├── demoApp
├── .gitignore
├── src
│ └── main
│ │ ├── jni
│ │ ├── Application.mk
│ │ ├── Android.mk
│ │ └── hello.c
│ │ ├── res
│ │ ├── values
│ │ │ ├── strings.xml
│ │ │ ├── styles.xml
│ │ │ └── colors.xml
│ │ ├── mipmap-hdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ ├── mipmap-mdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ ├── mipmap-xhdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ ├── mipmap-xxhdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ ├── mipmap-xxxhdpi
│ │ │ ├── ic_launcher.png
│ │ │ └── ic_launcher_round.png
│ │ └── layout
│ │ │ └── activity_main.xml
│ │ ├── java
│ │ └── lab
│ │ │ └── galaxy
│ │ │ └── yahfa
│ │ │ └── demoApp
│ │ │ ├── ClassWithJNIMethod.java
│ │ │ ├── ClassWithCtor.java
│ │ │ ├── ClassWithStaticMethod.java
│ │ │ ├── ClassWithVirtualMethod.java
│ │ │ ├── Hook_Log_e.java
│ │ │ ├── MainApp.java
│ │ │ └── MainActivity.java
│ │ └── AndroidManifest.xml
├── build.gradle
└── README.md
├── demoPlugin
├── .gitignore
├── src
│ └── main
│ │ ├── res
│ │ └── values
│ │ │ └── strings.xml
│ │ ├── AndroidManifest.xml
│ │ └── java
│ │ └── lab
│ │ └── galaxy
│ │ └── yahfa
│ │ ├── demoPlugin
│ │ ├── Hook_Log_e.java
│ │ ├── Hook_ClassWithCtor.java
│ │ ├── Hook_ClassWithJNIMethod_fromJNI.java
│ │ ├── Hook_String_startsWith.java
│ │ ├── Hook_ClassWithStaticMethod_tac.java
│ │ └── Hook_ClassWithVirtualMethod_tac.java
│ │ └── HookInfo.java
├── build.gradle
└── README.md
├── library
├── .gitignore
├── src
│ ├── main
│ │ ├── res
│ │ │ └── values
│ │ │ │ └── strings.xml
│ │ ├── AndroidManifest.xml
│ │ ├── jni
│ │ │ ├── trampoline.h
│ │ │ ├── common.h
│ │ │ ├── trampoline.c
│ │ │ ├── utils.c
│ │ │ └── HookMain.c
│ │ └── java
│ │ │ └── lab
│ │ │ └── galaxy
│ │ │ └── yahfa
│ │ │ ├── HookAnnotation.java
│ │ │ └── HookMain.java
│ └── androidTest
│ │ └── java
│ │ └── lab
│ │ └── galaxy
│ │ └── yahfa
│ │ └── HookingTest.java
├── build.gradle
└── CMakeLists.txt
├── settings.gradle
├── gradle
└── wrapper
│ ├── gradle-wrapper.jar
│ └── gradle-wrapper.properties
├── .gitignore
├── .github
└── workflows
│ └── ci.yml
├── gradle.properties
├── gradlew.bat
├── README.md
├── gradlew
└── LICENSE
/demoApp/.gitignore:
--------------------------------------------------------------------------------
1 | /build
2 |
--------------------------------------------------------------------------------
/demoPlugin/.gitignore:
--------------------------------------------------------------------------------
1 | /build
2 |
--------------------------------------------------------------------------------
/library/.gitignore:
--------------------------------------------------------------------------------
1 | /build
2 |
--------------------------------------------------------------------------------
/settings.gradle:
--------------------------------------------------------------------------------
1 | include ':demoApp', ':library', ':demoPlugin'
2 |
--------------------------------------------------------------------------------
/demoApp/src/main/jni/Application.mk:
--------------------------------------------------------------------------------
1 | APP_ABI := arm64-v8a armeabi-v7a x86
2 |
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PAGalaxyLab/YAHFA/HEAD/gradle/wrapper/gradle-wrapper.jar
--------------------------------------------------------------------------------
/library/src/main/res/values/strings.xml:
--------------------------------------------------------------------------------
1 |
2 | YAHFA
3 |
4 |
--------------------------------------------------------------------------------
/demoApp/src/main/res/values/strings.xml:
--------------------------------------------------------------------------------
1 |
2 | YAHFA Demo
3 |
4 |
--------------------------------------------------------------------------------
/demoPlugin/src/main/res/values/strings.xml:
--------------------------------------------------------------------------------
1 |
2 | YAHFA demoPlugin
3 |
4 |
--------------------------------------------------------------------------------
/demoApp/src/main/res/mipmap-hdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PAGalaxyLab/YAHFA/HEAD/demoApp/src/main/res/mipmap-hdpi/ic_launcher.png
--------------------------------------------------------------------------------
/demoApp/src/main/res/mipmap-mdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PAGalaxyLab/YAHFA/HEAD/demoApp/src/main/res/mipmap-mdpi/ic_launcher.png
--------------------------------------------------------------------------------
/demoApp/src/main/res/mipmap-xhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PAGalaxyLab/YAHFA/HEAD/demoApp/src/main/res/mipmap-xhdpi/ic_launcher.png
--------------------------------------------------------------------------------
/demoApp/src/main/res/mipmap-xxhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PAGalaxyLab/YAHFA/HEAD/demoApp/src/main/res/mipmap-xxhdpi/ic_launcher.png
--------------------------------------------------------------------------------
/demoApp/src/main/res/mipmap-xxxhdpi/ic_launcher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PAGalaxyLab/YAHFA/HEAD/demoApp/src/main/res/mipmap-xxxhdpi/ic_launcher.png
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | *.iml
2 | .gradle
3 | /local.properties
4 | /.idea
5 | .DS_Store
6 | /build
7 | /captures
8 | .externalNativeBuild
9 | *.swp
10 | *.aar
11 |
--------------------------------------------------------------------------------
/demoApp/src/main/res/mipmap-hdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PAGalaxyLab/YAHFA/HEAD/demoApp/src/main/res/mipmap-hdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/demoApp/src/main/res/mipmap-mdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PAGalaxyLab/YAHFA/HEAD/demoApp/src/main/res/mipmap-mdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/demoApp/src/main/res/mipmap-xhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PAGalaxyLab/YAHFA/HEAD/demoApp/src/main/res/mipmap-xhdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/demoApp/src/main/res/mipmap-xxhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PAGalaxyLab/YAHFA/HEAD/demoApp/src/main/res/mipmap-xxhdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/demoApp/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PAGalaxyLab/YAHFA/HEAD/demoApp/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png
--------------------------------------------------------------------------------
/demoApp/src/main/jni/Android.mk:
--------------------------------------------------------------------------------
1 | LOCAL_PATH:= $(call my-dir)
2 | include $(CLEAR_VARS)
3 |
4 | LOCAL_SRC_FILES:= hello.c
5 |
6 | LOCAL_LDLIBS := -llog
7 |
8 | LOCAL_MODULE:= hello
9 |
10 | include $(BUILD_SHARED_LIBRARY)
11 |
--------------------------------------------------------------------------------
/demoApp/src/main/jni/hello.c:
--------------------------------------------------------------------------------
1 | //
2 | // Created by lrk on 5/4/17.
3 | //
4 | #include
5 |
6 | jstring Java_lab_galaxy_yahfa_demoApp_ClassWithJNIMethod_fromJNI(JNIEnv *env, jclass clazz) {
7 | return (*env)->NewStringUTF(env, "hello from JNI");
8 | }
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.properties:
--------------------------------------------------------------------------------
1 | distributionBase=GRADLE_USER_HOME
2 | distributionPath=wrapper/dists
3 | zipStoreBase=GRADLE_USER_HOME
4 | zipStorePath=wrapper/dists
5 | distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip
6 |
--------------------------------------------------------------------------------
/demoApp/src/main/res/values/styles.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/demoApp/src/main/res/values/colors.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | #3F51B5
4 | #303F9F
5 | #FF4081
6 |
7 |
--------------------------------------------------------------------------------
/demoPlugin/build.gradle:
--------------------------------------------------------------------------------
1 | apply plugin: 'com.android.application'
2 |
3 | android {
4 | compileSdkVersion 28
5 | defaultConfig {
6 | applicationId "lab.galaxy.yahfa.demoPlugin"
7 | minSdkVersion 21
8 | targetSdkVersion 28
9 | versionCode 1
10 | versionName "1.0"
11 | }
12 | }
--------------------------------------------------------------------------------
/demoApp/src/main/java/lab/galaxy/yahfa/demoApp/ClassWithJNIMethod.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa.demoApp;
2 |
3 | /**
4 | * Created by lrk on 5/4/17.
5 | */
6 |
7 | public class ClassWithJNIMethod {
8 | static {
9 | System.loadLibrary("hello");
10 | }
11 |
12 | public native static String fromJNI();
13 | }
14 |
--------------------------------------------------------------------------------
/demoApp/src/main/java/lab/galaxy/yahfa/demoApp/ClassWithCtor.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa.demoApp;
2 |
3 | public class ClassWithCtor {
4 | private String field;
5 |
6 | public ClassWithCtor(String param) {
7 | field = param;
8 | }
9 |
10 | public String getField() {
11 | return field;
12 | }
13 | }
14 |
--------------------------------------------------------------------------------
/library/src/main/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
4 |
5 |
9 |
10 |
11 |
12 |
13 |
--------------------------------------------------------------------------------
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
1 | name: Android CI
2 |
3 | on: [push, pull_request]
4 |
5 | jobs:
6 | build:
7 | runs-on: ubuntu-latest
8 | steps:
9 | - uses: actions/checkout@v1
10 | - uses: actions/setup-java@v1
11 | with:
12 | java-version: 1.8
13 | - name: build
14 | run: ./gradlew :library:build --stacktrace
15 |
16 |
17 |
--------------------------------------------------------------------------------
/library/src/main/jni/trampoline.h:
--------------------------------------------------------------------------------
1 | //
2 | // Created by liuruikai756 on 05/07/2017.
3 | //
4 |
5 | #ifndef YAHFA_TAMPOLINE_H
6 | #define YAHFA_TAMPOLINE_H
7 |
8 | void setupTrampoline(unsigned char offset);
9 |
10 | void *genTrampoline(void *toMethod, void *entrypoint);
11 |
12 | #define TRAMPOLINE_SPACE_SIZE 4096 // 4k mem page size
13 |
14 | #endif //YAHFA_TAMPOLINE_H
15 |
--------------------------------------------------------------------------------
/demoPlugin/src/main/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
4 |
5 |
8 |
11 |
12 |
13 |
14 |
--------------------------------------------------------------------------------
/demoApp/src/main/java/lab/galaxy/yahfa/demoApp/ClassWithStaticMethod.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa.demoApp;
2 |
3 | /**
4 | * Created by liuruikai756 on 30/03/2017.
5 | */
6 |
7 | public class ClassWithStaticMethod {
8 | public static String tac(String a, String b, String c, String d) {
9 | try {
10 | return d + c + b + a;
11 | } catch (Exception e) {
12 | e.printStackTrace();
13 | return "";
14 | }
15 | }
16 | }
17 |
--------------------------------------------------------------------------------
/demoApp/src/main/java/lab/galaxy/yahfa/demoApp/ClassWithVirtualMethod.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa.demoApp;
2 |
3 | /**
4 | * Created by liuruikai756 on 30/03/2017.
5 | */
6 |
7 | public class ClassWithVirtualMethod {
8 | final public String tac(String a, String b, String c, String d) {
9 | try {
10 | return d + c + b + a;
11 | } catch (Exception e) {
12 | e.printStackTrace();
13 | return "";
14 | }
15 | }
16 | }
17 |
--------------------------------------------------------------------------------
/demoApp/build.gradle:
--------------------------------------------------------------------------------
1 | apply plugin: 'com.android.application'
2 |
3 | android {
4 | compileSdkVersion 28
5 | defaultConfig {
6 | applicationId "lab.galaxy.yahfa.demoApp"
7 | minSdkVersion 21
8 | targetSdkVersion 28
9 | versionCode 1
10 | versionName "1.0"
11 | }
12 | externalNativeBuild {
13 | ndkBuild {
14 | path 'src/main/jni/Android.mk'
15 | }
16 | }
17 | }
18 |
19 | dependencies {
20 | implementation project(':library')
21 | }
22 |
--------------------------------------------------------------------------------
/demoApp/README.md:
--------------------------------------------------------------------------------
1 | YAHFA demoApp
2 | -------------
3 |
4 | Here is a demo app which shows the basic usage of YAHFA.
5 |
6 | ## Prerequisite
7 |
8 | Please build and push the [demoPlugin](https://github.com/rk700/YAHFA/tree/master/demoPlugin) APK to sdcard before running the demo app.
9 |
10 | ## Usage
11 |
12 | Click the button and take a look at the app log.
13 |
14 | ## What happened
15 |
16 | The demo app loads and applies the plugin APK, which hooks the following methods:
17 |
18 | - Log.e()
19 | - String.startsWith()
20 | - ClassWithVirtualMethod.tac()
21 | - ClassWithStaticMethod.tac()
22 |
23 | After hooking, the arguments would be displayed and then the original method be called.
