夜神模拟器跑unity应用，hook libunity.so

[CrazyStormer]

我现在在夜神模拟器7.0.0.8 32位上跑bhook，hook了libunity的fseek函数或者其他函数，fopen等等。我单纯调用bytehook_init没问题，但是一旦调用了bytehook_hook_single去hook函数，也是显示hook成功的，但是后面就闪退了:
2021-12-17 12:12:00.127 5510-5510/? A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0xfff33011 in tid 5510 (xxx.xxx.xxx)
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: Build fingerprint: 'samsung/dream2qltezh/dream2qltechn:7.1/N2G48H/G9550ZHU1AQEE:user/release-keys'
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: Revision: '12'
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: ABI: 'x86'
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: pid: 5510, tid: 5510, name: xxx.xxx.xxx >>> xxx.xxx.xxx <<<
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xfff33011
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: eax f66d4127 ebx 98724ff4 ecx 00000001 edx fff32e99
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: esi 989a720c edi fff32e99
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: xcs 00000073 xds 0000007b xes 0000007b xfs 0000003b xss 0000007b
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: eip 984fa373 ebp 988c67e4 esp bfa9c334 flags 00010282
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: backtrace:
2021-12-17 12:12:00.133 5567-5567/? A/DEBUG: #00 pc 00238373 /system/lib/libhoudini.so

我的应用是只打了arm32和arm64的，没打x86，在模拟器上应该是跑的arm32。应该是libhoudini.so转码导致的。用你的demo只打arm32和arm64，在模拟器上跑却没问题。

[CrazyStormer]

我用真机跑，是毫无问题的。

[CrazyStormer]

2021-12-18 14:35:43.629 2174-2360/? I/ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.example.mylibrarytest/com.example.mylibrary.MainActivity bnds=[934,368][1202,522]} from uid 1000 on display 0
2021-12-18 14:35:43.632 2607-2607/? W/ContextImpl: Calling a method in the system process without a qualified user: android.app.ContextImpl.sendBroadcast:892 android.content.ContextWrapper.sendBroadcast:426 com.vphone.launcher.Stats.recordLaunch:129 com.vphone.launcher.Launcher.b:3322 com.vphone.launcher.Launcher.onClickAppShortcut:3260

