Null pointer dereference on android native methods - Frida 14.2.3
SajjadPourali opened this issue · 1 comment
SajjadPourali commented
Hi, I have just tried to hook Android native methods, but from Frida version 14.2.3 a null pointer dereference
happens. Version 14.2.2 and below work well.
adb logcat:
01-10 15:49:54.121 9936 9936 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
01-10 15:49:54.121 9936 9936 F DEBUG : LineageOS Version: '17.1-20200919-UNOFFICIAL-noblelte'
01-10 15:49:54.121 9936 9936 F DEBUG : Build fingerprint: 'samsung/nobleltejv/noblelte:7.0/NRD90M/N920CXXU3CQH6:user/release-keys'
01-10 15:49:54.121 9936 9936 F DEBUG : Revision: '0'
01-10 15:49:54.121 9936 9936 F DEBUG : ABI: 'arm64'
01-10 15:49:54.123 9936 9936 F DEBUG : Timestamp: 2021-01-10 15:49:54+0330
01-10 15:49:54.123 9936 9936 F DEBUG : pid: 9593, tid: 9923, name: pwarapp.com/... >>> com.topwar.gp <<<
01-10 15:49:54.123 9936 9936 F DEBUG : uid: 10482
01-10 15:49:54.123 9936 9936 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10
01-10 15:49:54.123 9936 9936 F DEBUG : Cause: null pointer dereference
01-10 15:49:54.123 9936 9936 F DEBUG : x0 0000000000000000 x1 0000007394bff400 x2 0000007370c3aa30 x3 00000073fb4ee8b2
01-10 15:49:54.123 9936 9936 F DEBUG : x4 00000000000007ea x5 0000007370c3b560 x6 00000074f0c80000 x7 0000000000000000
01-10 15:49:54.123 9936 9936 F DEBUG : x8 0000000014818bf0 x9 000000746a6b3000 x10 0000000000000140 x11 00000000fffffff8
01-10 15:49:54.123 9936 9936 F DEBUG : x12 00000000000000c0 x13 00000003e8000000 x14 0000000000000000 x15 001227889038eb25
01-10 15:49:54.123 9936 9936 F DEBUG : x16 000000746a3ca1c8 x17 000000746a68d1d8 x18 0000007367aea000 x19 0000007370c3aa30
01-10 15:49:54.123 9936 9936 F DEBUG : x20 0000000000000000 x21 0000007394bff400 x22 000000745aa21610 x23 00000000000007ea
01-10 15:49:54.123 9936 9936 F DEBUG : x24 0000007370c3c020 x25 0000007370c3b560 x26 00000000146957e8 x27 000000745fc493f0
01-10 15:49:54.123 9936 9936 F DEBUG : x28 0000000000000000 x29 0000007370c3a900
01-10 15:49:54.123 9936 9936 F DEBUG : sp 0000007370c3a870 lr 000000746a68d1f8 pc 000000746a3ca24c
01-10 15:49:54.287 9936 9936 F DEBUG :
01-10 15:49:54.287 9936 9936 F DEBUG : backtrace:
01-10 15:49:54.287 9936 9936 F DEBUG : #00 pc 00000000002db24c /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x2da000) (bool art::interpreter::DoCall<true, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+148) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #01 pc 000000000059e1f4 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x4b3000) (MterpInvokeVirtualQuickRange+460) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #02 pc 0000000000134614 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual_range_quick+20) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #03 pc 00000000014808b2 /data/app/com.topwar.gp-frqF74olOLVAjADQ3CvE1w==/oat/arm64/base.vdex (org.cocos2dx.lib.Cocos2dxWebsocket.onMessage+114)
01-10 15:49:54.287 9936 9936 F DEBUG : #04 pc 000000000059dd74 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x4b3000) (MterpInvokeVirtualQuick+1368) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #05 pc 0000000000134594 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual_quick+20) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #06 pc 00000000008059a4 /data/app/com.topwar.gp-frqF74olOLVAjADQ3CvE1w==/oat/arm64/base.vdex (okhttp3.internal.ws.RealWebSocket.onReadMessage+4)
01-10 15:49:54.287 9936 9936 F DEBUG : #07 pc 0000000000599348 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x4b3000) (MterpInvokeInterface+1740) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #08 pc 0000000000130a14 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_interface+20) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #09 pc 00000000008064ba /data/app/com.topwar.gp-frqF74olOLVAjADQ3CvE1w==/oat/arm64/base.vdex (okhttp3.internal.ws.WebSocketReader.readMessageFrame+122)
01-10 15:49:54.287 9936 9936 F DEBUG : #10 pc 0000000000599ee4 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x4b3000) (MterpInvokeDirect+1168) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #11 pc 0000000000130914 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_direct+20) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #12 pc 000000000080651e /data/app/com.topwar.gp-frqF74olOLVAjADQ3CvE1w==/oat/arm64/base.vdex (okhttp3.internal.ws.WebSocketReader.processNextFrame+22)
01-10 15:49:54.287 9936 9936 F DEBUG : #13 pc 000000000059dd74 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x4b3000) (MterpInvokeVirtualQuick+1368) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #14 pc 0000000000134594 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual_quick+20) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #15 pc 000000000080588e /data/app/com.topwar.gp-frqF74olOLVAjADQ3CvE1w==/oat/arm64/base.vdex (okhttp3.internal.ws.RealWebSocket.loopReader+14)
01-10 15:49:54.287 9936 9936 F DEBUG : #16 pc 000000000059dd74 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x4b3000) (MterpInvokeVirtualQuick+1368) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #17 pc 0000000000134594 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual_quick+20) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #18 pc 00000000008050b2 /data/app/com.topwar.gp-frqF74olOLVAjADQ3CvE1w==/oat/arm64/base.vdex (okhttp3.internal.ws.RealWebSocket$2.onResponse+154)
01-10 15:49:54.287 9936 9936 F DEBUG : #19 pc 0000000000599348 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x4b3000) (MterpInvokeInterface+1740) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.287 9936 9936 F DEBUG : #20 pc 0000000000130a14 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_interface+20) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.288 9936 9936 F DEBUG : #21 pc 00000000007f6ebe /data/app/com.topwar.gp-frqF74olOLVAjADQ3CvE1w==/oat/arm64/base.vdex (okhttp3.RealCall$AsyncCall.execute+38)
01-10 15:49:54.288 9936 9936 F DEBUG : #22 pc 000000000059dd74 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x4b3000) (MterpInvokeVirtualQuick+1368) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.288 9936 9936 F DEBUG : #23 pc 0000000000134594 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual_quick+20) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.288 9936 9936 F DEBUG : #24 pc 000000000147771e /data/app/com.topwar.gp-frqF74olOLVAjADQ3CvE1w==/oat/arm64/base.vdex (okhttp3.internal.NamedRunnable.run+34)
01-10 15:49:54.288 9936 9936 F DEBUG : #25 pc 00000000002afd20 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x292000) (_ZN3art11interpreterL7ExecuteEPNS_6ThreadERKNS_20CodeItemDataAccessorERNS_11ShadowFrameENS_6JValueEbb.llvm.1271440803783865717+240) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.288 9936 9936 F DEBUG : #26 pc 0000000000588e8c /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x4b3000) (artQuickToInterpreterBridge+1012) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.288 9936 9936 F DEBUG : #27 pc 000000000013f468 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x13f000) (art_quick_to_interpreter_bridge+88) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.288 9936 9936 F DEBUG : #28 pc 00000000002fc514 /system/framework/arm64/boot.oat!boot.oat (offset 0xb7000) (java.util.concurrent.ThreadPoolExecutor.runWorker+980) (BuildId: 0ce33b011864b33f3bd29d06f404c03dec7464dd)
01-10 15:49:54.288 9936 9936 F DEBUG : #29 pc 00000000002f9bc0 /system/framework/arm64/boot.oat!boot.oat (offset 0xb7000) (java.util.concurrent.ThreadPoolExecutor$Worker.run+64) (BuildId: 0ce33b011864b33f3bd29d06f404c03dec7464dd)
01-10 15:49:54.288 9936 9936 F DEBUG : #30 pc 00000000001a3088 /system/framework/arm64/boot.oat!boot.oat (offset 0xb7000) (java.lang.Thread.run+72) (BuildId: 0ce33b011864b33f3bd29d06f404c03dec7464dd)
01-10 15:49:54.288 9936 9936 F DEBUG : #31 pc 0000000000136334 /apex/com.android.runtime/lib64/libart.so (art_quick_invoke_stub+548) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.288 9936 9936 F DEBUG : #32 pc 000000000014506c /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x145000) (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+244) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.288 9936 9936 F DEBUG : #33 pc 00000000004a9110 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x454000) (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+104) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.288 9936 9936 F DEBUG : #34 pc 00000000004aa1a4 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x454000) (art::InvokeVirtualOrInterfaceWithJValues(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, jvalue const*)+416) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.288 9936 9936 F DEBUG : #35 pc 00000000004e9f3c /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x4b3000) (art::Thread::CreateCallback(void*)+1176) (BuildId: 1e93efd620d98502e840ab7f10abf661)
01-10 15:49:54.288 9936 9936 F DEBUG : #36 pc 00000000000e2320 /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0xe1000) (__pthread_start(void*)+36) (BuildId: 32824628a80c12dea86ab2abd3237aa7)
01-10 15:49:54.288 9936 9936 F DEBUG : #37 pc 0000000000083a34 /apex/com.android.runtime/lib64/bionic/libc.so!libc.so (offset 0x81000) (__start_thread+64) (BuildId: 32824628a80c12dea86ab2abd3237aa7)
My script:
Java.perform(function () {
  // Hook the native method through the Java bridge and log its String argument
  Java.use('org.cocos2dx.lib.Cocos2dxWebsocket').nativeOnMessage
    .overload('int', 'boolean', 'java.lang.String', 'long')
    .implementation = function (p0, p1, p2, p3) {
      console.log('nativeOnMessage:java.lang.String:', p2);
      return this.nativeOnMessage(p0, p1, p2, p3);
    };
});
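Added example, not part of the issue and not Frida's code: a small Node.js script that parses the debuggerd crash records above (the "F DEBUG" logcat lines) into a structured object and picks out the first backtrace frame that lives in app code. It runs on a constructed excerpt of the tombstone from this report. The first-page threshold used to flag a null-pointer fault and the "/data/app/" rule for classifying frames are assumptions of this example, not anything the report states.

```javascript
// Added example, not code from the report or from Frida: parse the "F DEBUG"
// records debuggerd writes to logcat and find the first app-code backtrace frame.

// Constructed input: an excerpt of the tombstone in the report (one register line, first four of 38 frames).
const SAMPLE_LOGCAT = [
  '01-10 15:49:54.123 9936 9936 F DEBUG : pid: 9593, tid: 9923, name: pwarapp.com/... >>> com.topwar.gp <<<',
  '01-10 15:49:54.123 9936 9936 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10',
  '01-10 15:49:54.123 9936 9936 F DEBUG : Cause: null pointer dereference',
  '01-10 15:49:54.123 9936 9936 F DEBUG : x0 0000000000000000 x1 0000007394bff400 x2 0000007370c3aa30 x3 00000073fb4ee8b2',
  '01-10 15:49:54.287 9936 9936 F DEBUG : backtrace:',
  '01-10 15:49:54.287 9936 9936 F DEBUG : #00 pc 00000000002db24c /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x2da000) (bool art::interpreter::DoCall<true, false>(art::ArtMethod*, art::Thread*, art::ShadowFrame&, art::Instruction const*, unsigned short, art::JValue*)+148) (BuildId: 1e93efd620d98502e840ab7f10abf661)',
  '01-10 15:49:54.287 9936 9936 F DEBUG : #01 pc 000000000059e1f4 /apex/com.android.runtime/lib64/libart.so!libart.so (offset 0x4b3000) (MterpInvokeVirtualQuickRange+460) (BuildId: 1e93efd620d98502e840ab7f10abf661)',
  '01-10 15:49:54.287 9936 9936 F DEBUG : #02 pc 0000000000134614 /apex/com.android.runtime/lib64/libart.so (mterp_op_invoke_virtual_range_quick+20) (BuildId: 1e93efd620d98502e840ab7f10abf661)',
  '01-10 15:49:54.287 9936 9936 F DEBUG : #03 pc 00000000014808b2 /data/app/com.topwar.gp-frqF74olOLVAjADQ3CvE1w==/oat/arm64/base.vdex (org.cocos2dx.lib.Cocos2dxWebsocket.onMessage+114)',
].join('\n');

const PAYLOAD_RE = /F DEBUG\s*:\s?(.*)$/;
const PROC_RE = /^pid: (\d+), tid: (\d+), name: (.*?)\s+>>> (.*?) <<<$/;
const SIGNAL_RE = /^signal (\d+) \((\w+)\), code (-?\d+) \((\w+)\), fault addr (0x[0-9a-f]+|-+)$/;
const REG_RE = /\b(x\d{1,2}|sp|lr|pc) ([0-9a-f]{16})\b/g;
// "#NN pc ADDR PATH (SYMBOL+OFF)" once "(offset ...)" and "(BuildId: ...)" are removed; SYMBOL may hold parentheses.
const FRAME_RE = /^#(\d+) pc ([0-9a-f]+) (\S+)(?: \((.*)\+(\d+)\))?$/;

// Assumption: everything outside the app's install directory counts as system code.
function frameKind(path) {
  return path.startsWith('/data/app/') || path.startsWith('/data/data/') ? 'app' : 'system';
}

// "/apex/.../libart.so!libart.so" -> "libart.so" (text after '!' is the entry inside the mapped file).
function objectName(path) {
  const inner = path.slice(path.lastIndexOf('!') + 1);   // lastIndexOf gives -1 when absent, so slice(0)
  return inner.slice(inner.lastIndexOf('/') + 1);
}

function parseFrame(line) {
  let rest = line, buildId = null, mapOffset = null;
  const bid = rest.match(/ \(BuildId: ([0-9a-f]+)\)$/);
  if (bid) { buildId = bid[1]; rest = rest.slice(0, bid.index); }
  const off = rest.match(/ \(offset (0x[0-9a-f]+)\)/);
  if (off) { mapOffset = BigInt(off[1]); rest = rest.replace(off[0], ''); }
  const m = rest.match(FRAME_RE);
  if (!m) return null;
  return { index: Number(m[1]), pc: BigInt('0x' + m[2]), path: m[3], mapOffset, buildId,
           symbol: m[4] === undefined ? null : m[4],
           symbolOffset: m[5] === undefined ? null : Number(m[5]),
           kind: frameKind(m[3]) };
}

function parseTombstone(text) {
  const t = { pid: null, tid: null, thread: null, process: null, signal: null,
              code: null, faultAddr: null, cause: null, registers: {}, frames: [] };
  let inBacktrace = false;
  for (const raw of text.split('\n')) {
    const pm = raw.match(PAYLOAD_RE);
    if (!pm) continue;                         // not a debuggerd record
    const line = pm[1].trim();
    if (inBacktrace) {
      const f = parseFrame(line);
      if (f) t.frames.push(f);
      continue;
    }
    let m;
    if ((m = line.match(PROC_RE))) {
      t.pid = Number(m[1]); t.tid = Number(m[2]); t.thread = m[3]; t.process = m[4];
    } else if ((m = line.match(SIGNAL_RE))) {
      t.signal = { number: Number(m[1]), name: m[2] };
      t.code = { number: Number(m[3]), name: m[4] };
      t.faultAddr = m[5].startsWith('0x') ? BigInt(m[5]) : null;   // "--------" when not applicable
    } else if ((m = line.match(/^Cause: (.*)$/))) {
      t.cause = m[1];
    } else if (line === 'backtrace:') {
      inBacktrace = true;
    } else {
      for (const r of line.matchAll(REG_RE)) t.registers[r[1]] = BigInt('0x' + r[2]);
    }
  }
  return t;
}

// Heuristic (assumption, not from the page): SEGV_MAPERR below the first page is a null pointer plus a small field offset.
function isNullPageFault(t) {
  return t.signal !== null && t.signal.name === 'SIGSEGV' && t.faultAddr !== null && t.faultAddr < 0x1000n;
}

function firstAppFrame(t) {
  return t.frames.find((f) => f.kind === 'app') || null;
}
function summarize(t) {
  const top = t.frames[0], app = firstAppFrame(t);
  let s = `${t.process} (pid ${t.pid}, tid ${t.tid}) ${t.signal.name}/${t.code.name}` +
          ` at 0x${t.faultAddr.toString(16)}` + (isNullPageFault(t) ? ' [null-page fault]' : '');
  if (top) s += `; faulting frame #${top.index} ${objectName(top.path)} ${top.symbol}+${top.symbolOffset}`;
  if (app) s += `; first app frame #${app.index} ${app.symbol}+${app.symbolOffset}`;
  return s;
}

console.log(summarize(parseTombstone(SAMPLE_LOGCAT)));
```

Run it with node; to use it on a real capture, feed it the output of `adb logcat` instead of the constructed excerpt. On the excerpt it reports the faulting frame as libart.so's DoCall<true, false> with a null-page fault at 0x10 (x0 is zero, which is consistent with a field read at offset 0x10 from a null object), and the first app frame as org.cocos2dx.lib.Cocos2dxWebsocket.onMessage+114, the Java method whose invoke instruction the interpreter was dispatching when it faulted.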
0xanyuan commented
Hi, did you solve it?