Patch up Bionic linker for aarch64.

CosineMath · CosineMath · commit cc679407fe01 · 2021-02-07T12:58:02.000+08:00
diff --git a/jni/boat/loadme.c b/jni/boat/loadme.c
@@ -4,6 +4,7 @@
 #include <dlfcn.h>
 #include <stdlib.h>
 #include <android/log.h>
+#include <sys/mman.h>
 
 JNIEXPORT void JNICALL Java_cosine_boat_LoadMe_redirectStdio(JNIEnv* env, jclass clazz, jstring path){
 	
@@ -51,7 +52,157 @@ JNIEXPORT jint JNICALL Java_cosine_boat_LoadMe_dlopen(JNIEnv* env, jclass clazz,
         return 0;
 }
 
+#ifdef __aarch64__
+unsigned gen_ldr_pc(unsigned rt, signed long off) {
+	// 33 222 2 22 2222111111111100000 00000
+	// 10 987 6 54 3210987654321098765 43210
+	// 01 011 0 00 1111111111111111011 00010
+	//             imm                 rt
+	unsigned result = 0x0;
+	
+	result |= 0x58; // 01 011 0 00;
+	result <<= 19;
+	
+	signed long imm = off / 4;
+	imm &= 0x7ffff;
+	result |= imm;
+	result <<= 5;
+	
+	rt &= 0x1f;
+	result |= rt;
+	
+	return result;
+	
+}
+unsigned gen_ret(unsigned lr) {
+	// 3322222 2 2 22 21111 1111 1 1 00000 00000
+	// 1098765 4 3 21 09876 5432 1 0 98765 43210
+	// 1101011 0 0 10 11111 0000 0 0 11110 00000
+	//                               lr
+	unsigned result = 0x0;
+	
+	result |= 0x3597c0;  // 1101011 0 0 10 11111 0000 0 0
+	result <<= 5;
+	lr &= 0x1f;
+	result |= lr;
+	result <<= 5;
+	result |= 0x0;
+	return result;
+}
+unsigned gen_mov_reg(unsigned tr, unsigned sr) {
+	// 3 32 22222 22 2 21111 111111 00000 00000
+	// 1 09 87654 32 1 09876 543210 98765 43210
+	// 1 01 01010 00 0 11110 000000 11111 00010
+	//                 sr                 tr
+	unsigned result = 0x0;
+	
+	result |= 0x550;  // 1 01 01010 00 0
+	result <<= 5;
+	
+	sr &= 0x1f;
+	result |= sr;
+	result <<= 11;
+	
+	result |= 0x1f;  // 000000 11111
+	result <<= 5;
+	
+	tr &= 0x1f;
+	result |= tr;
+	
+	return result;
+}
+
+unsigned gen_mov_imm(unsigned tr, signed short imm) {
+	// 3 32 222222 22 2111111111100000 00000
+	// 1 09 876543 21 0987654321098765 43210
+	// 1 10 100101 00 0000000001111111 00000
+	//                imm              tr
+	unsigned result = 0x0;
+	
+	result |= 0x694;  // 1 10 100101 00
+	result <<= 16;
+	
+	result |= imm;
+	result <<= 5;
+	
+	tr &= 0x1f;
+	result |= tr;
+	
+	return result;
+}
 
