Unlike the existing `newInstance` variants which allocate and return a new object, these new APIs execute constructor logic on an existing, pre-allocated instance (`thisObject`). This separation of allocation and initialization allows for invoking original or super constructors within hook callbacks where the object reference is already established.
The implementation leverages the existing JNI `HookBridge` methods, as `invokeOriginalMethod` and `invokeSpecialMethod` already support void-return signatures required for constructor execution.
Co-authored-by: frknkrc44 <krc440002@gmail.com>
Centralize dependencies and migrate to submodules
Move `apache` and `axml` modules to a unified `external` directory and migrate libxposed API and service interfaces from Maven dependencies to Git submodules.
Included changes:
- Updated .gitmodules with new paths.
- Simplified core.yml CI workflow.
- Updated Gradle project references to use the new directory structure.
- Added documentation for external components.
In the LSPosedDexParser constructor, the methodIds array is allocated correctly, but the loop condition is wrong: its length is divided by 3 twice.
We rewrite this class in Kotlin, marking the first commit of refactoring LSPosed into Vector.
Co-authored-by: Willian Wang <git@willian.wang>
- When the Step 2 (r-xp) mode is not found, implement the lookup logic to fall back to the first r--p segment
- On Android 10, Step 1 to Step 2 doesn't match any pattern, but r--p does have a libart.so address
- Log
findModuleBase(): Found 4 filtered map entries for libart.so:
findModuleBase(): 0x70991e8000 r--p /apex/com.android.runtime/lib64/libart.so
findModuleBase(): 0x7099327000 --xp /apex/com.android.runtime/lib64/libart.so
findModuleBase(): 0x70997de000 rw-p /apex/com.android.runtime/lib64/libart.so
findModuleBase(): 0x70997e1000 r--p /apex/com.android.runtime/lib64/libart.so
findModuleBase(): `r--p` -> `r-xp` pattern not found. Falling back to first `r-xp` entry.
findModuleBase(): `r-xp` pattern not found. Falling back to first `r--p` entry.
findModuleBase(): Found first `r--p` block at 0x70991e8000
findModuleBase(): get module base /apex/com.android.runtime/lib64/libart.so: 0x70991e8000
findModuleBase(): update path: /apex/com.android.runtime/lib64/libart.so
This commit attempts to resolve an issue reported by users on recent OnePlus software updates where LSPosed modules are no longer able to hook the `Application#attach` method.
Android Runtime (ART) on these devices has become more aggressive with method inlining. This optimization can cause the relatively small `Application#attach` method to be directly embedded into its (indirect) calling methods, which makes it invisible to the hooking framework.
This approach is adapted from a reportedly successful commit in a community fork (LSPosed-Irena). It identifies `makeApplication` and `makeApplicationInner` within the `android.app.LoadedApk` class as the key callers to deoptimize. By adding these methods to the `BOOT_IMAGE` list, the goal is to prevent ART from inlining them, thus preserving `Application#attach` as a distinct and hookable method.
Co-authored-by: Irena <140869597+re-zero001@users.noreply.github.com>
Resolves a `SIGSEGV` crash that occurs when co-instrumenting with recent versions of Frida.
The root cause was that the previous parsing logic would select the first memory mapping matching the library name. When Frida is active, it can temporarily create a transient, read-only mapping at a lower address than the real library. This would cause our parser to select the wrong base address.
This commit refactors the `findModuleBase` function to be structurally aware. It now filters all mappings for the target library and specifically searches for the pattern of a read-only (`r--p`) segment immediately followed by an executable (`r-xp`) segment. This allows it to correctly identify the real library mapping and ignore transient artifacts from other instrumentation frameworks.
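As an added example (not LSPosed's own `findModuleBase` code), the structural search described here together with the fallback order from the Android 10 log above, run over constructed `/proc/self/maps` text; the naive first-match function stands in for the pre-fix behaviour, and computing the base as segment start minus file offset is an assumption of this example, not something stated in the commits.

```python
import re
from typing import NamedTuple, Optional
MapEntry = NamedTuple("MapEntry", [("start", int), ("perms", str), ("offset", int), ("path", str)])
# /proc/self/maps line: start-end perms offset dev inode [path]
_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\S+\s*(.*)$")

def parse_maps(text: str) -> list[MapEntry]:
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append(MapEntry(int(m[1], 16), m[2], int(m[3], 16), m[4]))
    return out
def naive_first_match(text: str, libname: str) -> Optional[int]:
    # Pre-fix behaviour: the first r--p/r-xp line naming the library wins.
    for e in parse_maps(text):
        if e.perms in ("r--p", "r-xp") and e.path.endswith("/" + libname):
            return e.start
    return None
def find_module_base(text: str, libname: str) -> Optional[int]:
    # Structural search: an r--p segment immediately followed by r-xp, then the
    # fallbacks the log above describes (first r-xp, then first r--p).
    f = [e for e in parse_maps(text) if e.path.endswith("/" + libname)]
    chosen = next((a for a, b in zip(f, f[1:])
                   if a.perms == "r--p" and b.perms == "r-xp"), None)
    if chosen is None:
        chosen = next((e for e in f if e.perms == "r-xp"), None)
    if chosen is None:
        chosen = next((e for e in f if e.perms == "r--p"), None)
    if chosen is None:
        return None
    # Load base = segment start - file offset; assumes p_vaddr == p_offset for
    # the mapped PT_LOAD, which holds for ordinary shared libraries (assumption).
    return chosen.start - chosen.offset

# Constructed sample (not a device capture): line 1 mimics a transient read-only
# mapping of the same file at a lower address, like the one Frida can create.
MAPS_WITH_FRIDA = """\
7098000000-7098001000 r--p 00000000 00:00 0 /apex/com.android.runtime/lib64/libart.so
70991e8000-7099327000 r--p 00000000 fd:00 4567 /apex/com.android.runtime/lib64/libart.so
7099327000-70997de000 r-xp 0013f000 fd:00 4567 /apex/com.android.runtime/lib64/libart.so
70997de000-70997e1000 rw-p 005f6000 fd:00 4567 /apex/com.android.runtime/lib64/libart.so
"""
# Constructed Android 10 sample modelled on the log above: execute-only --xp, no r-xp.
MAPS_ANDROID10 = """\
70991e8000-7099327000 r--p 00000000 fd:00 4567 /apex/com.android.runtime/lib64/libart.so
7099327000-70997de000 --xp 0013f000 fd:00 4567 /apex/com.android.runtime/lib64/libart.so
70997e1000-70997f0000 r--p 005f9000 fd:00 4567 /apex/com.android.runtime/lib64/libart.so
"""
```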
* Fix warnings of CMake
To completely remove CMake version warnings, one may need to change the CMakeLists.txt file in the NDK installation.
* Add compiler flag -Wpedantic
Show compilation errors for the core subject, while ignoring some of them
Even if dladdr could not find a function name for an address given by
art_symbol_resolver, we should still process the inline hook.
Close #32 as completed, close #39 as merged
1. Remove the usage of `tstring` since it is removed in the upstream.
2. In commit aa98da5, the return value of android::ResStringPool::setup
was mistaken.
3. We should also set a proper symbol resolver for native_api.
Note that RS_SUCCESS = 0 is removed in the commit
f4643b8d14d7cc94516b446ca77d952d0b986d50
of https://github.com/jmpews/Dobby
The CMake option DOBBY_GENERATE_SHARED is removed; we use dobby_static
explicitly.
Convert ScopedLocalRef to its reference, otherwise we get the error:
no viable conversion from 'ScopedLocalRef<_jobject *>' (aka 'lsplant::ScopedLocalRef<_jobject *>') to 'jobject' (aka '_jobject *')
Support for a stripped library as libart.
We thus need to parse a new section `.gnu_debugdata`, compressed
with the xz library, which is in the ELF header of the library.
After in-memory decompression, the new ELF header is parsed to find
the section `.symtab`.
Co-authored-by: mywalk <66966897+mywalkb@users.noreply.github.com>
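As an added example (not the project's own ELF parser), the two-level lookup this commit describes: walk the outer ELF64 section header table, and when `.symtab` is absent, xz-decompress `.gnu_debugdata` and look for `.symtab` in the embedded ELF. The `build_elf64` helper constructs minimal test images in memory; the images and section contents are constructed placeholders, not bytes from a real libart.so.

```python
import lzma
import struct

def build_elf64(sections: dict) -> bytes:
    # Constructed minimal ELF64: header, section data, then the section header table.
    names = [""] + list(sections) + [".shstrtab"]
    shstrtab = b"".join(n.encode() + b"\0" for n in names)
    datas = list(sections.values()) + [shstrtab]
    body, offs = b"", []
    for d in datas:
        offs.append(64 + len(body))
        body += d
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9          # ELFCLASS64, LSB, v1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0xB7, 1, 0, 0, 64 + len(body),
                              0, 64, 0, 0, 64, len(datas) + 1, len(datas))
    sh, name_off = b"\0" * 64, 1                                # index 0 is SHT_NULL
    for n, d, o in zip(names[1:], datas, offs):
        sh += struct.pack("<IIQQQQIIQQ", name_off, 1, 0, 0, o, len(d), 0, 0, 1, 0)
        name_off += len(n) + 1
    return hdr + body + sh

def find_section(elf: bytes, name: str):
    # Walk the ELF64 section header table, resolving names through .shstrtab.
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    shdr = lambda i: struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize)
    stroff, strsize = shdr(shstrndx)[4:6]
    strtab = elf[stroff:stroff + strsize]
    for i in range(shnum):
        h = shdr(i)
        nameoff, off, size = h[0], h[4], h[5]
        if strtab[nameoff:strtab.index(b"\0", nameoff)] == name.encode():
            return elf[off:off + size]
    return None

def symtab_from_stripped(elf: bytes):
    # A stripped library has no .symtab, but may carry .gnu_debugdata: an xz stream
    # holding a second ELF whose section table still has .symtab.
    sym = find_section(elf, ".symtab")
    if sym is None and (mini := find_section(elf, ".gnu_debugdata")) is not None:
        sym = find_section(lzma.decompress(mini), ".symtab")
    return sym

# Constructed images (not real libart.so bytes): the inner one keeps a placeholder
# .symtab; the outer "stripped" one carries only .dynsym plus the xz-packed inner ELF.
FAKE_SYMTAB = b"\0" * 24 + b"placeholder-symtab"
INNER = build_elf64({".symtab": FAKE_SYMTAB})
STRIPPED = build_elf64({".dynsym": b"\0" * 24,
                        ".gnu_debugdata": lzma.compress(INNER, format=lzma.FORMAT_XZ)})
```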
1. Use JDK 21
2. Update android plugins for JDK 21
3. Update gradle wrapper
The new R8 engine will change more class names than before; we thus
need to save the needed ones.