24 |
--------------------------------------------------------------------------------
/demoApp/src/main/java/lab/galaxy/yahfa/demoApp/Hook_Log_e.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa.demoApp;
2 |
3 | import android.util.Log;
4 |
5 | public class Hook_Log_e {
6 | public static String className = "android.util.Log";
7 | public static String methodName = "e";
8 | public static String methodSig = "(Ljava/lang/String;Ljava/lang/String;)I";
9 |
10 | public static int hook(String tag, String msg) {
11 | Log.w("HookTest", "in Log.e(): " + tag + ", " + msg);
12 | return backup(tag, msg);
13 | }
14 |
15 | public static int backup(String tag, String msg) {
16 | Log.w("HookTest", "Log.e() should not be here");
17 | return 1;
18 | }
19 | }
20 |
--------------------------------------------------------------------------------
/demoPlugin/src/main/java/lab/galaxy/yahfa/demoPlugin/Hook_Log_e.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa.demoPlugin;
2 |
3 | import android.util.Log;
4 |
5 | import static lab.galaxy.yahfa.HookInfo.TAG;
6 |
7 | /**
8 | * Created by liuruikai756 on 30/03/2017.
9 | */
10 |
11 | public class Hook_Log_e {
12 | public static String className = "android.util.Log";
13 | public static String methodName = "e";
14 | public static String methodSig = "(Ljava/lang/String;Ljava/lang/String;)I";
15 |
16 | public static int hook(String tag, String msg) {
17 | Log.w(TAG, "in Log.e(): " + tag + ", " + msg);
18 | return backup(tag, msg);
19 | }
20 |
21 | public static int backup(String tag, String msg) {
22 | Log.w(TAG, "Log.e() should not be here");
23 | return 1;
24 | }
25 | }
26 |
--------------------------------------------------------------------------------
/demoPlugin/src/main/java/lab/galaxy/yahfa/demoPlugin/Hook_ClassWithCtor.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa.demoPlugin;
2 |
3 | import android.util.Log;
4 |
5 | import static lab.galaxy.yahfa.HookInfo.TAG;
6 |
7 | public class Hook_ClassWithCtor {
8 | public static String className = "lab.galaxy.yahfa.demoApp.ClassWithCtor";
9 | public static String methodName = "";
10 | public static String methodSig =
11 | "(Ljava/lang/String;)V";
12 |
13 | public static void hook(Object thiz, String param) {
14 | Log.w(TAG, "in ClassWithCtor.: " + param);
15 | backup(thiz, "hooked " + param);
16 | return;
17 | }
18 |
19 | public static void backup(Object thiz, String param) {
20 | Log.w(TAG, "ClassWithVirtualMethod.tac() should not be here");
21 | return;
22 | }
23 | }
24 |
--------------------------------------------------------------------------------
/demoPlugin/src/main/java/lab/galaxy/yahfa/demoPlugin/Hook_ClassWithJNIMethod_fromJNI.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa.demoPlugin;
2 |
3 | import android.util.Log;
4 |
5 | import static lab.galaxy.yahfa.HookInfo.TAG;
6 |
7 | /**
8 | * Created by lrk on 5/4/17.
9 | */
10 |
11 | public class Hook_ClassWithJNIMethod_fromJNI {
12 | public static String className = "lab.galaxy.yahfa.demoApp.ClassWithJNIMethod";
13 | public static String methodName = "fromJNI";
14 | public static String methodSig = "()Ljava/lang/String;";
15 |
16 | // calling origin method is no longer available for JNI methods
17 | public static String hook() {
18 | Log.w(TAG, "calling fromJNI");
19 | return backup();
20 | }
21 |
22 | public static String backup() {
23 | Log.w(TAG, "calling fromJNI");
24 | return "1234";
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/demoPlugin/src/main/java/lab/galaxy/yahfa/demoPlugin/Hook_String_startsWith.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa.demoPlugin;
2 |
3 | import android.util.Log;
4 |
5 | import static lab.galaxy.yahfa.HookInfo.TAG;
6 |
7 | /**
8 | * Created by liuruikai756 on 30/03/2017.
9 | */
10 |
11 | public class Hook_String_startsWith {
12 | public static String className = "java.lang.String";
13 | public static String methodName = "startsWith";
14 | public static String methodSig = "(Ljava/lang/String;)Z";
15 |
16 | public static boolean hook(String thiz, String prefix) {
17 | Log.w(TAG, "in String.startsWith(): " + thiz + ", " + prefix);
18 | return backup(thiz, prefix);
19 | }
20 |
21 | public static boolean backup(String thiz, String prefix) {
22 | Log.w(TAG, "String.startsWith() should not be here");
23 | return false;
24 | }
25 | }
26 |
--------------------------------------------------------------------------------
/gradle.properties:
--------------------------------------------------------------------------------
1 | ## Project-wide Gradle settings.
2 | #
3 | # For more details on how to configure your build environment visit
4 | # http://www.gradle.org/docs/current/userguide/build_environment.html
5 | #
6 | # Specifies the JVM arguments used for the daemon process.
7 | # The setting is particularly useful for tweaking memory settings.
8 | # Default value: -Xmx1024m -XX:MaxPermSize=256m
9 | # org.gradle.jvmargs=-Xmx2048m -XX:MaxPermSize=512m -XX:+HeapDumpOnOutOfMemoryError -Dfile.encoding=UTF-8
10 | #
11 | # When configured, Gradle will run in incubating parallel mode.
12 | # This option should only be used with decoupled projects. More details, visit
13 | # http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects
14 | # org.gradle.parallel=true
15 | #Wed Dec 06 09:59:46 CST 2017
16 | android.enableJetifier=true
17 | android.useAndroidX=true
18 | org.gradle.jvmargs=-Xmx1536m
19 |
--------------------------------------------------------------------------------
/demoApp/src/main/res/layout/activity_main.xml:
--------------------------------------------------------------------------------
1 |
2 |
7 |
8 |
14 |
15 |
22 |
23 |
--------------------------------------------------------------------------------
/demoApp/src/main/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
4 |
5 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/demoPlugin/src/main/java/lab/galaxy/yahfa/HookInfo.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa;
2 |
3 | import lab.galaxy.yahfa.demoPlugin.Hook_ClassWithCtor;
4 | import lab.galaxy.yahfa.demoPlugin.Hook_ClassWithJNIMethod_fromJNI;
5 | import lab.galaxy.yahfa.demoPlugin.Hook_ClassWithStaticMethod_tac;
6 | import lab.galaxy.yahfa.demoPlugin.Hook_ClassWithVirtualMethod_tac;
7 | import lab.galaxy.yahfa.demoPlugin.Hook_Log_e;
8 | import lab.galaxy.yahfa.demoPlugin.Hook_String_startsWith;
9 |
10 | /**
11 | * Created by liuruikai756 on 30/03/2017.
12 | */
13 |
14 | public class HookInfo {
15 | public static final String TAG = "HookInfo";
16 | public static String[] hookItemNames = {
17 | Hook_Log_e.class.getName(),
18 | Hook_String_startsWith.class.getName(),
19 | Hook_ClassWithVirtualMethod_tac.class.getName(),
20 | Hook_ClassWithStaticMethod_tac.class.getName(),
21 | Hook_ClassWithJNIMethod_fromJNI.class.getName(),
22 | Hook_ClassWithCtor.class.getName(),
23 | };
24 | }
25 |
--------------------------------------------------------------------------------
/demoPlugin/src/main/java/lab/galaxy/yahfa/demoPlugin/Hook_ClassWithStaticMethod_tac.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa.demoPlugin;
2 |
3 | import android.util.Log;
4 |
5 | import static lab.galaxy.yahfa.HookInfo.TAG;
6 |
7 | /**
8 | * Created by liuruikai756 on 30/03/2017.
9 | */
10 |
11 | public class Hook_ClassWithStaticMethod_tac {
12 | public static String className = "lab.galaxy.yahfa.demoApp.ClassWithStaticMethod";
13 | public static String methodName = "tac";
14 | public static String methodSig =
15 | "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;";
16 |
17 | public static String hook(String a, String b, String c, String d) {
18 | Log.w(TAG, "in ClassWithStaticMethod.tac(): " + a + ", " + b + ", " + c + ", " + d);
19 | return "test" + a;
20 | }
21 | /*
22 | public static String backup(String a, String b, String c, String d) {
23 | Log.w(TAG, "ClassWithStaticMethod.tac() should not be here");
24 | return "";
25 | }
26 | */
27 | }
28 |
--------------------------------------------------------------------------------
/library/build.gradle:
--------------------------------------------------------------------------------
1 | plugins {
2 | id 'com.android.library'
3 | }
4 |
5 | android {
6 | compileSdkVersion 28
7 | defaultConfig {
8 | minSdkVersion 21
9 | targetSdkVersion 28
10 | versionCode 1
11 | versionName "1.0"
12 |
13 | testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
14 |
15 | externalNativeBuild {
16 | cmake {
17 | arguments "-DANDROID_STL=none"
18 | }
19 | }
20 | }
21 | externalNativeBuild {
22 | cmake {
23 | path 'CMakeLists.txt'
24 | }
25 | }
26 | buildFeatures {
27 | prefab true
28 | }
29 |
30 | packagingOptions {
31 | exclude "**/libdlfunc.so"
32 | }
33 |
34 | // testOptions {
35 | // unitTests {
36 | // packagingOptions {
37 | // pickFirst "**/libdlfunc.so"
38 | // }
39 | // }
40 | // }
41 | }
42 |
43 | dependencies {
44 | implementation 'io.github.rk700:dlfunc:0.1.0'
45 | testImplementation 'junit:junit:4.12'
46 | androidTestImplementation 'androidx.test.espresso:espresso-core:3.1.0-alpha4'
47 | }
48 |
49 |
--------------------------------------------------------------------------------
/demoApp/src/main/java/lab/galaxy/yahfa/demoApp/MainApp.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa.demoApp;
2 |
3 | import android.app.Application;
4 | import android.content.Context;
5 | import android.os.Environment;
6 |
7 | import java.io.File;
8 |
9 | import dalvik.system.DexClassLoader;
10 | import lab.galaxy.yahfa.HookMain;
11 |
12 | /**
13 | * Created by liuruikai756 on 30/03/2017.
14 | */
15 |
16 | public class MainApp extends Application {
17 | @Override
18 | protected void attachBaseContext(Context base) {
19 | super.attachBaseContext(base);
20 |
21 | try {
22 | /*
23 | Build and put the demoPlugin apk in sdcard before running the demoApp
24 | */
25 | ClassLoader classLoader = getClassLoader();
26 |
27 | DexClassLoader dexClassLoader = new DexClassLoader(
28 | new File(Environment.getExternalStorageDirectory(), "demoPlugin-debug.apk").getAbsolutePath(),
29 | getCodeCacheDir().getAbsolutePath(), null, classLoader);
30 | HookMain.doHookDefault(dexClassLoader, classLoader);
31 | } catch (Exception e) {
32 | e.printStackTrace();
33 | }
34 | }
35 | }
36 |
--------------------------------------------------------------------------------
/demoPlugin/src/main/java/lab/galaxy/yahfa/demoPlugin/Hook_ClassWithVirtualMethod_tac.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa.demoPlugin;
2 |
3 | import android.util.Log;
4 |
5 | import static lab.galaxy.yahfa.HookInfo.TAG;
6 |
7 | /**
8 | * Created by liuruikai756 on 30/03/2017.
9 | */
10 |
11 | public class Hook_ClassWithVirtualMethod_tac {
12 | public static String className = "lab.galaxy.yahfa.demoApp.ClassWithVirtualMethod";
13 | public static String methodName = "tac";
14 | public static String methodSig =
15 | "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;";
16 |
17 | public static String hook(Object thiz, String a, String b, String c, String d) {
18 | int uid = android.os.Process.myUid();
19 | Log.w(TAG, "in ClassWithVirtualMethod.tac(): " + a + ", " + b + ", " + c + ", " + d + ": " + uid);
20 | return backup(thiz, a, b, c, d);
21 | }
22 |
23 | public static String backup(Object thiz, String a, String b, String c, String d) {
24 | try {
25 | Log.w(TAG, "ClassWithVirtualMethod.tac() should not be here");
26 | }
27 | catch (Exception e) {
28 |
29 | }
30 | return "";
31 | }
32 | }
33 |
34 |
--------------------------------------------------------------------------------
/library/src/main/jni/common.h:
--------------------------------------------------------------------------------
1 | //
2 | // Created by liuruikai756 on 05/07/2017.