--------- beginning of main

2021-12-18 14:35:43.632 2174-2764/? E/ActivityManager: Sending non-protected broadcast com.vphone.launcher.action.LAUNCH from system 2607:com.vphone.launcher/1000 pkg com.vphone.launcher
java.lang.Throwable
at com.android.server.am.ActivityManagerService.checkBroadcastFromSystem(ActivityManagerService.java:17987)
at com.android.server.am.ActivityManagerService.broadcastIntentLocked(ActivityManagerService.java:18573)
at com.android.server.am.ActivityManagerService.broadcastIntent(ActivityManagerService.java:18667)
at android.app.ActivityManagerNative.onTransact(ActivityManagerNative.java:499)
at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2809)
at android.os.Binder.execTransact(Binder.java:565)
2021-12-18 14:35:43.648 2607-2607/? W/ResourceType: No package identifier when getting name for resource number 0x0000000e
2021-12-18 14:35:43.662 1878-1878/? E/Zygote: Not whitelisted : /dev/ccid_ctrl
2021-12-18 14:35:43.665 5314-5314/? E/libnb: load libnb
2021-12-18 14:35:43.665 5314-5314/? D/houdini: [5314] Initialize library(version: 7.1.1b_x.49852 RELEASE)... successfully.
2021-12-18 14:35:43.666 5314-5314/? W/art: Unexpected CPU variant for X86 using defaults: x86
2021-12-18 14:35:43.672 2174-2580/? I/ActivityManager: Start proc 5314:com.example.mylibrarytest/u0a50 for activity com.example.mylibrarytest/com.example.mylibrary.MainActivity
2021-12-18 14:35:43.709 5314-5314/? D/houdini: [5314] Added shared library /data/app/com.example.mylibrarytest-1/lib/arm/libmain.so for ClassLoader by Native Bridge.
2021-12-18 14:35:43.798 5314-5337/? D/NetworkSecurityConfig: No Network Security Config specified, using platform default
2021-12-18 14:35:43.799 5314-5314/? D/houdini: [5314] Added shared library /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so for ClassLoader by Native Bridge.
2021-12-18 14:35:43.799 5314-5314/? D/houdini: [5314] Added shared library /data/app/com.example.mylibrarytest-1/lib/arm/libbytehook.so for ClassLoader by Native Bridge.
2021-12-18 14:35:43.799 5314-5314/? D/houdini: [5314] Added shared library /data/app/com.example.mylibrarytest-1/lib/arm/libhacker.so for ClassLoader by Native Bridge.
2021-12-18 14:35:43.799 5314-5314/? I/unity: java层准备调用
2021-12-18 14:35:43.800 5314-5314/? I/bytehook_tag: 这里准备hook libunity.so
2021-12-18 14:35:43.802 5314-5314/? W/bytehook_tag: bytehook init, mode 0, debug 1, return 0
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: DL monitor: pre init
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: DL iterate: iterate by dl_iterate_phdr
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: ELF manager: add 0c000000 /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: ELF manager: add 0c100000 /data/app/com.example.mylibrarytest-1/lib/arm/libmain.so
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: ELF manager: add 0c200000 /system/lib/arm/liblog.so
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: ELF manager: add 0c300000 /system/lib/arm/nb/libm.so
2021-12-18 14:35:43.802 5314-5314/? I/bytehook_tag: ELF manager: add 0c400000 /system/lib/arm/nb/libc.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 0c800000 /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 0c500000 /system/lib/arm/nb/libandroid.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 0c600000 /system/lib/arm/nb/libz.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 0c700000 /system/lib/arm/nb/libEGL.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 04000000 /system/lib/arm/nb/libbinder.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 04100000 /system/lib/arm/nb/libcutils.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 04200000 /system/lib/arm/nb/libutils.so
2021-12-18 14:35:43.803 5314-5314/? I/bytehook_tag: ELF manager: add 04300000 /system/lib/arm/nb/libui.so
2021-12-18 14:35:43.804 5314-5314/? I/bytehook_tag: ELF manager: add 04400000 /system/lib/arm/libc++.so
2021-12-18 14:35:43.804 5314-5314/? I/bytehook_tag: ELF manager: add 04500000 /system/lib/arm/libbacktrace.so
2021-12-18 14:35:43.804 5314-5314/? I/bytehook_tag: ELF manager: add 04600000 /system/lib/arm/nb/libhardware.so
2021-12-18 14:35:43.805 5314-5314/? I/bytehook_tag: ELF manager: add 04700000 /system/lib/arm/libsync.so
2021-12-18 14:35:43.805 5314-5314/? I/bytehook_tag: ELF manager: add 04800000 /system/lib/arm/libbase.so
2021-12-18 14:35:43.805 5314-5314/? I/bytehook_tag: ELF manager: add 04900000 /system/lib/arm/libunwind.so
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: ELF manager: add 04a00000 /system/lib/arm/liblzma.so
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: ELF manager: add 04c00000 /data/app/com.example.mylibrarytest-1/lib/arm/libhacker.so
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: trampo block: created at a8c9e000, size 4096
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: trampo: created for GOT c105054 at a8c9e000, size 20 + 8 = 28
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: hook chain: created for GOT c105054, orig func c0005a0
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT c105054, func 4b03045
2021-12-18 14:35:43.806 5314-5314/? I/bytehook_tag: hook chain: verify OK: dlopen in /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.808 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT c105054: c0005a0 -> a8c9e001, dlopen, /data/app/com.example.mylibrarytest-1/lib/arm/libmain.so
