Android Art Hook 技术方案

最新推荐文章于 2024-10-10 07:06:30 发布

qq_27403801

最新推荐文章于 2024-10-10 07:06:30 发布

阅读量441

点赞数

0x1 开始

Anddroid上的ART从5.0之后变成默认的选择，可见ART的重要性，目前关于Dalvik Hook方面研究的文章很多，但我在网上却找不到关于ART Hook相关的文章，甚至连鼎鼎大名的XPosed和Cydia Substrate到目前为止也不支持ART的Hook。当然我相信，技术方案他们肯定是的，估计卡在机型适配上的了。

既然网上找不到相关的资料，于是我决定自己花些时间去研究一下，终于黃天不负有心人，我找到了一个切实可行的方法，即本文所介绍的方法。

应该说明的是本文所介绍的方法肯定不是最好的，但大家看完本文之后，如果能启发大家找到更好的ART Hook方法，那我抛砖引玉的目的就达到了。废话不多说，我们开始吧。

运行环境: 4.4.2 ART模式的模拟器
开发环境: Mac OS X 10.10.3

0x2 ART类方法加载及执行

在ART中类方法的执行要比在Dalvik中要复杂得多，Dalvik如果除去JIT部分，可以理解为是一个解析执行的虚拟机，而ART则同时包含本地指令执行和解析执行两种模式，同时所生成的oat文件也包含两种类型，分别是portable和quick。portable和quick的主要区别是对于方法的加载机制不相同，quick大量使用了Lazy Load机制，因此应用的启动速度更快，但加载流程更复杂。其中quick是作为默认选项，因此本文所涉及的技术分析都是基于quick类型的。

由于ART存在本地指令执行和解析执行两种模式，因此类方法之间并不是能直接跳转的，而是通过一些预先定义的bridge函数进行状态和上下文的切换，这里引用一下老罗博客中的示意图：

当执行某个方法时，如果当前是本地指令执行模式，则会执行ArtMethod::GetEntryPointFromCompiledCode()指向的函数，否则则执行ArtMethod::GetEntryPointFromInterpreter()指向的函数。因此每个方法，都有两个入口点，分别保存在ArtMethod::entry_point_from_compiled_code_和ArtMethod::entry_point_from_interpreter_。了解这一点非常重要，后面我们主要就是在这两个入口做文章。

在讲述原理之前，需要先把以下两个流程了解清楚，这里的内容要展开是非常庞大的，我针对Hook的关键点，简明扼要的描述一下，但还是强烈建议大家去老罗的博客里细读一下其中关于ART的几篇文章。

ArtMethod加载流程

这个过程发生在oat被装载进内存并进行类方法链接的时候，类方法链接的代码在art/runtime/class_linker.cc中的LinkCode，如下所示：

<code class="hljs lasso has-numbering" style="display: block; padding: 0px; background-color: transparent; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; word-wrap: normal; background-position: initial initial; background-repeat: initial initial;">static <span class="hljs-literal" style="color: rgb(0, 102, 102); box-sizing: border-box;">void</span> LinkCode(SirtRef<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;"><</span>mirror<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::ArtMethod</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">>&</span> method, const OatFile<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::OatClass</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> oat_class, uint32_t method_index)
    SHARED_LOCKS_REQUIRED(Locks<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::mutator_lock_</span>) {

  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Method shouldn't have already been linked.</span>
  DCHECK(method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>GetEntryPointFromCompiledCode() <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">==</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">NULL</span>);
  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Every kind of method should at least get an invoke stub from the oat_method.</span>
  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// non-abstract methods also get their code pointers.</span>
  const OatFile<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::OatMethod</span> oat_method <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> oat_class<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>GetOatMethod(method_index);

  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// 这里默认会把method::entry_point_from_compiled_code_设置oatmethod的code</span>
  oat_method<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">.</span>LinkMethod(method<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">.</span>get());

