Hook dex2oat functions to remove LSPosed traces #152

Merged
merged 3 commits into from
Jan 8, 2025

JingMatrix
Owner

We use LD_PRELOAD to hook the execution of dex2oat. To do so, we first overwrite the output file with liboat_hook.so, which is given by the parameter --oat-location. However, we always get a permission error when opening the target base.odex file in the function save_fd_to_file.

@JingMatrix
Owner Author

Since dex2oat is called using /apex/com.android.art/bin/art_exec --drop-capabilities --set-task-profile=Dex2OatBootComplete --set-priority=background --keep-fds=6:7:8:9:10:11:12 -- /apex/com.android.art/bin/dex2oat64 ..., we have a problem reading the liboat_hook.so file.

@JingMatrix
Owner Author

The above problem is solved by directly passing a file descriptor to LD_PRELOAD.

@JingMatrix JingMatrix force-pushed the dex2oat branch 2 times, most recently from 82388c6 to d2bb29e Compare January 5, 2025 23:36
@JingMatrix JingMatrix marked this pull request as ready for review January 5, 2025 23:37
@JingMatrix
Owner Author

Now this pull-request is finished, please tell me your test results.
To bypass some detector app, you may need to Re-optimize that application from LSPosed manager using the context menu so that its base.odex file will be updated.

@Stillhard

Testing with:

  • A11
  • NeoZygisk

Getting a lot of:
Error resolving symbol: _ZNK3art9OatHeader16GetKeyValueStoreEv in logcat

And in the Manager's window:
Optimization failed: return value is empty

@JingMatrix
Owner Author

JingMatrix commented Jan 6, 2025

For symbols not found, please do the following to upload your symbols for me to add:

  1. open termux and run apt update && apt install binutils;
  2. disable LSPosed module and reboot;
  3. open termux and save your symbols: sudo readelf -sW /apex/com.android.art/bin/dex2oat64 > dex2oat.txt;
  4. upload your file dex2oat.txt.

If you are using NeoZygisk and LSPosed by me, the second step can be skipped. Have a look at your dex2oat.txt: if it is too small, then you cannot skip step 2.
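
A quick local check of the dump saved in step 3, as an added example that is not part of the thread or the project's code: it counts the symbol rows in a saved `readelf -sW` file and reports whether a given symbol is defined in the binary, listed as an undefined import, or absent. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Classify one symbol in a saved `readelf -sW` dump (e.g. dex2oat.txt).
# Prints "<status> <symbol-row-count>" where status is:
#   defined   - the symbol has a section index (its code is in this binary)
#   undefined - the symbol is listed with Ndx UND (imported from a library)
#   missing   - the symbol does not appear in the dump at all
check_symbol() {
    dump=$1
    sym=$2
    awk -v sym="$sym" '
        # Symbol rows start with "<num>:"; the columns are
        # Num Value Size Type Bind Vis Ndx Name
        $1 ~ /^[0-9]+:$/ {
            total++
            name = $8
            sub(/@.*/, "", name)      # drop "@VERSION" suffixes
            if (name == sym) {
                if ($7 != "UND") status = "defined"
                else if (status == "") status = "undefined"
            }
        }
        END {
            if (status == "") status = "missing"
            printf "%s %d\n", status, total
        }
    ' "$dump"
}

# Constructed sample rows in readelf -sW layout, not taken from any device.
sample_dump() {
cat <<'EOF'
Symbol table '.dynsym' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _ZNK3art9OatHeader16GetKeyValueStoreEv
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND abort@LIBC (2)
     3: 00000000000a1b20   212 FUNC    GLOBAL DEFAULT   14 main
EOF
}

# Stand-alone use: sh check_symbol.sh dex2oat.txt [symbol]
if [ $# -ge 1 ]; then
    check_symbol "$1" "${2:-_ZNK3art9OatHeader16GetKeyValueStoreEv}"
fi
```

A row count near zero is the "too small" case mentioned above, where the dump has to be taken again after step 2.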

@Stillhard

Stillhard commented Jan 6, 2025

For symbols not found, please do the following to upload your symbols for me to add
4. upload your file dex2oat.symbols.

dex2oat.zip

For symbols not found, please do the following to upload your symbols for me to add
3. open termux and save your symbols: sudo readelf -sW /apex/com.android.art@1/bin/dex2oat64 > [email protected];
4. upload your file [email protected].

[email protected]

@JingMatrix
Owner Author

JingMatrix commented Jan 6, 2025

It seems the symbol names have no problems. I have updated the log printing; please record logs while re-optimizing an application:

adb logcat -s LSPosedDex2Oat dex2oat64 > dex2oat.log

And upload your dex2oat.log.

@EbananLinfal

It seems the symbol names have no problems. I have updated the log printing; please record logs while re-optimizing an application:

adb logcat -s LSPosedDex2Oat dex2oat64 > dex2oat.log

And upload your dex2oat.log.

dex2oat.log

@JingMatrix
Owner Author

@EbananLinfal Please upload your symbols file dex2oat.txt again, as required in my previous comment. For your device, you need to disable LSPosed and reboot before using the readelf command.

@EbananLinfal

@EbananLinfal Please upload your symbols file dex2oat.txt again, as required in my previous comment. For your device, you need to disable LSPosed and reboot before using the readelf command.

Ok
dex2oat.zip

@JingMatrix
Owner Author

For full compatibility with all Android versions, I think I have to use LSPlt to hook those symbols.

@Stillhard

Stillhard commented Jan 6, 2025

It seems the symbol names have no problems. I have updated the log printing; please record logs while re-optimizing an application:

adb logcat -s LSPosedDex2Oat dex2oat64 > dex2oat.log

And upload your dex2oat.log.

dex2oat.log

@mehgancangweh

mehgancangweh commented Jan 6, 2025

EDIT:
I tested and it's fixed (at least on my device). The dev clarified it very clearly: #152 (comment) thanks.

With the latest Core build there are other crash issues with the webview on the manager which I have never seen before.
I uploaded a screen recording to Streamable since I cannot upload more than 10MByte here.

Screen Record:
emf2mo
Log + Device Info:
com.android.shell_2025-01-06T19_35_08.103.log

Let me know if you need more info..

@JingMatrix
Owner Author

@mehgancangweh Thanks for reporting, it is related to #149 (comment), fixed now.

@Stillhard

Stillhard commented Jan 6, 2025

adb logcat -s LSPosedDex2Oat dex2oat64 > dex2oat.log

Optimization failed: return value is empty

dex2oat.log

crash.log

@EbananLinfal

It seems the symbol names have no problems. I have updated the log printing; please record logs while re-optimizing an application:

adb logcat -s LSPosedDex2Oat dex2oat64 > dex2oat.log

And upload your dex2oat.log.

dex2oat.log

Same again

We use the env LD_PRELOAD to hook the execution of `dex2oat`, which can be directly set to be a file descriptor.
It is strange that LSPlt gave a lot of runtime crashes for totally unknown reasons.
After adding some workarounds in LSPlt, those issues disappeared.

@JingMatrix
Owner Author

I am using LSPlt to provide compatibility support for all Android versions.
Please test the latest CI build and tell me your results.

@Stillhard

Stillhard commented Jan 8, 2025

I am using LSPlt to provide compatibility support for all Android versions. Please test the latest CI build and tell me your results.

Ok tested, no more error 👍
But what's the purpose of these commits anyway? 😂
Can we test in a real app/detector to compare?

@EbananLinfal

EbananLinfal commented Jan 8, 2025

Tested with A13 and NeoZygisk, now Native Detector (Detected LSPosed Trace (5)) and Holmes (Miscellaneous (a)) passed

@mehgancangweh

Tested #12661652493 A12 & ZygiskNext 1.2.5.
Optimize Work, Native Detector & Holmes pass.
I used to switch from NeoZygisk since the latest master CI has a root request & zygisk disabled issue on my dev. Maybe that's the case you wanna try.

@JingMatrix
Owner Author

@mehgancangweh Please report your issues on NeoZygisk properly, thanks!

@JingMatrix JingMatrix merged commit c0478f5 into master Jan 8, 2025
1 check passed
@kkphile

kkphile commented Jan 8, 2025

Normal in native test and native detector. But showed something wrong in holmes with latest zygisk next

Successfully merging this pull request may close these issues.

Remove trace of LSPosed wrapper for dex2oat
5 participants