0000c968 < dlopen@plt-0x14>:
c968: e52de004 push {lr} ; (str lr, [sp, #-4]!)
c96c: e59fe004 ldr lr, [pc, #4] ; c978 < dlopen@plt-0x4>
c970: e08fe00e add lr, pc, lr
c974: e5bef008 ldr pc, [lr, #8]!
c978: 0005b664 andeq fp, r5, r4, ror #12
0000c97c < dlopen@plt>:
c97c: e28fc600 add ip, pc, #0, 12
c980: e28cca5b add ip, ip, #372736 ; 0x5b000
c984: e5bcf664 ldr pc, [ip, #1636]! ; 0x664
0000c988 < dlsym@plt>:
c988: e28fc600 add ip, pc, #0, 12
c98c: e28cca5b add ip, ip, #372736 ; 0x5b000
c990: e5bcf65c ldr pc, [ip, #1628]! ; 0x65c
0000c994 < dlclose@plt>:
c994: e28fc600 add ip, pc, #0, 12
c998: e28cca5b add ip, ip, #372736 ; 0x5b000
c99c: e5bcf654 ldr pc, [ip, #1620]! ; 0x654
0000c9a0 < dl_unwind_find_exidx@plt>:
c9a0: e28fc600 add ip, pc, #0, 12
c9a4: e28cca5b add ip, ip, #372736 ; 0x5b000
c9a8: e5bcf64c ldr pc, [ip, #1612]! ; 0x64c
0000c9ac < __cxa_begin_cleanup@plt>:
c9ac: e28fc600 add ip, pc, #0, 12
c9b0: e28cca5b add ip, ip, #372736 ; 0x5b000
c9b4: e5bcf644 ldr pc, [ip, #1604]! ; 0x644
0000c9b8 < __cxa_type_match@plt>:
c9b8: e28fc600 add ip, pc, #0, 12
c9bc: e28cca5b add ip, ip, #372736 ; 0x5b000
c9c0: e5bcf63c ldr pc, [ip, #1596]! ; 0x63c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <dlfcn.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <sys/select.h>
#include <string.h>
#include <termios.h>
#include <sys/time.h>
#include <pthread.h>
#include <time.h>
#include <stdlib.h>
#include <android/log.h>
#include "command.h"
#undef log
#define DEBUG_INFO 1
#define log(...) __android_log_print(ANDROID_LOG_DEBUG, "HOOK_YY", __VA_ARGS__);
#define log(...)
#define COMMAND_PORT 32455//default port will be decreased automaticlly to find usable one
#define MAX_COMMAND_SIZE 1024
//orig function copy
int (*gettimeofday_orig)(struct timeval *tv, struct timezone *tz) = INVALID_FUNC_ADDR;
int (*clock_gettime_orig)(clockid_t clk_id, struct timespec *tp) = INVALID_FUNC_ADDR;
//local V
double time_velocity = 1.0;
int listenfd, connectfd, suc_port = 0;
struct sockaddr_in server;
struct sockaddr_in client;
socklen_t addrlen;
pthread_t thread;
uint64_t g_gettimeofday_saved_usecs = 0;
uint64_t g_last_returned_max_real_usecs = 0;
uint64_t g_last_returned_max_usecs = 0;
//local function
int gettimeofday_local(struct timeval *tv, struct timezone *tz) {
int64_t diff;
int64_t cur_usecs;
int64_t ret_usecs;
int ret = gettimeofday_orig(tv, tz);
if (0 != ret) {
return ret;
if (g_gettimeofday_saved_usecs == 0) {
g_gettimeofday_saved_usecs = (tv->tv_sec * 1000000LL) + tv->tv_usec;
// g_last_returned_max_real_usecs = g_gettimeofday_saved_usecs;
// g_last_returned_max_usecs = g_gettimeofday_saved_usecs;
} else {
cur_usecs = (tv->tv_sec * 1000000LL) + tv->tv_usec;
diff = cur_usecs - g_gettimeofday_saved_usecs;
diff = diff * time_velocity;
ret_usecs = g_gettimeofday_saved_usecs + diff;
// if (ret_usecs < g_last_returned_max_usecs)
// {
// log("!!!time error1!!!\n")
// ret_usecs = g_last_returned_max_usecs + 1000;
// g_last_returned_max_usecs = ret_usecs;
// }
// else {
// g_last_returned_max_real_usecs = cur_usecs;
// g_last_returned_max_usecs = ret_usecs;
// }
tv->tv_sec = (time_t)(ret_usecs / 1000000LL);
tv->tv_usec = (suseconds_t)(ret_usecs % 1000000LL);
return ret;
int clock_gettime_local(clockid_t clk_id, struct timespec *tp) {
int ret = clock_gettime_orig(clk_id, tp);
if (0 == ret) {
tp->tv_sec *= time_velocity;
tp->tv_nsec *= time_velocity;
//log("clock_gettime:%d", ret);
return ret;
void *hook_params[HOOK_FUNC_COUNT][4] = {\
{"/system/lib/libc.so", "gettimeofday", gettimeofday_local, &gettimeofday_orig},\
{"/system/lib/libc.so", "clock_gettime", clock_gettime_local, &clock_gettime_orig}\
void hookSubstrate(const char *dlLocation) {
void (*MSHookFunction)(void *symbol, void *replace, void **result) = INVALID_FUNC_ADDR;
log("hookSubstrate:%s\n", dlLocation);
void *substrate_sub = dlopen(dlLocation, RTLD_NOW);
if (!substrate_sub) {
log("open libsubstrate.so fail:%s\n", dlLocation);
MSHookFunction = dlsym(substrate_sub, "MSHookFunction");
if (INVALID_FUNC_ADDR == MSHookFunction) {
log("can't find MSHookFunction\n");
//hook now
int i;
for (i = 0; i < HOOK_FUNC_COUNT - 1; i++) {
char *target_lib = hook_params[i][0];
char *target_func = hook_params[i][1];
void *local_func = hook_params[i][2];
void *orig_func = hook_params[i][3];
log ("start hook func(%s) in lib(%s), local(%d), orig(%d)", target_func, target_lib, local_func, orig_func);
