
Unable to resolve Landroid/telephony/SmsManager; #3

Open
flankerhqd opened this issue May 7, 2014 · 21 comments

Comments

@flankerhqd

Hi, thanks for the great tool! However, I found I cannot hook functions like android.telephony.SmsManager.sendTextMessage. By turning on the debug option in dalvik_hook.c (h->debug_me = 1), I found the reason is that the class android.telephony.SmsManager resolved to NULL.

The log is:

E/hook-dexstuff(  238): dvmInitClass = 0x4075bd49
E/hook-dexstuff(  238):   _Z36dvmFindVirtualMethodHierByDescriptorPK11ClassObjectPKcS3_ = 0x4075c72d
E/hook-dexstuff(  238): _Z31dvmFindDirectMethodByDescriptorPK11ClassObjectPKcS3_ = 0x4075c7c1
E/hook-dexstuff(  238): _Z17dvmIsStaticMethodPK6Method = 0x40739fed
E/hook-dexstuff(  238): dvmAllocObject = 0x40746715
E/hook-dexstuff(  238): _Z14dvmCallMethodVP6ThreadPK6MethodP6ObjectbP6JValueSt9__va_list = 0x40751481
E/hook-dexstuff(  238): _Z14dvmCallMethodAP6ThreadPK6MethodP6ObjectbP6JValuePK6jvalue = 0x40751339
E/hook-dexstuff(  238): _Z22dvmAddToReferenceTableP14ReferenceTableP6Object = 0x40742995
E/hook-dexstuff(  238): _Z16dvmSetNativeFuncP6MethodPFvPKjP6JValuePKS_P6ThreadEPKt = 0x4075a637
E/hook-dexstuff(  238): _Z15dvmUseJNIBridgeP6MethodPv = 0x4073ef75
E/hook-dexstuff(  238): _Z20dvmDecodeIndirectRefP6ThreadP8_jobject = 0x4073bc99
E/hook-dexstuff(  238): _Z21dvmLinearSetReadWriteP6ObjectPv = 0x4074004b
E/hook-dexstuff(  238): _Z22dvmGetCurrentJNIMethodv = 0x4073f169
E/hook-dexstuff(  238): _Z20dvmFindInstanceFieldPK11ClassObjectPKcS3_ = 0x4075c59d
E/hook-dexstuff(  238): _Z16dvmCallJNIMethodPKjP6JValuePK6MethodP6Thread = 0x4073ece1
E/hook-dexstuff(  238): _Z17dvmDumpAllClassesi = 0x4075a685
E/hook-dexstuff(  238): _Z12dvmDumpClassPK11ClassObjecti = 0x4075a681
E/hook-dexstuff(  238): _Z18dvmFindLoadedClassPKc = 0x4075a645
E/hook-dexstuff(  238): _Z16dvmHashTableLockP9HashTable = 0x4073a1a7
E/hook-dexstuff(  238): _Z18dvmHashTableUnlockP9HashTable = 0x4073a1ad
E/hook-dexstuff(  238): _Z14dvmHashForeachP9HashTablePFiPvS1_ES1_ = 0x407374a1
E/hook-dexstuff(  238): _Z13dvmInstanceofPK11ClassObjectS1_ = 0x40736025
E/hook-dexstuff(  238): gDvm = 0x4079c1a8
E/hook-dexstuff(  238): dalvik_hook: class Landroid/telephony/SmsManager;
E/hook-dexstuff(  238): class = 0x0
E/hook-dexstuff(  238): target_cls == 0
E/hook-dexstuff(  238): dalvik_hook: class Ljava/lang/String;
E/hook-dexstuff(  238): class = 0x40a060b8
E/hook-dexstuff(  238): equalsIgnoreCase((Ljava/lang/String;)Z) = 0x435fb6a8
E/hook-dexstuff(  238): nativeFunc 0
E/hook-dexstuff(  238): insSize = 0x2  registersSize = 0xe  outsSize = 0x2
E/hook-dexstuff(  238): shorty ZL
E/hook-dexstuff(  238): name equalsIgnoreCase
E/hook-dexstuff(  238): arginfo 0
E/hook-dexstuff(  238): noref 
E/hook-dexstuff(  238): access 1
E/hook-dexstuff(  238): access 101
E/hook-dexstuff(  238): patched equalsIgnoreCase to: 0x4a19e344

Why can't the class be resolved? java.lang.String works fine.

@flankerhqd (Author)

My hook code is like:

    dalvik_hook_setup(&dpdu, "Landroid/telephony/SmsManager;", "sendTextMessage", "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V", 6, my_dispatch);
    dalvik_hook(&d, &dpdu);

However, my_dispatch will never get executed, since Landroid/telephony/SmsManager; cannot be resolved in dalvik_hook_setup, and thus dalvik_hook_setup fails.

@flankerhqd (Author)

I'm using a 4.1.2 arm emulator in SDK.

@crmulliner (Owner)

I guess the class name is wrong; look at the internal classes such as: com.android.internal.telephony.....

@flankerhqd (Author)

Can't find com.android.internal.telephony.SmsManager.sendTextMessage or com.android.internal.telephony.sendTextMessage; however, one can find android.telephony.SmsManager.sendTextMessage at http://grepcode.com/file/repository.grepcode.com/java/ext/com.google.android/android/4.1.2_r1/android/telephony/SmsManager.java#SmsManager.sendTextMessage%28java.lang.String%2Cjava.lang.String%2Cjava.lang.String%2Candroid.app.PendingIntent%2Candroid.app.PendingIntent%29

@crmulliner (Owner)

If you find android.telephony.SmsManager, you can call
dalvik_dump_class(dexstuff_ptr, "android.telephony.SmsManager"); to show all methods of that class.

@flankerhqd (Author)

Thanks for your kind reply. The problem is that the class "android.telephony.SmsManager" cannot be resolved or found in ddi's world; dalvik_dump_class(&d, "Landroid/telephony/SmsManager;"); outputs nothing, and I think there is no problem with the spelling.

@crmulliner (Owner)

What process are you hooking?

On May 8, 2014 9:03:41 PM EDT, flankerhqd [email protected] wrote:

> Thanks for your kind reply. The problem is
> "android.telephony.SmsManager" cannot be resolved or found in ddi's
> world, dalvik_dump_class(dexstuff_ptr, "android.telephony.SmsManager");
> output nothing.

@flankerhqd (Author)

Tried com.android.phone, com.android.mms and a custom application calling sendTextMessage; none succeeded in resolving and hooking Landroid/telephony/SmsManager;. Lcom/android/internal/telephony/SMSDispatcher; and Ljava/lang/String; are OK.

@crmulliner (Owner)

Can you try the system_server?

@flankerhqd (Author)

Tried system_server without luck; it still cannot resolve:

    E/hook-dexstuff(  149): dalvik_hook: class Landroid/telephony/SmsManager;
    E/hook-dexstuff(  149): class = 0x0
    E/hook-dexstuff(  149): target_cls == 0


@VirtualBim

I came here to add an issue and found this; it describes my problem exactly. Has this been resolved in any way?

@crmulliner (Owner)

Can you try to see what classes are present in .phone/.mms, using dalvik_dump_class(XX, NULL);? That dumps all loaded classes in a process. My guess is that there is just some renaming or name mangling going on.

example:

    static int my_epoll_wait(int epfd, struct epoll_event *events, int maxevents, int timeout)
    {
        int (*orig_epoll_wait)(int epfd, struct epoll_event *events, int maxevents, int timeout);
        orig_epoll_wait = (void *)eph.orig;
        // remove hook for epoll_wait
        hook_precall(&eph);
        // resolve symbols from DVM
        dexstuff_resolv_dvm(&d);

        // dump all classes
        dalvik_dump_class(&d, 0);

        // call original function
        int res = orig_epoll_wait(epfd, events, maxevents, timeout);
        return res;
    }

@VirtualBim

I have tried this several times now. Each time the emulator disconnects.
I have captured the logcat which covers the time frame, up to the point where the interface is reset. It shows an error in com.android.phone caused by the call to dalvik_dump_class as seen in dexdump.c.
I also tested doing the class dump on SmsDispatch and on SmsManager. Dispatch returned a full list of the methods available and Manager returned nothing, not even the header section.

@flankerhqd (Author)

Class dump pasted here: https://gist.github.com/flankerhqd/c47916dc61386cd9f6e4, no sign of SMS

@VirtualBim

To avoid the problem of SmsManager not being available I have attempted to hook the SmsDispatcher.
I have added:

    dalvik_hook_setup(&srpdu, "Lcom/android/internal/telephony/SMSDispatcher;", "sendRawPdu", "([B[BLandroid/app/PendingIntent;Landroid/app/PendingIntent;Ljava/lang/String;)V", 6, my_sendRawPdu);
    dalvik_hook(&d, &srpdu);
    log("hooked srpdu\n");

to the example smsdispatch.c provided; however, this causes the hooks to fail and the log file remains empty. I have taken the method name and signature directly from the output of dalvik dump. Is there something I have missed?

@crmulliner (Owner)

sendRawPdu is only available on a few HTC devices. Are you sure your
phone supports this?

The class name and method + signature look good.

Is your "my_sendRawPdu" function called at all?

@flankerhqd (Author)

@VirtualBim try dalvik_dump_class(&d, "");
0 (a.k.a. NULL) will cause SF on strlen, thus crashing the process.
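Two things this thread keeps circling back to can be checked before the hook library is ever loaded into a process: the form of the class name (crmulliner suggests the dotted `android.telephony.SmsManager`, while dalvik_hook_setup is called above with the descriptor form `Landroid/telephony/SmsManager;`), and the argument count that is passed next to the signature (6 for both sendTextMessage and sendRawPdu above). The C below is an added example written for this page; it is not part of ddi and not code from any of the participants. It converts a dotted name to descriptor form, counts the parameters in a JNI signature, and derives the argument count under the assumption that ddi wants the parameter count plus one for the receiver of an instance method, which is consistent with the 6 used for the two five-parameter instance methods in the thread (long and double parameters are counted once here; check ddi's own documentation before hooking such methods). It also wraps the argument to dalvik_dump_class so a NULL never reaches strlen, as flankerhqd notes. All function names are hypothetical, and no ddi function is called, so it builds with a plain C compiler.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example helpers (not part of ddi). They validate the strings handed to
 * dalvik_hook_setup() / dalvik_dump_class() before a hook is installed. */

/* Convert "android.telephony.SmsManager" to "Landroid/telephony/SmsManager;".
 * A name already in descriptor form is copied unchanged. Returns a malloc'd
 * string the caller frees, or NULL for a NULL/empty input. */
char *to_descriptor(const char *name)
{
    if (name == NULL || *name == '\0')
        return NULL;
    size_t n = strlen(name);
    char *out = malloc(n + 3);
    if (out == NULL)
        return NULL;
    if (name[0] == 'L' && name[n - 1] == ';' && strchr(name, '.') == NULL) {
        memcpy(out, name, n + 1);           /* already a descriptor */
        return out;
    }
    out[0] = 'L';
    for (size_t i = 0; i < n; i++)
        out[i + 1] = (name[i] == '.') ? '/' : name[i];
    out[n + 1] = ';';
    out[n + 2] = '\0';
    return out;
}

/* Returns 1 if to_descriptor(name) yields exactly `expected`. */
int descriptor_is(const char *name, const char *expected)
{
    char *d = to_descriptor(name);
    int ok = (d != NULL) && strcmp(d, expected) == 0;
    free(d);
    return ok;
}

/* Count the parameters in a JNI signature such as "([B[BLjava/lang/String;)V".
 * Returns -1 if the signature is malformed: missing '(' or ')', an
 * unterminated object type, an unknown type character, or no return type. */
int count_sig_params(const char *sig)
{
    if (sig == NULL || *sig != '(')
        return -1;
    int count = 0;
    const char *p = sig + 1;
    while (*p != '\0' && *p != ')') {
        while (*p == '[')                   /* array dimensions */
            p++;
        if (*p == 'L') {                    /* object type runs to ';' */
            const char *end = strchr(p, ';');
            if (end == NULL)
                return -1;
            p = end + 1;
        } else if (*p != '\0' && strchr("ZBCSIJFD", *p) != NULL) {
            p++;                            /* primitive type */
        } else {
            return -1;
        }
        count++;
    }
    if (*p != ')' || p[1] == '\0')
        return -1;
    return count;
}

/* Argument count to pass to dalvik_hook_setup(): parameters plus one for
 * the receiver of an instance method. Assumption: this is how the 6 used
 * in the thread for the five-parameter instance methods was derived. */
int hook_arg_count(const char *sig, int is_static)
{
    int n = count_sig_params(sig);
    if (n < 0)
        return -1;
    return is_static ? n : n + 1;
}

/* dalvik_dump_class() runs strlen() on its class argument, so a NULL
 * crashes the process (see the thread); pass "" to dump every class. */
const char *dump_class_arg(const char *cls)
{
    return cls ? cls : "";
}

int main(void)
{
    const char *sig = "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;"
                      "Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V";
    char *d = to_descriptor("android.telephony.SmsManager");
    printf("descriptor: %s\n", d);
    printf("arg count for sendTextMessage: %d\n", hook_arg_count(sig, 0));
    printf("dump arg for NULL: \"%s\"\n", dump_class_arg(NULL));
    free(d);
    return 0;
}
```

Running the checks on the two hook calls from the thread gives a matching descriptor and a count of 6 for both; a count mismatch or a -1 from a malformed signature is worth catching here, because inside the target process the only symptom is a silent hook failure like the one VirtualBim describes.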

@VirtualBim

No, I am not certain. I am using the Emulator and trying to catch all the Sms leaving the device. Following the code, it looked as though all sms went through sendRawPdu on their way to sendSms.
With those 2 (hook setup & hook) calls that I added, the hooks do not run at all, i.e. it seems the epoll function does not complete. So no, my function is definitely not called.

I assumed that sendRawPdu being in the dalvik dump meant it was available.

My only real question is where should I hook to catch the sms leaving the machine, given that SmsManager is not available?

Thanks for all your help btw :)

@flankerhqd thank you, I'll try that.

@VirtualBim

I have discovered that most if not all messages go through the call SendSMS in the dispatcher class; however, as this is abstract you have to catch the calls to it in gsmDispatcher and cdmaDispatcher. I have hooked on there and caught calls sent through smsManager. Unfortunately the smsbody needs pulling out of the tracker, which I have not yet solved. I can get the address string but the hashmap is proving resilient.

@hardikjoshi

Hello,

I am facing the same issue.
I found that somehow the below-mentioned dalvik symbol is not hooking the method.
ddi/dalvikhook/jni/dalvik_hook.c

    dex->dvmUseJNIBridge_fnPtr(h->method, h->native_func);

I want to know how to debug into that line.

Thanks & Regards
Hardik Joshi