3 | //
4 | #ifndef YAHFA_COMMON_H
5 | #define YAHFA_COMMON_H
6 |
7 | #include
8 | #include
9 | #include
10 |
11 | // Android 13
12 | #ifndef __ANDROID_API_T__
13 | #define __ANDROID_API_T__ 33
14 | #endif
15 |
16 | // Android 12+
17 | #ifndef __ANDROID_API_S_L__
18 | #define __ANDROID_API_S_L__ 32
19 | #endif
20 |
21 | #ifndef __ANDROID_API_S__
22 | #define __ANDROID_API_S__ 31
23 | #endif
24 |
25 | extern int SDKVersion;
26 |
27 | #define LOG_TAG "YAHFA-Native"
28 | #define LOGI(...) __android_log_print(ANDROID_LOG_INFO,LOG_TAG,__VA_ARGS__)
29 | #define LOGW(...) __android_log_print(ANDROID_LOG_WARN,LOG_TAG,__VA_ARGS__)
30 | #define LOGE(...) __android_log_print(ANDROID_LOG_ERROR,LOG_TAG,__VA_ARGS__)
31 |
32 | #define pointer_size sizeof(void*)
33 | #define roundUpToPtrSize(v) (v + pointer_size - 1 - ((v + pointer_size - 1) & (pointer_size - 1)))
34 |
35 | #define read32(addr) *((uint32_t *)(addr))
36 |
37 | #define write32(addr, value) *((uint32_t *)(addr)) = (value)
38 |
39 | #define readAddr(addr) *((void **)(addr))
40 |
41 | #define writeAddr(addr, value) *((void **)(addr)) = (value)
42 |
43 | #endif //YAHFA_COMMON_H
44 |
--------------------------------------------------------------------------------
/library/CMakeLists.txt:
--------------------------------------------------------------------------------
1 | # Sets the minimum version of CMake required to build your native library.
2 | # This ensures that a certain set of CMake features is available to
3 | # your build.
4 |
5 | cmake_minimum_required(VERSION 3.4.1)
6 |
7 | # Specifies a library name, specifies whether the library is STATIC or
8 | # SHARED, and provides relative paths to the source code. You can
9 | # define multiple libraries by adding multiple add_library() commands,
10 | # and CMake builds them for you. When you build your app, Gradle
11 | # automatically packages shared libraries with your APK.
12 |
13 | find_library( # Defines the name of the path variable that stores the
14 | # location of the NDK library.
15 | log-lib
16 |
17 | # Specifies the name of the NDK library that
18 | # CMake needs to locate.
19 | log )
20 |
21 |
22 | add_library( # Specifies the name of the library.
23 | yahfa
24 |
25 | # Sets the library as a shared library.
26 | SHARED
27 |
28 | # Provides a relative path to your source file(s).
29 | src/main/jni/HookMain.c
30 | src/main/jni/trampoline.c
31 | src/main/jni/utils.c
32 | )
33 |
34 | # class visibly init only needed after Android R for arm
35 | if(${ANDROID_ABI} MATCHES "arm")
36 | find_package(dlfunc REQUIRED CONFIG)
37 | target_link_libraries( # Specifies the target library.
38 | yahfa
39 |
40 | # Links the log library to the target library.
41 | ${log-lib}
42 | dlfunc::dlfunc
43 | )
44 | else()
45 | target_link_libraries( # Specifies the target library.
46 | yahfa
47 |
48 | # Links the log library to the target library.
49 | ${log-lib}
50 | )
51 | endif()
52 |
53 |
54 |
--------------------------------------------------------------------------------
/demoPlugin/README.md:
--------------------------------------------------------------------------------
1 | YAHFA demoPlugin
2 | ----------------
3 |
4 | Here is a demo plugin which contains the hook info.
5 |
6 | ## Usage
7 |
8 | Build the plugin and you'll get an APK file. Push the APK to `/sdcard/demoPlugin-debug.apk` before running the [demoApp](https://github.com/rk700/YAHFA/tree/master/demoApp).
9 |
10 | ## How to write a plugin
11 |
12 | To hook a method, please create a `Class` which has the following fields:
13 |
14 | - A static `String` field named `className`. This is the name of the class where the target method belongs to
15 | - A static `String` field named `methodName`. This is the name of the target method
16 | - A static `String` field named `methodSig`. This is the signature string of the target method
17 |
18 | The above fields are used for finding target method. Besides, the class should have the following methods:
19 |
20 | - A __static__ method named `hook`. This is the hook method that would replace the target method. Please make sure that the arguments do match. For example, if you hook a virtual method, then the first argument of the `hook()` should be _this_ `Object`.
21 | - A __static__ method named `backup`. This is the placeholder where the target method would be backed up before hooking. You can invoke `backup()` in `hook()` wherever you like. Since `backup()` is a placeholder, how the method is implemented doesn't matter. Also, `backup()` is optional, which means it's not necessary if the original method would not be called.
22 |
23 | Now you have a class which contains all the information for hooking a method. We call this class _hook item_. You can create as many hook items as you like.
24 |
25 | After creating all the hook items, put their names in the field `hookItemNames` of class `lab.galaxy.yahfa.HookInfo`. YAHFA would read this field for hook items when loading the plugin.
26 |
27 |
--------------------------------------------------------------------------------
/demoApp/src/main/java/lab/galaxy/yahfa/demoApp/MainActivity.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa.demoApp;
2 |
3 | import android.app.Activity;
4 | import android.os.Bundle;
5 | import android.util.Log;
6 | import android.view.View;
7 | import android.widget.Button;
8 |
9 | import java.lang.reflect.Method;
10 |
11 | import lab.galaxy.yahfa.HookMain;
12 |
13 | public class MainActivity extends Activity {
14 | private static final String TAG = "origin";
15 |
16 | @Override
17 | protected void onCreate(Bundle savedInstanceState) {
18 | super.onCreate(savedInstanceState);
19 | setContentView(R.layout.activity_main);
20 |
21 | findViewById(R.id.hookBtn).setOnClickListener(new View.OnClickListener() {
22 | @Override
23 | public void onClick(View v) {
24 | try {
25 | Method hook = Hook_Log_e.class.getDeclaredMethod("hook", String.class, String.class);
26 | Method backup = Hook_Log_e.class.getDeclaredMethod("backup", String.class, String.class);
27 | HookMain.findAndBackupAndHook(Log.class, Hook_Log_e.methodName, Hook_Log_e.methodSig, hook, backup);
28 | } catch (NoSuchMethodException e) {
29 | e.printStackTrace();
30 | }
31 | }
32 | });
33 |
34 | Button button = (Button) findViewById(R.id.button);
35 | button.setOnClickListener(new View.OnClickListener() {
36 | @Override
37 | public void onClick(View v) {
38 | for (int i = 0; i < 200; i++) {
39 | doWork();
40 | }
41 | }
42 | });
43 | }
44 |
45 | void doWork() {
46 | // Log.e() should be hooked
47 | Log.e(TAG, "call Log.e()");
48 | // String.startsWith() should be hooked
49 | Log.w(TAG, "foo startsWith f is " + "foo".startsWith("f"));
50 | // ClassWithVirtualMethod.tac() should be hooked
51 | Log.w(TAG, "virtual tac a,b,c,d, got " +
52 | new ClassWithVirtualMethod().tac("a", "b", "c", "d"));
53 | // ClassWithStaticMethod.tac() should be hooked
54 | Log.w(TAG, "static tac a,b,c,d, got " +
55 | ClassWithStaticMethod.tac("a", "b", "c", "d"));
56 | Log.w(TAG, "JNI method return string: " + ClassWithJNIMethod.fromJNI());
57 |
58 | ClassWithCtor classWithCtor = new ClassWithCtor("param");
59 | Log.w(TAG, "class ctor and get field: " + classWithCtor.getField());
60 | }
61 | }
62 |
--------------------------------------------------------------------------------
/gradlew.bat:
--------------------------------------------------------------------------------
1 | @if "%DEBUG%" == "" @echo off
2 | @rem ##########################################################################
3 | @rem
4 | @rem Gradle startup script for Windows
5 | @rem
6 | @rem ##########################################################################
7 |
8 | @rem Set local scope for the variables with windows NT shell
9 | if "%OS%"=="Windows_NT" setlocal
10 |
11 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
12 | set DEFAULT_JVM_OPTS=
13 |
14 | set DIRNAME=%~dp0
15 | if "%DIRNAME%" == "" set DIRNAME=.
16 | set APP_BASE_NAME=%~n0
17 | set APP_HOME=%DIRNAME%
18 |
19 | @rem Find java.exe
20 | if defined JAVA_HOME goto findJavaFromJavaHome
21 |
22 | set JAVA_EXE=java.exe
23 | %JAVA_EXE% -version >NUL 2>&1
24 | if "%ERRORLEVEL%" == "0" goto init
25 |
26 | echo.
27 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
28 | echo.
29 | echo Please set the JAVA_HOME variable in your environment to match the
30 | echo location of your Java installation.
31 |
32 | goto fail
33 |
34 | :findJavaFromJavaHome
35 | set JAVA_HOME=%JAVA_HOME:"=%
36 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe
37 |
38 | if exist "%JAVA_EXE%" goto init
39 |
40 | echo.
41 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
42 | echo.
43 | echo Please set the JAVA_HOME variable in your environment to match the
44 | echo location of your Java installation.
45 |
46 | goto fail
47 |
48 | :init
49 | @rem Get command-line arguments, handling Windowz variants
50 |
51 | if not "%OS%" == "Windows_NT" goto win9xME_args
52 | if "%@eval[2+2]" == "4" goto 4NT_args
53 |
54 | :win9xME_args
55 | @rem Slurp the command line arguments.
56 | set CMD_LINE_ARGS=
57 | set _SKIP=2
58 |
59 | :win9xME_args_slurp
60 | if "x%~1" == "x" goto execute
61 |
62 | set CMD_LINE_ARGS=%*
63 | goto execute
64 |
65 | :4NT_args
66 | @rem Get arguments from the 4NT Shell from JP Software
67 | set CMD_LINE_ARGS=%$
68 |
69 | :execute
70 | @rem Setup the command line
71 |
72 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
73 |
74 | @rem Execute Gradle
75 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
76 |
77 | :end
78 | @rem End local scope for the variables with windows NT shell
79 | if "%ERRORLEVEL%"=="0" goto mainEnd
80 |
81 | :fail
82 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
83 | rem the _cmd.exe /c_ return code!
84 | if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
85 | exit /b 1
86 |
87 | :mainEnd
88 | if "%OS%"=="Windows_NT" endlocal
89 |
90 | :omega
91 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | YAHFA
2 | ----------------
3 |
4 | [](https://github.com/PAGalaxyLab/YAHFA/actions)
5 | [](https://github.com/PAGalaxyLab/YAHFA/releases/latest/download/library-release.aar)
6 | [](https://repo1.maven.org/maven2/io/github/pagalaxylab/yahfa/)
7 |
8 | ## Introduction
9 |
10 | YAHFA is a hook framework for Android ART. It provides an efficient way for Java method hooking or replacement. Currently it supports:
11 |
12 | - ~~Android 5.0(API 21)~~
13 | - ~~Android 5.1(API 22)~~
14 | - ~~Android 6.0(API 23)~~
15 | - Android 7.0(API 24)
16 | - Android 7.1(API 25)
17 | - Android 8.0(API 26)
18 | - Android 8.1(API 27)
19 | - Android 9(API 28)
20 | - Android 10(API 29)
21 | - Android 11(API 30)
22 | - Android 12(DP1)
23 |
24 | (Support for version <= 6.0 is broken after commit [9824bdd](https://github.com/PAGalaxyLab/YAHFA/commit/9824bdd9d958fd0eca43537b6288bb04da191036).)
25 |
26 | with ABI:
27 |
28 | - x86
29 | - x86_64
30 | - armeabi-v7a
31 | - arm64-v8a
32 |
33 | YAHFA is utilized by [VirtualHook](https://github.com/rk700/VirtualHook) so that applications can be hooked without root permission.
34 |
35 | Please take a look at this [article](http://rk700.github.io/2017/03/30/YAHFA-introduction/) and this [one](http://rk700.github.io/2017/06/30/hook-on-android-n/) for a detailed introduction.
36 |
37 | [更新说明](https://github.com/rk700/YAHFA/wiki/%E6%9B%B4%E6%96%B0%E8%AF%B4%E6%98%8E)
38 |
39 | ## Setup
40 |
41 | Add Maven central repo in `build.gradle`:
42 |
43 | ```
44 | buildscript {
45 | repositories {
46 | mavenCentral()
47 | }
48 | }
49 |
50 | allprojects {
51 | repositories {
52 | mavenCentral()
53 | }
54 | }
55 | ```
56 |
57 | Then add YAHFA as a dependency:
58 |
59 | ```
60 | dependencies {
61 | implementation 'io.github.pagalaxylab:yahfa:0.10.0'
62 | }
63 | ```
64 |
65 | YAHFA depends on [dlfunc](https://github.com/rk700/dlfunc) after commit [5b60df8](https://github.com/PAGalaxyLab/YAHFA/commit/5b60df8af85fab2b4901cf881c7e9362010c0472) for calling `MakeInitializedClassesVisiblyInitialized` explicitly on Android R, and Android Gradle Plugin version 4.1+ is required for that native library dependency.
66 |
67 | ## Usage
68 |
69 | To hook a method:
70 |
71 | ```java
72 | HookMain.backupAndHook(Method target, Method hook, Method backup);
73 | ```
74 |
75 | where `backup` would be a placeholder for invoking the target method. Set `backup` to null or just use `HookMain.hook(Method target, Method hook)` if the original code is not needed.
