Notes on Analyzing an App's Native Crashes

Published: 2023-09-28 15:54:09  Author: 梦过无声

A record of a certain app crashing frequently on our devices (the problem has not actually been solved; this only records how to analyze a native crash with IDA).

Case 1

First, look at the crash stack:

--------- beginning of crash
09-28 11:05:49.640  3992  4046 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x732d782f6e6f69 in tid 4046 (Thread-3), pid 3992 (netease.mhxyhtb)
09-28 11:05:49.885 26307 26307 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
09-28 11:05:49.887  2436  2436 I /system/bin/tombstoned: received crash request for pid 3992
09-28 11:05:49.898 26307 26307 I crash_dump64: performing dump of process 3992 (target tid = 4046)
09-28 11:05:49.898 26307 26307 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-28 11:05:49.898 26307 26307 F DEBUG   : Build fingerprint: 'samsung/GT-P7500/GT-P7500:3.2/HTJ85B/XWKL1:user/release-keys'
09-28 11:05:49.898 26307 26307 F DEBUG   : Revision: '0'
09-28 11:05:49.898 26307 26307 F DEBUG   : ABI: 'arm64'
09-28 11:05:49.898 26307 26307 F DEBUG   : pid: 3992, tid: 4046, name: Thread-3  >>> com.netease.mhxyhtb <<<
09-28 11:05:49.898 26307 26307 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x732d782f6e6f69
09-28 11:05:49.898 26307 26307 F DEBUG   :     x0   70732d782f6e6f69  x1   0000007ebdee9dc8  x2   0000007efd98d290  x3   0000007eb82f8420
09-28 11:05:49.898 26307 26307 F DEBUG   :     x4   0000007f01d65e68  x5   0000007f01d65e88  x6   0000007ebd237060  x7   0000007ebd01e460
09-28 11:05:49.898 26307 26307 F DEBUG   :     x8   0000007eb82e2e70  x9   0000007ecc6725b0  x10  fffffffffffffffe  x11  0000000000000000
09-28 11:05:49.898 26307 26307 F DEBUG   :     x12  0000000000000030  x13  0000007ebd04c4c0  x14  00000000ffffffff  x15  0000000000000000
09-28 11:05:49.898 26307 26307 F DEBUG   :     x16  0000007efe2fa538  x17  0000007efd941478  x18  0000000000000000  x19  0000007ec8170440
09-28 11:05:49.898 26307 26307 F DEBUG   :     x20  0000007eff461f80  x21  0000000000000002  x22  0000007ed030fc58  x23  0000007efd9ac314
09-28 11:05:49.898 26307 26307 F DEBUG   :     x24  0000007efe881d18  x25  0000000000000000  x26  0000000000000000  x27  0000007ee6f7d3b0
09-28 11:05:49.898 26307 26307 F DEBUG   :     x28  0000007ee6f7d3b0  x29  0000007eff9c09e0  x30  0000007efd97703c
09-28 11:05:49.898 26307 26307 F DEBUG   :     sp   0000007eff9c09e0  pc   0000007efd977084  pstate 0000000020000000
09-28 11:05:49.945 26307 26307 F DEBUG   : 
09-28 11:05:49.945 26307 26307 F DEBUG   : backtrace:
09-28 11:05:49.945 26307 26307 F DEBUG   :     #00 pc 0000000002be6084  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #01 pc 0000000002bcd128  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #02 pc 0000000002c1b690  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #03 pc 0000000002bcc434  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyDict_Clear+336)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #04 pc 0000000002bcf694  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #05 pc 0000000002c3c584  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyEval_EvalFrameEx+14244)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #06 pc 0000000002c3f124  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #07 pc 0000000002c3bbd8  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyEval_EvalFrameEx+11768)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #08 pc 0000000002c3f124  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #09 pc 0000000002c3bbd8  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyEval_EvalFrameEx+11768)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #10 pc 0000000002c3f124  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #11 pc 0000000002c3bbd8  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyEval_EvalFrameEx+11768)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #12 pc 0000000002c3f124  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #13 pc 0000000002c3bbd8  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyEval_EvalFrameEx+11768)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #14 pc 0000000002c38af4  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyEval_EvalCodeEx+1588)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #15 pc 0000000002c3f088  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #16 pc 0000000002c3bbd8  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyEval_EvalFrameEx+11768)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #17 pc 0000000002c3f124  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #18 pc 0000000002c3bbd8  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyEval_EvalFrameEx+11768)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #19 pc 0000000002c3f124  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #20 pc 0000000002c3bbd8  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyEval_EvalFrameEx+11768)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #21 pc 0000000002c38af4  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyEval_EvalCodeEx+1588)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #22 pc 0000000002bdfc88  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #23 pc 0000000002bb8218  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyObject_Call+116)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #24 pc 0000000002bb8360  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyObject_CallFunction+216)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #25 pc 0000000002085b14  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #26 pc 0000000002066874  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #27 pc 00000000020665ac  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #28 pc 000000000202d954  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #29 pc 00000000020252ec  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #30 pc 0000000001c6e25c  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #31 pc 0000000001c94f18  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #32 pc 0000000001ca0e3c  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #33 pc 0000000001c952ec  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #34 pc 0000000001c9494c  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #35 pc 0000000001c955c0  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #36 pc 0000000001c919b4  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #37 pc 0000000001ebc2ac  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #38 pc 0000000001ebc3c8  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #39 pc 0000000001eb8e9c  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #40 pc 0000000001d10da4  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #41 pc 0000000001d9bde0  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #42 pc 0000000001d889b4  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #43 pc 00000000017661e0  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #44 pc 0000000001762290  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #45 pc 000000000177f31c  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #46 pc 0000000001c4a120  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #47 pc 00000000025f1140  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #48 pc 00000000025ef880  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #49 pc 00000000025f07f0  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #50 pc 0000000000067e70  /system/lib64/libc.so (__pthread_start(void*)+36)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #51 pc 000000000001ebe4  /system/lib64/libc.so (__start_thread+68)
09-28 11:05:50.504  2408  2547 I AudioFlinger: BUFFER TIMEOUT: remove(4098) from active list on thread 0xf2003080
09-28 11:05:51.002  2598 26308 D ActivityManager: addErrorToDropBox:com.netease.mhxyhtb, native_crash

Now look at the disassembly at address 2be6084 (the pc of frame #00 in the backtrace):

The problem is roughly pinned down: the error is SEGV_MAPERR, raised when v4 is dereferenced, and the code walks forward through memory at result + 8 * v3 - 8, which depends on the value of the function argument a1[2].

From the information above, the value of register x0 is 70732d782f6e6f69, which matches fault addr 0x732d782f6e6f69 (don't ask me why there is an extra 70 in front; I don't know).

Case 2

Crash stack:

--------- beginning of crash
09-28 10:34:19.207  3920  3975 F libc    : Fatal signal 11 (SIGSEGV), code 2, fault addr 0x7f1251e6f8 in tid 3975 (Thread-4), pid 3920 (netease.mhxyhtb)
09-28 10:34:19.484 20726 20726 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
09-28 10:34:19.485  2472  2472 I /system/bin/tombstoned: received crash request for pid 3920
09-28 10:34:19.488 20726 20726 I crash_dump64: performing dump of process 3920 (target tid = 3975)
09-28 10:34:19.488 20726 20726 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-28 10:34:19.488 20726 20726 F DEBUG   : Build fingerprint: 'samsung/GT-P7500/GT-P7500:3.2/HTJ85B/XWKL1:user/release-keys'
09-28 10:34:19.488 20726 20726 F DEBUG   : Revision: '0'
09-28 10:34:19.488 20726 20726 F DEBUG   : ABI: 'arm64'
09-28 10:34:19.488 20726 20726 F DEBUG   : pid: 3920, tid: 3975, name: Thread-4  >>> com.netease.mhxyhtb <<<
09-28 10:34:19.488 20726 20726 F DEBUG   : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f1251e6f8
09-28 10:34:19.488 20726 20726 F DEBUG   :     x0   0000007eddacb320  x1   0000000000000000  x2   0000000000000010  x3   0000007f11c3ace4
09-28 10:34:19.488 20726 20726 F DEBUG   :     x4   0000007ed7c66e10  x5   0000000000000000  x6   0000007f13c7dcd8  x7   0000000000000000
09-28 10:34:19.488 20726 20726 F DEBUG   :     x8   0000007ed7c66e00  x9   0000007eca905268  x10  0000007f1251e6f8  x11  0000007f11476b71
09-28 10:34:19.488 20726 20726 F DEBUG   :     x12  0000007f15dcea40  x13  0000007f11c8f744  x14  00000000000000d1  x15  0000000000000000
09-28 10:34:19.488 20726 20726 F DEBUG   :     x16  0000007f125bd4c8  x17  0000007faf9844b0  x18  00000000ffffff99  x19  0000000000000001
09-28 10:34:19.488 20726 20726 F DEBUG   :     x20  0000007ec9f89e60  x21  0000000000000000  x22  0000007ec4d08178  x23  000000000000003c
09-28 10:34:19.488 20726 20726 F DEBUG   :     x24  0000000000000000  x25  0000000000000000  x26  0000007ec9f89e60  x27  0000007ec9f89e60
09-28 10:34:19.488 20726 20726 F DEBUG   :     x28  0000000000000000  x29  0000007f13c7dce0  x30  0000007f11c3ad34
09-28 10:34:19.488 20726 20726 F DEBUG   :     sp   0000007f13c7dce0  pc   0000007f11c3ad5c  pstate 0000000020000000
09-28 10:34:19.527 20726 20726 F DEBUG   : 
09-28 10:34:19.527 20726 20726 F DEBUG   : backtrace:
09-28 10:34:19.527 20726 20726 F DEBUG   :     #00 pc 0000000002be4d5c  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #01 pc 0000000002c3b900  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so (PyEval_EvalFrameEx+11040)
09-28 10:34:19.527 20726 20726 F DEBUG   :     #02 pc 0000000002c38af4  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so (PyEval_EvalCodeEx+1588)
09-28 10:34:19.527 20726 20726 F DEBUG   :     #03 pc 0000000002bdfc88  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #04 pc 0000000002bb8218  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so (PyObject_Call+116)
09-28 10:34:19.527 20726 20726 F DEBUG   :     #05 pc 0000000002bc4b1c  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #06 pc 0000000002bb8218  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so (PyObject_Call+116)
09-28 10:34:19.527 20726 20726 F DEBUG   :     #07 pc 0000000002c17cd4  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #08 pc 0000000002bb8218  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so (PyObject_Call+116)
09-28 10:34:19.527 20726 20726 F DEBUG   :     #09 pc 0000000002c3c0cc  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so (PyEval_EvalFrameEx+13036)
09-28 10:34:19.527 20726 20726 F DEBUG   :     #10 pc 0000000002c38af4  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so (PyEval_EvalCodeEx+1588)
09-28 10:34:19.527 20726 20726 F DEBUG   :     #11 pc 0000000002bdfc88  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #12 pc 0000000002bb8218  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so (PyObject_Call+116)
09-28 10:34:19.527 20726 20726 F DEBUG   :     #13 pc 0000000002c3b218  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so (PyEval_EvalFrameEx+9272)
09-28 10:34:19.527 20726 20726 F DEBUG   :     #14 pc 0000000002c38af4  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so (PyEval_EvalCodeEx+1588)
09-28 10:34:19.527 20726 20726 F DEBUG   :     #15 pc 0000000002bdfc88  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #16 pc 0000000002bb8218  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so (PyObject_Call+116)
09-28 10:34:19.527 20726 20726 F DEBUG   :     #17 pc 0000000002c3ea64  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so (PyEval_CallObjectWithKeywords+200)
09-28 10:34:19.527 20726 20726 F DEBUG   :     #18 pc 0000000002d0c268  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so (PyEval_CallFunction+256)
09-28 10:34:19.527 20726 20726 F DEBUG   :     #19 pc 00000000021cc48c  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #20 pc 00000000022146b8  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #21 pc 0000000001cbc038  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #22 pc 0000000001cbbfc0  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #23 pc 0000000001cbbfc0  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #24 pc 0000000001cbc840  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #25 pc 0000000001cc751c  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #26 pc 000000000202d480  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #27 pc 000000000202d9ec  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #28 pc 00000000020252ec  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #29 pc 0000000001c6e25c  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #30 pc 0000000001c94f18  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #31 pc 0000000001ca0e3c  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #32 pc 0000000001c952ec  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #33 pc 0000000001c9494c  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #34 pc 0000000001c955c0  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #35 pc 0000000001c919b4  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #36 pc 0000000001ebc2ac  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #37 pc 0000000001ebc3c8  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #38 pc 0000000001eb8e9c  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #39 pc 0000000001d10da4  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.527 20726 20726 F DEBUG   :     #40 pc 0000000001d9bde0  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.528 20726 20726 F DEBUG   :     #41 pc 0000000001d889b4  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.528 20726 20726 F DEBUG   :     #42 pc 00000000017661e0  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.528 20726 20726 F DEBUG   :     #43 pc 0000000001762290  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.528 20726 20726 F DEBUG   :     #44 pc 000000000177f31c  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.528 20726 20726 F DEBUG   :     #45 pc 0000000001c4a120  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.528 20726 20726 F DEBUG   :     #46 pc 00000000025f1140  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.528 20726 20726 F DEBUG   :     #47 pc 00000000025ef880  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.528 20726 20726 F DEBUG   :     #48 pc 00000000025f07f0  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.528 20726 20726 F DEBUG   :     #49 pc 0000000000067e70  /system/lib64/libc.so (__pthread_start(void*)+36)
09-28 10:34:19.528 20726 20726 F DEBUG   :     #50 pc 000000000001ebe4  /system/lib64/libc.so (__start_thread+68)

Look at address 2be4d5c:

Again a loop walking memory, again a dereference; the fault addr 0x7f1251e6f8 is exactly the value of register x10.

Putting the two cases together:

  1. Both crashes come from walking a pointer that was passed in as a function argument and dereferencing it.
  2. Both happen only after the program has been running for a while.
  3. The entire crash stack lies inside the app's own .so.

In both crashes the core is the argument passed into the function, and the call stack is entirely the game's own code; apart from the libc thread-entry frames at the bottom, it never passes through any system library.
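The two manual checks done above (which register holds the fault addr in case 1 and case 2, and whether the stack stays inside the app's .so) as a small Python triage script; this is an added example, not tooling from the post. It assumes the app library is libclient.so (as in both dumps) and that the fault addr is reported with its top byte cleared (AArch64 top-byte-ignore), which is why x0's leading 70 is absent from case 1's fault addr; the embedded dumps are trimmed excerpts of the post's own logs, and decoding the faulting register as ASCII is an extra check the post does not make.

```python
# Triage helper for Android logcat/tombstone native-crash dumps (added example, not the post's code).
import re
import struct

SIGNAL_RE = re.compile(r"signal \d+ \((\w+)\), code \d+ \((\w+)\), fault addr 0x([0-9a-f]+)")
REG_RE = re.compile(r"\b(x\d{1,2}|sp|pc)\s+([0-9a-f]{16})\b")
FRAME_RE = re.compile(r"#(\d+) pc ([0-9a-f]+)\s+(\S+)(?: \((.+)\))?")
# AArch64 ignores the top byte of a data address (TBI) and the kernel clears it before
# reporting the fault addr, so registers are compared on their low 56 bits only.
TBI_MASK = (1 << 56) - 1

def parse_dump(text):
    """Return (signal info, {register: value}, [frames]) from a logcat excerpt."""
    sig, regs, frames, in_backtrace = None, {}, [], False
    for line in text.splitlines():
        m = SIGNAL_RE.search(line)
        if m:
            sig = {"signal": m.group(1), "code": m.group(2), "fault_addr": int(m.group(3), 16)}
        elif "backtrace:" in line:
            in_backtrace = True            # register block is over; only frames follow
        elif in_backtrace:
            m = FRAME_RE.search(line)
            if m:
                frames.append({"lib": m.group(3).rsplit("/", 1)[-1], "sym": m.group(4)})
        else:
            for name, value in REG_RE.findall(line):
                regs[name] = int(value, 16)
    return sig, regs, frames

def fault_registers(sig, regs):
    """Names of registers whose untagged value equals the fault address."""
    target = sig["fault_addr"] & TBI_MASK
    return sorted(n for n, v in regs.items() if (v & TBI_MASK) == target)

def as_ascii(value):
    """The little-endian bytes a 64-bit register holds in memory, if all are printable."""
    raw = struct.pack("<Q", value)
    return raw.decode("ascii") if all(0x20 <= b < 0x7f for b in raw) else None

def triage(text, app_lib="libclient.so"):
    sig, regs, frames = parse_dump(text)
    hits = fault_registers(sig, regs)
    return {"code": sig["code"], "fault_regs": hits,
            "as_text": as_ascii(regs[hits[0]]) if hits else None,  # text in a pointer = corruption
            "frames": len(frames),
            "in_app": sum(f["lib"] == app_lib for f in frames),
            "system_libs": sorted({f["lib"] for f in frames if f["lib"] != app_lib})}

# Excerpts of the post's two dumps, trimmed to the lines the checks need.
CASE1 = """\
09-28 11:05:49.898 26307 26307 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x732d782f6e6f69
09-28 11:05:49.898 26307 26307 F DEBUG   :     x0   70732d782f6e6f69  x1   0000007ebdee9dc8  x2   0000007efd98d290  x3   0000007eb82f8420
09-28 11:05:49.945 26307 26307 F DEBUG   : backtrace:
09-28 11:05:49.945 26307 26307 F DEBUG   :     #00 pc 0000000002be6084  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so
09-28 11:05:49.945 26307 26307 F DEBUG   :     #03 pc 0000000002bcc434  /data/app/com.netease.mhxyhtb-5ZfKnU0CHlDE2iBq-p1VSQ==/lib/arm64/libclient.so (PyDict_Clear+336)
09-28 11:05:49.945 26307 26307 F DEBUG   :     #50 pc 0000000000067e70  /system/lib64/libc.so (__pthread_start(void*)+36)
"""
CASE2 = """\
09-28 10:34:19.488 20726 20726 F DEBUG   : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7f1251e6f8
09-28 10:34:19.488 20726 20726 F DEBUG   :     x8   0000007ed7c66e00  x9   0000007eca905268  x10  0000007f1251e6f8  x11  0000007f11476b71
09-28 10:34:19.527 20726 20726 F DEBUG   : backtrace:
09-28 10:34:19.527 20726 20726 F DEBUG   :     #00 pc 0000000002be4d5c  /data/app/com.netease.mhxyhtb-TkLvqcrhdBljRG8kCSetYg==/lib/arm64/libclient.so
09-28 10:34:19.528 20726 20726 F DEBUG   :     #49 pc 0000000000067e70  /system/lib64/libc.so (__pthread_start(void*)+36)
"""
```

For case 1 the faulting register x0 decodes as the bytes "ion/x-sp", i.e. a pointer slot that has been overwritten with string data, which is consistent with the freed or corrupted object the walk over a1[2] runs into; for case 2 x10 is an ordinary-looking address, so the SEGV_ACCERR points at a mapping without the required permission rather than at clobbered pointer bytes.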