8th June 2013, 02:30 AM | #1701
rovo89 (OP, Senior Recognized Developer)
Quote:
Originally Posted by rovo89

I managed to get a copy.. and for some reason it calls "pm clear <package>" to clear the userdata of an Xposed module (which is of course not allowed and crashes). WTF?

Ok, whatever Final Fantasy does there: It looks like some very dirty coding.

What's going on there:
- com/square_enix/android_googleplay/FFIV_GP/MainActivitya loads lib__57d5__.so and then calls native function MainActivityb.a(I)I with some random (?) integer constants
- Actually already the library loading fails because somewhere during the initialization, it calls "sh -c pm clear <package>" for the Xposed modules, which fails with a permission error and crashes the process
- The library seems to be obfuscated - I can read some assembler, but I couldn't find the real code. mprotect/memset functions are called, maybe for decoding
- With trial and error, I think I found the place where FF reads the package names: /proc/self/maps (or /proc/<pid>/maps)
- This file contains the memory regions of a process and the files from which they are mapped
- As Xposed has loaded the modules, they are in the memory for FF as well
- When I rename the module file, the new path is also updated in the mapping file
- After renaming /data/app/xyz-1.apk to /data/app/abc-1.apk, the call is no longer "pm clear xyz", but "pm clear abc" (even though that package doesn't exist and probably nothing in the system can know about the renaming)
- After renaming to /data/app/xyz-1.apkx, the calls continue with the next package; once all are renamed the calls stop and FF continues to load
- However, it seems to detect itself - if I move the game apk to /data/app, it doesn't hang

To summarize: A strange native library in FF seems to get all /data/app/*-?.apk entries from the memory mapping file and tries to clear the data for them. Why? I don't know what this should be good for. I assume it targets the app itself, but why does it go such a complicated way? Why is the library obfuscated (the others aren't)? The best explanation I could think of was that it wants to clean up previous versions, but then I discovered that it doesn't clean for its own apk... so I have no idea.

After spending 2.5 hours looking at this, I don't think I have any chance or need to fix something in my code. I can't avoid that the modules are in the memory, I couldn't even unload them if I wanted to. Sorry, but it seems that you need to disable Xposed and reboot to play. Or ask the vendor to fix their code, there is no reason to clear data for foreign packages - but I'm not sure if they will listen to it.
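The lookup rovo89 reverse-engineered above (walk /proc/self/maps, pick out every mapping that comes from /data/app/<package>-<n>.apk, build a "pm clear <package>" command per package) can be reproduced in a few dozen lines of C. The block below is an added example written for this page; it is not code from the post, from Xposed, or from the game's library. The maps content is constructed, the function names are my own, and two details are assumptions inferred from his observations rather than facts about the library: the version suffix is matched as one or more digits, and the caller's own package is skipped because the post reports the game never clears its own apk. The commands are only formatted, never executed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PKGS     32
#define PKG_NAME_LEN 256

/* Constructed sample of /proc/<pid>/maps content (not captured from a real
 * device): two hypothetical Xposed modules, a renamed ".apkx" file that
 * must be ignored, a plain system library and the game's own apk. */
static const char SAMPLE_MAPS[] =
    "b6f00000-b6f20000 r-xp 00000000 b3:1a 1234 /data/app/com.example.module.one-1.apk\n"
    "b6f20000-b6f30000 r--p 00020000 b3:1a 1234 /data/app/com.example.module.one-1.apk\n"
    "b7000000-b7010000 r-xp 00000000 b3:1a 2222 /data/app/com.example.module.two-3.apk\n"
    "b7100000-b7110000 r-xp 00000000 b3:1a 3333 /data/app/com.example.renamed-1.apkx\n"
    "b7200000-b7210000 r-xp 00000000 b3:1a 4444 /system/lib/libc.so\n"
    "b7300000-b7310000 r-xp 00000000 b3:1a 5555 /data/app/com.example.game-1.apk\n"
    "bef00000-bef20000 rw-p 00000000 00:00 0          [stack]\n";

/* If the maps line [line, line+len) ends in /data/app/<pkg>-<digits>.apk,
 * copy <pkg> into pkg and return 1; otherwise return 0. */
static int pkg_from_maps_line(const char *line, size_t len, char *pkg)
{
    static const char prefix[] = "/data/app/";
    const size_t plen = sizeof(prefix) - 1;
    const char *end = line + len;
    const char *s, *name = NULL, *d;
    size_t nlen;

    for (s = line; s + plen <= end; s++) {
        if (memcmp(s, prefix, plen) == 0) { name = s + plen; break; }
    }
    if (!name)
        return 0;
    /* must end in ".apk" exactly; "xyz-1.apkx" is not a match */
    if ((size_t)(end - name) < 6 || memcmp(end - 4, ".apk", 4) != 0)
        return 0;
    /* walk back over the version digits and require a '-' before them */
    d = end - 4;
    while (d > name && isdigit((unsigned char)d[-1]))
        d--;
    if (d == end - 4 || d == name || d[-1] != '-')
        return 0;
    nlen = (size_t)(d - 1 - name);
    if (nlen == 0 || nlen >= PKG_NAME_LEN)
        return 0;
    memcpy(pkg, name, nlen);
    pkg[nlen] = '\0';
    return 1;
}

/* Collect every package mapped from /data/app/<pkg>-<n>.apk in a maps
 * buffer, each once, skipping "self" (the caller's own package) if given. */
int collect_apk_packages(const char *maps, const char *self,
                         char out[][PKG_NAME_LEN], int max)
{
    int count = 0;
    const char *line = maps;

    while (*line && count < max) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char pkg[PKG_NAME_LEN];
        int i, dup = 0;

        if (pkg_from_maps_line(line, len, pkg)) {
            for (i = 0; i < count; i++)
                if (strcmp(out[i], pkg) == 0) { dup = 1; break; }
            if (!dup && !(self && strcmp(self, pkg) == 0))
                strcpy(out[count++], pkg);
        }
        line = eol ? eol + 1 : line + len;
    }
    return count;
}

/* Build the "pm clear <pkg>" string the library is reported to pass to
 * "sh -c". It is only formatted here, never executed. Returns the length
 * or -1 if the buffer is too small. */
int format_clear_command(const char *pkg, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "pm clear %s", pkg);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void)
{
    char pkgs[MAX_PKGS][PKG_NAME_LEN];
    char cmd[PKG_NAME_LEN + 16];
    int i, n = collect_apk_packages(SAMPLE_MAPS, "com.example.game", pkgs, MAX_PKGS);

    for (i = 0; i < n; i++) {
        if (format_clear_command(pkgs[i], cmd, sizeof cmd) > 0)
            printf("would run: sh -c \"%s\"\n", cmd);
    }
    return 0;
}
```

Run against the constructed maps, this yields only the two module packages: the duplicate mapping of module.one is collapsed, the ".apkx" file is ignored (the same effect rovo89 got by renaming), and the game's own package is skipped. To try it on a live process, read /proc/self/maps into a buffer and pass that instead of SAMPLE_MAPS; on a device with Xposed active, the module apks appear there because they are mapped into every app, which is exactly why a module cannot hide from this check without being unloaded.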