Merge pull request #1512 from HackTricks-wiki/update_Patching_Android_ARM64_library_initializers_for_ea_20251021_183104

Patching Android ARM64 library initializers for easy Frida i...

Author: carlospolop

src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md

@@ -130,19 +130,172 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their
 
 ---
 
-### Resources
+### Neutralizing early native initializers (.init_array) and JNI_OnLoad for early instrumentation (ARM64 ELF)
+
+Highly protected apps often place root/emulator/debug checks in native constructors that run extremely early via `.init_array`, before `JNI_OnLoad` and long before any Java code executes. You can make those implicit initializers explicit and regain control by:
+- Removing `INIT_ARRAY`/`INIT_ARRAYSZ` from the DYNAMIC table so the loader does not auto-execute `.init_array` entries.
+- Resolving the constructor address from RELATIVE relocations and exporting it as a regular function symbol (e.g., `INIT0`).
+- Renaming `JNI_OnLoad` to `JNI_OnLoad0` to prevent ART from calling it implicitly.
+
+Why this works on Android/arm64
+- On AArch64, `.init_array` entries are often populated at load time by `R_AARCH64_RELATIVE` relocations whose addend is the target function address inside `.text`.
+- The bytes of `.init_array` may look empty statically; the dynamic linker writes the resolved address during relocation processing.
+
+Identify the constructor target
+- Use the Android NDK toolchain for accurate ELF parsing on AArch64:
+  ```bash
+  # Adjust paths to your NDK; use the aarch64-linux-android-* variants
+  readelf -W -a ./libnativestaticinit.so | grep -n "INIT_ARRAY" -C 4
+  readelf -W --relocs ./libnativestaticinit.so
+  ```
+- Find the relocation that lands inside the `.init_array` virtual address range; the `addend` of that `R_AARCH64_RELATIVE` is the constructor (e.g., `0xA34`, `0x954`).
+- Disassemble around that address to sanity check:
+  ```bash
+  objdump -D ./libnativestaticinit.so --start-address=0xA34 | head -n 40
+  ```
+
+Patch plan
+1) Remove `INIT_ARRAY` and `INIT_ARRAYSZ` DYNAMIC tags. Do not delete sections.
+2) Add a GLOBAL DEFAULT FUNC symbol `INIT0` at the constructor address so it can be called manually.
+3) Rename `JNI_OnLoad` → `JNI_OnLoad0` to stop ART from invoking it implicitly.
+
+Validation after patch
+```bash
+readelf -W -d libnativestaticinit.so.patched | egrep -i 'init_array|fini_array|flags'
+readelf -W -s libnativestaticinit.so.patched | egrep 'INIT0|JNI_OnLoad0'
+```
+
+Patching with LIEF (Python)
+
+<details>
+<summary>Script: remove INIT_ARRAY/INIT_ARRAYSZ, export INIT0, rename JNI_OnLoad→JNI_OnLoad0</summary>
+
+```python
+import lief
+
+b = lief.parse("libnativestaticinit.so")
+
+# Locate .init_array VA range
+init = b.get_section('.init_array')
+va, sz = init.virtual_address, init.size
+
+# Compute constructor address from RELATIVE relocation landing in .init_array
+ctor = None
+for r in b.dynamic_relocations:
+    if va <= r.address < va + sz:
+        ctor = r.addend
+        break
+if ctor is None:
+    raise RuntimeError("No R_*_RELATIVE relocation found inside .init_array")
+
+# Remove auto-run tags so loader skips .init_array
+for tag in (lief.ELF.DYNAMIC_TAGS.INIT_ARRAYSZ, lief.ELF.DYNAMIC_TAGS.INIT_ARRAY):
+    try:
+        b.remove(b[tag])
+    except Exception:
+        pass
+
+# Add exported FUNC symbol INIT0 at constructor address
+sym = lief.ELF.Symbol()
+sym.name = 'INIT0'
+sym.value = ctor
+sym.size = 0
+sym.binding = lief.ELF.SYMBOL_BINDINGS.GLOBAL
+sym.type = lief.ELF.SYMBOL_TYPES.FUNC
+sym.visibility = lief.ELF.SYMBOL_VISIBILITY.DEFAULT
+
+# Place symbol in .text index
+text = b.get_section('.text')
+for idx, sec in enumerate(b.sections):
+    if sec == text:
+        sym.shndx = idx
+        break
+b.add_dynamic_symbol(sym)
+
+# Rename JNI_OnLoad -> JNI_OnLoad0 to block implicit ART init
+j = b.get_symbol('JNI_OnLoad')
+if j:
+    j.name = 'JNI_OnLoad0'
+
+b.write('libnativestaticinit.so.patched')
+```
+</details>
+
+Notes and failed approaches (for portability)
+- Zeroing `.init_array` bytes or setting the section length to 0 does not help: the dynamic linker repopulates it via relocations.
+- Setting `INIT_ARRAY`/`INIT_ARRAYSZ` to 0 can break the loader due to inconsistent tags. Clean removal of those DYNAMIC entries is the reliable lever.
+- Deleting the `.init_array` section entirely tends to crash the loader.
+- After patching, function/layout addresses might shift; always recompute the constructor from `.rela.dyn` addends on the patched file if you need to re-run the patch.
+
+Bootstrapping a minimal ART/JNI to invoke INIT0 and JNI_OnLoad0
+- Use JNIInvocation to spin up a tiny ART VM context in a standalone binary. Then call `INIT0()` and `JNI_OnLoad0(vm)` manually before any Java code.
+- Include the target APK/classes on the classpath so any `RegisterNatives` finds its Java classes.
+
+<details>
+<summary>Minimal harness (CMake and C) to call INIT0 → JNI_OnLoad0 → Java method</summary>
+
+```cmake
+# CMakeLists.txt
+project(caller)
+cmake_minimum_required(VERSION 3.8)
+include_directories(AFTER ${CMAKE_SOURCE_DIR}/include)
+link_directories(${CMAKE_SOURCE_DIR}/lib)
+find_library(log-lib log REQUIRED)
+add_executable(caller "caller.c")
+add_library(jenv SHARED "jnihelper.c")
+target_link_libraries(caller jenv nativestaticinit)
+```
+
+```c
+// caller.c
+#include <jni.h>
+#include "jenv.h"
+JavaCTX ctx;
+void INIT0();
+void JNI_OnLoad0(JavaVM* vm);
+int main(){
+  char *jvmopt = "-Djava.class.path=/data/local/tmp/base.apk"; // include app classes
+  if (initialize_java_environment(&ctx,&jvmopt,1)!=0) return -1;
+  INIT0();                   // manual constructor
+  JNI_OnLoad0(ctx.vm);       // manual JNI init
+  jclass c = (*ctx.env)->FindClass(ctx.env, "eu/nviso/nativestaticinit/MainActivity");
+  jmethodID m = (*ctx.env)->GetStaticMethodID(ctx.env,c,"stringFromJNI","()Ljava/lang/String;");
+  jstring s = (jstring)(*ctx.env)->CallStaticObjectMethod(ctx.env,c,m);
+  const char* p = (*ctx.env)->GetStringUTFChars(ctx.env,s,NULL);
+  printf("Native string: %s\n", p);
+  cleanup_java_env(&ctx);
+}
+```
+
+```bash
+# Build (adjust NDK/ABI)
+cmake -DANDROID_PLATFORM=31 \
+  -DCMAKE_TOOLCHAIN_FILE=$HOME/Android/Sdk/ndk/26.1.10909125/build/cmake/android.toolchain.cmake \
+  -DANDROID_ABI=arm64-v8a ..
+make
+```
+</details>
+
+
+**Common Pitfalls:**
+- Constructor addresses change after patching due to re-layout; always recompute from `.rela.dyn` on the final binary.
+- Ensure `-Djava.class.path` covers every class used by `RegisterNatives` calls.
+- Behavior may vary with NDK/loader versions; the consistently reliable step was removing `INIT_ARRAY`/`INIT_ARRAYSZ` DYNAMIC tags.
 
-- **Learning ARM Assembly:** [Azeria Labs – ARM Assembly Basics](https://azeria-labs.com/writing-arm-assembly-part-1/)
-- **JNI & NDK Documentation:** [Oracle JNI Spec](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html) · [Android JNI Tips](https://developer.android.com/training/articles/perf-jni) · [NDK Guides](https://developer.android.com/ndk/guides/)
-- **Debugging Native Libraries:** [Debug Android Native Libraries Using JEB Decompiler](https://medium.com/@shubhamsonani/how-to-debug-android-native-libraries-using-jeb-decompiler-eec681a22cf3)
 
 ### References
 
+- **Learning ARM Assembly:** [Azeria Labs – ARM Assembly Basics](https://azeria-labs.com/writing-arm-assembly-part-1/)
+- **JNI & NDK Documentation:** [Oracle JNI Spec](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html) · [Android JNI Tips](https://developer.android.com/training/articles/perf-jni) · [NDK Guides](https://developer.android.com/ndk/guides/)
+- **Debugging Native Libraries:** [Debug Android Native Libraries Using JEB Decompiler](https://medium.com/@shubhamsonani/how-to-debug-android-native-libraries-using-jeb-decompiler-eec681a22cf3)
 - Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  
 - NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
 - SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
 - SoTap Releases – [github.com/RezaArbabBot/SoTap/releases](https://github.com/RezaArbabBot/SoTap/releases)
 - How to work with SoTap? – [t.me/ForYouTillEnd/13](https://t.me/ForYouTillEnd/13)
 - [CoRPhone — JNI memory-only execution pattern and packaging](https://github.com/0xdevil/corphone)
+- [Patching Android ARM64 library initializers for easy Frida instrumentation and debugging](https://blog.nviso.eu/2025/10/14/patching-android-arm64-library-initializers-for-easy-frida-instrumentation-and-debugging/)
+- [LIEF Project](https://github.com/lief-project/LIEF)
+- [JNIInvocation](https://github.com/Ch0pin/JNIInvocation)
 
 {{#include ../../banners/hacktricks-training.md}}