2024-03-21-Pinehook汇编解析

https://blog.csdn.net/weixin_42298902/article/details/131235976

https://blog.csdn.net/xie__peng/article/details/123577440
https://zhuanlan.zhihu.com/p/594328266?utm_id=0
https://developer.aliyun.com/article/815064

#define FUNCTION(name) \
.data; \
.align 4; \
.global name; \
name:

#define VAR(name) \
.global name; \
name:\
name##_addr:

#define LDVAR(reg, name) \
ldr reg, name##_addr;

FUNCTION(pine_bridge_jump_trampoline) // 跳板方法

LDVAR(x17, pine_bridge_jump_trampoline_target_method) // load origin ArtMethod到x17寄存器，作为参数
cmp x0, x17             // 比较x0 x17寄存器
bne jump_to_original   //如果不相等，则跳转到jump_to_original
LDVAR(x17, pine_bridge_jump_trampoline_extras) // load extras跳板到x17
b acquire_lock  //跳到acquire_lock 

lock_failed: // lock失败
wfe // Wait other thread to release the lock

acquire_lock:
ldaxr w16, [x17] // 独占锁架加载
cbz w16, lock_failed // 如果w16=0，则跳转到 lock_failed
stlxr w16, wzr, [x17] // try set lock_flag to 0
cbnz w16, lock_failed // failed, try again.

// Now we hold the lock!
str x1, [x17, #4]  //  将寄存器x1中的值保存到寄存器x17+0x4位置，这里其实是保存在了Extras
str x2, [x17, #12]
str x3, [x17, #20]
str d0, [x17, #28]
str d1, [x17, #36]
str d2, [x17, #44]
str d3, [x17, #52]
str d4, [x17, #60]
str d5, [x17, #68]
str d6, [x17, #76]
str d7, [x17, #84]
mov x1, x0 // first param = callee ArtMethod
mov x2, x17 // second param = extras (saved x1, x2, x3)
mov x3, sp // third param = sp
LDVAR(x0, pine_bridge_jump_trampoline_bridge_method) // load bridge ArtMethod
LDVAR(x17, pine_bridge_jump_trampoline_bridge_entry) // load bridge 入口函数
br x17 // 跳转到x17寄存器指向的地址

jump_to_original:
LDVAR(x17, pine_bridge_jump_trampoline_call_origin_entry) // 将origin java函数指针load到x17寄存器
br x17 // 跳转到x17寄存器指向的地址

调用bridge的时候，原函数第一个和第二个参数是固定的 第一个参数是origin artmethod，第二个参数是extra，第三个是sp

static void voidBridge(long artMethod, long extras, long sp,
                       long x4, long x5, long x6, long x7) throws Throwable {
    handleBridge(artMethod, extras, sp, x4, x5, x6, x7);
}

x0是bridge ArtMethod
x1是origin ArtMethod
x2是extras，寄存器x17存放的extras
x3是sp 保存的是

* On entry:
*   r0 = method pointer
*   r1 = argument array or null for no argument methods
*   r2 = size of argument array in bytes
*   r3 = (managed) thread pointer
*   [sp] = JValue* result
*   [sp + 4] = result_in_float
*   [sp + 8] = core register argument array
*   [sp + 12] = fp register argument array

* Outgoing registers:
*  x0    - Method*
*  x1-x7 - integer parameters.
*  d0-d7 - Floating point parameters.
*  xSELF = self
*  SP = & of ArtMethod*
*  x1 = "this" pointer.