frida-gum's Introduction

Frida

Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Learn more at frida.re.

Two ways to install

1. Install from prebuilt binaries

This is the recommended way to get started. All you need to do is:

pip install frida-tools # CLI tools
pip install frida       # Python bindings
npm install frida       # Node.js bindings

You may also download pre-built binaries for various operating systems from Frida's releases page on GitHub.

2. Build your own binaries

Run:

make

You may also invoke ./configure first if you want to specify a --prefix, or any other options.

CLI tools

To run the Frida CLI tools (frida, frida-ls-devices, frida-ps, frida-kill, frida-trace, frida-discover, etc.), you need a few extra Python packages:

pip install colorama prompt-toolkit pygments

Apple OSes

First make a trusted code-signing certificate. You can use the guide at https://sourceware.org/gdb/wiki/PermissionsDarwin in the sections “Create a certificate in the System Keychain” and “Trust the certificate for code signing”. You can use the name frida-cert instead of gdb-cert if you'd like.

Next export the name of the created certificate to relevant environment variables, and run make:

export MACOS_CERTID=frida-cert
export IOS_CERTID=frida-cert
export WATCHOS_CERTID=frida-cert
export TVOS_CERTID=frida-cert
make

To ensure that macOS accepts the newly created certificate, restart the taskgated daemon:

sudo killall taskgated

Learn more

Have a look at our documentation.

frida-gum's People

Contributors

0xdc00, 3vilwind, akiannillo, alvarofe, bigboysun, elvanderb, fabianfreyer, fesily, fitblip, frankspierings, gebing, haaspors, hexploitable, hot3eed, jonwilson030981, karltk, leonjza, manouchehri, meme, mephi42, milahu, mrmacete, oleavr, riverar, s1341, thestr4ng3r, tmm1, tyilo, worksbutnottested, zjw88282740

frida-gum's Issues

Dalvik.enumerateLoadedClasses crashes

Whenever I try using the enumerateLoadedClasses() function or the sync version of it the following error pops up:

{u'lineNumber': 1932, u'type': u'error', u'description': u'Error: access violation reading 0x0', u'fileName': u'gumscript-runtime-dalvik.js'}

Emulator 4.3.1 armeabi-v7a

Implement filedescriptor API

It would be nice if gum could provide an abstraction to manipulate file descriptors (list them, dup, close, open, etc.) from the target process. This is what dd does in r2; on Linux the list can be retrieved via /proc/pid/fd, on Darwin probably by brute-forcing with fstat.

Wrong float passing

Minimal example

package com.example;

public class Example {
   static String floatTest(float x) {
      return String.valueOf(x);
   }
}

Instrumentation code

Java.perform(() => {
   const Example = Java.use("com.example.Example");
   console.log(Example.floatTest(1));
});

The (wrong) output is -3.6587613E-7

Return statement doesn't work with own function implementation

I try to overwrite the result of a boolean Java method, but it doesn't work. The new implementation will be executed, but the returned value will not be recognized.

function hook(classname, functionname) {
    Dalvik.perform(function () {
        let klass = Dalvik.use(classname);
        klass[functionname].implementation = function () {
                console.log(':)');
                return false;
        };
    });
};

Stalker does not work on Android

The following script does not produce any output on Android:
It is executed with frida -U -l stalker-test.js com.android.contacts

Stalker.follow({
    events: {
        call: true,
        ret: true,
        exec: true
    },
    onReceive: function (events) {
        console.log("onReceive");
    },
    onCallSummary: function (summary) {
        console.log("onCallSummary");
    }
});

send/recv can't handle +Infinity, -Infinity and NaN

This is mostly a problem for the Python REPL, as it will display these values as null.

Python's json module already supports +Infinity, -Infinity and NaN out of the box, so I suggest that we use our own JSON.stringify and JSON.parse in send and recv.

For the parsing part we can use JSON.parseMore.

I haven't found anything for JSON.stringify, but we could implement that ourselves fairly easily.
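The codec the post asks for, as an added example that is not frida-gum's code and not the JSON.parseMore approach it mentions: on the agent side, serialize non-finite numbers as the bare tokens Infinity, -Infinity and NaN (which Python's json.loads accepts out of the box), and parse them back with a small pre-pass that leaves string contents alone. The NONCE marker and the function names are this example's own.

```javascript
// Added example (not frida-gum code): a JSON codec for send()/recv()
// payloads that keeps +Infinity, -Infinity and NaN. Standard JSON.stringify
// turns them into null; this emits the bare tokens Infinity, -Infinity and
// NaN, which Python's json.loads already accepts, and parses them back
// without a non-standard JSON.parseMore.

// Per-process random marker, so a user string cannot collide with it just
// by containing the word "Infinity".
const NONCE = 'nf' + Math.random().toString(36).slice(2, 12);
const MARKER = new RegExp('"' + NONCE + ':(NaN|-?Infinity)"', 'g');
const TOKEN = /-?Infinity|NaN/y;   // sticky: matches only at lastIndex

function stringifyNonFinite(value) {
  // The replacer swaps every non-finite number for a marker string, which
  // JSON.stringify emits quoted; the markers are then unquoted into tokens.
  const text = JSON.stringify(value, (key, v) => {
    if (typeof v === 'number' && !Number.isFinite(v)) {
      const tok = Number.isNaN(v) ? 'NaN' : (v > 0 ? 'Infinity' : '-Infinity');
      return NONCE + ':' + tok;
    }
    return v;
  });
  return text === undefined ? undefined : text.replace(MARKER, '$1');
}

function parseNonFinite(text) {
  // Walk the text, copying string literals verbatim (so "NaN" inside a
  // string is untouched) and quoting bare tokens so JSON.parse accepts them.
  let out = '';
  let i = 0;
  while (i < text.length) {
    const c = text[i];
    if (c === '"') {
      let j = i + 1;
      while (j < text.length && text[j] !== '"') {
        if (text[j] === '\\') j++;   // skip the escaped character
        j++;
      }
      if (j >= text.length) throw new SyntaxError('unterminated string');
      out += text.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    TOKEN.lastIndex = i;
    const m = TOKEN.exec(text);
    if (m !== null) {
      out += '"' + NONCE + ':' + m[0] + '"';
      i += m[0].length;
      continue;
    }
    out += c;
    i++;
  }
  return JSON.parse(out, (key, v) => {
    if (typeof v === 'string' && v.startsWith(NONCE + ':')) {
      const tok = v.slice(NONCE.length + 1);
      return tok === 'NaN' ? NaN : (tok === 'Infinity' ? Infinity : -Infinity);
    }
    return v;
  });
}

// Agent-side usage would be send(stringifyNonFinite(obj)) instead of
// send(obj); the Python host then calls json.loads(message['payload']).
```

The pre-pass in parseNonFinite is what makes this safe: a naive `text.replace(/NaN/g, ...)` would also rewrite a user string such as "NaN -Infinity", so string literals are skipped character by character, honouring backslash escapes.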

Hooking 2 methods in Dalvik VM with same name in the same class

Concerning hooking methods inside the Dalvik VM (Android):
1 - Is it possible to hook two methods with the same name (but different prototypes) in the same class?
2 - Inside the hook function, the documentation does not explain how to retrieve the function parameters. Is it just an array of parameters?
Thanks

Hook overloaded dalvik function with complex parameter

How do I correctly instrument function f of class c if it is declared as:

private void f(List<String> l){ .. }
private void f(boolean b){ .. }

The overload for boolean (c.f.overload("boolean").implementation = ..) works, but if I want to hook the first function, either with

var c = Dalvik.use("c");
c.f.overload("java.util.List<java.lang.String>").implementation = function(param){
 ...
}

or with

c.f.overload("java.util.List").implementation = function(param){
 ...
}

then I'm getting "Error: f: specified argument types do not match any overload".

Thanks.

JavaScript API can't handle 64-bit integers

Moved from frida/frida#18


As Numbers in JavaScript are stored as doubles, they can't represent all 64-bit integers.

Problematic example:

$ cat > fail.c
#include <stdio.h>
#include <stdint.h>

uint64_t a = 0x8888888888888888;
uint64_t b = 0x8888888888888889;

int main(void) {
    printf("&a, a: 0x%p, %llu\n", &a, a);
    printf("&b, b: 0x%p, %llu\n", &b, b);
    getchar();

    return 0;
}
^D
$ cc fail.c -o fail
$ ./fail
&a, a: 0x0x108520020, 9838263505978427528
&b, b: 0x0x108520028, 9838263505978427529

(leave running)
$ frida-repl fail
Attaching...
>>> a = Memory.readU64(ptr('0x108520020'))
9838263505978427000
>>> b = Memory.readU64(ptr('0x108520028'))
9838263505978427000
>>> a == b
true

As you can see the JavaScript API thinks that the memory contents of a and b are the same, when they in fact differ by 1.
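The precision loss described above, reproduced in plain Node.js as an added example (this is not Frida's API; Frida later introduced Int64/UInt64 wrapper types for exactly this reason). The 16 bytes are constructed inline from the two values in the report, and the two reader functions show the lossy double path beside the lossless BigInt path.

```javascript
// Added example (plain Node.js, not Frida's API): why a 64-bit value must
// not be carried as a JS Number and how BigInt carries it losslessly. The
// 16 bytes below are constructed inline: the two little-endian uint64_t
// values from the report above, 0x8888888888888888 and 0x8888888888888889.
const SAMPLE = Buffer.from([
  0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, // a
  0x89, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, 0x88, // b = a + 1
]);

// Lossy read: combine two 32-bit halves into a double. A double has a
// 53-bit mantissa, so above 2^53 neighbouring integers collapse together.
function readU64AsNumber(buf, offset) {
  const lo = buf.readUInt32LE(offset);
  const hi = buf.readUInt32LE(offset + 4);
  return hi * 2 ** 32 + lo;
}

// Lossless read: BigInt has arbitrary precision.
function readU64AsBigInt(buf, offset) {
  return buf.readBigUInt64LE(offset);
}

// Is it safe to hand this value to code that expects a Number?
function fitsInNumber(big) {
  return big >= 0n && big <= BigInt(Number.MAX_SAFE_INTEGER);
}

// Render a 64-bit value the way a reverse-engineer wants to see it.
function hex64(big) {
  return '0x' + big.toString(16).padStart(16, '0');
}

function compareReads(buf) {
  const aNum = readU64AsNumber(buf, 0);
  const bNum = readU64AsNumber(buf, 8);
  const aBig = readU64AsBigInt(buf, 0);
  const bBig = readU64AsBigInt(buf, 8);
  return {
    numberSaysEqual: aNum === bNum, // true: both collapse to the same double
    bigintSaysEqual: aBig === bBig, // false: the values differ by one
    aHex: hex64(aBig),
    bHex: hex64(bBig),
    aSafe: fitsInNumber(aBig),      // false: far above 2^53
  };
}
```

The guard in fitsInNumber is the check worth keeping in real scripts: anything that survives it can be passed to code expecting a Number; anything that fails it (pointers, hashes, file offsets on large files) must stay a BigInt or, in a Frida agent, a UInt64/NativePointer.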

Add File.read api

Currently, the File API of the agent is write-only. It would be good to have proper support for seek and read too. But for 99% of the cases the use would be like:

  • dump fs.writeFileSync()
  • slurp fs.readFileSync()
  • append fs.appendFileSync()
  • truncate

Can't create new variables in repl

$ frida Finder
...
[Local::ProcName::Finder]-> var a = 1
SyntaxError: Unexpected token var
[Local::ProcName::Finder]-> a = 1;
ReferenceError: a is not defined

File API not working

This code:

var fh = new File("/tmp/msg.txt", "rw");
fh.write ("Hello World\n");
fh.close();

results into:

ERROR: TypeError: File: failed to open file (No such file or directory)

after touch /tmp/msg.txt I get:

ERROR: TypeError: File: failed to open file (Operation not permitted)

even if the file is chmod 666

Frida doesn't work with ASAN

Looks like the ASAN segfault handler is registered before Frida's, so the process dies before Frida can handle it.

It would be interesting to have an API for managing the segfault exception in a better way, being able to call the ASAN handler if desired.

Android ART Implementation can't return Object

When I attempt to override a function which returns an int, frida works. However when I attempt to override a function which returns an Object, the Application crashes with the following traceback:

F/libc    ( 1373): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x45852e0 in tid 1373 (r.myapplication)
I/DEBUG   (   60): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (   60): Build fingerprint: 'generic/sdk_phone_armv7/generic:5.0.2/LSY64/1772600:eng/test-keys'
I/DEBUG   (   60): Revision: '0'
I/DEBUG   (   60): ABI: 'arm'
I/DEBUG   (   60): pid: 1373, tid: 1373, name: r.myapplication  >>> com.example.user.myapplication <<<
I/DEBUG   (   60): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x45852e0
I/DEBUG   (   60):     r0 71eb0039  r1 73510788  r2 00000001  r3 b0830a20
I/DEBUG   (   60):     r4 b4db5d61  r5 b4ffefe0  r6 b5069300  r7 73510788
I/DEBUG   (   60):     r8 b4db5d01  r9 00000000  sl b4db5d00  fp b6f7ad94
I/DEBUG   (   60):     ip fffffaac  sp bea8fce8  lr 045852e0  pc b4ee62b2  cpsr 20000030
I/DEBUG   (   60): 
I/DEBUG   (   60): backtrace:
I/DEBUG   (   60):     #00 pc 001d42b2  /system/lib/libart.so (art::mirror::ArtMethod::ToDexPc(unsigned int, bool)+141)
I/DEBUG   (   60):     #01 pc 0021c81d  /system/lib/libart.so (art::CurrentMethodVisitor::VisitFrame()+40)
I/DEBUG   (   60):     #02 pc 0021abf1  /system/lib/libart.so (art::StackVisitor::WalkStack(bool)+240)
I/DEBUG   (   60):     #03 pc 0021d141  /system/lib/libart.so (art::Thread::GetCurrentMethod(unsigned int*, bool) const+44)
I/DEBUG   (   60):     #04 pc 0025ba6f  /system/lib/libart.so (art::CheckReferenceResult(art::mirror::Object*, art::Thread*)+42)
I/DEBUG   (   60):     #05 pc 0008714b  /system/lib/libart.so (art::JniMethodEndWithReference(_jobject*, unsigned int, art::Thread*)+62)
I/DEBUG   (   60):     #06 pc 0027c95f  /system/lib/libart.so (artQuickGenericJniEndTrampoline+286)
I/DEBUG   (   60):     #07 pc 000a3d2d  /system/lib/libart.so (art_quick_generic_jni_trampoline+44)
I/DEBUG   (   60):     #08 pc 00000000  <unknown>
I/DEBUG   (   60): 

This is the hook code I'm using:

Dalvik.perform(function() {
    var myclass = Dalvik.use("com.example.user.myapplication.MyClass");
    myclass.handleObject.implementation = function(myObject) {
        send("Handle Object called within Frida!!");
        return this.handleObject(myObject);
    };
});

The send command succeeds, but it fails on the return.

This is with the latest git build (ba1a8ce)

Confusing/non-consistent type representation in overload(...)

When using Java.method.overload(...), the full name of native types must be used and not the letters representing these types in Java signatures. For instance int instead of I, byte instead of B, etc.

But when the parameter is an array of a native type, the letter must be used and not the full name.
For instance, if the method is method(int x, int y[]), overload must be used like this: method.overload("int", "[I") and not with [int or int[].

While not a big issue, this can be misleading/counter-intuitive.
A simpler way to avoid any confusion could be to use the signature of the method in overload(), for instance for the previous example I[I.

Android 5.0.1 ART: app crash when calling certain functions from frida hook

Hi,

I recently switched from Android 4 to 5.0.1, so in the same time from Dalvik to ART.
Now I'm experiencing some crashes when calling "some functions" from a Frida hook that worked just fine with Dalvik. I'm sorry for the approximate description, but I didn't manage to identify which function exactly provokes the crashes.

For instance, in a hook of a method taking a ByteBuffer as only param:

function hook(bbparam) { ... }
Java.use(aclass).amethod.overload("java.nio.ByteBuffer").implementation = hook;

I can call some methods without provoking a crash, like the duplicate method:

var dup = bbparam.duplicate.call(bbparam); // works fine

But not others, like all the different get() methods, or the array() method:

var arr = bbparam.array.call(bbparam); //crash
var bytes = bbparam.get.overload("int").call(bbparam); //crash

The backtrace I observe in logcat is the following:

backtrace:
    /system/lib/libart.so (art::mirror::ArtMethod::ToDexPc(unsigned int, bool)+175)
    /system/lib/libart.so (art::BuildInternalStackTraceVisitor<false>::VisitFrame()+180)
    /system/lib/libart.so (art::StackVisitor::WalkStack(bool)+272)
    /system/lib/libart.so (_jobject* art::Thread::CreateInternalStackTrace<false>(art::ScopedObjectAccessAlreadyRunnable const&) const+324)
    /system/lib/libart.so (art::Throwable_nativeFillInStackTrace(_JNIEnv*, _jclass*)+22)
    /data/dalvik-cache/arm/system@[email protected]

Are there currently similar known issues on Android 5.0.1 with ART?
Thanks.

Thread enumeration does not work on Android

When attached to a process on Android, the thread list is always empty.
For instance, with the contact application:

$ frida -U com.android.contacts
...
[USB::com.android.contacts]-> Process.enumerateThreadsSync()
[]

When gdb, attached to the same process, shows the following:

 (gdb) info threads
  Id   Target Id    
  23   Thread 9967  
  22   Thread 9948  
  21   Thread 9946  
  20   Thread 9945  
  19   Thread 9944  
  18   Thread 9940  
  17   Thread 9165  
  16   Thread 9158  
  15   Thread 9156  
  14   Thread 9155  
  13   Thread 9154  
  12   Thread 9153  
  11   Thread 9152  
  10   Thread 9150  
  9    Thread 9149  
  8    Thread 9148  
  7    Thread 9147  
  6    Thread 9146  
  5    Thread 9145  
  4    Thread 9144  
  3    Thread 9143  
  2    Thread 9142  
* 1    Thread 9138  

To be precise: same behavior on Android 4.4 and Android 5.0.

Add console.log on client side

Without having to implicitly pass messages, this is important because most of the time you will not have access to the console of the target app.

As a workaround:

import frida
import sys

pid = int(sys.argv[1])

process = frida.attach(pid)
script = process.session.create_script("""
    // Agent-side stand-in for console.log: ship the text to the host
    function print(x) {
        send({type: "msg", msg: x});
    }
    print("Hello World");
    """)

def on_message(message, data):
    # Only "send" messages carry a payload; script errors arrive as type "error"
    if message['type'] != 'send':
        print(message)
        return
    payload = message['payload']
    if isinstance(payload, dict) and payload.get('type') == 'msg':
        print(payload['msg'])
    else:
        print(message)

script.on('message', on_message)
script.load()
sys.stdin.read()  # keep the host alive so queued messages are delivered

How to represent an array in JavaScript when hooking Dalvik methods

Below is the Dalvik method I want to hook:

    public String hookMeArray(String args[])
    {
        return args[0] + args[1];
    }

Below is my hooking code:

Dalvik.perform(function () {
    var hook = Dalvik.use("com.example.godric.fridademo.Hook");
    hook.hookMeArray.overload("java.lang.String[]").implementation = function (s1) {
    //hook.hookMeArray.overload("[java.lang.String]").implementation = function (s1) {
    //hook.hookMeArray.overload("[java.lang.String").implementation = function (s1) {
    //The above three lines all meet a error
    //error messages : {u'lineNumber': 1259, u'type': u'error', u'description': u'Error: hookMeArray: specified argument types do not match any overload', u'fileName': u'gumscript-runtime-dalvik.js'} None
        send("Hook Array:");
        send(s1);
        var ret = hook.hookMeArray.overload("[java.lang.String").call(this, s1);
        send(ret);
        return ret;
    };
});

My question is: how do I represent the array in the arguments?
Many Thanks!
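Both the "[I versus int" inconsistency reported under "Confusing/non-consistent type representation in overload(...)" and the array question just above come down to the same mapping between JNI descriptors and the names overload() accepts. The following is an added example, not part of Frida's Java bridge: it converts a JNI method descriptor into overload() argument names, and converts the Java-source spelling people try first (generics included) into the same names. The convention it assumes is the one in the reports above plus Frida's current documentation: primitives by full name, object types as dotted class names with generics erased, arrays in JNI spelling with dots, so a String[] parameter is "[Ljava.lang.String;".

```javascript
// Added example, not part of Frida's Java bridge: turn a JNI method
// descriptor (as printed by javap -s or a smali listing) into the type
// names that Java.use(cls).method.overload(...) expects, and turn the
// Java-source spelling people try first into the same names.
// Assumed convention (from the reports above and Frida's current docs):
// primitives by full name ("int"), objects as dotted class names with
// generics erased ("java.util.List"), arrays in JNI spelling with dots
// ("[I", "[Ljava.lang.String;").
const PRIMITIVES = {
  Z: 'boolean', B: 'byte', C: 'char', S: 'short',
  I: 'int', J: 'long', F: 'float', D: 'double', V: 'void',
};
const LETTER_OF = Object.fromEntries(
  Object.entries(PRIMITIVES).map(([letter, name]) => [name, letter]));
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Index just past the single field descriptor that starts at `pos`.
function spanType(desc, pos) {
  let i = pos;
  while (desc[i] === '[') i++;                 // array dimensions
  if (desc[i] === 'L') {                       // Lpkg/Class;
    const end = desc.indexOf(';', i);
    if (end < 0) throw new Error('unterminated class name in ' + desc);
    return end + 1;
  }
  if (has(PRIMITIVES, desc[i])) return i + 1;
  throw new Error('bad descriptor at offset ' + i + ' in ' + desc);
}

// One raw JNI field descriptor -> overload() argument name.
function toOverloadName(raw) {
  if (raw[0] === '[') return raw.replace(/\//g, '.');   // arrays keep JNI form
  if (raw[0] === 'L') return raw.slice(1, -1).replace(/\//g, '.');
  return PRIMITIVES[raw];
}

// "(I[ILjava/lang/String;)V" -> ["int", "[I", "java.lang.String"]
function overloadArgs(methodDesc) {
  const close = methodDesc.indexOf(')');
  if (methodDesc[0] !== '(' || close < 0) {
    throw new Error('not a method descriptor: ' + methodDesc);
  }
  const args = [];
  let pos = 1;
  while (pos < close) {
    const next = spanType(methodDesc, pos);
    args.push(toOverloadName(methodDesc.slice(pos, next)));
    pos = next;
  }
  return args;
}

// Java-source spelling -> overload() argument name:
// "java.util.List<java.lang.String>" -> "java.util.List" (generics erased)
// "java.lang.String[]" -> "[Ljava.lang.String;", "int[][]" -> "[[I"
function fromJavaSource(typeName) {
  let name = typeName.replace(/<.*>/, '').trim();
  let dims = 0;
  while (name.endsWith('[]')) { name = name.slice(0, -2).trim(); dims++; }
  if (dims === 0) return name;
  const elem = has(LETTER_OF, name) ? LETTER_OF[name] : 'L' + name + ';';
  return '['.repeat(dims) + elem;
}
```

With this, the hook in the question above becomes hook.hookMeArray.overload(fromJavaSource("java.lang.String[]")), and the List<String> overload from the earlier report is selected with overload("java.util.List"), since the generic parameter does not exist at the JNI level.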

Support plt injection

Right now you can inject code using the Frida Interceptor API, as well as using, for example, the ObjC one.

It would be good to have support for patching the PLT to redirect import calls to our control, as well as other raw-pointer methods like what is done by the relocs in all major file formats. Maybe I should file an issue for that reloc patch injection thing.

Support for std::string

Support for string objects would be mighty useful.

Possible naming convention of Memory.readStdString() ?

Unable to handle lowercase thread state indicator on Linux

The following example code makes Frida crash with an assertion error:

import frida

pid=frida.spawn("/bin/ls")
process = frida.attach(pid)
script = process.session.create_script("""
    Process.enumerateThreads({
      onMatch:function onMatch(thread){
        send("onMatch");
      },
      onComplete:function onComplete(){
        send("onComplete");
      }
    });
""")
script.load() # This is where we crash

Error message:

ERROR:../../../../frida-gum/gum/backend-linux/gumprocess-linux.c:658:gum_thread_state_from_proc_status_character: code should not be reached

System info:

$ uname -a
Linux buttercup 3.2.0-55-generic #85-Ubuntu SMP Wed Oct 2 12:29:27 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

The problem is that gum_thread_state_from_proc_status_character() is unable to handle tracing-stop state of a thread if it is indicated in lowercase ('t').

Source code:

static GumThreadState
gum_thread_state_from_proc_status_character (gchar c)
{
  switch (c)
  {
    case 'R': return GUM_THREAD_RUNNING;
    case 'S': return GUM_THREAD_WAITING;
    case 'D': return GUM_THREAD_UNINTERRUPTIBLE;
    case 'Z': return GUM_THREAD_UNINTERRUPTIBLE;
    case 'T': return GUM_THREAD_STOPPED;
    case 'W': return GUM_THREAD_UNINTERRUPTIBLE;
    default:
      g_assert_not_reached ();
      break;
  }
}

Thread info:

$ cat /proc/3529/task/3529/stat
3529 (ls) t 3527 3527 2965 34816 3527 4202496 241 0 0 0 0 0 0 0 20 0 9 0 80586 931430400 2631 18446744073709551615 4194304 4296076 140734664679936 140329654353208 4212132 0 0 16781440 1088 18446744071579355164 0 0 17 3 0 0 0 0 0
$ head -n 2 /proc/3529/task/3529/status 
Name:   ls
State:  t (tracing stop)

I don't know if using lowercase status indicator is normal, but looks like major distros work this way so a case conversion could probably help a lot of users.

Android ART not working on 5.1.1

Frida's ART implementation does not work on 5.1.1, only 5.0.1.

This is probably due to the change in the ArtMethod declaration, where they have rearranged the variables.

Dalvik Android 5 support

Is support for Lollipop on the roadmap? What needs to be done to implement it?

{u'lineNumber': 116, u'type': u'error', u'description': u'Error: Dalvik API not available', u'fileName': u'gumscript-runtime-dalvik.js'}

Emulator 5.1.1 armeabi-v7a

App dies right after the repeated start (and 'exit' command) of 'repl.py'

> python repl.py -R se.feomedia.quizkampen.de.lite
[Remote::ProcName::se.feomedia.quizkampen.de.lite]-> exit
> python repl.py -R se.feomedia.quizkampen.de.lite
[Remote::ProcName::se.feomedia.quizkampen.de.lite]-> exit
> python repl.py -R se.feomedia.quizkampen.de.lite
ERROR OCCURS sometimes

Sometimes this error occurs

F/GLib    ( 6751): g_thread_pool_unprocessed: assertion 'real' failed
F/libc    ( 6751): Fatal signal 5 (???) at 0x00001a5f (code=-6), thread 6924 (pool)
F/GLib    ( 6751): g_source_set_ready_time: assertion 'source->ref_count > 0' failed
I/DEBUG   ( 3172): process stopped due to unexpected signal 5
W/CronetSyncConnectionRcs(18046): Upload content type not set.
F/GLib    ( 6751): g_thread_pool_unprocessed: assertion 'real' failed
--------- beginning of /dev/log/system
I/ActivityManager(16617): Process se.feomedia.quizkampen.de.lite (pid 6751) has died.

but mostly something like this

F/libc    ( 7613): Fatal signal 11 (SIGSEGV) at 0x0000100c (code=1), thread 7613 (zkampen.de.lite)
I/DEBUG   ( 3172): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 3172): Build fingerprint: 'google/hammerhead/hammerhead:4.4.4/KTU84P/1227136:user/release-keys'
I/DEBUG   ( 3172): Revision: '11'
I/DEBUG   ( 3172): pid: 7613, tid: 7613, name: zkampen.de.lite  >>> se.feomedia.quizkampen.de.lite <<<
I/DEBUG   ( 3172): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0000100c
I/DEBUG   ( 3172):     r0 02000242  r1 765942c8  r2 765942e8  r3 00001000
I/DEBUG   ( 3172):     r4 00000000  r5 76593008  r6 00001000  r7 3f54629b
I/DEBUG   ( 3172):     r8 76594248  r9 76594228  sl 7486be18  fp bee2b148
I/DEBUG   ( 3172):     ip 90000000  sp bee2afe0  lr 747eefb1  pc 7480e672  cpsr 40010030
I/DEBUG   ( 3172):     d0  0000000000000000  d1  0000000000000000
I/DEBUG   ( 3172):     d2  0000000000000000  d3  0000000000000000
I/DEBUG   ( 3172):     d4  000006f03f41bad0  d5  44de000000000438
I/DEBUG   ( 3172):     d6  000001c03f800000  d7  4487000043e00000
I/DEBUG   ( 3172):     d8  0000003cae49176d  d9  002e777d95a0f15e
I/DEBUG   ( 3172):     d10 0000000000000000  d11 0000000000000000
I/DEBUG   ( 3172):     d12 0000000000000000  d13 0000000000000000
I/DEBUG   ( 3172):     d14 0000000000000000  d15 0000000000000000
I/DEBUG   ( 3172):     d16 c1d46dae010072b0  d17 3f50624dd2f1a9fc
I/DEBUG   ( 3172):     d18 4192189164000000  d19 0000000000000000
I/DEBUG   ( 3172):     d20 3ff0000000000000  d21 0000000000000000
I/DEBUG   ( 3172):     d22 0000000000000000  d23 bff0000000000000
I/DEBUG   ( 3172):     d24 3f61111120000000  d25 8000000000000000
I/DEBUG   ( 3172):     d26 3ff0000000000000  d27 bf8b4e81c0000000
I/DEBUG   ( 3172):     d28 8000000000000000  d29 0000000000000000
I/DEBUG   ( 3172):     d30 0000000000000000  d31 0000000000000000
I/DEBUG   ( 3172):     scr 20000013
I/DEBUG   ( 3172): 
I/DEBUG   ( 3172): backtrace:
I/DEBUG   ( 3172):     #00  pc 0009c672  /system/vendor/lib/egl/libGLESv2_adreno.so (oxili_blt_2d_internal+745)
I/DEBUG   ( 3172):     #01  pc 00076f3f  /system/vendor/lib/egl/libGLESv2_adreno.so (rb_perform_unresolve+634)
I/DEBUG   ( 3172):     #02  pc 00077457  /system/vendor/lib/egl/libGLESv2_adreno.so (rb_perform_binning_resolve+958)
I/DEBUG   ( 3172):     #03  pc 00077ec3  /system/vendor/lib/egl/libGLESv2_adreno.so (rb_perform_resolve+262)
I/DEBUG   ( 3172):     #04  pc 00078249  /system/vendor/lib/egl/libGLESv2_adreno.so (rb_resolve+364)
I/DEBUG   ( 3172):     #05  pc 000a72fb  /system/vendor/lib/egl/libGLESv2_adreno.so (oxili_context_setrendertargets+66)
I/DEBUG   ( 3172):     #06  pc 0007c7a3  /system/vendor/lib/egl/libGLESv2_adreno.so (rb_context_setrendertargets+162)
I/DEBUG   ( 3172):     #07  pc 0005570b  /system/vendor/lib/egl/libGLESv2_adreno.so (set_framebuffer+146)
I/DEBUG   ( 3172):     #08  pc 0005e8e3  /system/vendor/lib/egl/libGLESv2_adreno.so (core_glBindRenderbuffer+142)
I/DEBUG   ( 3172):     #09  pc 00041099  /system/vendor/lib/egl/libGLESv2_adreno.so (glBindRenderbuffer+20)
I/DEBUG   ( 3172):     #10  pc 00344fbb  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #11  pc 0031616b  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #12  pc 00316393  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #13  pc 0031a061  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #14  pc 0033080d  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #15  pc 003418eb  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #16  pc 00330675  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #17  pc 00326ae3  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #18  pc 0030c6cd  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #19  pc 0030c6fd  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #20  pc 0030ddf3  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #21  pc 001e4981  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #22  pc 0030cebb  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #23  pc 0030de7f  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #24  pc 00188b4d  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #25  pc 00189501  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #26  pc 0030c55b  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #27  pc 0030cdcb  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #28  pc 00d59f69  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #29  pc 00ea1ad1  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #30  pc 00b4f79b  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172):     #31  pc 00d3ff77  /system/lib/libwebviewchromium.so
I/DEBUG   ( 3172): 
I/DEBUG   ( 3172): stack:
I/DEBUG   ( 3172):          bee2afa0  00000000  
I/DEBUG   ( 3172):          bee2afa4  ffffffff  
I/DEBUG   ( 3172):          bee2afa8  00000003  
I/DEBUG   ( 3172):          bee2afac  763a96c0  [anon:libc_malloc]
I/DEBUG   ( 3172):          bee2afb0  3f800000  
I/DEBUG   ( 3172):          bee2afb4  3f54629b  
I/DEBUG   ( 3172):          bee2afb8  76594248  [anon:libc_malloc]
I/DEBUG   ( 3172):          bee2afbc  747e3163  /system/vendor/lib/egl/libGLESv2_adreno.so (rb_cmdbuffer_addcmds_immediate+10)
I/DEBUG   ( 3172):          bee2afc0  7558fdf0  [anon:libc_malloc]
I/DEBUG   ( 3172):          bee2afc4  763a96c0  [anon:libc_malloc]
I/DEBUG   ( 3172):          bee2afc8  763aa840  [anon:libc_malloc]
I/DEBUG   ( 3172):          bee2afcc  747eefad  /system/vendor/lib/egl/libGLESv2_adreno.so (rb_invalidate_cache+20)
I/DEBUG   ( 3172):          bee2afd0  ffffffff  
I/DEBUG   ( 3172):          bee2afd4  00000000  
I/DEBUG   ( 3172):          bee2afd8  76593008  [anon:libc_malloc]
I/DEBUG   ( 3172):          bee2afdc  7480e65f  /system/vendor/lib/egl/libGLESv2_adreno.so (oxili_blt_2d_internal+726)
I/DEBUG   ( 3172):     #00  bee2afe0  bee2b148  [stack]
I/DEBUG   ( 3172):          bee2afe4  76593008  [anon:libc_malloc]
I/DEBUG   ( 3172):          bee2afe8  00000000  
I/DEBUG   ( 3172):          bee2afec  00000000  
I/DEBUG   ( 3172):          bee2aff0  76593008  [anon:libc_malloc]
I/DEBUG   ( 3172):          bee2aff4  7659420c  [anon:libc_malloc]
I/DEBUG   ( 3172):          bee2aff8  00000000  
I/DEBUG   ( 3172):          bee2affc  3ff00000  
I/DEBUG   ( 3172):          bee2b000  00000001  
I/DEBUG   ( 3172):          bee2b004  00000000  
I/DEBUG   ( 3172):          bee2b008  00000001  
I/DEBUG   ( 3172):          bee2b00c  00000001  
I/DEBUG   ( 3172):          bee2b010  00000001  
I/DEBUG   ( 3172):          bee2b014  0000000e  
I/DEBUG   ( 3172):          bee2b018  00000000  
I/DEBUG   ( 3172):          bee2b01c  00000000  
I/DEBUG   ( 3172):          ........  ........
I/DEBUG   ( 3172):     #01  bee2b0e0  000001c0  
I/DEBUG   ( 3172):          bee2b0e4  000001b0  
I/DEBUG   ( 3172):          bee2b0e8  bee2b8d4  [stack]
I/DEBUG   ( 3172):          bee2b0ec  000001c0  
I/DEBUG   ( 3172):          bee2b0f0  00000540  
I/DEBUG   ( 3172):          bee2b0f4  000001c0  
I/DEBUG   ( 3172):          bee2b0f8  000001b0  
I/DEBUG   ( 3172):          bee2b0fc  00000000  
I/DEBUG   ( 3172):          bee2b100  00000001  
I/DEBUG   ( 3172):          bee2b104  00000000  
I/DEBUG   ( 3172):          bee2b108  0000000f  
I/DEBUG   ( 3172):          bee2b10c  3ff00000  
I/DEBUG   ( 3172):          bee2b110  00000004  
I/DEBUG   ( 3172):          bee2b114  00000000  
I/DEBUG   ( 3172):          bee2b118  00000000  
I/DEBUG   ( 3172):          bee2b11c  00000000  
I/DEBUG   ( 3172):          ........  ........
I/DEBUG   ( 3172):     #02  bee2c088  00000000  
I/DEBUG   ( 3172):          bee2c08c  00000001  
I/DEBUG   ( 3172):          bee2c090  00000000  
I/DEBUG   ( 3172):          bee2c094  00000012  
I/DEBUG   ( 3172):          bee2c098  00000000  
I/DEBUG   ( 3172):          bee2c09c  00000005  
I/DEBUG   ( 3172):          bee2c0a0  00000007  
I/DEBUG   ( 3172):          bee2c0a4  763a9fe4  [anon:libc_malloc]
I/DEBUG   ( 3172):          bee2c0a8  00000001  
I/DEBUG   ( 3172):          bee2c0ac  763aaec8  [anon:libc_malloc]
I/DEBUG   ( 3172):          bee2c0b0  00000001  
I/DEBUG   ( 3172):          bee2c0b4  00000000  
I/DEBUG   ( 3172):          bee2c0b8  7558fdf0  [anon:libc_malloc]
I/DEBUG   ( 3172):          bee2c0bc  00000000  
I/DEBUG   ( 3172):          bee2c0c0  00000000  
I/DEBUG   ( 3172):          bee2c0c4  00000000  
I/DEBUG   ( 3172):          ........  ........
I/DEBUG   ( 3172): 
I/DEBUG   ( 3172): memory near r0:
I/DEBUG   ( 3172):     02000220 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     02000230 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     02000240 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     02000250 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     02000260 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     02000270 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     02000280 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     02000290 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     020002a0 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     020002b0 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     020002c0 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     020002d0 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     020002e0 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     020002f0 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     02000300 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172):     02000310 ffffffff ffffffff ffffffff ffffffff  
I/DEBUG   ( 3172): 
I/DEBUG   ( 3172): memory near r1:
I/DEBUG   ( 3172):     765942a8 00000000 065a003c 06ef03fb 038001c0  
I/DEBUG   ( 3172):     765942b8 053f037f 44070000 4406e000 c45e0000  
I/DEBUG   ( 3172):     765942c8 445de000 3efffee0 3efffee0 000220b7  
I/DEBUG   ( 3172):     765942d8 00000001 00001000 00000010 00000000  
I/DEBUG   ( 3172): memory map around fault addr 0000100c:
I/DEBUG   ( 3172):     (no map below)
I/DEBUG   ( 3172):     (no map for address)
I/DEBUG   ( 3172):     21000000-2102b000 rw- 

How to call a static Dalvik method in JavaScript

Below is the class I want to hook.

public class Hook 
{
    public String hookMe(String arg0, String arg1)
    {
        return arg0 + arg1;
    }

    public static String hookMeStatic(String arg0, String arg1)
    {
        return arg0 + arg1;
    }
}

Below is my JS code to hook these two methods. I can call the non-static method but don't know how to call the static one, as the "this" pointer cannot be used any more. I want to ask how to invoke it with the class name regardless of the instance of the class?

Dalvik.perform(function () {

    var hook = Dalvik.use("com.example.godric.fridademo.Hook");
    hook.hookMe.overload("java.lang.String","java.lang.String").implementation = function (s1,s2) {
        send(s1);
        send(s2);
        var ret = hook.hookMe.overload("java.lang.String", "java.lang.String").call(this, s1,s2);
        send(ret);
        return ret;
    };

    hook.hookMeStatic.overload("java.lang.String","java.lang.String").implementation = function (s1,s2) {
        send(s1);
        send(s2);
        var ret = hook.hookMeStatic.overload("java.lang.String", "java.lang.String").call(this, s1, s2);
        //var ret = hook.hookMeStatic.overload("java.lang.String", "java.lang.String").call(s1, s2);
        //var ret = hook.hookMeStatic.overload("java.lang.String", "java.lang.String").call(hook, s1, s2);
        //var ret = hook.hookMeStatic(s1, s2);
        //All of the above four lines are wrong
        //Error Message is: "{u'type': u'error', u'description': u'TypeError: expected NativePointer object'} None"
        //My question is how to write it? 
        send(ret);
        return ret;
    };
});

Many thanks!
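An added example (not the issue author's code and not Frida's own) of the pattern this question is after: inside the replacement of a static method, `this` is the class wrapper, so the original is reached as `this.hookMeStatic(s1, s2)`, and from script the class wrapper returned by `Java.use()` can be called by class name with no instance. It assumes the `Dalvik` namespace from the issue under its later name `Java`, and it builds a constructed stand-in for the bridge (with a hypothetical `callFromJava` helper) so the file also runs under plain Node.

```javascript
// Added example, not code from the issue or from Frida: hooking and calling a
// static method through Frida's Java bridge (the `Dalvik` namespace used in
// the issue became `Java` in later Frida versions). Inside the replacement of
// a static method `this` is the class wrapper, so `this.hookMeStatic(s1, s2)`
// reaches the original; from script the class wrapper is called directly.
const CLASS_NAME = 'com.example.godric.fridademo.Hook'; // class from the issue

// Installs both hooks on a bridge shaped like Frida's `Java` object and returns
// the class wrapper. `send` receives one record per intercepted call.
function installHooks(javaBridge, send) {
  const Hook = javaBridge.use(CLASS_NAME);
  const Str = 'java.lang.String';

  Hook.hookMe.overload(Str, Str).implementation = function (s1, s2) {
    send({ method: 'hookMe', args: [s1, s2] });
    return this.hookMe(s1, s2);            // `this` is the Java instance
  };

  Hook.hookMeStatic.overload(Str, Str).implementation = function (s1, s2) {
    send({ method: 'hookMeStatic', args: [s1, s2] });
    return this.hookMeStatic(s1, s2);      // `this` is the class wrapper
  };

  return Hook;
}

// Constructed stand-in for the parts of Frida's `Java` bridge used above, only
// so this file runs under plain Node; it is not Frida code. `callFromJava` is a
// hypothetical helper that models a call arriving from Java code, which is
// what triggers a replacement.
function makeFakeJavaBridge() {
  const original = {                       // Java-side behaviour from the issue
    hookMe: (s1, s2) => s1 + s2,
    hookMeStatic: (s1, s2) => s1 + s2,
  };
  function makeMethod(name, isStatic, klass) {
    let replacement = null;
    // Script-side calls always dispatch to the original, as Frida's wrappers do.
    const wrapper = (...args) => original[name](...args);
    wrapper.overload = () => wrapper;
    Object.defineProperty(wrapper, 'implementation', {
      set(fn) { replacement = fn; },
    });
    wrapper.callFromJava = (instance, ...args) =>
      replacement === null
        ? original[name](...args)
        : replacement.apply(isStatic ? klass : instance, args);
    return wrapper;
  }
  return {
    perform: (fn) => fn(),
    use(className) {
      const klass = { $className: className };
      klass.hookMe = makeMethod('hookMe', false, klass);
      klass.hookMeStatic = makeMethod('hookMeStatic', true, klass);
      klass.$new = () => Object.create(klass);   // instance sees the wrappers
      return klass;
    },
  };
}

// Exercises the hooks: two calls "from Java" hit the replacements; one direct
// call by class name from script needs no instance.
function runDemo(javaBridge) {
  const events = [];
  const Hook = installHooks(javaBridge, (e) => events.push(e));
  const instance = Hook.$new();
  const viaInstance = Hook.hookMe.callFromJava(instance, 'foo', 'bar');
  const viaStatic = Hook.hookMeStatic.callFromJava(null, 'baz', 'qux');
  const direct = Hook.hookMeStatic('hello ', 'world');
  return { viaInstance, viaStatic, direct, events };
}

if (typeof Java !== 'undefined') {         // running inside Frida
  Java.perform(() => installHooks(Java, send));
} else {                                   // running under Node
  console.log(JSON.stringify(runDemo(makeFakeJavaBridge())));
}
```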

Linting a bit

Start all js files with /* jshint esnext: true */ to allow jshint to parse.

bindings/gumjs/gumscript-runtime-objc.js: line 85, col 29, 'hasOwnProperty' is a really bad name.
bindings/gumjs/gumscript-runtime-objc.js: line 183, col 29, 'hasOwnProperty' is a really bad name.
bindings/gumjs/gumscript-runtime-objc.js: line 298, col 21, Bad line breaking before '?'.
bindings/gumjs/gumscript-runtime-objc.js: line 332, col 21, Bad line breaking before '?'.
bindings/gumjs/gumscript-runtime-objc.js: line 394, col 23, eval can be harmful.


bindings/gumjs/gumscript-runtime-dalvik.js: line 287, col 13, eval can be harmful.
bindings/gumjs/gumscript-runtime-dalvik.js: line 690, col 17, eval can be harmful.
bindings/gumjs/gumscript-runtime-dalvik.js: line 924, col 13, eval can be harmful.
bindings/gumjs/gumscript-runtime-dalvik.js: line 1353, col 51, Possible strict violation.

the gumscript-runtime-core.js passes with 0 warnings

Cannot instantiate an array of native type

Hi,

How can I instantiate an array of native Java type, say "int"?
The goal would be to be able to pass it to a method that will write to this array, something similar to this:

var intArray = /* ??? allocate java int array ??? */;
this.fillMethod.call(this, intArray, intArray.length);
send('data', intArray);

Thank you,

Can't hook into constructor

this.hookConstructor = function () {
        Dalvik.perform(function() {
            klass = Dalvik.use('o.ᓙ');
            klass.$new.implementation = function(str, i) {
                const result = this.$new(str, i);
                return result;
            }
        });
    };

Results with a crash.

As far as I know it depends on the this.$classHandle.
env.getObjectRefType(this.$classHandle) says it's a global reference. But when I'm trying to get the classname of it with env.getClassName(this.$classHandle) the app crashes with (+ dump)

E/dalvikvm(13974): JNI ERROR (app bug): attempt to use stale weak global reference 0x3
E/dalvikvm(13974): VM aborting

So this.$classHandle is actually no valid reference - but I don't know why.

Update:

const Singleton = Dalvik.use("....Singleton");
Singleton.$new.overload("int").implementation = function (value) {
  return null;
  // return this.$new.overload("int")(value);
};

It works... But the value we get is completely wrong.

Implement async APIs as generators instead of using callbacks

Basically like the *Sync APIs, but using generators instead, so we don't have to loop through every match if we want to stop early. This will also mean that we could get rid of all the *Sync APIs.

If some of the async functions actually run async*, we may want to use Promises, as they are really nice, instead of the currently needed callback hell.

* So that the output of the following code is 1 3 2:

console.log('1');
FooBar.enumerateFoos({
    onMatch: (foo) => console.log('2'),
    onComplete: () => {}
});
console.log('3');

Before:

var result = null;
Process.enumerateRanges('r--', {
    onMatch: (base, size, protection, file) => {
        Memory.scanRange(base, size, '66 72 69 64 61 20 72 6f 63 6b 73 21', {
            onMatch: function(address, size) {
                result = size;
                return 'stop';
            },
            onError: () => {},
            onComplete: () => {}
        });
        if(result) {
            return 'stop';
        }
    },
    onComplete: () => {}
});
console.log('Found string at address:', result);

After:

var result = null;
loopy: for(var range of Process.enumerateRanges('r--')) {
    for(var match of Memory.scanRange(range.base, range.size, '66 72 69 64 61 20 72 6f 63 6b 73 21')) {
        result = match.address;
        break loopy;
    }
}
console.log('Found string at address:', result);

Undefined behavior when hooking certain APIs on Windows

I was trying to hook some function on a program using Frida (see script attached). Specifically, I was trying to hook the Kernel32!HeapAlloc function (https://msdn.microsoft.com/en-us/library/windows/desktop/aa366597%28v=vs.85%29.aspx)

For some reason, I was getting the following error (see attached image).

I decided to investigate a bit about that error. What I found was that even though Frida could hook the ntdll.dll!RtlAllocateHeap (internal call from HeapAlloc) (see log below), for some reason, it tried to resolve or hook the "HeapAlloc" per se but as the function was not found then the error was raised.

See, here the hook for RtlAllocateHeap:

76FC209D RtlAllocateHeap - E9 92E17189 JMP 006E0234 --> JUMP TO TRAMPOLINE
76FC20A2 83EC 60 SUB ESP,60
76FC20A5 53 PUSH EBX
76FC20A6 56 PUSH ESI
76FC20A7 33F6 XOR ESI,ESI
76FC20A9 817D 10 FFFFFF7>CMP DWORD PTR SS:[EBP+10],7FFFFFFF
76FC20B0 57 PUSH EDI
76FC20B1 8975 F8 MOV DWORD PTR SS:[EBP-8],ESI
76FC20B4 0F87 3F900200 JA ntdll.76FEB0F9
[...]

@oleavr told me that some sanity checks are done before hooking a function, like:

  1. the first byte of the address is readable
  2. that we can parse the first instructions

These two conditions are satisfied in this case, because the address I'm calculating for HeapAlloc is readable and has "code". However, as HeapAlloc is a forwarder to RtlAllocateHeap, you are not going to find any code for the HeapAlloc resolved address.

So, Frida could resolve the hook in the first place but then, for some reason (I couldn't find the real cause), tries to resolve "HeapAlloc" per se.

So, maybe, you can add some heuristics to determine if the address to hook is a real function, maybe analyzing the prologue of the function. I assume this depends on the calling convention but it is just an idea.

In order to reproduce the issue, just launch "nopetad.exe" and run the script to attach to it. Then, navigate to File->Open. Error is raised.

Script and screenshot: https://www.dropbox.com/s/ng4lf1xfokcvv4p/frida-interceptor-error.zip?dl=0