76 |
77 | Both `hook` and `backup` are static methods, and their parameters should match the ones of `target`. Please take a look at [demoPlugin](https://github.com/rk700/YAHFA/tree/master/demoPlugin) on how these methods are defined.
78 |
79 | ## Workaround for Method Inlining
80 |
81 | Hooking would fail for methods that are compiled to be inlined. For example:
82 |
83 | ```
84 | 0x00004d5a: f24a7e81 movw lr, #42881
85 | 0x00004d5e: f2c73e11 movt lr, #29457
86 | 0x00004d62: f6495040 movw r0, #40256
87 | 0x00004d66: f2c70033 movt r0, #28723
88 | 0x00004d6a: 4641 mov r1, r8
89 | 0x00004d6c: 1c32 mov r2, r6
90 | 0x00004d6e: 47f0 blx lr
91 | ```
92 |
93 | Here the value of register `lr` is hardcoded instead of reading from entry point field of `ArtMethod`.
94 |
95 | A simple workaround is to build the APP with debuggable option on, in which case the inlining optimization will not apply. However the option `--debuggable` of `dex2oat` is not available until API 23. So please take a look at machine instructions of the target when the hook doesn't work.
96 |
97 | ## License
98 |
99 | YAHFA is distributed under GNU GPL V3.
100 |
--------------------------------------------------------------------------------
/gradlew:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | ##############################################################################
4 | ##
5 | ## Gradle start up script for UN*X
6 | ##
7 | ##############################################################################
8 |
9 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
10 | DEFAULT_JVM_OPTS=""
11 |
12 | APP_NAME="Gradle"
13 | APP_BASE_NAME=`basename "$0"`
14 |
15 | # Use the maximum available, or set MAX_FD != -1 to use that value.
16 | MAX_FD="maximum"
17 |
18 | warn ( ) {
19 | echo "$*"
20 | }
21 |
22 | die ( ) {
23 | echo
24 | echo "$*"
25 | echo
26 | exit 1
27 | }
28 |
29 | # OS specific support (must be 'true' or 'false').
30 | cygwin=false
31 | msys=false
32 | darwin=false
33 | case "`uname`" in
34 | CYGWIN* )
35 | cygwin=true
36 | ;;
37 | Darwin* )
38 | darwin=true
39 | ;;
40 | MINGW* )
41 | msys=true
42 | ;;
43 | esac
44 |
45 | # Attempt to set APP_HOME
46 | # Resolve links: $0 may be a link
47 | PRG="$0"
48 | # Need this for relative symlinks.
49 | while [ -h "$PRG" ] ; do
50 | ls=`ls -ld "$PRG"`
51 | link=`expr "$ls" : '.*-> \(.*\)$'`
52 | if expr "$link" : '/.*' > /dev/null; then
53 | PRG="$link"
54 | else
55 | PRG=`dirname "$PRG"`"/$link"
56 | fi
57 | done
58 | SAVED="`pwd`"
59 | cd "`dirname \"$PRG\"`/" >/dev/null
60 | APP_HOME="`pwd -P`"
61 | cd "$SAVED" >/dev/null
62 |
63 | CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
64 |
65 | # Determine the Java command to use to start the JVM.
66 | if [ -n "$JAVA_HOME" ] ; then
67 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
68 | # IBM's JDK on AIX uses strange locations for the executables
69 | JAVACMD="$JAVA_HOME/jre/sh/java"
70 | else
71 | JAVACMD="$JAVA_HOME/bin/java"
72 | fi
73 | if [ ! -x "$JAVACMD" ] ; then
74 | die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
75 |
76 | Please set the JAVA_HOME variable in your environment to match the
77 | location of your Java installation."
78 | fi
79 | else
80 | JAVACMD="java"
81 | which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
82 |
83 | Please set the JAVA_HOME variable in your environment to match the
84 | location of your Java installation."
85 | fi
86 |
87 | # Increase the maximum file descriptors if we can.
88 | if [ "$cygwin" = "false" -a "$darwin" = "false" ] ; then
89 | MAX_FD_LIMIT=`ulimit -H -n`
90 | if [ $? -eq 0 ] ; then
91 | if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
92 | MAX_FD="$MAX_FD_LIMIT"
93 | fi
94 | ulimit -n $MAX_FD
95 | if [ $? -ne 0 ] ; then
96 | warn "Could not set maximum file descriptor limit: $MAX_FD"
97 | fi
98 | else
99 | warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
100 | fi
101 | fi
102 |
103 | # For Darwin, add options to specify how the application appears in the dock
104 | if $darwin; then
105 | GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
106 | fi
107 |
108 | # For Cygwin, switch paths to Windows format before running java
109 | if $cygwin ; then
110 | APP_HOME=`cygpath --path --mixed "$APP_HOME"`
111 | CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
112 | JAVACMD=`cygpath --unix "$JAVACMD"`
113 |
114 | # We build the pattern for arguments to be converted via cygpath
115 | ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
116 | SEP=""
117 | for dir in $ROOTDIRSRAW ; do
118 | ROOTDIRS="$ROOTDIRS$SEP$dir"
119 | SEP="|"
120 | done
121 | OURCYGPATTERN="(^($ROOTDIRS))"
122 | # Add a user-defined pattern to the cygpath arguments
123 | if [ "$GRADLE_CYGPATTERN" != "" ] ; then
124 | OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
125 | fi
126 | # Now convert the arguments - kludge to limit ourselves to /bin/sh
127 | i=0
128 | for arg in "$@" ; do
129 | CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
130 | CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
131 |
132 | if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
133 | eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
134 | else
135 | eval `echo args$i`="\"$arg\""
136 | fi
137 | i=$((i+1))
138 | done
139 | case $i in
140 | (0) set -- ;;
141 | (1) set -- "$args0" ;;
142 | (2) set -- "$args0" "$args1" ;;
143 | (3) set -- "$args0" "$args1" "$args2" ;;
144 | (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
145 | (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
146 | (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
147 | (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
148 | (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
149 | (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
150 | esac
151 | fi
152 |
153 | # Split up the JVM_OPTS And GRADLE_OPTS values into an array, following the shell quoting and substitution rules
154 | function splitJvmOpts() {
155 | JVM_OPTS=("$@")
156 | }
157 | eval splitJvmOpts $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS
158 | JVM_OPTS[${#JVM_OPTS[*]}]="-Dorg.gradle.appname=$APP_BASE_NAME"
159 |
160 | exec "$JAVACMD" "${JVM_OPTS[@]}" -classpath "$CLASSPATH" org.gradle.wrapper.GradleWrapperMain "$@"
161 |
--------------------------------------------------------------------------------
/library/src/main/jni/trampoline.c:
--------------------------------------------------------------------------------
1 | //
2 | // Created by liuruikai756 on 05/07/2017.
3 | //
4 | #include
5 | #include
6 | #include
7 | #include
8 |
9 | #include "common.h"
10 | #include "trampoline.h"
11 |
12 | static unsigned char *currentTrampolineOff = 0;
13 | static unsigned char *trampolineSpaceEnd = 0;
14 |
15 | static void *allocTrampolineSpace();
16 |
17 | // trampoline:
18 | // 1. set eax/rdi/r0/x0 to the hook ArtMethod addr
19 | // 2. jump into its entry point
20 |
21 | // trampoline for backup:
22 | // 1. set eax/rdi/r0/x0 to the target ArtMethod addr
23 | // 2. ret to the hardcoded original entry point
24 |
25 | #if defined(__i386__)
26 | // b8 78 56 34 12 ; mov eax, 0x12345678 (addr of the hook method)
27 | // ff 70 20 ; push DWORD PTR [eax + 0x20]
28 | // c3 ; ret
29 | unsigned char trampoline[] = {
30 | 0x00, 0x00, 0x00, 0x00, // code_size_ in OatQuickMethodHeader
31 | 0xb8, 0x78, 0x56, 0x34, 0x12,
32 | 0xff, 0x70, 0x20,
33 | 0xc3
34 | };
35 |
36 | // b8 78 56 34 12 ; mov eax, 0x12345678 (addr of the target method)
37 | // 68 78 56 34 12 ; push 0x12345678 (original entry point of the target method)
38 | // c3 ; ret
39 | unsigned char trampolineForBackup[] = {
40 | 0xb8, 0x78, 0x56, 0x34, 0x12,
41 | 0x68, 0x78, 0x56, 0x34, 0x12,
42 | 0xc3
43 | };
44 |
45 | #elif defined(__x86_64__)
46 | // 48 bf 78 56 34 12 78 56 34 12 ; movabs rdi, 0x1234567812345678
47 | // ff 77 20 ; push QWORD PTR [rdi + 0x20]
48 | // c3 ; ret
49 | unsigned char trampoline[] = {
50 | 0x00, 0x00, 0x00, 0x00, // code_size_ in OatQuickMethodHeader
51 | 0x48, 0xbf, 0x78, 0x56, 0x34, 0x12, 0x78, 0x56, 0x34, 0x12,
52 | 0xff, 0x77, 0x20,
53 | 0xc3
54 | };
55 |
56 | // 48 bf 78 56 34 12 78 56 34 12 ; movabs rdi, 0x1234567812345678
57 | // 57 ; push rdi (original entry point of the target method)
58 | // 48 bf 78 56 34 12 78 56 34 12 ; movabs rdi, 0x1234567812345678 (addr of the target method)
59 | // c3 ; ret
60 | unsigned char trampolineForBackup[] = {
61 | 0x48, 0xbf, 0x78, 0x56, 0x34, 0x12, 0x78, 0x56, 0x34, 0x12,
62 | 0x57,
63 | 0x48, 0xbf, 0x78, 0x56, 0x34, 0x12, 0x78, 0x56, 0x34, 0x12,
64 | 0xc3
65 | };
66 |
67 | #elif defined(__arm__)
68 | // 00 00 9F E5 ; ldr r0, [pc, #0]
69 | // 20 F0 90 E5 ; ldr pc, [r0, 0x20]
70 | // 78 56 34 12 ; 0x12345678 (addr of the hook method)
71 | unsigned char trampoline[] = {
72 | 0x00, 0x00, 0x00, 0x00, // code_size_ in OatQuickMethodHeader
73 | 0x00, 0x00, 0x9f, 0xe5,
74 | 0x20, 0xf0, 0x90, 0xe5,
75 | 0x78, 0x56, 0x34, 0x12
76 | };
77 |
78 | // 0c 00 9F E5 ; ldr r0, [pc, #12]
79 | // 01 00 2d e9 ; push {r0}
80 | // 00 00 9F E5 ; ldr r0, [pc, #0]
81 | // 00 80 bd e8 ; pop {pc}
82 | // 78 56 34 12 ; 0x12345678 (addr of the hook method)
83 | // 78 56 34 12 ; 0x12345678 (original entry point of the target method)
84 | unsigned char trampolineForBackup[] = {
85 | 0x0c, 0x00, 0x9f, 0xe5,
86 | 0x01, 0x00, 0x2d, 0xe9,
87 | 0x00, 0x00, 0x9f, 0xe5,
88 | 0x00, 0x80, 0xbd, 0xe8,
89 | 0x78, 0x56, 0x34, 0x12,
90 | 0x78, 0x56, 0x34, 0x12
91 | };
92 |
93 | #elif defined(__aarch64__)
94 | // 60 00 00 58 ; ldr x0, 12
95 | // 10 00 40 F8 ; ldr x16, [x0, #0x00]
96 | // 00 02 1f d6 ; br x16
97 | // 78 56 34 12
98 | // 89 67 45 23 ; 0x2345678912345678 (addr of the hook method)
99 | unsigned char trampoline[] = {
100 | 0x00, 0x00, 0x00, 0x00, // code_size_ in OatQuickMethodHeader
101 | 0x60, 0x00, 0x00, 0x58,
102 | 0x10, 0x00, 0x40, 0xf8,
103 | 0x00, 0x02, 0x1f, 0xd6,
104 | 0x78, 0x56, 0x34, 0x12,
105 | 0x89, 0x67, 0x45, 0x23
106 | };
107 |
108 | // 60 00 00 58 ; ldr x0, 12
109 | // 90 00 00 58 ; ldr x16, 16
110 | // 00 02 1f d6 ; br x16
111 | // 78 56 34 12
112 | // 89 67 45 23 ; 0x2345678912345678 (addr of the hook method)
113 | // 78 56 34 12
114 | // 89 67 45 23 ; 0x2345678912345678 (original entry point of the target method)
115 | unsigned char trampolineForBackup[] = {
116 | 0x60, 0x00, 0x00, 0x58,
117 | 0x90, 0x00, 0x00, 0x58,
118 | 0x00, 0x02, 0x1f, 0xd6,
119 | 0x78, 0x56, 0x34, 0x12,
120 | 0x89, 0x67, 0x45, 0x23,
121 | 0x78, 0x56, 0x34, 0x12,
122 | 0x89, 0x67, 0x45, 0x23
123 | };
124 | #endif
125 |
126 | void *genTrampoline(void *toMethod, void *entrypoint) {
127 | size_t trampolineSize = entrypoint != NULL ? sizeof(trampolineForBackup) : sizeof(trampoline);
128 |
129 | // check available space for new trampoline
130 | if(currentTrampolineOff+trampolineSize > trampolineSpaceEnd) {
131 | currentTrampolineOff = allocTrampolineSpace();
132 | if (currentTrampolineOff == NULL) {
133 | return NULL;
134 | } else {
135 | trampolineSpaceEnd = currentTrampolineOff + TRAMPOLINE_SPACE_SIZE;
136 | }
137 | }
138 |
139 | unsigned char *targetAddr = currentTrampolineOff;
140 |
141 | if(entrypoint != NULL) {
142 | memcpy(targetAddr, trampolineForBackup, sizeof(trampolineForBackup));
143 | }
144 | else {
145 | memcpy(targetAddr, trampoline,