2021-12-18 14:35:43.809 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT c105054: + 4b03045, dlopen, /data/app/com.example.mylibrarytest-1/lib/arm/libmain.so
2021-12-18 14:35:43.819 5314-5314/? I/bytehook_tag: trampo: created for GOT ceeeb20 at a8c9e01c, size 20 + 8 = 28
2021-12-18 14:35:43.819 5314-5314/? I/bytehook_tag: hook chain: created for GOT ceeeb20, orig func c0005a0
2021-12-18 14:35:43.819 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT ceeeb20, func 4b03045
2021-12-18 14:35:43.819 5314-5314/? I/bytehook_tag: hook chain: verify OK: dlopen in /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.820 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT ceeeb20: c0005a0 -> a8c9e01d, dlopen, /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.820 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT ceeeb20: + 4b03045, dlopen, /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.824 5314-5314/? I/bytehook_tag: trampo: created for GOT c4c0614 at a8c9e038, size 20 + 8 = 28
2021-12-18 14:35:43.824 5314-5314/? I/bytehook_tag: hook chain: created for GOT c4c0614, orig func c0005a0
2021-12-18 14:35:43.824 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT c4c0614, func 4b03045
2021-12-18 14:35:43.824 5314-5314/? I/bytehook_tag: hook chain: verify OK: dlopen in /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.825 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT c4c0614: c0005a0 -> a8c9e039, dlopen, /system/lib/arm/nb/libc.so
2021-12-18 14:35:43.825 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT c4c0614: + 4b03045, dlopen, /system/lib/arm/nb/libc.so
2021-12-18 14:35:43.828 5314-5314/? I/bytehook_tag: trampo: created for GOT c105068 at a8c9e054, size 20 + 8 = 28
2021-12-18 14:35:43.829 5314-5314/? I/bytehook_tag: hook chain: created for GOT c105068, orig func c000580
2021-12-18 14:35:43.829 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT c105068, func 4b0341d
2021-12-18 14:35:43.829 5314-5314/? I/bytehook_tag: hook chain: verify OK: dlclose in /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.830 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT c105068: c000580 -> a8c9e055, dlclose, /data/app/com.example.mylibrarytest-1/lib/arm/libmain.so
2021-12-18 14:35:43.830 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT c105068: + 4b0341d, dlclose, /data/app/com.example.mylibrarytest-1/lib/arm/libmain.so
2021-12-18 14:35:43.831 5314-5314/? I/bytehook_tag: trampo: created for GOT ceeeb5c at a8c9e070, size 20 + 8 = 28
2021-12-18 14:35:43.831 5314-5314/? I/bytehook_tag: hook chain: created for GOT ceeeb5c, orig func c000580
2021-12-18 14:35:43.831 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT ceeeb5c, func 4b0341d
2021-12-18 14:35:43.831 5314-5314/? I/bytehook_tag: hook chain: verify OK: dlclose in /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.832 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT ceeeb5c: c000580 -> a8c9e071, dlclose, /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.832 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT ceeeb5c: + 4b0341d, dlclose, /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.834 5314-5314/? I/bytehook_tag: trampo: created for GOT c4c0628 at a8c9e08c, size 20 + 8 = 28
2021-12-18 14:35:43.834 5314-5314/? I/bytehook_tag: hook chain: created for GOT c4c0628, orig func c000580
2021-12-18 14:35:43.834 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT c4c0628, func 4b0341d
2021-12-18 14:35:43.834 5314-5314/? I/bytehook_tag: hook chain: verify OK: dlclose in /system/lib/arm/nb/libdl.so
2021-12-18 14:35:43.835 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT c4c0628: c000580 -> a8c9e08d, dlclose, /system/lib/arm/nb/libc.so
2021-12-18 14:35:43.835 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT c4c0628: + 4b0341d, dlclose, /system/lib/arm/nb/libc.so
2021-12-18 14:35:43.835 5314-5314/? I/bytehook_tag: DL monitor: post init, OK
2021-12-18 14:35:43.836 5314-5314/? I/bytehook_tag: trampo: created for GOT ceeebf0 at a8c9e0a8, size 20 + 8 = 28
2021-12-18 14:35:43.836 5314-5314/? I/bytehook_tag: hook chain: created for GOT ceeebf0, orig func c477ba0
2021-12-18 14:35:43.836 5314-5314/? I/bytehook_tag: hook chain: add(new) func, GOT ceeebf0, func 4c0079d
2021-12-18 14:35:43.837 5314-5314/? I/bytehook_tag: hook chain: verify bypass alias-func: fseek in /system/lib/arm/nb/libc.so
2021-12-18 14:35:43.837 5314-5314/? I/bytehook_tag: hook chain: auto REPLACE. GOT ceeebf0: c477ba0 -> a8c9e0a9, fseek, /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.837 5314-5314/? I/bytehook_tag: hook chain: hook OK. GOT ceeebf0: + 4c0079d, fseek, /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so
2021-12-18 14:35:43.838 5314-5314/? I/bytehook_tag: >>>>> hooked. status: 0, caller_path_name: /data/app/com.example.mylibrarytest-1/lib/arm/libunity.so, sym_name: fseek
2021-12-18 14:35:43.932 2174-2196/? I/ActivityManager: Displayed com.example.mylibrarytest/com.example.mylibrary.MainActivity: +272ms
2021-12-18 14:35:43.935 5314-5339/? I/bytehook_tag: DL monitor: post dlopen(), filename: libc.so
2021-12-18 14:35:43.935 5314-5339/? I/bytehook_tag: task manager: post dlopen() OK
2021-12-18 14:35:43.935 5314-5339/? I/bytehook_tag: DL iterate: iterate by dl_iterate_phdr

