Refactor some more

frida · Dec 13, 2024 · 653246e · 653246e
1 parent a70d8c1
commit 653246e
Showing 1 changed file with 55 additions and 58 deletions.
diff --git a/lib/android.js b/lib/android.js
@@ -405,27 +405,22 @@ function _getApi () {
           if (procSelfCmdlineAddr !== null) {
             procSelfCmdlineAddr = procSelfCmdlineAddr.add(1);
 
-            exp = findPcRelativeReferenceToString(
-              'libart.so', '?0 ?? ff ?0 00 ?? ?? 91', 0,
-              procSelfCmdlineAddr,
-              adrpAddAddr => {
-                for (let off = 0; off !== 40; off += 4) {
-                  const insn = Instruction.parse(adrpAddAddr.sub(off));
-                  const mnemonic = insn.mnemonic;
-                  if (mnemonic === 'b' || mnemonic === 'bl') {
-                    const branchAddr = ptr(insn.operands[0].value);
-                    const nextDis = Instruction.parse(branchAddr);
-                    if (nextDis.mnemonic === 'stp') {
-                      return {
-                        type: 'function',
-                        name,
-                        address: nextDis.address
-                      };
-                    }
+            exp = findPcRelativeReferenceToString('libart.so', '?0 ?? ff ?0 00 ?? ?? 91', 0, procSelfCmdlineAddr,
+              match => scanBackward(match.first.address.sub(4), 10, insn => {
+                const mnemonic = insn.mnemonic;
+                if (mnemonic === 'b' || mnemonic === 'bl') {
+                  const branchAddr = ptr(insn.operands[0].value);
+                  const targetInsn = Instruction.parse(branchAddr);
+                  if (targetInsn.mnemonic === 'stp') {
+                    return {
+                      type: 'function',
+                      name,
+                      address: targetInsn.address
+                    };
                   }
                 }
                 return null;
-              }
+              })
             );
           }
         }
@@ -584,33 +579,24 @@ function tryGetEnvJvmti (vm, runtime) {
 
   vm.perform(() => {
     let ensurePluginLoadedAddr = Module.findExportByName('libart.so', '_ZN3art7Runtime18EnsurePluginLoadedEPKcPNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEE');
-    console.log('arch:', Process.arch, 'ensurePluginLoadedAddr:', ensurePluginLoadedAddr);
     if (ensurePluginLoadedAddr === null) {
       const libopenjdkjvmtiSoString = '6c 69 62 6f 70 65 6e 6a 64 6b 6a 76 6d 74 69 2e 73 6f';
       const libopenjdkjvmtiSoAddr = findStringInRodata('libart.so', libopenjdkjvmtiSoString);
       if (libopenjdkjvmtiSoAddr !== null) {
         if (Process.arch === 'arm64') {
-          ensurePluginLoadedAddr = findPcRelativeReferenceToString(
-            'libart.so', '?1 ?? ff ?0 21 ?? ?? 91', 0,
-            libopenjdkjvmtiSoAddr,
-            adrpAddAddr => {
-              for (let off = 0; ; off += 4) {
-                const insn = Instruction.parse(adrpAddAddr.add(off));
-                const mnemonic = insn.mnemonic;
-                if (mnemonic === 'b' || mnemonic === 'bl') {
-                  return ptr(insn.operands[0].value);
-                }
-              }
-            }
+          ensurePluginLoadedAddr = findPcRelativeReferenceToString('libart.so', '?1 ?? ff ?0 21 ?? ?? 91', 0, libopenjdkjvmtiSoAddr,
+            match => scanForward(match.last.next, 4, insn => {
+              const mnemonic = insn.mnemonic;
+              return (mnemonic === 'b' || mnemonic === 'bl') ? ptr(insn.operands[0].value) : null;
+            })
           );
         } else {
-          ensurePluginLoadedAddr = findPcRelativeReferenceToString(
-            'libart.so', '49 0d f1 ?? 0a', -1,
-            libopenjdkjvmtiSoAddr,
-            match => scanForward(match.add.next, 4, insn => (insn.mnemonic === 'bl') ? ptr(insn.operands[0].value).or(1) : null)
+          ensurePluginLoadedAddr = findPcRelativeReferenceToString('libart.so', '49 0d f1 ?? 0a', -1, libopenjdkjvmtiSoAddr,
+            match => scanForward(match.last.next, 4, insn => {
+              return (insn.mnemonic === 'bl') ? ptr(insn.operands[0].value).or(1) : null;
+            })
           );
         }
-        console.log('ensurePluginLoadedAddr:', ensurePluginLoadedAddr?.sub(Module.getBaseAddress('libart.so')));
       }
     }
     if (ensurePluginLoadedAddr === null) {
@@ -1953,12 +1939,11 @@ function instrumentArtMethodInvocationFromInterpreter () {
     const invokingPercentSAddr = findStringInRodata('libart.so', invokingPercentSString);
     if (invokingPercentSAddr !== null) {
       const foundFuncs = [];
-      const doCallFuncAddrs = findPcRelativeReferenceToString(
-        'libart.so', '?2 e? ff ?0 42 ?? ?? 91', 0,
-        invokingPercentSAddr,
-        adrpAddAddr => {
-          for (let off = 0; ; off += 4) {
-            let insn = Instruction.parse(adrpAddAddr.sub(off));
+      const doCallFuncAddrs = findPcRelativeReferenceToString('libart.so', '?2 e? ff ?0 42 ?? ?? 91', 0, invokingPercentSAddr,
+        match => {
+          const adrp = match.first.address;
+          for (let off = 12; ; off += 4) {
+            let insn = Instruction.parse(adrp.sub(off));
             if (insn.mnemonic === 'str') {
               insn = Instruction.parse(insn.next);
               if (insn.mnemonic === 'stp') {
@@ -2014,12 +1999,11 @@ function ensureArtKnowsHowToHandleReplacementMethods (vm) {
     const copyingPhaseString = '43 6f 70 79 69 6e 67 50 68 61 73 65';
     const copyingPhaseAddr = findStringInRodata('libart.so', copyingPhaseString);
     if (copyingPhaseAddr !== null) {
-      copyingPhase = findPcRelativeReferenceToString(
-        'libart.so', '?1 ?? ff ?0 21 ?? ?? 91', 0,
-        copyingPhaseAddr,
-        adrpAddAddr => {
-          for (let off = 0; ; off += 4) {
-            let insn = Instruction.parse(adrpAddAddr.sub(off));
+      copyingPhase = findPcRelativeReferenceToString('libart.so', '?1 ?? ff ?0 21 ?? ?? 91', 0, copyingPhaseAddr,
+        match => {
+          const adrp = match.first.address;
+          for (let off = 8; ; off += 4) {
+            let insn = Instruction.parse(adrp.sub(off));
             if (insn.mnemonic === 'sub') {
               insn = Instruction.parse(insn.next);
               if (insn.mnemonic === 'stp') {
@@ -4068,12 +4052,11 @@ function makeArtThreadStateTransitionImpl (vm, env, callback) {
 