void *target_lib_sub = dlopen(target_lib, RTLD_NOW);
if (!target_lib_sub) {
log("can't find lib(%s) to hook\n", target_lib);
void *target_func_symbol = dlsym(target_lib_sub, target_func);
if (!target_func_symbol) {
log("can't find func(%s) in (%s)", target_func, target_lib);
MSHookFunction(target_func_symbol, local_func, (void **)orig_func);
void handleCommand(char *command, size_t command_size) {
char param[250];
int param_size;
int command_type = parseCommand(command, command_size, param, 250, param_size);
log("handleCommand:%d param:%s\n", command_type, param);
switch (command_type) {
case Command_Set_Time_Velocity :
if (param) {
double new_time_velocity = strtod(param, NULL);
if (new_time_velocity < 1) {
//g_gettimeofday_saved_usecs = g_last_returned_max_real_usecs;
time_velocity = new_time_velocity;
log("set time velocity2:%f\n", time_velocity);
default :
log("invalid command:%d", command_type);
int acceptClient(void) {
//keep one client alive
if (0 != connectfd) {
return 1;
log("server accept client\n");
addrlen = sizeof(client);
if((connectfd = accept(listenfd,(struct sockaddr*)&client,&addrlen)) == -1) {
return 0;
log("You got a connection from cient's ip is %s, port is %d\n",inet_ntoa(client.sin_addr), htons(client.sin_port));
return 1;
void listenerRun(void) {
//jsut keep for one client in queue
if(listen(listenfd,1) == -1) {
log("listen error:%d\n", errno);
thread = 0;
log("start listen at ip:%s, port:%d\n", inet_ntoa(server.sin_addr), htons(server.sin_port))
char command_buf[MAX_COMMAND_SIZE];
int command_size = 0;
//read command
while (1) {
if (1 == acceptClient()) {
if ((command_size = recv(connectfd, command_buf, MAX_COMMAND_SIZE - 1, 0)) == -1) {
log("recv error:%d\n", errno);
connectfd = 0;
else if (command_size > 0) {
command_buf[command_size] = '\0';
log("server received command:%s\n", command_buf)
handleCommand(command_buf, command_size);
else {
log("client closed\n");
connectfd = 0;
else {
int startListener() {
//bind port firstly to report valid port for caller
if((listenfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
log("Creating socket failed\n");
thread = 0;
return 0;
//reusable port
int opt = 1;
setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
int index;
for (index = 0;index < 100; index++) {
server.sin_family = AF_INET;
server.sin_port = htons(COMMAND_PORT + index);
server.sin_addr.s_addr = htonl (INADDR_ANY);
if(bind(listenfd, (struct sockaddr *)&server, sizeof(server)) == -1) {
log("Binderror:(port:%d, error:%d)\n", COMMAND_PORT + index, errno);
else {
suc_port = COMMAND_PORT + index;
if (suc_port == 0) {
log("can't find usable port to listen\n");
thread = 0;
return 0;
//create sub thread
int ret = pthread_create(&thread, NULL, (void*)listenerRun, NULL);
if (ret !=0)
log("create listener thread fail\n");
return suc_port;
hook entry, param a must point where the so located
int hook_entry(const char * a){
if (thread != 0) {
log("hook_entry already called before, serverPort:%d\n", suc_port);
return suc_port;
const char *process_name = a;
log("Hook start------(pid:%d)\n", getpid());
int port = startListener();
log("Hook end------port:%d\n", port)
return port;
3、hook_postcall 把hook的指令写回去
int hook_lwp(int pid, char *libname, char *funcname, void *hook_arm, void **origFunc) {
unsigned long int addr;
struct hook_t hookT;
struct hook_t *h = &hookT;
int i;
if (find_name(pid, funcname, libname, &addr) < 0) {
log("can't find: %s\n", funcname)
return 0;
log("hooking: %s = 0x%lx ", funcname, addr)
strncpy(h->name, funcname, sizeof(h->name)-1);
if (addr % 4 == 0) {
log("ARM using 0x%lx\n", (unsigned long)hook_arm)
h->thumb = 0;
h->patch = (unsigned int)hook_arm;
h->orig = addr;
//LDR pc, [pc, #0],既把h->jump[1]的内容写入PC,则发生了跳转;
h->jump[0] = 0xe59ff000;
h->jump[1] = h->patch;
h->jump[2] = h->patch;
for (i = 0; i < 3; i++)
h->store[i] = ((int*)h->orig)[i];
for (i = 0; i < 3; i++)
((int*)h->orig)[i] = h->jump[i];
//mmap memory to replace origFunc entry
void *mmap_base = mmap(0, 0x20, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
log("mmap_base:0x%lx\n", (unsigned long)mmap_base);
//write instrucment
int i;
for (i = 0; i < 3; ++i)
((int*)mmap_base)[i] = h->store[i];
((int*)mmap_base)[3] = 0xe59ff000;
((int*)mmap_base)[4] = h->orig + 12;
((int*)mmap_base)[5] = h->orig + 12;
*origFunc = mmap_base;
log("origFunc:0x%lx, jump:0x%lx\n", *origFunc, h->orig + 12);