#5
Old 02-11-2024, 21:20
dion
game tech
Join Date: Jan 2002
Posts: 173
No intention to hijack the thread, but I am on the same goal as CZC: to understand the code in an Android .so native library (arm64).

I have tried to debug using JEB (the APK itself) on a rooted phone; it turned out one has to set the debuggable flag. I did (after repacking and resigning the APK), but then the app crashed. So I tried another way.

The native library has some kind of Java wrapper; it loads the libraries using System.loadLibrary. So I looked into an Android Studio sample which incorporates an external native library and calls it. Then I added the target native library and modified Gradle, CMakeLists.txt, the source code, and I don't remember what else, to accommodate the new native library.

So I pressed debug in Android Studio and the app crashed; I know by looking at the logcat window. The cause was something like this:

Code:
JNI NewGlobalRef called with pending exception java.lang.ClassNotFoundException: Didn't find class "com.example.hello" on path: DexPathList [[zip file "/data/app/com.example.hello-JXyLr8y_WKw9Tt8GbtoaIw==/base.apk"],nativeLibraryDirectories=[/data/app/com.example.hello-JXyLr8y_WKw9Tt8GbtoaIw==/lib/arm64, /data/app/com.example.hello-JXyLr8y_WKw9Tt8GbtoaIw==/base.apk!/lib/arm64-v8a, /system/lib64]]'
I looked, and it turned out it is in the JNI_OnLoad() function inside one of the native libraries. IDA 'interprets' the function like this:

Code:
jint JNI_OnLoad(JavaVM *vm, void *reserved)
{
  jint result; // w0
  __int64 v3; // x19
  __int64 v4; // x8
  __int64 v5[2]; // [xsp+0h] [xbp-30h] BYREF

  // TPIDR_EL0 + 40 is bionic's TLS slot for the stack-protector canary
  v5[1] = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  v5[0] = 0LL;
  // 65540 == 0x10004 == JNI_VERSION_1_4; v5[0] receives the JNIEnv*
  // +48 in the JNIEnv function table is entry 6: FindClass()
  if ( (*vm)->GetEnv(vm, (void **)v5, 65540LL)
    || (v3 = v5[0],
        (v4 = (*(__int64 (__fastcall **)(__int64, const char *))(*(_QWORD *)v5[0] + 48LL))(
                v5[0],
                "com/original/class/name")) == 0) )   // FindClass wants '/'-separated names
  {
    result = -1;   // GetEnv failed, or the class was not found (exception left pending)
  }
  else
  {
    // +1720 in the JNIEnv table is entry 215: RegisterNatives(env, clazz, methods, nMethods)
    // off_70010 is the JNINativeMethod[] table; 53 is its entry count
    result = ((*(int (__fastcall **)(__int64, __int64, char **, __int64))(*(_QWORD *)v3 + 1720LL))(
                v3,
                v4,
                off_70010,
                53LL) >> 31) | 0x10004;   // -1 if RegisterNatives failed, else JNI_VERSION_1_4
  }
  return result;
}
Since the expected class name was different (I masked the original class name here), I hex-edited the class name inside the .so file, and got the logcat like the above when debugging.

Later, I learned that the function returning the error is FindClass(). I was thinking of patching the function, but I am not sure about the function after the else syntax, which looks like it does something with the results.

I have searched Google for a couple of days and applied what was suggested, like using -keepclass in the proguard.pro rules, but nothing works so far.

Can anyone help with the problem?
Thanks in advance.
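To make the decompiled offsets concrete, here is an added example (not code from the post or from the app in question) that replays the same JNI_OnLoad logic against a stand-in JNI environment: the function tables are mocked with the real JNINativeInterface/JNIInvokeInterface indices, so +48 resolves to GetEnv/FindClass and +1720 to RegisterNatives, and a FindClass miss returns -1 with the ClassNotFoundException left pending, exactly as in the logcat above. The class name com/example/hello/MainActivity, the fake_* functions and run_onload are assumptions made for this example.

```c
#include <string.h>
/* Stand-in JNI tables, sized so the indices match the real layout
   (constructed for this example; not Android's jni.h). */
#define JNI_VERSION_1_4     0x00010004   /* the 65540LL in the decompilation  */
#define IDX_GETENV          6            /* JNIInvokeInterface: 6*8 = 48      */
#define IDX_FINDCLASS       6            /* JNINativeInterface: 6*8 = 48      */
#define IDX_REGISTERNATIVES 215          /* JNINativeInterface: 215*8 = 1720  */
typedef void (*jni_fn)(void);
typedef struct { jni_fn fn[230]; } NativeTable;            /* what *JNIEnv points to */
typedef struct { NativeTable *tbl; const char *pending; } Env;
typedef struct { jni_fn fn[8]; } InvokeTable;              /* what *JavaVM points to */
typedef struct { InvokeTable *tbl; Env *env; } VM;
/* Fake runtime: one known class, resolvable only by its JNI (slash) name. */
static void *fake_find_class(Env *env, const char *name) {
    if (strcmp(name, "com/example/hello/MainActivity") == 0) return (void *)1;
    env->pending = "java.lang.ClassNotFoundException";   /* left pending */
    return NULL;
}
static int fake_register_natives(Env *e, void *cls, void *m, int n) {
    (void)e; (void)m; return (cls != NULL && n > 0) ? 0 : -1;
}
static int fake_get_env(VM *vm, void **out, int version) {
    if (version != JNI_VERSION_1_4) return -1;
    *out = vm->env; return 0;
}
/* The decompiled JNI_OnLoad with the table offsets resolved to JNI names. */
int jni_onload(VM *vm, const char *class_name, int nmethods) {
    Env *env = NULL;
    int (*get_env)(VM *, void **, int) = (int (*)(VM *, void **, int))vm->tbl->fn[IDX_GETENV];
    if (get_env(vm, (void **)&env, JNI_VERSION_1_4) != 0) return -1;
    void *(*find_class)(Env *, const char *) = (void *(*)(Env *, const char *))env->tbl->fn[IDX_FINDCLASS];
    void *cls = find_class(env, class_name);            /* offset 48 in *env */
    if (cls == NULL) return -1;                         /* exception stays pending */
    int (*reg)(Env *, void *, void *, int) = (int (*)(Env *, void *, void *, int))env->tbl->fn[IDX_REGISTERNATIVES];
    int rc = reg(env, cls, NULL, nmethods);             /* off_70010 = method table, 53 entries */
    return (rc >> 31) | JNI_VERSION_1_4;                /* -1 on error, else 0x10004 */
}
/* Wire up the fake tables and run JNI_OnLoad for one class name. */
int run_onload(const char *class_name, const char **pending_out) {
    static NativeTable nt; static InvokeTable it; static Env env; static VM vm;
    nt.fn[IDX_FINDCLASS] = (jni_fn)fake_find_class;
    nt.fn[IDX_REGISTERNATIVES] = (jni_fn)fake_register_natives;
    it.fn[IDX_GETENV] = (jni_fn)fake_get_env;
    env.tbl = &nt; env.pending = NULL; vm.tbl = &it; vm.env = &env;
    int r = jni_onload(&vm, class_name, 53);
    if (pending_out) *pending_out = env.pending;
    return r;
}
```

Running run_onload with the dotted package name reproduces the failure path (-1 with the exception pending), while the slash-separated class name returns JNI_VERSION_1_4.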