Cydia Substrate Android: MSHookFunction crashes with Fatal signal 11

Question

I am using external .so library and trying to replace a its function with mine, using MSHookFunction from Cydia Substrate.

Here is the code:

void *handle = dlopen("libmylib.so", RTLD_LAZY);
void *sym = dlsym(mcpelibhandle, "_ZN5Level4tickEv");
__android_log_print(ANDROID_LOG_DEBUG, "test", "handle: %p dlsym: %p", handle, sym);
MSHookFunction(sym, (void*) tick_hook, (void**) tick_original);

MSHookFunction throws this error:

Fatal signal 11 (SIGSEGV), code 2, fault addr 0xdfc849f0 in tid 7472

libmylib.so is loaded before loading this code, both handle and symbol are not null, and I also checked it existence in the the lib, using IDA, so its no doubt, that that part is correct. I will appreciate any help.

UPDATE

Its crashes with same error, if I call it on my own function in same file by getting its pointer:

MSHookFunction((void*) &func_to_hook, (void*) &func_hook, (void**) &func_real);

Answer 1

It seems I found the solution.

MSHookFunction incorrectly uses mprotect to give itself access to the address, its modifying. I called mprotect for memory pages before and after and it started working perfectly in both cases.

This code works perfectly for me:

bool hookLibFunction(void *origin, void *hook, void **result) {
    int pagesize = sysconf(_SC_PAGESIZE);
    int protectsize = pagesize * 4;
    void *protectaddr = (void*) ((int) origin - ((int) origin % pagesize) - pagesize);

    int protectresult = mprotect(protectaddr, protectsize, PROT_EXEC | PROT_READ | PROT_WRITE );

    if (protectresult == 0) { // success
        MSHookFunction(origin, hook, result);
        __android_log_print(ANDROID_LOG_DEBUG, LOGGER_TAG, "function hook for address %p successed.");
        return true;
    }
    else { // fail
        __android_log_print(ANDROID_LOG_DEBUG, LOGGER_TAG, "function hook for address %p failed: mprotect=%i, err=%i", origin, protectresult, errno);
        return false;
    }
}