frida-java-bridge 7.0.3 → 7.0.5

package/lib/android.js

@@ -956,43 +956,131 @@ function tryGetArtClassLinkerSpec (runtime, runtimeSpec) {
 }
 
 export function getArtClassSpec (vm) {
-  let apiLevel;
-  try {
-    apiLevel = getAndroidApiLevel();
-  } catch (e) {
-    return null;
-  }
+  const MAX_OFFSET = 0x100;
 
-  if (apiLevel >= 34) {
-    return {
-      offset: {
-        ifields: 0x28,
-        methods: 0x28 + 0x8,
-        sfields: 0,
-        copiedMethodsOffset: 0x6c,
-      }
+  let spec = null;
+
+  vm.perform(env => {
+    const fieldSpec = getArtFieldSpec(vm);
+    const methodSpec = getArtMethodSpec(vm);
+
+    const fInfo = {
+      artArrayLengthSize: 4,
+      artArrayEntrySize: fieldSpec.size,
+      // java/lang/Integer has 11 fields on Android 16.
+      artArrayMax: 20
     };
-  } else if (apiLevel >= 26) {
-    return {
-      offset: {
-        ifields: 0x28,
-        methods: 0x28 + 0x8,
-        sfields: 0x28 + 0x10,
-        copiedMethodsOffset: 0x74,
+
+    const mInfo = {
+      artArrayLengthSize: pointerSize,
+      artArrayEntrySize: methodSpec.size,
+      // java/lang/Integer has 66 methods on Android 16.
+      artArrayMax: 100
+    };
+
+    const readArtArray = (objectBase, fieldOffset, lengthSize) => {
+      const header = objectBase.add(fieldOffset).readPointer();
+      if (header.isNull()) {
+        return null;
       }
+
+      const length = (lengthSize === 4) ? header.readU32() : header.readU64().valueOf();
+      if (length === 0) {
+        return null;
+      }
+
+      return {
+        length,
+        data: header.add(lengthSize)
+      };
     };
-  } else if (apiLevel >= 24) {
-    return {
-      offset: {
-        ifields: 0x38,
-        methods: 0x38 + 0x8,
-        sfields: 0x38 + 0x10,
-        copiedMethodsOffset: 0x7c,
+
+    const hasEntry = (objectBase, offset, needle, info) => {
+      try {
+        const artArray = readArtArray(objectBase, offset, info.artArrayLengthSize);
+        if (artArray === null) {
+          return false;
+        }
+
+        for (let i = 0; i !== Math.min(artArray.length, info.artArrayMax); i++) {
+          const fieldPtr = artArray.data.add(i * info.artArrayEntrySize);
+          if (fieldPtr.equals(needle)) {
+            return true;
+          }
+        }
+      } catch {
       }
+
+      return false;
     };
-  } else {
-    return null;
-  }
+
+    const clazz = env.findClass('java/lang/Integer');
+    const clazzRef = env.newGlobalRef(clazz);
+
+    try {
+      let object;
+      withRunnableArtThread(vm, env, thread => {
+        object = getApi()['art::JavaVMExt::DecodeGlobal'](vm, thread, clazzRef);
+      });
+
+      const fieldInstance = env.getFieldId(clazzRef, 'value', 'I');
+      const fieldStatic = env.getStaticFieldId(clazzRef, 'TYPE', 'Ljava/lang/Class;');
+
+      let offsetStatic = -1;
+      let offsetInstance = -1;
+      for (let offset = 0; offset !== MAX_OFFSET; offset += 4) {
+        if (offsetStatic === -1 && hasEntry(object, offset, fieldStatic, fInfo)) {
+          offsetStatic = offset;
+        }
+        if (offsetInstance === -1 && hasEntry(object, offset, fieldInstance, fInfo)) {
+          offsetInstance = offset;
+        }
+      }
+      if (offsetInstance === -1 || offsetStatic === -1) {
+        throw new Error('Unable to find fields in java/lang/Integer; please file a bug');
+      }
+      const sfieldOffset = (offsetInstance !== offsetStatic) ? offsetStatic : 0;
+      const ifieldOffset = offsetInstance;
+
+      let offsetMethods = -1;
+      const methodInstance = env.getMethodId(clazzRef, 'intValue', '()I');
+      for (let offset = 0; offset !== MAX_OFFSET; offset += 4) {
+        if (offsetMethods === -1 && hasEntry(object, offset, methodInstance, mInfo)) {
+          offsetMethods = offset;
+        }
+      }
+      if (offsetMethods === -1) {
+        throw new Error('Unable to find methods in java/lang/Integer; please file a bug');
+      }
+
+      let offsetCopiedMethods = -1;
+      const methodsArray = readArtArray(object, offsetMethods, mInfo.artArrayLengthSize);
+      const methodsArraySize = methodsArray.length;
+      for (let offset = offsetMethods; offset !== MAX_OFFSET; offset += 4) {
+        if (object.add(offset).readU16() === methodsArraySize) {
+          offsetCopiedMethods = offset;
+          break;
+        }
+      }
+      if (offsetCopiedMethods === -1) {
+        throw new Error('Unable to find copied methods in java/lang/Integer; please file a bug');
+      }
+
+      spec = {
+        offset: {
+          ifields: ifieldOffset,
+          methods: offsetMethods,
+          sfields: sfieldOffset,
+          copiedMethodsOffset: offsetCopiedMethods,
+        }
+      };
+    } finally {
+      env.deleteLocalRef(clazz);
+      env.deleteGlobalRef(clazzRef);
+    }
+  });
+
+  return spec;
 }
 
 function _getArtMethodSpec (vm) {

package/lib/class-factory.js

@@ -899,7 +899,7 @@ Object.defineProperties(Wrapper.prototype, {
   $alloc: {
     enumerable: true,
     get () {
-      return this[Symbol.for('$alloc')];
+      return this[Symbol.for('alloc')];
     }
   },
   [Symbol.for('init')]: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "frida-java-bridge",
-  "version": "7.0.3",
+  "version": "7.0.5",
   "description": "Java runtime interop from Frida",
   "keywords": [
     "frida-gum",