--------- beginning of crash

2021-12-18 14:35:43.935 5314-5339/? A/libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0xe483e589 in tid 5339 (UnityMain)
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: Build fingerprint: 'samsung/dream2qltezh/dream2qltechn:7.1/N2G48H/G9550ZHU1AQEE:user/release-keys'
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: Revision: '12'
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: ABI: 'x86'
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: pid: 5314, tid: 5339, name: UnityMain >>> com.example.mylibrarytest <<<
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe483e589
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: eax 98808ff4 ebx 98808ff4 ecx 00000000 edx 0000007c
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: esi 98715058 edi e483e589
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: xcs 00000073 xds 0000007b xes 0000007b xfs 0000003b xss 0000007b
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: eip 985cea07 ebp 0000003e esp 93363f40 flags 00010202
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: backtrace:
2021-12-18 14:35:43.991 5342-5342/? A/DEBUG: #00 pc 00228a07 /system/lib/libhoudini.so
2021-12-18 14:35:44.119 2174-2193/? I/BootReceiver: Copying /data/tombstones/tombstone_06 to DropBox (SYSTEM_TOMBSTONE)
2021-12-18 14:35:44.119 2174-5347/? W/ActivityManager: Force finishing activity com.example.mylibrarytest/com.example.mylibrary.MainActivity
2021-12-18 14:35:44.125 2174-5347/? E/JavaBinder: !!! FAILED BINDER TRANSACTION !!! (parcel size = 104)
2021-12-18 14:35:44.125 2174-5347/? W/ActivityManager: Exception thrown during pause
android.os.DeadObjectException: Transaction failed on small parcel; remote process probably died
at android.os.BinderProxy.transactNative(Native Method)
at android.os.BinderProxy.transact(Binder.java:615)
at android.app.ApplicationThreadProxy.schedulePauseActivity(ApplicationThreadNative.java:785)
at com.android.server.am.ActivityStack.startPausingLocked(ActivityStack.java:1141)
at com.android.server.am.ActivityStack.finishActivityLocked(ActivityStack.java:3523)
at com.android.server.am.ActivityStack.finishTopRunningActivityLocked(ActivityStack.java:3359)
at com.android.server.am.ActivityStackSupervisor.finishTopRunningActivityLocked(ActivityStackSupervisor.java:1855)
at com.android.server.am.AppErrors.handleAppCrashLocked(AppErrors.java:619)
at com.android.server.am.AppErrors.makeAppCrashingLocked(AppErrors.java:477)
at com.android.server.am.AppErrors.crashApplicationInner(AppErrors.java:353)
at com.android.server.am.AppErrors.crashApplication(AppErrors.java:305)
at com.android.server.am.ActivityManagerService.handleApplicationCrashInner(ActivityManagerService.java:13552)
at com.android.server.am.NativeCrashListener$NativeCrashReporter.run(NativeCrashListener.java:86)
2021-12-18 14:35:44.125 2174-2196/? E/JavaBinder: !!! FAILED BINDER TRANSACTION !!! (parcel size = 60)
2021-12-18 14:35:44.126 1873-1873/? E/lowmemorykiller: Error writing /proc/5314/oom_score_adj; errno=22
2021-12-18 14:35:44.126 2174-2212/? W/InputDispatcher: channel '7388208 com.example.mylibrarytest/com.example.mylibrary.MainActivity (server)' ~ Consumer closed input channel or an error occurred. events=0x9
2021-12-18 14:35:44.126 2174-2212/? E/InputDispatcher: channel '7388208 com.example.mylibrarytest/com.example.mylibrary.MainActivity (server)' ~ Channel is unrecoverably broken and will be disposed!
2021-12-18 14:35:44.129 2174-2764/? I/WindowManager: WIN DEATH: Window{8988523 u0 SurfaceView - com.example.mylibrarytest/com.example.mylibrary.MainActivity}
2021-12-18 14:35:44.130 2174-2184/? I/WindowManager: WIN DEATH: Window{7388208 u0 com.example.mylibrarytest/com.example.mylibrary.MainActivity}

这是夜神模拟器完整的日志，hook了就闪退

[shuixi2013]

兄弟，模拟器转译了代码，底层是libhoudi.so，要自己修改代码。

[CrazyStormer]

@shuixi2013 大佬，要怎么修改代码呀，能给个大概方向么？

[shuixi2013]

直接模拟器跑arm的so进行Hook是有问题的，也比较不好处理，网上的一般方案是模拟器的中通过X86的so作为桥梁加载调用arm的so来实现Hook，单纯只有arm的so hook不好出来。https://bbs.pediy.com/thread-272672-1.htm 类似的讨论文章很多，可以研究一下。

[caikelun]

模拟器的话，可以试下“手动模式”（默认是自动模式），手动模式相当于是xHook的直接跳转，没有trampoline。
houdini使运行环境变得复杂了，目前我们没有针对模拟器做过测试。