146 | sizeof(trampoline)); // do not use trampolineSize since it's a rounded size
147 | }
148 |
149 | // replace with the actual ArtMethod addr
150 | #if defined(__i386__)
151 | if(entrypoint) {
152 | memcpy(targetAddr + 1, &toMethod, pointer_size);
153 | memcpy(targetAddr + 6, &entrypoint, pointer_size);
154 | }
155 | else {
156 | memcpy(targetAddr + 5, &toMethod, pointer_size);
157 | }
158 |
159 | #elif defined(__x86_64__)
160 | if(entrypoint) {
161 | memcpy(targetAddr + 2, &entrypoint, pointer_size);
162 | memcpy(targetAddr + 13, &toMethod, pointer_size);
163 | }
164 | else {
165 | memcpy(targetAddr + 6, &toMethod, pointer_size);
166 | }
167 |
168 | #elif defined(__arm__)
169 | if(entrypoint) {
170 | memcpy(targetAddr + 20, &entrypoint, pointer_size);
171 | memcpy(targetAddr + 16, &toMethod, pointer_size);
172 | }
173 | else {
174 | memcpy(targetAddr + 12, &toMethod, pointer_size);
175 | }
176 |
177 | #elif defined(__aarch64__)
178 | if(entrypoint) {
179 | memcpy(targetAddr + 20, &entrypoint, pointer_size);
180 | memcpy(targetAddr + 12, &toMethod, pointer_size);
181 | }
182 | else {
183 | memcpy(targetAddr + 16, &toMethod, pointer_size);
184 | }
185 | #else
186 | #error Unsupported architecture
187 | #endif
188 |
189 | // skip 4 bytes of code_size_
190 | if(entrypoint == NULL) {
191 | targetAddr += 4;
192 | }
193 |
194 | // keep each trampoline aligned
195 | currentTrampolineOff += roundUpToPtrSize(trampolineSize);
196 |
197 | return targetAddr;
198 | }
199 |
200 | void setupTrampoline(uint8_t offset) {
201 | #if defined(__i386__)
202 | trampoline[11] = offset;
203 | #elif defined(__x86_64__)
204 | trampoline[16] = offset;
205 | #elif defined(__arm__)
206 | trampoline[8] = offset;
207 | #elif defined(__aarch64__)
208 | trampoline[9] |= offset << 4;
209 | trampoline[10] |= offset >> 4;
210 | #else
211 | #error Unsupported architecture
212 | #endif
213 | }
214 |
215 | static void *allocTrampolineSpace() {
216 | unsigned char *buf = mmap(NULL, TRAMPOLINE_SPACE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
217 | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
218 | if (buf == MAP_FAILED) {
219 | LOGE("mmap failed, errno = %s", strerror(errno));
220 | return NULL;
221 | }
222 | else {
223 | LOGI("allocating space for trampoline code at %p", buf);
224 | return buf;
225 | }
226 |
227 | }
--------------------------------------------------------------------------------
/library/src/androidTest/java/lab/galaxy/yahfa/HookingTest.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa;
2 |
3 | import android.os.Build;
4 | import androidx.test.runner.AndroidJUnit4;
5 | import android.util.Log;
6 |
7 | import org.junit.Assert;
8 | import org.junit.Before;
9 | import org.junit.Test;
10 | import org.junit.runner.RunWith;
11 |
12 | @RunWith(AndroidJUnit4.class)
13 | public class HookingTest {
14 | private static final String TAG = HookingTest.class.getSimpleName();
15 |
16 | @Before
17 | public void setup() {
18 | Log.i(TAG, "ABI=" + Build.CPU_ABI);
19 | StaticHook.targetCount = 0;
20 | StaticHook.hookCount = 0;
21 | StaticHook.backupCount = 0;
22 |
23 | InstanceHook.targetCount = 0;
24 | InstanceHook.hookCount = 0;
25 | InstanceHook.backupCount = 0;
26 |
27 | CtorHook.targetCount = 0;
28 | CtorHook.hookCount = 0;
29 | CtorHook.backupCount = 0;
30 | }
31 |
32 | @Test
33 | public void hookInstanceMethod() throws Exception {
34 | InstanceHook hookedInstance = new InstanceHook();
35 |
36 | Assert.assertEquals(3, hookedInstance.target(3));
37 | Assert.assertEquals(1, InstanceHook.targetCount);
38 | Assert.assertEquals(0, InstanceHook.hookCount);
39 | Assert.assertEquals(0, InstanceHook.backupCount);
40 |
41 | try {
42 | InstanceHook.hook(hookedInstance, 4);
43 | Assert.fail("Backup should have failed");
44 | } catch (UnsupportedOperationException e) {
45 | //Ok
46 | }
47 | Assert.assertEquals(1, InstanceHook.targetCount);
48 | Assert.assertEquals(1, InstanceHook.hookCount);
49 | Assert.assertEquals(1, InstanceHook.backupCount);
50 |
51 |
52 | //------------------------ AFTER HOOKING --------------------------------
53 | HookAnnotation.hookClass(InstanceHook.class);
54 |
55 | Assert.assertEquals(5, hookedInstance.target(5));
56 | Assert.assertEquals(2, InstanceHook.targetCount);
57 | Assert.assertEquals(2, InstanceHook.hookCount);
58 | Assert.assertEquals(1, InstanceHook.backupCount);
59 |
60 | Assert.assertEquals(6, InstanceHook.hook(hookedInstance, 6));
61 | Assert.assertEquals(3, InstanceHook.targetCount);
62 | Assert.assertEquals(3, InstanceHook.hookCount);
63 | Assert.assertEquals(1, InstanceHook.backupCount);
64 |
65 | Assert.assertEquals(7, InstanceHook.backup(hookedInstance, 7));
66 | Assert.assertEquals(4, InstanceHook.targetCount);
67 | Assert.assertEquals(3, InstanceHook.hookCount);
68 | Assert.assertEquals(1, InstanceHook.backupCount);
69 | }
70 |
71 | @Test
72 | public void hookStaticMethod() throws Exception {
73 | Assert.assertEquals(3, StaticHook.target(3));
74 | Assert.assertEquals(1, StaticHook.targetCount);
75 | Assert.assertEquals(0, StaticHook.hookCount);
76 | Assert.assertEquals(0, StaticHook.backupCount);
77 |
78 | try {
79 | StaticHook.hook(4);
80 | Assert.fail("Backup should have failed");
81 | } catch (UnsupportedOperationException e) {
82 | //Ok
83 | }
84 | Assert.assertEquals(1, StaticHook.targetCount);
85 | Assert.assertEquals(1, StaticHook.hookCount);
86 | Assert.assertEquals(1, StaticHook.backupCount);
87 |
88 |
89 | //------------------------ AFTER HOOKING --------------------------------
90 | HookAnnotation.hookClass(StaticHook.class);
91 |
92 | Assert.assertEquals(5, StaticHook.target(5));
93 | Assert.assertEquals(2, StaticHook.targetCount);
94 | Assert.assertEquals(2, StaticHook.hookCount);
95 | Assert.assertEquals(1, StaticHook.backupCount);
96 |
97 | Assert.assertEquals(6, StaticHook.hook(6));
98 | Assert.assertEquals(3, StaticHook.targetCount);
99 | Assert.assertEquals(3, StaticHook.hookCount);
100 | Assert.assertEquals(1, StaticHook.backupCount);
101 |
102 | Assert.assertEquals(7, StaticHook.backup(7));
103 | Assert.assertEquals(4, StaticHook.targetCount);
104 | Assert.assertEquals(3, StaticHook.hookCount);
105 | Assert.assertEquals(1, StaticHook.backupCount);
106 | }
107 |
108 | @Test
109 | public void hookCtorMethod() throws Exception {
110 | CtorHook ctorHook = new CtorHook(0);
111 | Assert.assertEquals(1, CtorHook.targetCount);
112 | Assert.assertEquals(0, CtorHook.hookCount);
113 | Assert.assertEquals(0, CtorHook.backupCount);
114 |
115 | try {
116 | CtorHook.hook(ctorHook, 4);
117 | Assert.fail("Backup should have failed");
118 | } catch (UnsupportedOperationException e) {
119 | //Ok
120 | }
121 | Assert.assertEquals(1, CtorHook.targetCount);
122 | Assert.assertEquals(1, CtorHook.hookCount);
123 | Assert.assertEquals(1, CtorHook.backupCount);
124 |
125 |
126 | //------------------------ AFTER HOOKING --------------------------------
127 | HookAnnotation.hookClass(CtorHook.class);
128 |
129 | ctorHook = new CtorHook(0);
130 |
131 | Assert.assertEquals(2, CtorHook.targetCount);
132 | Assert.assertEquals(2, CtorHook.hookCount);
133 | Assert.assertEquals(1, CtorHook.backupCount);
134 |
135 | ctorHook = new CtorHook(0);
136 | Assert.assertEquals(3, CtorHook.targetCount);
137 | Assert.assertEquals(3, CtorHook.hookCount);
138 | Assert.assertEquals(1, CtorHook.backupCount);
139 |
140 | CtorHook.backup(ctorHook, 0);
141 | Assert.assertEquals(4, CtorHook.targetCount);
142 | Assert.assertEquals(3, CtorHook.hookCount);
143 | Assert.assertEquals(1, CtorHook.backupCount);
144 | }
145 |
146 | static class CtorHook {
147 | static int targetCount = 0;
148 | static int hookCount = 0;
149 | static int backupCount = 0;
150 |
151 | public CtorHook(int arg) {
152 | targetCount++;
153 | }
154 |
155 | @HookAnnotation.ConstructorHook
156 | public static void hook(CtorHook thiz, int arg) {
157 | hookCount++;
158 | backup(thiz, arg);
159 | }
160 |
161 | @HookAnnotation.ConstructorBackup
162 | public static void backup(CtorHook thiz, int arg) {
163 | backupCount++;
164 | throw new UnsupportedOperationException("Stub!");
165 | }
166 | }
167 |
168 | static class StaticHook {
169 | static int targetCount = 0;
170 | static int hookCount = 0;
171 | static int backupCount = 0;
172 |
173 | public static int target(int arg) {
174 | targetCount++;
175 | return arg;
176 | }
177 |
178 | @HookAnnotation.StaticMethodHook(targetClass = StaticHook.class, methodName = "target")
179 | public static int hook(int arg) {
180 | hookCount++;
181 | return backup(arg);
182 | }
183 |
184 | @HookAnnotation.StaticMethodBackup(targetClass = StaticHook.class, methodName = "target")
185 | public static int backup(int arg) {
186 | backupCount++;
187 | throw new UnsupportedOperationException("Stub!");
188 | }
189 | }
190 |
191 | static class InstanceHook {
192 | static int targetCount;
193 | static int hookCount;
194 | static int backupCount;
195 |
196 | @HookAnnotation.MethodHook(methodName = "target")
197 | public static int hook(InstanceHook thiz, int arg) {
198 | hookCount++;
199 | return backup(thiz, arg);
200 | }
201 |
202 | @HookAnnotation.MethodBackup(methodName = "target")
203 | public static int backup(InstanceHook thiz, int arg) {
204 | backupCount++;
205 | throw new UnsupportedOperationException("Stub!");
206 | }
207 |
208 | public int target(int arg) {
209 | targetCount++;
210 | return arg;
211 | }
212 | }
213 | }
214 |
--------------------------------------------------------------------------------
/library/src/main/jni/utils.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 |
7 | #include "common.h"
8 |
9 | #if defined(__aarch64__)
10 | #include
11 | #include "dlfunc.h"
12 | #define NEED_CLASS_VISIBLY_INITIALIZED
13 | #endif
14 |
15 | static char *classLinker = NULL;
16 | typedef void (*InitClassFunc)(void *, void *, int);
17 | static InitClassFunc MakeInitializedClassesVisiblyInitialized = NULL;
18 | static int shouldVisiblyInit();
19 | static int findInitClassSymbols(JNIEnv *env);
20 |
21 | static const size_t kPointerSize = sizeof(void *);
22 | static const size_t kVTablePosition = 2;
23 |
24 | static int isValidAddress(const void *p) {
25 | if (!p) {
26 | return 0;
27 | }
28 |
29 | int ret = 1;
30 | int fd = open("/dev/random", O_WRONLY);
31 | size_t len = sizeof(int32_t);
32 | if (fd != -1) {
33 | if (write(fd, p, len) < 0) {
34 | ret = 0;
35 | }
36 | close(fd);
37 | } else {
38 | ret = 0;
39 | }
40 | return ret;
41 | }
42 |
43 | static int
44 | commonFindOffset(void *start, size_t max_count, size_t step, void *value, int start_search_offset) {
45 | if (NULL == start) {
46 | return -1;
47 | }
48 | if (start_search_offset > max_count) {
49 | return -1;
50 | }
51 |
52 | for (int i = start_search_offset; i <= max_count; i += step) {
53 | void *current_value = *(void **) ((size_t) start + i);
54 | if (value == current_value) {
55 | return i;
56 | }
57 | }
58 | return -1;
59 | }
60 |
61 | static int searchClassLinkerOffset(JavaVM *vm, void *runtime_instance, JNIEnv *env, void *libart_handle) {
62 | #ifndef NEED_CLASS_VISIBLY_INITIALIZED
63 | return -1;
64 | #else
65 | void *class_linker_vtable = dlfunc_dlsym(env, libart_handle, "_ZTVN3art11ClassLinkerE");
66 | if (class_linker_vtable != NULL) {
67 | // Before Android 9, class_liner do not hava virtual table, so class_linker_vtable is null.