     if (jniFatalErrorCalledAddr !== null) {
       const occurrences = [];
-      if (findPcRelativeReferenceToString(
-        'libart.so', '?1 ?? ff ?0 21 ?? ?? 91', 0,
-        jniFatalErrorCalledAddr,
-        address => {
-          occurrences.push(address);
+      if (findPcRelativeReferenceToString('libart.so', '?1 ?? ff ?0 21 ?? ?? 91', 0, jniFatalErrorCalledAddr,
+        match => {
+          const address = match.first.address;
 
+          occurrences.push(address);
           if (occurrences.length === 1) {
             return null;
           }
@@ -5309,7 +5292,7 @@ function findPcRelativeReferenceToString (modName, pattern, offset, stringAddr,
       const destReg = adrpOps[0].value;
       const baseVal = adrpOps[1].value;
 
-      const offsetVal = scanForward(adrp.next, 2, insn => {
+      const scanResult = scanForward(adrp.next, 2, insn => {
         if (insn.mnemonic !== 'add') {
           return null;
         }
@@ -5324,14 +5307,15 @@ function findPcRelativeReferenceToString (modName, pattern, offset, stringAddr,
           return null;
         }
 
-        return immOp.value;
+        return [insn, immOp.value];
       });
-      if (offsetVal === null) {
+      if (scanResult === null) {
         continue;
       }
+      const [add, offsetVal] = scanResult;
 
       if (ptr(baseVal).add(offsetVal).equals(stringAddr)) {
-        const result = predicate(candidate);
+        const result = predicate({ first: adrp, last: add });
         if (result !== null) {
           return result;
         }
@@ -5384,7 +5368,7 @@ function findPcRelativeReferenceToString (modName, pattern, offset, stringAddr,
       const offsetVal = add.address.add(4);
 
       if (baseVal.add(offsetVal).equals(stringAddr)) {
-        const result = predicate({ ldr, add });
+        const result = predicate({ first: ldr, last: add });
         if (result !== null) {
           return result;
         }
@@ -5408,6 +5392,19 @@ function scanForward (startAddress, limit, predicate) {
   return null;
 }
 
+function scanBackward (startAddress, limit, predicate) {
+  let cursor = startAddress;
+  for (let i = 0; i !== limit; i++) {
+    const insn = Instruction.parse(cursor);
+
+    const result = predicate(insn);
+    if (result !== null) { return result; }
+
+    cursor = cursor.sub(4);
+  }
+  return null;
+}
+
 function scanBackwardForSubStp (startAddress) {
   for (let off = 0; ; off += 4) {
     const insn = Instruction.parse(startAddress.sub(off));