inst hotfix demo
| #include <signal.h> | |
| #include <cstdio> | |
| #include <cstring> | |
| #include <cstdlib> | |
| #include <sys/mman.h> | |
| #include <android/log.h> | |
| /* only for debug | |
| static void signal_handler(int signum, siginfo_t* siginfo, void* sigcontext) { | |
| printf("signal_handler: sig=%d\n", signum); | |
| ucontext_t* uc = (ucontext_t*)sigcontext; | |
| struct sigcontext *sigc = &uc->uc_mcontext; | |
| printf("fault_address=0x%llx, pc=0x%llx, sp=0x%llx\n", sigc->fault_address, sigc->pc, sigc->sp); | |
| for (int i = 0; i < 32; i++) { | |
| printf("r%d=0x%llx\n", i, sigc->regs[i]); | |
| } | |
| //print_stacktrace(); | |
| exit(-1); | |
| } | |
| static void register_crash_handler() { | |
| struct sigaction sigaction_action; | |
| memset(&sigaction_action, 0, sizeof(sigaction_action)); | |
| sigaction_action.sa_sigaction = signal_handler; | |
| sigemptyset(&sigaction_action.sa_mask); | |
| sigaction_action.sa_flags = SA_SIGINFO; | |
| sigaction(SIGILL, &sigaction_action, nullptr); | |
| sigaction(SIGABRT, &sigaction_action, nullptr); | |
| sigaction(SIGBUS, &sigaction_action, nullptr); | |
| sigaction(SIGFPE, &sigaction_action, nullptr); | |
| sigaction(SIGSEGV, &sigaction_action, nullptr); | |
| sigaction(SIGSTKFLT, &sigaction_action, nullptr); | |
| sigaction(SIGPIPE, &sigaction_action, nullptr); | |
| } | |
| */ | |
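typedef void (*hotfix_entrypoint)(void* env);

/*
 * Copy a raw AArch64 code blob into a fresh anonymous mapping and run it.
 *
 * code      - bytes of the payload; the entry point is taken to be at offset 0
 * code_size - payload size in bytes (0 is rejected up front: mmap(2) fails for a
 *             zero-length mapping and the original fell straight into memcpy())
 *
 * The payload is handed a pointer to an array of host callbacks; slot 0 is
 * __android_log_print. The mapping is deliberately PROT_WRITE|PROT_EXEC: the
 * demo payload in main() stores through its own page (`str x3,[x8]` with
 * x8 = adrp page base), so dropping PROT_WRITE before the call would fault.
 * NOTE(review): a writable+executable anonymous mapping violates W^X and is the
 * pattern SELinux `execmem` denies for many Android domains; a real loader
 * should keep the payload's data out of the code page and mprotect() the code
 * to PROT_READ|PROT_EXEC before jumping. On any failure this logs and returns
 * without running the payload.
 */
void hotfix(void* code, size_t code_size) {
    if (code == NULL || code_size == 0) {
        printf("hotfix: invalid payload (code=%p, size=%zu)\n", code, code_size);
        return;
    }

    void *mem = mmap(NULL, code_size, PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_PRIVATE, -1, 0);
    printf("hotfix mmap base_addr=%p, size=%zu\n", mem, code_size);
    if (mem == MAP_FAILED) {
        // Previously unchecked: memcpy() into (void*)-1 crashed the host.
        perror("hotfix: mmap");
        return;
    }

    memcpy(mem, code, code_size);
    // The instructions were written through the data side; make the
    // instruction side see them before jumping (no-op on x86, required on
    // AArch64 where I- and D-caches are not coherent).
    __builtin___clear_cache((char*)mem, (char*)mem + code_size);

    hotfix_entrypoint entrypoint = (hotfix_entrypoint)mem;
    // Host services exported to the payload, indexed by it as void**.
    // An array (not a braced scalar as before) so extra slots can be added
    // without changing what the payload sees at env[0].
    void* env[] = {
        (void*)__android_log_print
    };
    // Function pointers are cast to void* for %p; passing them directly is UB.
    printf("hotfix start, env=%p, __android_log_print=%p, entrypoint=%p\n",
           (void*)env, (void*)__android_log_print, (void*)entrypoint);
    entrypoint(env);
    printf("hotfix end.\n");

    // Control comes back here once the payload returns (the demo payload
    // tail-calls the host with `br`, leaving hotfix's own lr intact).
    // Release the executable mapping instead of leaking it.
    if (munmap(mem, code_size) != 0) {
        perror("hotfix: munmap");
    }
}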
int main() {
    //register_crash_handler();
    __android_log_print(ANDROID_LOG_DEBUG, "HOTFIX", "hello host");
    /**
     * Source the payload below was compiled from (AArch64, position-independent
     * through adrp; the static below is what the `str x3,[x8]` in the blob writes):
     * <code>
     * typedef void (*func__android_log_print)(int prio, const char *tag, const char *fmt, ...);
     * static func__android_log_print __android_log_print = nullptr;
     *
     * void hotfix_entrypoint(void** env) {
     *     __android_log_print = (func__android_log_print)env[0];
     *
     *     __android_log_print(3, "HOTFIX", "hello hotfix");
     * }
     * </code>
     */
    // Raw AArch64 payload. Every address in it is page-relative: `adrp Xn, 0`
    // yields the 4 KiB page containing the PC, so the blob only works because
    // hotfix() copies it to offset 0 of a page-aligned mmap. The .rodata
    // offsets (+0x30, +0x37) and the callback slot (+0x0) then resolve against
    // the mapping base. The leading /* 001000xx */ values are the link-time
    // addresses from the original object, kept for cross-reference only.
    unsigned char code[] = {
        // .text
        /* 00100000 */ 0x03, 0x00, 0x40, 0xF9, // ldr  x3, [x0]       ; x3 = env[0] = __android_log_print
        /* 00100004 */ 0x01, 0x00, 0x00, 0x90, // adrp x1, 0          ; x1 = page base
        /* 00100008 */ 0x02, 0x00, 0x00, 0x90, // adrp x2, 0          ; x2 = page base
        /* 0010000c */ 0x08, 0x00, 0x00, 0x90, // adrp x8, 0          ; x8 = page base
        /* 00100010 */ 0x21, 0xc0, 0x00, 0x91, // add  x1, x1, #0x30  ; x1 = "HOTFIX"
        /* 00100014 */ 0x42, 0xdc, 0x00, 0x91, // add  x2, x2, #0x37  ; x2 = "hello hotfix"
        /* 00100018 */ 0xE0, 0x07, 0x00, 0x32, // orr  w0, wzr, #0x3  ; w0 = prio 3 (ANDROID_LOG_DEBUG)
        /* 0010001c */ 0x03, 0x01, 0x00, 0xF9, // str  x3, [x8]       ; store callback at page+0 — presumably the
                                               //                     ; static's slot from the snippet above. In this
                                               //                     ; relocated copy that overwrites the first two
                                               //                     ; (already executed) instructions, which is why
                                               //                     ; hotfix() must leave the page writable (no W^X).
        /* 00100020 */ 0x60, 0x00, 0x1F, 0xD6, // br   x3             ; tail-call __android_log_print(3, "HOTFIX", "hello hotfix")
        /* 00100024 */ 0x00, 0x00, 0x00, 0x00, // padding to the .rodata offset
        /* 00100028 */ 0x00, 0x00, 0x00, 0x00,
        /* 0010002c */ 0x00, 0x00, 0x00, 0x00,
        // .rodata
        /* 00100030 */ 0x48, 0x4F, 0x54, 0x46, // 0x30: "HOTFIX\0"
        /* 00100034 */ 0x49, 0x58, 0x00, 0x68, // 0x37: "hello hotfix\0"
        /* 00100038 */ 0x65, 0x6C, 0x6C, 0x6F,
        /* 0010003c */ 0x20, 0x68, 0x6F, 0x74,
        /* 00100040 */ 0x66, 0x69, 0x78, 0x00
    };
    // sizeof(code) == 0x44 bytes; the whole blob (text + rodata) is copied so the
    // page-relative string offsets stay valid.
    hotfix((void*)&code, sizeof(code));
    return 0;
}