Full Shadow hook setup guide

[doviettung96]

Hi guys, I've used the default setting with Dobby but since that can only work with an emulator (not real device) or just my bad.
This is my native-lib.cpp

#include "BNM/Loading.hpp"
#include "BNM/Class.hpp"
#include "BNMResolve.hpp"
void OnLoaded_Example() {
    BNM_LOG_INFO("OnLoaded_Example Called");
}


JNIEXPORT jint JNI_OnLoad(JavaVM *vm, void *reserved) {
    JNIEnv *env;
    vm->GetEnv((void **) &env, JNI_VERSION_1_6);

    BNM::Loading::AllowLateInitHook();
    BNM::Loading::AddOnLoadedEvent(OnLoaded_Example);
    BNM::Loading::TryLoadByJNI(env);
    BNM_LOG_INFO("JNI_OnLoad");
    
    return JNI_VERSION_1_6;
}

I started to try shadowhook by first following https://github.com/bytedance/android-inline-hook/blob/main/doc/manual.md#integration and add shadowhook_init before the BNM::Loading. Also, uncomment the section in GlobalSettings.hpp and add #include <shadowhook.h>

// Shadowhook
template<typename PTR_T, typename NEW_T, typename T_OLD>
inline void *BasicHook(PTR_T ptr, NEW_T newMethod, T_OLD &oldBytes) {
    if ((void *) ptr != nullptr) return shadowhook_hook_func_addr((void *)ptr, (void *) newMethod, (void **) &oldBytes);
    return nullptr;
}

template<typename PTR_T, typename NEW_T, typename T_OLD>
inline void *BasicHook(PTR_T ptr, NEW_T newMethod, T_OLD &&oldBytes) {
    if ((void *) ptr != nullptr) return shadowhook_hook_func_addr((void *)ptr, (void *) newMethod, (void **) &oldBytes);
    return nullptr;
}

template<typename PTR_T>
inline void Unhook(PTR_T ptr) {
    if ((void *) ptr != nullptr) shadowhook_unhook((void *)ptr);
}

I also remove dobby related stuffs in CMakeLists.txt and replace with shadowhook.
I'm using AndKittyInjector to inject the final lib.so but constantly get

I: inject_lib: Stopped target process threads.
I: inject_lib: Attaching to target process...
I: inject_lib: Attached successfully.
I: injectLibrary: [native=arm64 | lib=arm64].
I: injectLibrary: lib handle = 0x0.
I: injectLibrary: lib Base = 0x0.
E: injectLibrary: failed )':
E: injectLibrary: calling dlerror...
E: injectLibrary: dlopen failed: library "libshadowhook.so" not found
I: inject_lib: Killing target process...
E: Injection failed.

even though I pushed that libshadowhook.so into the device and even add LD_LIBRARY_PATH point to /data/local/tmp..
What did I do wrong? If possible, can you show your full configs to make shadowhook work? Thanks

[Creator1A]

Try changing to ShadowHook 1.0.10. The newer versions don't support emulators and I assume they also don't work as well either.

As for the setup this should be good enough:

void init_shadowhook() {
    // Initialize Shadowhook with unique mode and debug logging enabled
    int result = shadowhook_init(SHADOWHOOK_MODE_UNIQUE, false);
}

JNIEXPORT jint JNICALL JNI_OnLoad(JavaVM *vm, void * /*reserved*/) {
    SetJavaVM(vm);

// setup code and what not that I see in your issue already...


// Init/load code
    init_shadowhook();
    Loading::TryLoadByJNI(env);
    Loading::AddOnLoadedEvent(setter);

    return JNI_VERSION_1_6;
}

[doviettung96]

Yeah. I also used Shadowhook 1.0.10. Anyway, how do you integrate shadowhook into the game? I'm using AndKittyInjector to inject my lib.so, but often get the error that not found libshadowhook.so. Also, I did put shadowhook_init before my code. E.g:

JNIEXPORT jint JNI_OnLoad(JavaVM *vm, void *reserved) {
    JNIEnv *env;
    vm->GetEnv((void **) &env, JNI_VERSION_1_6);

    int result = shadowhook_init(SHADOWHOOK_MODE_UNIQUE, false);

    BNM::Loading::AllowLateInitHook();
    BNM::Loading::AddOnLoadedEvent(OnLoaded_Example);
    BNM::Loading::TryLoadByJNI(env);
    BNM_LOG_INFO("JNI_OnLoad");
    
    return JNI_VERSION_1_6;
}

[Creator1A]

That's weird. For my case the game isn't really protected so I can directly load my main lib via java and load the hooks via BNM::Loading::AddOnLoadedEvent. For shadowhook specifically the only thing I needed to do was link the prefab in my make file and initialize it using shadowhook_init. I then added both my lib and shadowhook lib to the game like you would normally.

This is likely an issue with the injection code you're using. Could also be an android version issue as well. Lastly this is the only thing related to your issue but you probably also tried that already "use memfd or disable selinux".

[doviettung96]

hmm. But have you succeeded with Dobby before? How do you load your lib via java? by editting smali and resign apk? ALso, if if worked for you with Dobby, just

JNIEXPORT jint JNI_OnLoad(JavaVM *vm, void *reserved) {
    JNIEnv *env;
    vm->GetEnv((void **) &env, JNI_VERSION_1_6);

    BNM::Loading::AllowLateInitHook();
    BNM::Loading::AddOnLoadedEvent(OnLoaded_Example);
    BNM::Loading::TryLoadByJNI(env);
    BNM_LOG_INFO("JNI_OnLoad");
    
    return JNI_VERSION_1_6;
}

this also works for you, right?

[Creator1A]

Dobby didn't work on emulators for me so I had to switch to shadowhook. And as for the loading Im pretty sure i didn't do anything besides adding the dobby libs, linking them in my make file and making BNM use it.

You could give this repo a look if you want to try different things,

As for the java part, I just add my lib on activity creation.

[doviettung96]

ah.. I'm working on a real device, bro. For emulators, it just worked. Even with the default Dobby setting.. and my minimal native-lib.cpp code (above). I got a problem with a real device, that's why I want to try shadowhook

[Creator1A]

As I said, if your game isn't protected then you can try loading your main lib via activity OnCreate and just adding the libs. This should load shadowhook without any issues. I have a mod myself with ten thousand+ users and not once did I witness a load issue with shadowhook.

[doviettung96]

Okay.. Thank you. I will try that approach. If it's protected, I will try smali editting. Probably, the problem is with my AndKittyInjector.