+void stub() {
+	
+}
+#endif
+JNIEXPORT void JNICALL Java_cosine_boat_LoadMe_patchLinker(JNIEnv *env, jclass clazz) {
+
+#ifdef __aarch64__
+#define PAGE_START(x) ((void*)((unsigned long)(x) & ~((unsigned long)getpagesize() - 1)))
+
+	void* libdl_handle = dlopen("libdl.so", RTLD_LAZY);
+	
+	unsigned* dlopen_addr = (unsigned*)dlsym(libdl_handle, "dlopen");
+	unsigned* dlsym_addr = (unsigned*)dlsym(libdl_handle, "dlsym");
+	unsigned* dlvsym_addr = (unsigned*)dlsym(libdl_handle, "dlvsym");
+	unsigned* buffer = (unsigned*)dlsym(libdl_handle, "android_get_LD_LIBRARY_PATH");
+	
+	mprotect(PAGE_START(buffer), getpagesize(), PROT_READ | PROT_WRITE | PROT_EXEC );
+	mprotect(PAGE_START(dlopen_addr), getpagesize(), PROT_READ | PROT_WRITE | PROT_EXEC );
+	mprotect(PAGE_START(dlsym_addr), getpagesize(), PROT_READ | PROT_WRITE | PROT_EXEC );
+	mprotect(PAGE_START(dlvsym_addr), getpagesize(), PROT_READ | PROT_WRITE | PROT_EXEC );
+	
+	unsigned ins_ret = gen_ret(30);
+	unsigned ins_mov_x0_0 = gen_mov_imm(0, 0);
+	
+	buffer[0] = ins_mov_x0_0;
+	buffer[1] = ins_ret;
+	
+	void** tmp_addr = (void**)(buffer + 2);
+	*tmp_addr = stub;
+	
+	unsigned ins_mov_x2_x30 = gen_mov_reg(2, 30);
+	unsigned ins_mov_x3_x30 = gen_mov_reg(3, 30);
+	
+	int dlopen_hooked = 0;
+	int dlsym_hooked = 0;
+	int dlvsym_hooked = 0;
+	for (int i = 0; dlopen_addr[i] != ins_ret; i++){
+		if (dlopen_addr[i] == ins_mov_x2_x30) {
+			dlopen_addr[i] = gen_ldr_pc(2, (unsigned long)tmp_addr - (unsigned long)&dlopen_addr[i]);
+			dlopen_hooked = 1;
+			break;
+		}
+	}
+	for (int i = 0; dlsym_addr[i] != ins_ret; i++){
+		if (dlsym_addr[i] == ins_mov_x2_x30) {
+			dlsym_addr[i] = gen_ldr_pc(2, (unsigned long)tmp_addr - (unsigned long)&dlsym_addr[i]);
+			dlsym_hooked = 1;
+			break;
+		}
+	}
+	for (int i = 0; dlvsym_addr[i] != ins_ret; i++){
+		if (dlvsym_addr[i] == ins_mov_x3_x30) {	
+			dlvsym_addr[i] = gen_ldr_pc(3, (unsigned long)tmp_addr - (unsigned long)&dlvsym_addr[i]);
+			dlvsym_hooked = 1;
+			break;
+		}
+	}
+	
+	if (dlopen_hooked == 0) {
+		__android_log_print(ANDROID_LOG_ERROR, "Boat", "dlopen() not patched");
+	}
+	if (dlsym_hooked == 0) {
+		__android_log_print(ANDROID_LOG_ERROR, "Boat", "dlsym() not patched");
+	}
+	if (dlvsym_hooked == 0) {
+		__android_log_print(ANDROID_LOG_ERROR, "Boat", "dlvsym() not patched");
+	}
+#undef PAGE_START
+#else  // !__aarch64__
+    __android_log_print(ANDROID_LOG_ERROR, "Boat", "Nothing to patch.");
+#endif  // __aarch64__
+}
 
 // copy from java.c
 
diff --git a/src/cosine/boat/LoadMe.java b/src/cosine/boat/LoadMe.java
@@ -12,6 +12,7 @@ public class LoadMe {
     public static native void setenv(String str, String str2);
     public static native void setupJLI();
     public static native int dlopen(String name);
+    public static native void patchLinker();
 	
     static {
         System.loadLibrary("boat");
@@ -33,7 +34,9 @@ public static int exec(LauncherConfig config) {
             
             setenv("HOME", home);
             setenv("JAVA_HOME" ,runtimePath + "/j2re-image");
-			
+            
+	    patchLinker();
+	    
             // openjdk
             dlopen(runtimePath + "/j2re-image/lib/aarch32/libfreetype.so");
             dlopen(runtimePath + "/j2re-image/lib/aarch32/jli/libjli.so");