68 | class_linker_vtable = (char *) class_linker_vtable + kPointerSize * kVTablePosition;
69 | }
70 |
71 | //Need to search jvm offset from 200, if not, on xiaomi android7.1.2 we would get jvm_offset 184, but in fact it is 440
72 | int jvm_offset_in_runtime = commonFindOffset(runtime_instance, 2000, 4, (void *) vm, 200);
73 |
74 | if (jvm_offset_in_runtime < 0) {
75 | LOGE("failed to find JavaVM in Runtime");
76 | return -1;
77 | }
78 |
79 | int step = 4;
80 | int class_linker_offset_value = -1;
81 | for (int i = jvm_offset_in_runtime - step; i > 0; i -= step) {
82 | void *class_linker_addr = *(void **) ((uintptr_t) runtime_instance + i);
83 |
84 | if (class_linker_addr == NULL || !isValidAddress(class_linker_addr)) {
85 | continue;
86 | }
87 | if (class_linker_vtable != NULL) {
88 | if (*(void **) class_linker_addr == class_linker_vtable) {
89 | class_linker_offset_value = i;
90 | break;
91 | }
92 | } else {
93 | // in runtime.h, the struct is:
94 | // ThreadList* thread_list_;
95 | // InternTable* intern_table_;
96 | // ClassLinker* class_linker_;
97 | // these objects list as this kind of order.
98 | // And the InternTable pointer is also saved in ClassLinker struct,
99 | // So, we can search ClassLinker struct to verify the intern_table_ address.
100 | void *intern_table_addr = *(void **) (
101 | (uintptr_t) runtime_instance +
102 | i -
103 | kPointerSize);
104 | if (isValidAddress(intern_table_addr)) {
105 | for (int j = 200; j < 500; j += step) {
106 | void *intern_table = *(void **) (
107 | (uintptr_t) class_linker_addr + j);
108 | if (intern_table_addr == intern_table) {
109 | class_linker_offset_value = i;
110 | break;
111 | }
112 | }
113 | }
114 | }
115 | if (class_linker_offset_value > 0) {
116 | break;
117 | }
118 | }
119 | return class_linker_offset_value;
120 | #endif
121 | }
122 |
123 | static int findInitClassSymbols(JNIEnv *env) {
124 | #ifndef NEED_CLASS_VISIBLY_INITIALIZED
125 | return 1;
126 | #else
127 | JavaVM *jvm = NULL;
128 | (*env)->GetJavaVM(env, &jvm);
129 | LOGI("JavaVM is %p", jvm);
130 |
131 | if(dlfunc_init(env) != JNI_OK) {
132 | LOGE("dlfunc init failed");
133 | return 1;
134 | }
135 | void *handle = dlfunc_dlopen(env, "libart.so", RTLD_LAZY);
136 | if(handle == NULL) {
137 | LOGE("failed to find libart.so handle");
138 | return 1;
139 | }
140 | else {
141 | void *runtime_bss = dlfunc_dlsym(env, handle, "_ZN3art7Runtime9instance_E");
142 | if(!runtime_bss) {
143 | LOGE("failed to find Runtime::instance symbol");
144 | return 1;
145 | }
146 | char *runtime = readAddr(runtime_bss);
147 | if(!runtime) {
148 | LOGE("Runtime::instance value is NULL");
149 | return 1;
150 | }
151 | LOGI("runtime bss is at %p, runtime instance is at %p", runtime_bss, runtime);
152 |
153 | int class_linker_offset_in_Runtime = searchClassLinkerOffset(jvm, runtime, env, handle);
154 | LOGI("find class_linker offset in_Runtime --> %d ", class_linker_offset_in_Runtime);
155 |
156 | if(class_linker_offset_in_Runtime < 0) {
157 | LOGE("failed to find class_linker offset in Runtime");
158 | return 1;
159 | }
160 |
161 | classLinker = readAddr(runtime + class_linker_offset_in_Runtime);
162 | MakeInitializedClassesVisiblyInitialized = dlfunc_dlsym(env, handle,
163 | "_ZN3art11ClassLinker40MakeInitializedClassesVisiblyInitializedEPNS_6ThreadEb");
164 | // "_ZN3art11ClassLinker12AllocIfTableEPNS_6ThreadEm"); // for test
165 | if(!MakeInitializedClassesVisiblyInitialized) {
166 | LOGE("failed to find MakeInitializedClassesVisiblyInitialized symbol");
167 | return 1;
168 | }
169 | LOGI("MakeInitializedClassesVisiblyInitialized is at %p",
170 | MakeInitializedClassesVisiblyInitialized);
171 | }
172 | return 0;
173 | #endif
174 | }
175 |
176 | jlong __attribute__((naked)) Java_lab_galaxy_yahfa_HookMain_00024Utils_getThread(JNIEnv *env, jclass clazz) {
177 | #if defined(__aarch64__)
178 | __asm__(
179 | "mov x0, x19\n"
180 | "ret\n"
181 | );
182 | #elif defined(__arm__)
183 | __asm__(
184 | "mov r0, r9\n"
185 | "bx lr\n"
186 | );
187 | #elif defined(__x86_64__)
188 | __asm__(
189 | "mov %gs:0xe8, %rax\n" // offset on Android R
190 | "ret\n"
191 | );
192 | #elif defined(__i386__)
193 | __asm__(
194 | "mov %fs:0xc4, %eax\n" // offset on Android R
195 | "ret\n"
196 | );
197 | #endif
198 | }
199 |
200 | static int shouldVisiblyInit() {
201 | #if defined(__i386__) || defined(__x86_64__)
202 | return 0;
203 | #else
204 | if(SDKVersion < __ANDROID_API_R__) {
205 | return 0;
206 | }
207 | else return 1;
208 | #endif
209 | }
210 |
211 | jboolean Java_lab_galaxy_yahfa_HookMain_00024Utils_shouldVisiblyInit(JNIEnv *env, jclass clazz) {
212 | return shouldVisiblyInit() != 0;
213 | }
214 |
215 | jint Java_lab_galaxy_yahfa_HookMain_00024Utils_visiblyInit(JNIEnv *env, jclass clazz, jlong thread) {
216 | if(!shouldVisiblyInit()) {
217 | return 0;
218 | }
219 |
220 | if(!classLinker || !MakeInitializedClassesVisiblyInitialized) {
221 | if(findInitClassSymbols(env) != 0) {
222 | LOGE("failed to find symbols: classLinker %p, MakeInitializedClassesVisiblyInitialized %p",
223 | classLinker, MakeInitializedClassesVisiblyInitialized);
224 | return 1;
225 | }
226 | }
227 |
228 | LOGI("thread is at %p", thread);
229 | MakeInitializedClassesVisiblyInitialized(classLinker, (void *)thread, 1);
230 | return 0;
231 | }
232 |
--------------------------------------------------------------------------------
/library/src/main/java/lab/galaxy/yahfa/HookAnnotation.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa;
2 |
3 | import android.util.Log;
4 |
5 | import java.lang.annotation.ElementType;
6 | import java.lang.annotation.Retention;
7 | import java.lang.annotation.RetentionPolicy;
8 | import java.lang.annotation.Target;
9 | import java.lang.reflect.Constructor;
10 | import java.lang.reflect.Method;
11 | import java.lang.reflect.Modifier;
12 | import java.util.Arrays;
13 | import java.util.HashMap;
14 | import java.util.Map;
15 |
16 | /**
17 | * Defines hooks using annotated methods.
18 | *
19 | * Target class, method name and signature are automatically inferred from the hook when possible
20 | */
21 | public class HookAnnotation {
22 | public static final String TAG = HookAnnotation.class.getSimpleName();
23 |
24 | public static final String HOOK_SUFFIX = "Hook";
25 | public static final String BACKUP_SUFFIX = "Backup";
26 |
27 | @Retention(RetentionPolicy.RUNTIME)
28 | @Target(ElementType.METHOD)
29 | public @interface ConstructorHook {
30 | }
31 |
32 | @Retention(RetentionPolicy.RUNTIME)
33 | @Target(ElementType.METHOD)
34 | public @interface MethodHook {
35 | String methodName() default "";
36 | }
37 |
38 | @Retention(RetentionPolicy.RUNTIME)
39 | @Target(ElementType.METHOD)
40 | public @interface StaticMethodHook {
41 | Class targetClass();
42 | String methodName() default "";
43 | }
44 |
45 | @Retention(RetentionPolicy.RUNTIME)
46 | @Target(ElementType.METHOD)
47 | public @interface ConstructorBackup {
48 | }
49 |
50 | @Retention(RetentionPolicy.RUNTIME)
51 | @Target(ElementType.METHOD)
52 | public @interface MethodBackup {
53 | String methodName() default "";
54 | }
55 |
56 | @Retention(RetentionPolicy.RUNTIME)
57 | @Target(ElementType.METHOD)
58 | public @interface StaticMethodBackup {
59 | Class targetClass();
60 | String methodName() default "";
61 | }
62 |
63 | public static void hookClass(Class cls) {
64 | Map hooks = new HashMap<>();
65 | Map backups = new HashMap<>();
66 |
67 | for (Method m : cls.getDeclaredMethods()) {
68 |
69 | if (m.getAnnotation(ConstructorHook.class) != null) {
70 | try {
71 | ConstructorHook annotation = m.getAnnotation(ConstructorHook.class);
72 | Class targetClass = m.getParameterTypes()[0];
73 | Class[] argTypes = Arrays.copyOfRange(m.getParameterTypes(), 1, m.getParameterTypes().length);
74 | Constructor targetMethod = targetClass.getDeclaredConstructor(argTypes);
75 | hooks.put(targetMethod, m);
76 | } catch (Exception e) {
77 | Log.e(TAG, "Cannot find target constructor for " + m, e);
78 | }
79 | }
80 |
81 | if (m.getAnnotation(MethodHook.class) != null) {
82 | try {
83 | MethodHook annotation = m.getAnnotation(MethodHook.class);
84 | Class targetClass = m.getParameterTypes()[0];
85 | String methodName = annotation.methodName().isEmpty() ? m.getName().replaceFirst(HOOK_SUFFIX + "$", "") : annotation.methodName();
86 | Class[] argTypes = Arrays.copyOfRange(m.getParameterTypes(), 1, m.getParameterTypes().length);
87 | Method targetMethod = targetClass.getDeclaredMethod(methodName, argTypes);
88 | if (Modifier.isStatic(targetMethod.getModifiers())) {
89 | throw new IllegalArgumentException("Target method is static: " + targetMethod);
90 | }
91 | hooks.put(targetMethod, m);
92 | } catch (Exception e) {
93 | Log.e(TAG, "Cannot find target method for " + m, e);
94 | }
95 | }
96 |
97 | if (m.getAnnotation(StaticMethodHook.class) != null) {
98 | try {
99 | StaticMethodHook annotation = m.getAnnotation(StaticMethodHook.class);
100 | Class targetClass = annotation.targetClass();
101 | String methodName = annotation.methodName().isEmpty() ? m.getName().replaceFirst(HOOK_SUFFIX + "$", "") : annotation.methodName();
102 | Class[] argTypes = m.getParameterTypes();
103 | Method targetMethod = targetClass.getDeclaredMethod(methodName, argTypes);
104 | if (!Modifier.isStatic(targetMethod.getModifiers())) {
105 | throw new IllegalArgumentException("Target method is not static: " + targetMethod);
106 | }
107 | hooks.put(targetMethod, m);
108 | } catch (Exception e) {
109 | Log.e(TAG, "Cannot find target method for " + m, e);
110 | }
111 | }
112 |
113 | if (m.getAnnotation(ConstructorBackup.class) != null) {
114 | try {
115 | ConstructorBackup annotation = m.getAnnotation(ConstructorBackup.class);
116 | Class targetClass = m.getParameterTypes()[0];
117 | Class[] argTypes = Arrays.copyOfRange(m.getParameterTypes(), 1, m.getParameterTypes().length);
118 | Constructor targetMethod = targetClass.getDeclaredConstructor(argTypes);
119 | backups.put(targetMethod, m);
120 | } catch (Exception e) {
121 | Log.e(TAG, "Cannot find target constructor for " + m, e);
122 | }
123 | }
124 |
125 | if (m.getAnnotation(MethodBackup.class) != null) {
126 | try {
127 | MethodBackup annotation = m.getAnnotation(MethodBackup.class);
128 | Class targetClass = m.getParameterTypes()[0];
129 | String methodName = annotation.methodName().isEmpty() ? m.getName().replaceFirst(BACKUP_SUFFIX + "$", "") : annotation.methodName();
130 | Class[] argTypes = Arrays.copyOfRange(m.getParameterTypes(), 1, m.getParameterTypes().length);
131 | Method targetMethod = targetClass.getDeclaredMethod(methodName, argTypes);
132 | if (Modifier.isStatic(targetMethod.getModifiers())) {
133 | throw new IllegalArgumentException("Target method is static: " + targetMethod);
134 | }
135 | backups.put(targetMethod, m);
136 | } catch (Exception e) {
137 | Log.e(TAG, "Cannot find target method for " + m, e);
138 | }
139 | }
140 |
141 | if (m.getAnnotation(StaticMethodBackup.class) != null) {
142 | try {
143 | StaticMethodBackup annotation = m.getAnnotation(StaticMethodBackup.class);
144 | Class targetClass = annotation.targetClass();
145 | String methodName = annotation.methodName().isEmpty() ? m.getName().replaceFirst(BACKUP_SUFFIX + "$", "") : annotation.methodName();
146 | Class[] argTypes = m.getParameterTypes();
147 | Method targetMethod = targetClass.getDeclaredMethod(methodName, argTypes);
148 | if (!Modifier.isStatic(targetMethod.getModifiers())) {
149 | throw new IllegalArgumentException("Target method is not static: " + targetMethod);
150 | }
151 | backups.put(targetMethod, m);
152 | } catch (Exception e) {
153 | Log.e(TAG, "Cannot find target method for " + m, e);
154 | }
155 | }
156 | }
157 |
158 | for (Object target : hooks.keySet()) {
159 | Method hook = hooks.get(target);
160 | Method backup = backups.get(target);
161 | Throwable err = null;
162 | try {
163 | HookMain.backupAndHook(target, hook, backup);
164 | Log.i(TAG, "Hooked " + target + ": hook=" + hook + (backup == null ? "" : ", backup=" + backup));
165 | } catch (Throwable t) {
166 | Log.e(TAG, "Failed to hooked " + target + ": hook=" + hook + (backup == null ? "" : ", backup=" + backup), t);
167 | }
168 | }
169 |
170 | for (Object target : backups.keySet()) {
171 | if (!hooks.containsKey(target)) {
172 | Log.w(TAG, "Failed to install backup " + backups.get(target) + " on " + target + " because there is no matching hook");
173 | }
174 | }
175 | }
176 | }
177 |
--------------------------------------------------------------------------------
/library/src/main/java/lab/galaxy/yahfa/HookMain.java:
--------------------------------------------------------------------------------
1 | package lab.galaxy.yahfa;
2 |
3 | import android.util.Log;
4 |
5 | import java.lang.reflect.Constructor;
6 | import java.lang.reflect.Method;
7 | import java.lang.reflect.Modifier;
8 | import java.util.ArrayList;
9 | import java.util.Arrays;
10 | import java.lang.reflect.Member;
11 | import android.os.Build;
12 |
13 | /**
14 | * Created by liuruikai756 on 28/03/2017.