  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Install entry point from interpreter.</span>
  Runtime<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> runtime <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> Runtime<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::Current</span>();
  bool enter_interpreter <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> NeedsInterpreter(method<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">.</span>get(), method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>GetEntryPointFromCompiledCode()); <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">//判断方法是否需要解析执行</span>

  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// 设置解析执行的入口点</span>
  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> (enter_interpreter) {
    method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>SetEntryPointFromInterpreter(interpreter<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::artInterpreterToInterpreterBridge</span>);
  } <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">else</span> {
    method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>SetEntryPointFromInterpreter(artInterpreterToCompiledCodeBridge);
  }

  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// 下面是设置本地指令执行的入口点</span>
  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> (method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>IsAbstract()) {
    method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>SetEntryPointFromCompiledCode(GetCompiledCodeToInterpreterBridge());
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">return</span>;
  }

  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// 这里比较难理解，如果是静态方法，但不是clinit，但需要把entry_point_from_compiled_code_设置为GetResolutionTrampoline的返回值</span>
  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> (method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>IsStatic() <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">&&</span> <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">!</span>method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>IsConstructor()) {
    <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// For static methods excluding the class initializer, install the trampoline.</span>
    <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// It will be replaced by the proper entry point by ClassLinker::FixupStaticTrampolines</span>
    <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// after initializing class (see ClassLinker::InitializeClass method).</span>
    method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>SetEntryPointFromCompiledCode(GetResolutionTrampoline(runtime<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>GetClassLinker()));
  } <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">else</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> (enter_interpreter) {
    <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Set entry point from compiled code if there's no code or in interpreter only mode.</span>
    method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>SetEntryPointFromCompiledCode(GetCompiledCodeToInterpreterBridge());
  }

  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> (method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>IsNative()) {
    <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Unregistering restores the dlsym lookup stub.</span>
    method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>UnregisterNative(<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Thread</span><span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::Current</span>());
  }

  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Allow instrumentation its chance to hijack code.</span>
  runtime<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>GetInstrumentation()<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>UpdateMethodsCode(method<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">.</span>get(),method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>GetEntryPointFromCompiledCode());
}</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; background-color: rgb(238, 238, 238); top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right;"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li><li style="box-sizing: border-box; padding: 0px 5px;">16</li><li style="box-sizing: border-box; padding: 0px 5px;">17</li><li style="box-sizing: border-box; padding: 0px 5px;">18</li><li style="box-sizing: border-box; padding: 0px 5px;">19</li><li style="box-sizing: border-box; padding: 0px 5px;">20</li><li style="box-sizing: border-box; padding: 0px 5px;">21</li><li style="box-sizing: border-box; padding: 0px 5px;">22</li><li style="box-sizing: border-box; padding: 0px 5px;">23</li><li style="box-sizing: border-box; padding: 0px 5px;">24</li><li style="box-sizing: border-box; padding: 0px 5px;">25</li><li style="box-sizing: border-box; padding: 0px 5px;">26</li><li style="box-sizing: border-box; padding: 0px 5px;">27</li><li style="box-sizing: border-box; padding: 0px 5px;">28</li><li style="box-sizing: border-box; padding: 0px 5px;">29</li><li style="box-sizing: border-box; padding: 0px 5px;">30</li><li style="box-sizing: border-box; padding: 0px 5px;">31</li><li style="box-sizing: border-box; padding: 0px 5px;">32</li><li style="box-sizing: border-box; padding: 0px 5px;">33</li><li style="box-sizing: border-box; padding: 0px 5px;">34</li><li style="box-sizing: border-box; padding: 0px 5px;">35</li><li style="box-sizing: border-box; padding: 0px 5px;">36</li><li style="box-sizing: border-box; padding: 0px 5px;">37</li><li style="box-sizing: border-box; padding: 0px 5px;">38</li><li style="box-sizing: border-box; padding: 0px 5px;">39</li><li style="box-sizing: border-box; padding: 0px 5px;">40</li><li style="box-sizing: border-box; padding: 0px 5px;">41</li><li style="box-sizing: border-box; padding: 0px 5px;">42</li><li style="box-sizing: border-box; padding: 0px 5px;">43</li><li style="box-sizing: border-box; padding: 0px 5px;">44</li><li style="box-sizing: border-box; padding: 0px 5px;">45</li><li style="box-sizing: border-box; padding: 0px 5px;">46</li><li style="box-sizing: border-box; padding: 0px 5px;">47</li><li style="box-sizing: border-box; padding: 0px 5px;">48</li></ul>

通过上面的代码我们可以得到，一个ArtMethod的入口主要有以下几种：

Interpreter2Interpreter对应artInterpreterToInterpreterBridge(art/runtime/interpreter/interpreter.cc);
Interpreter2CompledCode对应artInterpreterToCompiledCodeBridge(/art/runtime/entrypoints/interpreter/interpreter_entrypoints.cc);
CompliedCode2Interpreter对应art_quick_to_interpreter_bridge(art/runtime/arch/arm/quick_entrypoints_arm.S);
CompliedCode2ResolutionTrampoline对应art_quick_resolution_trampoline(art/runtime/arch/arm/quick_entrypoints_arm.S);
CompliedCode2CompliedCode这个入口是直接指向oat中的指令，详细可见OatMethod::LinkMethod;

其中调用约定主要有两种，分别是：

typedef void (EntryPointFromInterpreter)(Thread* self, MethodHelper& mh, const DexFile::CodeItem* code_item, ShadowFrame* shadow_frame, JValue* result), 这种对应上述1，3两种入口；

剩下的2，4，5三种入口对应的是CompledCode的入口，代码中并没有直接给出，但我们通过分析ArtMethod::Invoke的方法调用，就可以知道其调用约定了。Invoke过程中会调用art_quick_invoke_stub(/art/runtime/arch/arm/quick_entrypoints_arm.S)，代码如下所示：

<code class="hljs avrasm has-numbering" style="display: block; padding: 0px; background-color: transparent; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; word-wrap: normal; background-position: initial initial; background-repeat: initial initial;"> <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">/*
 * Quick invocation stub.
 * On entry:
 *   r0 = method pointer
 *   r1 = argument array or NULL for no argument methods
 *   r2 = size of argument array in bytes
 *   r3 = (managed) thread pointer
 *   [sp] = JValue* result
 *   [sp + 4] = result type char
 */</span>
ENTRY art_quick_invoke_stub
<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">push</span>   {<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r4</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r9</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r11</span>, lr}       @ spill regs
<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.save</span>  {<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r4</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r9</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r11</span>, lr}
<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.pad</span> <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#24</span>
<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.cfi</span>_adjust_cfa_offset <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">24</span>
<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.cfi</span>_rel_offset <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">0</span>
<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.cfi</span>_rel_offset <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r4</span>, <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">4</span>
<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.cfi</span>_rel_offset <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">8</span>
<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.cfi</span>_rel_offset <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r9</span>, <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">12</span>
<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.cfi</span>_rel_offset <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r11</span>, <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">16</span>
<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.cfi</span>_rel_offset lr, <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">20</span>
<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">mov</span>    <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r11</span>, sp                         @ save the stack pointer
<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.cfi</span>_def_cfa_register <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r11</span>
<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">mov</span>    <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r9</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r3</span>                          @ move managed thread pointer into <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r9</span>
<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">mov</span>    <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r4</span>, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#SUSPEND_CHECK_INTERVAL     @ reset r4 to suspend check interval</span>
<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">add</span>    <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r2</span>, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#16                     @ create space for method pointer in frame</span>
<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">and</span>    <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#0xFFFFFFF0                 @ align frame size to 16 bytes</span>
<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">sub</span>    sp, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>                          @ reserve stack space for argument array
<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">add</span>    <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#4                      @ pass stack pointer + method ptr as dest for memcpy</span>
bl     memcpy                          @ memcpy (dest, src, bytes)
ldr    <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, [<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r11</span>]                       @ restore method*
ldr    <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r1</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#4]                    @ copy arg value for r1</span>
ldr    <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r2</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#8]                    @ copy arg value for r2</span>
ldr    <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r3</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#12]                   @ copy arg value for r3</span>
<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">mov</span>    ip, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#0                          @ set ip to 0</span>
str    ip, [sp]                        @ store NULL for method* at bottom of frame
ldr    ip, [<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#METHOD_CODE_OFFSET]   @ get pointer to the code</span>
blx    ip                              @ <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">call</span> the method
<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">mov</span>    sp, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r11</span>                         @ restore the stack pointer
ldr    ip, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#24]                   @ load the result pointer</span>
strd   <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, [ip]                        @ store <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>/<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r1</span> into result pointer
<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">pop</span>    {<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r4</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r9</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r11</span>, lr}       @ restore spill regs
<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.cfi</span>_adjust_cfa_offset -<span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">24</span>
bx     lr
END art_quick_invoke_stub</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; background-color: rgb(238, 238, 238); top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right;"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li><li style="box-sizing: border-box; padding: 0px 5px;">16</li><li style="box-sizing: border-box; padding: 0px 5px;">17</li><li style="box-sizing: border-box; padding: 0px 5px;">18</li><li style="box-sizing: border-box; padding: 0px 5px;">19</li><li style="box-sizing: border-box; padding: 0px 5px;">20</li><li style="box-sizing: border-box; padding: 0px 5px;">21</li><li style="box-sizing: border-box; padding: 0px 5px;">22</li><li style="box-sizing: border-box; padding: 0px 5px;">23</li><li style="box-sizing: border-box; padding: 0px 5px;">24</li><li style="box-sizing: border-box; padding: 0px 5px;">25</li><li style="box-sizing: border-box; padding: 0px 5px;">26</li><li style="box-sizing: border-box; padding: 0px 5px;">27</li><li style="box-sizing: border-box; padding: 0px 5px;">28</li><li style="box-sizing: border-box; padding: 0px 5px;">29</li><li style="box-sizing: border-box; padding: 0px 5px;">30</li><li style="box-sizing: border-box; padding: 0px 5px;">31</li><li style="box-sizing: border-box; padding: 0px 5px;">32</li><li style="box-sizing: border-box; padding: 0px 5px;">33</li><li style="box-sizing: border-box; padding: 0px 5px;">34</li><li style="box-sizing: border-box; padding: 0px 5px;">35</li><li style="box-sizing: border-box; padding: 0px 5px;">36</li><li style="box-sizing: border-box; padding: 0px 5px;">37</li><li style="box-sizing: border-box; padding: 0px 5px;">38</li><li style="box-sizing: border-box; padding: 0px 5px;">39</li><li style="box-sizing: border-box; padding: 0px 5px;">40</li><li style="box-sizing: border-box; padding: 0px 5px;">41</li><li style="box-sizing: border-box; padding: 0px 5px;">42</li><li style="box-sizing: border-box; padding: 0px 5px;">43</li><li style="box-sizing: border-box; padding: 0px 5px;">44</li><li style="box-sizing: border-box; padding: 0px 5px;">45</li></ul>

“ldr ip, [r0, #METHOD_CODE_OFFSET]”其实就是把ArtMethod::entry_point_from_compiled_code_赋值给ip，然后通过blx直接调用。通过这段小小的汇编代码，我们得出如下堆栈的布局：

<code class="hljs oxygene has-numbering" style="display: block; padding: 0px; background-color: transparent; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; word-wrap: normal; background-position: initial initial; background-repeat: initial initial;">   -(low)
   | caller(<span class="hljs-function" style="box-sizing: border-box;"><span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Method</span> *)   | <- <span class="hljs-title" style="box-sizing: border-box;">sp</span> 
   | <span class="hljs-title" style="box-sizing: border-box;">arg1</span>               | <- <span class="hljs-title" style="box-sizing: border-box;">r1</span>
   | <span class="hljs-title" style="box-sizing: border-box;">arg2</span>               | <- <span class="hljs-title" style="box-sizing: border-box;">r2</span>
   | <span class="hljs-title" style="box-sizing: border-box;">arg3</span>               | <- <span class="hljs-title" style="box-sizing: border-box;">r3</span>
   | ...                | 
   | <span class="hljs-title" style="box-sizing: border-box;">argN</span>               |
   | <span class="hljs-title" style="box-sizing: border-box;">callee</span><span class="hljs-params" style="color: rgb(102, 0, 102); box-sizing: border-box;">(<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Method</span> *)</span>   | <- <span class="hljs-title" style="box-sizing: border-box;">r0</span>
   +<span class="hljs-params" style="color: rgb(102, 0, 102); box-sizing: border-box;">(high)</span></span></code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; background-color: rgb(238, 238, 238); top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right;"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li></ul>

这种调用约定并不是平时我们所见的调用约定，主要体现在参数当超过4时，并不是从sp开始保存，而是从sp + 20这个位置开始存储，所以这就是为什么在代码里entry_point_from_compiled_code_的类型是void *的原因了，因为无法用代码表示。

理解好这个调用约定对我们方案的实现至头重要。

ArtMethod执行流程

上面详细讲述了类方法加载和链接的过程，但在实际执行的过程中，其实还不是直接调用ArtMethod的entry_point(解析执行和本地指令执行的入口)，为了加快执行速度，ART为oat文件中的每个dex创建了一个DexCache（art/runtime/mirror/dex_cache.h）结构，这个结构会按dex的结构生成一系列的数组，这里我们只分析它里面的methods字段。 DexCache初始化的方法是Init，实现如下：

<code class="hljs r has-numbering" style="display: block; padding: 0px; background-color: transparent; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; word-wrap: normal; background-position: initial initial; background-repeat: initial initial;">void DexCache::Init(const DexFile* dex_file,
                    String* location,
                    ObjectArray<String>* strings,
                    ObjectArray<Class>* resolved_types,
                    ObjectArray<ArtMethod>* resolved_methods,
                    ObjectArray<ArtField>* resolved_fields,
                    ObjectArray<StaticStorageBase>* initialized_static_storage) {
  //<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">...</span>
  //<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">...</span>
  Runtime* runtime = Runtime::Current();
  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> (runtime->HasResolutionMethod()) {
    // Initialize the resolve methods array to contain trampolines <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">for</span> resolution.
    ArtMethod* trampoline = runtime->GetResolutionMethod();
    size_t length = resolved_methods->GetLength();
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">for</span> (size_t i = <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">0</span>; i < length; i++) {
      resolved_methods->SetWithoutChecks(i, trampoline);
    }
  }
}</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; background-color: rgb(238, 238, 238); top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right;"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li><li style="box-sizing: border-box; padding: 0px 5px;">16</li><li style="box-sizing: border-box; padding: 0px 5px;">17</li><li style="box-sizing: border-box; padding: 0px 5px;">18</li><li style="box-sizing: border-box; padding: 0px 5px;">19</li></ul>

根据dex方法的个数，产生相应长度resolved_methods数组，然后每一个都用Runtime::GetResolutionMethod()返回的结果进行填充，这个方法是由Runtime::CreateResolutionMethod产生的，代码如下：

<code class="hljs lasso has-numbering" style="display: block; padding: 0px; background-color: transparent; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; word-wrap: normal; background-position: initial initial; background-repeat: initial initial;">mirror<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::ArtMethod</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> Runtime<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::CreateResolutionMethod</span>() {
  mirror<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::Class</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> method_class <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> mirror<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::ArtMethod</span><span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::GetJavaLangReflectArtMethod</span>();
  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Thread</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">self</span> <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Thread</span><span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::Current</span>();
  SirtRef<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;"><</span>mirror<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::ArtMethod</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">></span>
      method(<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">self</span>, down_cast<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;"><</span>mirror<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::ArtMethod</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*></span>(method_class<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>AllocObject(<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">self</span>)));
  method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>SetDeclaringClass(method_class);
  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// TODO: use a special method for resolution method saves</span>
  method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>SetDexMethodIndex(DexFile<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::kDexNoIndex</span>);
  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// When compiling, the code pointer will get set later when the image is loaded.</span>
  Runtime<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> r <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> Runtime<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::Current</span>();
  ClassLinker<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> cl <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> r<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>GetClassLinker();
  method<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>SetEntryPointFromCompiledCode(r<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>IsCompiler() <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">?</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">NULL</span> : GetResolutionTrampoline(cl));
  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">return</span> method<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">.</span>get();
}</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; background-color: rgb(238, 238, 238); top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right;"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li></ul>

从method->SetDexMethodIndex(DexFile::kDexNoIndex)这句得知，所有的ResolutionMethod的methodIndexDexFile::kDexNoIndex。而ResolutionMethod的entrypoint就是我们上面入口分析中的第4种情况，GetResolutionTrampoline最终返回的入口为art_quick_resolution_trampoline(art/runtime/arch/arm/quick_entrypoints_arm.S)。我们看一下其实现代码：

<code class="hljs avrasm has-numbering" style="display: block; padding: 0px; background-color: transparent; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; word-wrap: normal; background-position: initial initial; background-repeat: initial initial;">    <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.extern</span> artQuickResolutionTrampoline
ENTRY art_quick_resolution_trampoline
    SETUP_REF_AND_ARGS_CALLEE_SAVE_FRAME
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">mov</span>     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r2</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r9</span>                 @ pass Thread::Current
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">mov</span>     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r3</span>, sp                 @ pass SP
    blx     artQuickResolutionTrampoline  @ (Method* called, receiver, Thread*, SP)
    cbz     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">1</span>f                 @ is code pointer null? goto exception
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">mov</span>     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r12</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>
    ldr  <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#0]              @ load resolved method in r0</span>
    ldr  <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r1</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#8]              @ restore non-callee save r1</span>
    ldrd <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r2</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#12]             @ restore non-callee saves r2-r3</span>
    ldr  lr, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#44]             @ restore lr</span>
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">add</span>  sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#48                   @ rewind sp</span>
    <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.cfi</span>_adjust_cfa_offset -<span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">48</span>
    bx      <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r12</span>                    @ tail-<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">call</span> into actual code
<span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">1</span>:
    RESTORE_REF_AND_ARGS_CALLEE_SAVE_FRAME
    DELIVER_PENDING_EXCEPTION
END art_quick_resolution_trampoline
</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; background-color: rgb(238, 238, 238); top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right;"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li><li style="box-sizing: border-box; padding: 0px 5px;">16</li><li style="box-sizing: border-box; padding: 0px 5px;">17</li><li style="box-sizing: border-box; padding: 0px 5px;">18</li><li style="box-sizing: border-box; padding: 0px 5px;">19</li><li style="box-sizing: border-box; padding: 0px 5px;">20</li></ul>

调整好寄存器后，直接跳转至artQuickResolutionTrampoline(art/runtime/entrypoints/quick/quick_trampoline_entrypoints.cc)，接下来我们分析这个方法的实现（大家不要晕了。。。，我会把无关紧要的代码去掉）：

<code class="hljs r has-numbering" style="display: block; padding: 0px; background-color: transparent; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; word-wrap: normal; background-position: initial initial; background-repeat: initial initial;">// Lazily resolve a method <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">for</span> quick. Called by stub code.
extern <span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"C"</span> const void* artQuickResolutionTrampoline(mirror::ArtMethod* called,
                                                    mirror::Object* receiver,
                                                    Thread* thread, mirror::ArtMethod** sp)
    SHARED_LOCKS_REQUIRED(Locks::mutator_lock_) {
  FinishCalleeSaveFrameSetup(thread, sp, