Solved game with my mod menu works fine on emulator but keeps crashing on phone

Sbyky

Approved Modder
Original poster
Approved Modder
Oct 4, 2022
72
2,169
183
Pakistan
Hi everyone, I modded this game with a mod menu. It works fine on the emulator, but when I install it on a phone it crashes after 2 seconds.

Modded APK: TrafficRacerv3.7b370SbykyModMenu.apk

Screenshots: Screenshot_20240226-103014.png, Screenshot_20240226-103023.png, Screenshot_20240226-103234.png, Screenshot_20240226-103616.png, Screenshot_20240226-103750.png, Screenshot_20240226-103759.png

The emulator is Android 7, 32-bit, rooted, and the phones I tested on were Android 11 and 9, not rooted. How do I fix this? Any ideas? Please share.

Mika Cybertron

PMT Elite Modder
Staff member
Modding-Team
Mar 24, 2017
907
64,967
1,213
24
Indonesia
Check if your APK has libs for 2 architectures. If it does, you need to remove the other libs folder. For example, if the APK has libs for 2 architectures (armeabi-v7a & arm64-v8a) and you only make the mod for armeabi-v7a, then you have to delete the other architecture folder.
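The check in this reply can be made mechanical. The C program below is an added example, not code from this thread or from any modding tool: it takes the entry paths of an APK (constructed here to mimic `unzip -l` output; the library names libgame.so and libSbyky.so are stand-ins) and reports every ABI directory that is missing a library present under another ABI. Android installs an APK with one primary ABI, chosen from the lib/ directories present, so a 64-bit phone picks arm64-v8a and a library that only exists under armeabi-v7a is never found, which is the "fine on the 32-bit emulator, crashes on the phone" pattern.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 32
#define NAME_LEN  64

/* Constructed sample of entry paths as `unzip -l` would list them: the
 * modder's libSbyky.so was built for armeabi-v7a only, but the
 * lib/arm64-v8a/ directory was left in the APK. */
const char *SAMPLE_ENTRIES[] = {
    "classes.dex",
    "lib/armeabi-v7a/libgame.so",
    "lib/armeabi-v7a/libSbyky.so",
    "lib/arm64-v8a/libgame.so",
    "assets/data.bin",
};
#define SAMPLE_COUNT ((int)(sizeof SAMPLE_ENTRIES / sizeof SAMPLE_ENTRIES[0]))

/* The same APK after the suggested fix: the extra ABI directory removed,
 * so a single ABI remains and it is complete. */
const char *FIXED_ENTRIES[] = {
    "classes.dex",
    "lib/armeabi-v7a/libgame.so",
    "lib/armeabi-v7a/libSbyky.so",
    "assets/data.bin",
};
#define FIXED_COUNT ((int)(sizeof FIXED_ENTRIES / sizeof FIXED_ENTRIES[0]))

typedef struct {
    char abis[MAX_NAMES][NAME_LEN];
    int  n_abis;
    char libs[MAX_NAMES][NAME_LEN];
    int  n_libs;
    int  present[MAX_NAMES][MAX_NAMES];  /* present[abi][lib] */
} LibTable;

/* Index of s in names[], appending it if new; -1 if the table is full. */
static int find_or_add(char names[][NAME_LEN], int *count, const char *s) {
    for (int i = 0; i < *count; i++)
        if (strcmp(names[i], s) == 0) return i;
    if (*count >= MAX_NAMES || strlen(s) >= NAME_LEN) return -1;
    strcpy(names[*count], s);
    return (*count)++;
}

/* Split "lib/<abi>/<file>" into abi and file; 0 if not a native lib path. */
static int split_lib_path(const char *entry, char *abi, const char **file) {
    if (strncmp(entry, "lib/", 4) != 0) return 0;
    const char *slash = strchr(entry + 4, '/');
    if (slash == NULL) return 0;
    size_t n = (size_t)(slash - (entry + 4));
    if (n == 0 || n >= NAME_LEN) return 0;
    memcpy(abi, entry + 4, n);
    abi[n] = '\0';
    *file = slash + 1;
    return (*file)[0] != '\0';
}

/* Builds the ABI x library table and returns the number of gaps: libraries
 * that exist under one ABI directory but are missing from another. Any gap
 * means System.loadLibrary() of that name fails on a device whose primary
 * ABI is the incomplete directory. */
int abi_gaps(const char **entries, int n, LibTable *t) {
    memset(t, 0, sizeof *t);
    for (int i = 0; i < n; i++) {
        char abi[NAME_LEN];
        const char *file;
        if (!split_lib_path(entries[i], abi, &file)) continue;
        int ai = find_or_add(t->abis, &t->n_abis, abi);
        int li = find_or_add(t->libs, &t->n_libs, file);
        if (ai < 0 || li < 0) continue;
        t->present[ai][li] = 1;
    }
    int gaps = 0;
    for (int a = 0; a < t->n_abis; a++)
        for (int l = 0; l < t->n_libs; l++)
            if (!t->present[a][l]) {
                printf("gap: lib/%s/%s is missing\n", t->abis[a], t->libs[l]);
                gaps++;
            }
    return gaps;
}

int main(void) {
    LibTable t;
    int before = abi_gaps(SAMPLE_ENTRIES, SAMPLE_COUNT, &t);
    printf("before fix: %d gap(s) across %d ABI dir(s)\n", before, t.n_abis);
    int after = abi_gaps(FIXED_ENTRIES, FIXED_COUNT, &t);
    printf("after fix:  %d gap(s) across %d ABI dir(s)\n", after, t.n_abis);
    return 0;
}
```

Feeding it the real entry list is a matter of piping the file names from `unzip -Z1 app.apk` into `SAMPLE_ENTRIES`; the point of the check is that a non-zero gap count, not the mere presence of two ABI folders, is what breaks the install on a device whose primary ABI differs from the emulator's.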
 

Sbyky

Approved Modder
Original poster
Approved Modder
Oct 4, 2022
72
2,169
183
Pakistan
> Check if your APK has libs for 2 architectures. If it does, you need to remove the other libs folder. For example, if the APK has libs for 2 architectures (armeabi-v7a & arm64-v8a) and you only make the mod for armeabi-v7a, then you have to delete the other architecture folder.
I already deleted arm64-v8a and have only left armeabi-v7a there. Also check my code calls under onCreate; could the 2 calls be causing this?

Code:
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 2

    const/4 v0, 0x1

    invoke-static {p0}, Lcom/android/support/Main;->StartWithoutPermission(Landroid/content/Context;)V

    invoke-static {p0}, LJZTV/Restore;->Start(Landroid/content/Context;)V

Backshift

Solid & Active Platinian
Oct 10, 2023
53
35
18
32
Your APK crashed here too, testing on a Pixel 2 XL.

A crash log is generated which says the cause is a null pointer dereference.

The backtrace mentions your libSbyky.so twice.

First is here, where it calls sub_6C960:
[screenshot: 1708969538291.png]

Then it gets to a line in this function that it crashes on:
[screenshot: 1708969542370.png]

The line it crashes at indicates the same as the crash log. From the code *a1 = 0xE51FF004; a1 is a pointer being dereferenced and assigned the value 0xE51FF004, but a1 is 0 aka NULL, so it's crashing.

a1 is the default IDA name for the first parameter of the function we are currently in, which in this case, according to the first screenshot, is whatever v17 is being set to, which in your first screenshot is this line: v17 = sub_58CD4(&dword_C0F9C);.

The problem is that in the rest of the functions there is a lot of XORing, which looks like string decryption and would take time to reverse to give more specific info on what this code is actually doing. If this helps, great; if you need more help though, you should post the source so we can see what your code actually looks like.

As to why this might be happening on real devices only, it depends. The first 2 lines of the function that crashes have this code:
C++:
  if ( byte_C18A0 )
    printf("SubstrateHookFunction(%p, %p, %p, %p)\n", 0, a1, a2, (const void *)fd);
To me this looks like it could be Substrate's hooking function, although I haven't confirmed that and have never personally used Substrate for hooking. Considering it works on emulators but not on real Android devices might suggest it's a timing thing, in the sense that the function to be hooked isn't in memory yet, or is not being found at all, or something like that. Without source I don't want to say it for sure. If you don't want to send your actual source for any reason, then I would suggest you add logging to your code to see if the addresses you are trying to hook are actually correct; if one of them prints as 0 aka NULL then that could be your null pointer dereference that's crashing you.
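The failure Backshift reconstructs, and the check that turns it into a logged error instead of a crash, as an added example in C (not code from this thread, from Substrate, or from the modder's library). Symbol lookup is simulated with a constructed table so the program runs off-device; the names Game::update, Game::render and Game::missing are hypothetical. The constant 0xE51FF004 is the ARM instruction LDR PC, [PC, #-4], which loads the word that follows it into the program counter; writing it through a NULL target pointer is exactly the fault in the backtrace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ARM "LDR PC, [PC, #-4]": PC reads as the instruction address + 8, so
 * [PC - 4] is the very next word, which becomes the new PC. */
#define ARM_LDR_PC_PC_M4 0xE51FF004u

/* Pretend code region, 4-byte aligned like real ARM text. */
uint32_t fake_text[8];

/* Constructed stand-in for dlsym()/offset lookup. On a device the real
 * lookup returns NULL when the library is not loaded yet or the symbol
 * name or offset is wrong, which is the case this example handles. */
static const struct { const char *name; uint32_t *addr; } SYMBOLS[] = {
    { "Game::update", &fake_text[0] },
    { "Game::render", &fake_text[4] },
};

uint32_t *resolve_symbol(const char *name) {
    for (size_t i = 0; i < sizeof SYMBOLS / sizeof SYMBOLS[0]; i++)
        if (strcmp(SYMBOLS[i].name, name) == 0) return SYMBOLS[i].addr;
    return NULL;
}

/* Writes the two-word redirect at target. Returns 0 on success, -1 if the
 * target is unusable. The two guards are what the crashing code lacked: it
 * dereferenced a1 without confirming it was non-NULL and 4-byte aligned. */
int write_jump(uint32_t *target, uint32_t dest) {
    if (target == NULL) {
        fprintf(stderr, "write_jump: target is NULL, patch skipped\n");
        return -1;
    }
    if ((uintptr_t)target & 3u) {
        fprintf(stderr, "write_jump: target %p is not 4-byte aligned\n", (void *)target);
        return -1;
    }
    target[0] = ARM_LDR_PC_PC_M4;  /* LDR PC, [PC, #-4] */
    target[1] = dest;              /* the word that LDR loads into PC */
    return 0;
}

/* Resolve by name, log the address as Backshift suggests, and stop on a
 * failed lookup rather than passing NULL on. */
int hook_by_name(const char *name, uint32_t dest) {
    uint32_t *target = resolve_symbol(name);
    fprintf(stderr, "hook %s -> target %p\n", name, (void *)target);
    return write_jump(target, dest);
}

int main(void) {
    hook_by_name("Game::update", 0x12345678u);   /* resolves, patch written */
    hook_by_name("Game::missing", 0x12345678u);  /* logs NULL, returns -1 */
    return 0;
}
```

On a real device the text segment is not writable until its protection is changed, and the instruction cache must be flushed after the write; both steps are omitted here because the point is the NULL and alignment guards, which are cheap and would have turned the 2-second crash into a single log line naming the lookup that failed.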

Sbyky

Approved Modder
Original poster
Approved Modder
Oct 4, 2022
72
2,169
183
Pakistan
> [Backshift's reply above, quoted in full]
Thank you for such a thorough investigation and detailed reply; it was right on target. Since I wasn't hooking anything, I deleted all the hooking functions from Main.cpp. There was an error in And64InlineHook/And64InlineHook.hpp and a couple of errors in Substrate/Buffer.hpp etc.; I fixed them anyway. Long story short, it works now. Thank you once again, I really appreciate it.