15 | */
16 |
17 | public class HookMain {
18 | private static final String TAG = HookMain.class.getSimpleName();
19 | // MakeInitializedClassesVisiblyInitialized is called explicitly
20 | // entry of jni methods would not be set to jni trampoline after hooked
21 | // isDebugModeEnabledR = BuildConfig.DEBUG;
22 | // Ref: http://aosp.opersys.com/xref/android-11.0.0_r17/xref/art/runtime/art_method.cc
23 | // public static Boolean isDebugModeEnabledR = Boolean.FALSE;
24 | // public static void setDebugEnabledR(Boolean b)
25 | // {
26 | // isDebugModeEnabledR = b;
27 | // }
28 |
29 | static {
30 | System.loadLibrary("yahfa");
31 | // Android SDK Ver
32 | int buildSdk = Build.VERSION.SDK_INT;
33 | if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
34 | try {
35 | if(Build.VERSION.PREVIEW_SDK_INT > 0)
36 | buildSdk += 1;
37 | } catch (Throwable e) {
38 | // ignore
39 | }
40 | }
41 | init(buildSdk);
42 | }
43 |
44 | public static void doHookDefault(ClassLoader patchClassLoader, ClassLoader originClassLoader) {
45 | try {
46 | Class hookInfoClass = Class.forName("lab.galaxy.yahfa.HookInfo", true, patchClassLoader);
47 | String[] hookItemNames = (String[]) hookInfoClass.getField("hookItemNames").get(null);
48 | for (String hookItemName : hookItemNames) {
49 | doHookItemDefault(patchClassLoader, hookItemName, originClassLoader);
50 | }
51 | } catch (Exception e) {
52 | e.printStackTrace();
53 | }
54 | }
55 |
56 | private static void doHookItemDefault(ClassLoader patchClassLoader, String hookItemName, ClassLoader originClassLoader) {
57 | try {
58 | Log.i(TAG, "Start hooking with item " + hookItemName);
59 | Class hookItem = Class.forName(hookItemName, true, patchClassLoader);
60 |
61 | String className = (String) hookItem.getField("className").get(null);
62 | String methodName = (String) hookItem.getField("methodName").get(null);
63 | String methodSig = (String) hookItem.getField("methodSig").get(null);
64 |
65 | if (className == null || className.equals("")) {
66 | Log.w(TAG, "No target class. Skipping...");
67 | return;
68 | }
69 | Class clazz = Class.forName(className, true, originClassLoader);
70 | if (Modifier.isAbstract(clazz.getModifiers())) {
71 | Log.w(TAG, "Hook may fail for abstract class: " + className);
72 | }
73 |
74 | Method hook = null;
75 | Method backup = null;
76 | for (Method method : hookItem.getDeclaredMethods()) {
77 | if (method.getName().equals("hook") && Modifier.isStatic(method.getModifiers())) {
78 | hook = method;
79 | } else if (method.getName().equals("backup") && Modifier.isStatic(method.getModifiers())) {
80 | backup = method;
81 | }
82 | }
83 | if (hook == null) {
84 | Log.e(TAG, "Cannot find hook for " + methodName);
85 | return;
86 | }
87 |
88 | // has to visibly init the classes
89 | // see the comment for function Utils.initClass()
90 | if(Utils.initClass() != 0) {
91 | Log.e(TAG, "Utils.initClass failed");
92 | }
93 |
94 | findAndBackupAndHook(clazz, methodName, methodSig, hook, backup);
95 | } catch (Exception e) {
96 | e.printStackTrace();
97 | }
98 | }
99 |
100 | public static void findAndHook(Class targetClass, String methodName, String methodSig, Method hook) {
101 | hook(findMethod(targetClass, methodName, methodSig), hook);
102 | }
103 |
104 | public static void findAndBackupAndHook(Class targetClass, String methodName, String methodSig,
105 | Method hook, Method backup) {
106 | backupAndHook(findMethod(targetClass, methodName, methodSig), hook, backup);
107 | }
108 |
109 | public static void hook(Object target, Method hook) {
110 | backupAndHook(target, hook, null);
111 | }
112 |
113 | public static void backupAndHook(Object target, Method hook, Method backup) {
114 | if (target == null) {
115 | throw new IllegalArgumentException("null target method");
116 | }
117 |
118 | // if(target instanceof Member && Modifier.isStatic(((Member)target).getModifiers()) && isDebugModeEnabledR)
119 | // {
120 | // throw new IllegalArgumentException("Debug enabled.");
121 | // }
122 |
123 | if (hook == null) {
124 | throw new IllegalArgumentException("null hook method");
125 | }
126 |
127 | if (!Modifier.isStatic(hook.getModifiers())) {
128 | throw new IllegalArgumentException("Hook must be a static method: " + hook);
129 | }
130 | checkCompatibleMethods(target, hook, "Original", "Hook");
131 | if (backup != null) {
132 | if (!Modifier.isStatic(backup.getModifiers())) {
133 | throw new IllegalArgumentException("Backup must be a static method: " + backup);
134 | }
135 | // backup is just a placeholder and the constraint could be less strict
136 | checkCompatibleMethods(target, backup, "Original", "Backup");
137 | }
138 |
139 | // has to visibly init the classes
140 | // see the comment for function Utils.initClass()
141 | if(Utils.initClass() != 0) {
142 | Log.e(TAG, "Utils.initClass failed");
143 | }
144 |
145 | if (!backupAndHookNative(target, hook, backup)) {
146 | throw new RuntimeException("Failed to hook " + target + " with " + hook);
147 | }
148 | }
149 |
150 | private static Object findMethod(Class cls, String methodName, String methodSig) {
151 | if (cls == null) {
152 | throw new IllegalArgumentException("null class");
153 | }
154 | if (methodName == null) {
155 | throw new IllegalArgumentException("null method name");
156 | }
157 | if (methodSig == null) {
158 | throw new IllegalArgumentException("null method signature");
159 | }
160 | return findMethodNative(cls, methodName, methodSig);
161 | }
162 |
163 | private static void checkCompatibleMethods(Object original, Method replacement, String originalName, String replacementName) {
164 | ArrayList> originalParams;
165 | if (original instanceof Method) {
166 | originalParams = new ArrayList<>(Arrays.asList(((Method) original).getParameterTypes()));
167 | } else if (original instanceof Constructor) {
168 | originalParams = new ArrayList<>(Arrays.asList(((Constructor) original).getParameterTypes()));
169 | } else {
170 | throw new IllegalArgumentException("Type of target method is wrong");
171 | }
172 |
173 | ArrayList> replacementParams = new ArrayList<>(Arrays.asList(replacement.getParameterTypes()));
174 |
175 | if (original instanceof Method
176 | && !Modifier.isStatic(((Method) original).getModifiers())) {
177 | originalParams.add(0, ((Method) original).getDeclaringClass());
178 | } else if (original instanceof Constructor) {
179 | originalParams.add(0, ((Constructor) original).getDeclaringClass());
180 | }
181 |
182 |
183 | if (!Modifier.isStatic(replacement.getModifiers())) {
184 | replacementParams.add(0, replacement.getDeclaringClass());
185 | }
186 |
187 | if (original instanceof Method
188 | && !replacement.getReturnType().isAssignableFrom(((Method) original).getReturnType())) {
189 | throw new IllegalArgumentException("Incompatible return types. " + originalName + ": " + ((Method) original).getReturnType() + ", " + replacementName + ": " + replacement.getReturnType());
190 | } else if (original instanceof Constructor) {
191 | if (replacement.getReturnType().equals(Void.class)) {
192 | throw new IllegalArgumentException("Incompatible return types. " + "" + ": " + "V" + ", " + replacementName + ": " + replacement.getReturnType());
193 | }
194 | }
195 |
196 | if (originalParams.size() != replacementParams.size()) {
197 | throw new IllegalArgumentException("Number of arguments don't match. " + originalName + ": " + originalParams.size() + ", " + replacementName + ": " + replacementParams.size());
198 | }
199 |
200 | for (int i = 0; i < originalParams.size(); i++) {
201 | if (!replacementParams.get(i).isAssignableFrom(originalParams.get(i))) {
202 | throw new IllegalArgumentException("Incompatible argument #" + i + ": " + originalName + ": " + originalParams.get(i) + ", " + replacementName + ": " + replacementParams.get(i));
203 | }
204 | }
205 | }
206 |
207 | private static native boolean backupAndHookNative(Object target, Method hook, Method backup);
208 |
209 | // JNI.ToReflectedMethod() could return either Method or Constructor
210 | public static native Object findMethodNative(Class targetClass, String methodName, String methodSig);
211 |
212 | private static native void init(int sdkVersion);
213 |
214 | public static class Utils {
215 | // https://github.com/PAGalaxyLab/YAHFA/pull/133#issuecomment-743728607
216 | // class may be visible initialized after it's initialized after Android R
217 | // so we have to call MakeInitializedClassesVisiblyInitialized explicitly before hooking
218 | public static int initClass() {
219 | // do nothing before Android R or on x86 devices
220 | if(shouldVisiblyInit()) {
221 | long thread = getThread();
222 | return visiblyInit(thread);
223 | }
224 | else {
225 | return 0;
226 | }
227 | }
228 |
229 | private static native boolean shouldVisiblyInit();
230 | private static native int visiblyInit(long thread);
231 | private static native long getThread();
232 | }
233 | }
234 |
--------------------------------------------------------------------------------
/library/src/main/jni/HookMain.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 | #include "common.h"
5 | #include "trampoline.h"
6 |
7 | int SDKVersion;
8 | static uint32_t OFFSET_entry_point_from_interpreter_in_ArtMethod;
9 | static uint32_t OFFSET_entry_point_from_quick_compiled_code_in_ArtMethod;
10 | static uint32_t OFFSET_ArtMehod_in_Object;
11 | static uint32_t OFFSET_access_flags_in_ArtMethod;
12 | static uint32_t kAccNative = 0x0100;
13 | static uint32_t kAccCompileDontBother = 0x01000000;
14 | static uint32_t kAccFastInterpreterToInterpreterInvoke = 0x40000000;
15 | static uint32_t kAccPreCompiled = 0x00200000;
16 |
17 | static jfieldID fieldArtMethod = NULL;
18 |
19 |
20 | void Java_lab_galaxy_yahfa_HookMain_init(JNIEnv *env, jclass clazz, jint sdkVersion) {
21 | SDKVersion = sdkVersion;
22 | jclass classExecutable;
23 | LOGI("init to SDK %d", sdkVersion);
24 | switch (sdkVersion) {
25 | case __ANDROID_API_T__:
26 | case __ANDROID_API_S_L__:
27 | case __ANDROID_API_S__:
28 | kAccPreCompiled = 0x00800000;
29 | case __ANDROID_API_R__:
30 | classExecutable = (*env)->FindClass(env, "java/lang/reflect/Executable");
31 | fieldArtMethod = (*env)->GetFieldID(env, classExecutable, "artMethod", "J");
32 | case __ANDROID_API_Q__:
33 | case __ANDROID_API_P__:
34 | kAccCompileDontBother = 0x02000000;
35 | OFFSET_ArtMehod_in_Object = 0;
36 | OFFSET_access_flags_in_ArtMethod = 4;
37 | //OFFSET_dex_method_index_in_ArtMethod = 4*3;
38 | if (sdkVersion >= __ANDROID_API_S__)
39 | OFFSET_entry_point_from_quick_compiled_code_in_ArtMethod =
40 | roundUpToPtrSize(4 * 3 + 2 * 2) + pointer_size;
41 | else
42 | OFFSET_entry_point_from_quick_compiled_code_in_ArtMethod =
43 | roundUpToPtrSize(4 * 4 + 2 * 2) + pointer_size;
44 | break;
45 | case __ANDROID_API_O_MR1__:
46 | kAccCompileDontBother = 0x02000000;
47 | case __ANDROID_API_O__:
48 | OFFSET_ArtMehod_in_Object = 0;
49 | OFFSET_access_flags_in_ArtMethod = 4;
50 | OFFSET_entry_point_from_quick_compiled_code_in_ArtMethod =
51 | roundUpToPtrSize(4 * 4 + 2 * 2) + pointer_size * 2;
52 | break;
53 | case __ANDROID_API_N_MR1__:
54 | case __ANDROID_API_N__:
55 | OFFSET_ArtMehod_in_Object = 0;
56 | OFFSET_access_flags_in_ArtMethod = 4; // sizeof(GcRoot) = 4
57 | // ptr_sized_fields_ is rounded up to pointer_size in ArtMethod
58 | OFFSET_entry_point_from_quick_compiled_code_in_ArtMethod =
59 | roundUpToPtrSize(4 * 4 + 2 * 2) + pointer_size * 3;
60 | break;
61 | case __ANDROID_API_M__:
62 | OFFSET_ArtMehod_in_Object = 0;
63 | OFFSET_entry_point_from_interpreter_in_ArtMethod = roundUpToPtrSize(4 * 7);
64 | OFFSET_entry_point_from_quick_compiled_code_in_ArtMethod =
65 | OFFSET_entry_point_from_interpreter_in_ArtMethod + pointer_size * 2;
66 | break;
67 | case __ANDROID_API_L_MR1__:
68 | OFFSET_ArtMehod_in_Object = 4 * 2;
69 | OFFSET_entry_point_from_interpreter_in_ArtMethod = roundUpToPtrSize(
70 | OFFSET_ArtMehod_in_Object + 4 * 7);
71 | OFFSET_entry_point_from_quick_compiled_code_in_ArtMethod =
72 | OFFSET_entry_point_from_interpreter_in_ArtMethod + pointer_size * 2;
73 | break;
74 | case __ANDROID_API_L__:
75 | OFFSET_ArtMehod_in_Object = 4 * 2;
76 | OFFSET_entry_point_from_interpreter_in_ArtMethod = OFFSET_ArtMehod_in_Object + 4 * 4;
77 | OFFSET_entry_point_from_quick_compiled_code_in_ArtMethod =
78 | OFFSET_entry_point_from_interpreter_in_ArtMethod + 8 * 2;
79 | break;
80 | default:
81 | LOGE("not compatible with SDK %d", sdkVersion);
82 | break;
83 | }
84 |
85 | setupTrampoline(OFFSET_entry_point_from_quick_compiled_code_in_ArtMethod);
86 | }
87 |
88 | static uint32_t getFlags(char *method) {
89 | uint32_t access_flags = read32(method + OFFSET_access_flags_in_ArtMethod);
90 | return access_flags;
91 | }
92 |
93 | static void setFlags(char *method, uint32_t access_flags) {
94 | write32(method + OFFSET_access_flags_in_ArtMethod, access_flags);
95 | }
96 |
97 | static void setNonCompilable(void *method) {
98 | if (SDKVersion < __ANDROID_API_N__) {
99 | return;
100 | }
101 | uint32_t access_flags = getFlags(method);
102 | uint32_t old_flags = access_flags;
103 | access_flags |= kAccCompileDontBother;
104 | if (SDKVersion >= __ANDROID_API_R__) {
105 | access_flags &= ~kAccPreCompiled;
106 | }
107 | setFlags(method, access_flags);
108 | LOGI("setNonCompilable: change access flags from 0x%x to 0x%x", old_flags, access_flags);
109 |
110 | }
111 |
112 | static int replaceMethod(void *fromMethod, void *toMethod, int isBackup) {
113 | LOGI("replace method from %p to %p", fromMethod, toMethod);
114 |
115 | // replace entry point
116 | void *newEntrypoint = NULL;
117 | if(isBackup) {
118 | void *originEntrypoint = readAddr((char *) toMethod + OFFSET_entry_point_from_quick_compiled_code_in_ArtMethod);
119 | // entry point hardcoded
120 | newEntrypoint = genTrampoline(toMethod, originEntrypoint);
121 | }
122 | else {
123 | // entry point from ArtMethod struct
124 | newEntrypoint = genTrampoline(toMethod, NULL);
125 | }
126 |
127 | LOGI("replace entry point from %p to %p",
128 | readAddr((char *) fromMethod + OFFSET_entry_point_from_quick_compiled_code_in_ArtMethod),
129 | newEntrypoint
130 | );
131 | if (newEntrypoint) {
132 | writeAddr((char *) fromMethod + OFFSET_entry_point_from_quick_compiled_code_in_ArtMethod,
133 | newEntrypoint);
134 | } else {
135 | LOGE("failed to allocate space for trampoline of target method");
136 | return 1;
137 | }
138 |
139 | if (OFFSET_entry_point_from_interpreter_in_ArtMethod != 0) {
140 | void *interpEntrypoint = readAddr((char *) toMethod + OFFSET_entry_point_from_interpreter_in_ArtMethod);
141 | writeAddr((char *) fromMethod + OFFSET_entry_point_from_interpreter_in_ArtMethod,
142 | interpEntrypoint);
143 | }
144 |
145 | // set the target method to native so that Android O wouldn't invoke it with interpreter
146 | if(SDKVersion >= __ANDROID_API_O__) {
147 | uint32_t access_flags = getFlags(fromMethod);
148 | uint32_t old_flags = access_flags;
149 | if (SDKVersion >= __ANDROID_API_Q__) {
150 | // On API 29 whether to use the fast path or not is cached in the ART method structure
151 | access_flags &= ~kAccFastInterpreterToInterpreterInvoke;
152 | }
153 | // MakeInitializedClassesVisiblyInitialized is called explicitly
154 | // entry of jni methods would not be set to jni trampoline after hooked
155 |
156 | // do not set native flag
157 | // https://github.com/PAGalaxyLab/YAHFA/issues/151
158 | // hook would fail on debug mode though
159 | if (SDKVersion <= __ANDROID_API_Q__) {
160 | // We don't set kAccNative on R+ because they will try to load from real native method pointer instead of entry_point_from_quick_compiled_code_.
161 | // Ref: https://cs.android.com/android/platform/superproject/+/android-11.0.0_r3:art/runtime/art_method.h;l=844;bpv=1;bpt=1
162 | access_flags |= kAccNative;
163 | }
164 | setFlags(fromMethod, access_flags);
165 | LOGI("change access flags from 0x%x to 0x%x", old_flags, access_flags);
166 | }
167 |
168 | return 0;
169 |
170 | }
171 |
172 | static int doBackupAndHook(void *targetMethod, void *hookMethod, void *backupMethod) {
173 | LOGI("target method is at %p, hook method is at %p, backup method is at %p",
174 | targetMethod, hookMethod, backupMethod);
175 |
176 | int res = 0;
177 |
178 | // set kAccCompileDontBother for a method we do not want the compiler to compile
179 | // so that we don't need to worry about hotness_count_
180 | if (SDKVersion >= __ANDROID_API_N__) {
181 | setNonCompilable(targetMethod);
182 | // setNonCompilable(hookMethod);
183 | if(backupMethod) setNonCompilable(backupMethod);
184 | }
185 |
186 | if (backupMethod) {// do method backup
187 | // we use the same way as hooking target method
188 | // hook backup method and redirect back to the original target method
189 | // the only difference is that the entry point is now hardcoded
190 | // instead of reading from ArtMethod struct since it's overwritten
191 | res += replaceMethod(backupMethod, targetMethod, 1);
192 | }
193 |
194 | res += replaceMethod(targetMethod, hookMethod, 0);
195 |
196 | LOGI("hook and backup done");
197 | return res;
198 | }
199 |
200 | static void *getArtMethod(JNIEnv *env, jobject jmethod) {
201 | void *artMethod = NULL;
202 |
203 | if(jmethod == NULL) {
204 | return artMethod;
205 | }
206 |
207 | if(SDKVersion >= __ANDROID_API_R__) {
208 | artMethod = (void *) (*env)->GetLongField(env, jmethod, fieldArtMethod);
209 | }
210 | else {
211 | artMethod = (void *) (*env)->FromReflectedMethod(env, jmethod);
212 | }
213 |
214 | LOGI("ArtMethod: %p", artMethod);
215 | return artMethod;
216 |
217 | }
218 |
219 | jobject Java_lab_galaxy_yahfa_HookMain_findMethodNative(JNIEnv *env, jclass clazz,
220 | jclass targetClass, jstring methodName,
221 | jstring methodSig) {
222 | const char *c_methodName = (*env)->GetStringUTFChars(env, methodName, NULL);
223 | const char *c_methodSig = (*env)->GetStringUTFChars(env, methodSig, NULL);
224 | jobject ret = NULL;
225 |
226 |
227 | //Try both GetMethodID and GetStaticMethodID -- Whatever works :)
228 | jmethodID method = (*env)->GetMethodID(env, targetClass, c_methodName, c_methodSig);
229 | if (!(*env)->ExceptionCheck(env)) {
230 | ret = (*env)->ToReflectedMethod(env, targetClass, method, JNI_FALSE);
231 | } else {
232 | (*env)->ExceptionClear(env);
233 | method = (*env)->GetStaticMethodID(env, targetClass, c_methodName, c_methodSig);
234 | if (!(*env)->ExceptionCheck(env)) {
235 | ret = (*env)->ToReflectedMethod(env, targetClass, method, JNI_TRUE);
236 | } else {
237 | (*env)->ExceptionClear(env);
238 | }
239 | }
240 |
241 | (*env)->ReleaseStringUTFChars(env, methodName, c_methodName);
242 | (*env)->ReleaseStringUTFChars(env, methodSig, c_methodSig);
243 | return ret;
244 | }
245 |
246 | jboolean Java_lab_galaxy_yahfa_HookMain_backupAndHookNative(JNIEnv *env, jclass clazz,
247 | jobject target, jobject hook,
248 | jobject backup) {
249 |
250 |
251 |
252 | if (!doBackupAndHook(
253 | getArtMethod(env, target),
254 | getArtMethod(env, hook),
255 | getArtMethod(env, backup)
256 | )) {
257 | (*env)->NewGlobalRef(env, hook); // keep a global ref so that the hook method would not be GCed
258 | if(backup) (*env)->NewGlobalRef(env, backup);
259 | return JNI_TRUE;
260 | } else {
261 | return JNI_FALSE;
262 | }
263 | }
264 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 | {one line to give the program's name and a brief idea of what it does.}
635 | Copyright (C) {year} {name of author}
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program. If not, see .
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | {project} Copyright (C) {year} {fullname}
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | .
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | .
675 |
--------------------------------------------------------------------------------