DEBUG ( 33): #14 pc 000342ac /system/lib/libdvm.so (_Z12dvmInterpretP6ThreadPK6MethodP6JValue)
I/DEBUG ( 33): #15 pc 0006cc1c /system/lib/libdvm.so (_Z14dvmCallMethodVP6ThreadPK6MethodP6ObjectbP6JValueSt9__va_list)
I/DEBUG ( 33): #16 pc 00055226 /system/lib/libdvm.so
I/DEBUG ( 33): #17 pc 00049b5c /system/lib/libdvm.so
I/DEBUG ( 33): #18 pc 00040b7a /system/lib/libandroid_runtime.so
I/DEBUG ( 33): #19 pc 000416e2 /system/lib/libandroid_runtime.so (ZN7android14AndroidRuntime5startEPKcS2)
I/DEBUG ( 33): #20 pc 00008f0e /system/bin/app_process
I/DEBUG ( 33): #21 pc 00016700 /system/lib/libc.so (__libc_init)

@decash

decash commented Jan 14, 2016

I found a solution.

First:

void sb_test(JNIEnv *env)
{
    sb.sm = 1;      // solution: mark the hooked method as static
    sb.resolvm = 1; // solution
    dalvik_prepare(&d, &sb, env);
    (*env)->CallStaticVoidMethod(env, sb.cls, sb.mid); // Exception is here!!
    dalvik_postcall(&d, &sb);
}

and

// class descriptor, method name, method signature (assumed "()V", as in the issue's Lexample;->test()V), insSize, hook function
dalvik_hook_setup(&sb, "Ltest/test/test;", "test", "()V", 0, sb_test);
// solution: insSize is not argSize+1; for a static method insSize == argSize
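As an added example (not DDI's code and not part of this thread), a helper that derives the ns (insSize) value passed to dalvik_hook_setup from a JNI method descriptor and a static flag; it generalizes the insSize == argSize point above to wide (J/D) and array arguments, and the function name and the sample descriptors are assumed for illustration:

```c
#include <stdio.h>
#include <string.h>

/* Dalvik insSize (32-bit input registers) for a JNI method descriptor such as
 * "(I[BJLjava/lang/String;)V": Z/B/S/C/I/F and references use one register,
 * J and D use two, and an instance method adds one for the implicit `this`.
 * Returns -1 on a malformed descriptor. Added example, not DDI's own code. */
int dalvik_ins_size(const char *desc, int is_static)
{
    if (desc == NULL || desc[0] != '(')
        return -1;
    int regs = is_static ? 0 : 1;       /* no `this` for static methods */
    const char *p = desc + 1;
    while (*p != ')') {
        int width = 1, is_array = 0;
        while (*p == '[') { p++; is_array = 1; }   /* arrays are references */
        switch (*p) {
        case 'J': case 'D':
            if (!is_array)
                width = 2;              /* wide primitives take 2 registers */
            /* fall through */
        case 'Z': case 'B': case 'S': case 'C': case 'I': case 'F':
            p++;
            break;
        case 'L': {                     /* object type: skip to the ';' */
            const char *end = strchr(p, ';');
            if (end == NULL)
                return -1;
            p = end + 1;
            break;
        }
        default:                        /* '\0' or an unknown type code */
            return -1;
        }
        regs += width;
    }
    return regs;
}

int main(void)
{
    /* The issue's Lexample;->test()V is static with no args, so ns is 0. */
    printf("static test()V: ins=%d\n", dalvik_ins_size("()V", 1));
    printf("static (I[BJLjava/lang/String;)V: ins=%d\n",
           dalvik_ins_size("(I[BJLjava/lang/String;)V", 1));
    return 0;
}
```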
