Method inlined on Android 13/Tiramisu (API 33)

[vegedreamgagnoa]

Tried LSPlant to hook android.app.Activity#getSystemService as a sample, the hook result returns true, but the callback has never been called. Why? trying to deoptimize not work. It works on Android 6 ~ 12 though.

[yujincheng08]

Have you tried to invoke android.app.Activity#getSystemService by reflection?

[vegedreamgagnoa]

If I am not mistaken it requires the object/instance of android.app.Activity, isn't it? Which usually we don't have access to that (we only have access to the Activity we defined). It's quite an hassle especially if we don't have access to the owner object.
Looking at the source, I am still not understand how this is different to/surpasses Pine or Whale - where with both frameworks I can easily hook that method.

[yujincheng08]

What I mean is just for testing...

[vegedreamgagnoa]

Oh, sorry - yeah, it works if I tried to invoke the backup using reflection.

[yujincheng08]

Not the backup.

What I mean is:
Hook, invoke the original method by reflection and see if the hook is invoked.

[vegedreamgagnoa]

Nope, not working - only works for Activity that I have defined, as I said.

[yujincheng08]

So reflection (on your own activity) can trigger hook, right?

[vegedreamgagnoa]

Yes! :)

[vegedreamgagnoa]

I am still trying to figure out why it's not working only for Tiramisu...

[yujincheng08]

Ok, then it's the inline problem. Tiramisu has increased its inline threshold so it's not surprising.
See LSPosed/LSPosed@ef1439a, systemMain is also inlined...

As the document has said, you should deoptimize the caller to make it work. Note that it's not deoptimizing the getSystemService but the method which invokes getSystemService.

For example, there's a piece of code like this:

class X {
fun A() {
xxActivity.getSystemService("activity")
}
}

You should deoptmize(X::A) rather than deoptmize(Activity::getSystemService)

[vegedreamgagnoa]

Cool, thanks for the hint. Can you also suggest how to find the caller of the method at runtime?

[yujincheng08]

Cool, thanks for the hint. Can you also suggest how to find the caller of the method at runtime?

It's possible but slow. I recommend you to hard code the callers. But if you are interesting, you can take a look at our experimental API for it at:

https://github.com/LSPosed/DexBuilder/blob/master/include/dex_helper.h

It can search all methods that invoke a specific method.

And a JVM binding is here: https://github.com/yujincheng08/BiliRoaming/blob/master/app/src/main/jni/biliroaming.cc

These APIs are still for experimental usage. We will publish it when it matures.

[vegedreamgagnoa]

This is working: https://github.com/LSPosed/LSPosed/blob/master/core/src/main/cpp/external/yahfa/src/HookMain.cpp

[yujincheng08]

are you hooking a normal app? LSPosed has disabled inline systemwisely so it may work.

[vegedreamgagnoa]

Yeah, I didn't build any Xposed/LSPosed module, just include this library and try on a normal app.
It's still not working as I had hoped, invoking the original using reflection might be good but without the owner object, you can't really do anything...

[vegedreamgagnoa]

Why this closed? We still have a discussion! ))

[yujincheng08]

Not the backup.

[vegedreamgagnoa]

woops, sorry, I mean the original. edited :)

[yujincheng08]

you should deoptimize the caller to make it work.

[yujincheng08]

And. The inline problem affects all hook frameworks, including pine, epic, sandhook, yahfa, etc.

[vegedreamgagnoa]

@yujincheng08 I found this function getInstanceOfClasses on VMDebug class on Android P and higher, might be able to use it to locate the instances/callers?

[yujincheng08]

Reflection is just for tests. If a hook can be invoked by reflection but not by other callers, it's likely inlined.

And the solution is never to find the instances and invoke them by reflection. The solution is to avoid the inline, like deoptimizing all possible callers or recompiling the app with flags that disable the inline.

[yujincheng08]

Why this closed? We still have a discussion! ))

It's not a bug. Maybe we should move it to the discussion.

[vegedreamgagnoa]

Which Android versions that have this inlining problem? Android R, S, and Tiramisu? or just Android S and Tiramisu?

[yujincheng08]

Nearly all.

[yujincheng08]

inline-max-code-units appears in Android 6. So at least Android 6 has the inline problem.

[yujincheng08]

Read https://github.com/asLody/SandHook/blob/master/doc/doc.md#inline-%E5%A4%84%E7%90%86 about the inline problem and how to deal with it.

[vegedreamgagnoa]

@yujincheng08 Seems like everything works correctly. I tried different method, this time, it's android.app.Activity#dispatchTouchEvent. The callback has been called successfully, and I returned true in the callback, but I couldn't tap on anything on my app. Maybe I need to call the super.dispatchTouchEvent (the original method) on the callback? How do I get this object/instance so I can invoke that original method?

[vegedreamgagnoa]

Sure, if there's anything I come with I will try to send a PR :)
By the way, why didn't support Android 5/5.1? Is there anything different?
The last time I checked it's because there's no java/lang/Executable or AbstractMethod in Android 5/5.1.
Is there any alternative hooking mechanism that we can use/you can suggest?

[yujincheng08]

There's AbstractMethod in Android 5.

The thing is.
In Android 6, the art method field is in long type, which is a pointer to the art method native object.
However, in Android 5, the art method field is a java object, and the logic to modify entrypoint or so is totally different.

[vegedreamgagnoa]

@yujincheng08 Is it possible for us to know the called/fired method from the callback?
From public Object callback_method(Object[] args), how can I know the method being called on this callback?

[vegedreamgagnoa]

Never mind - I know how :)

[yujincheng08]

store in the hooker object.
you can store any context and info you need in it.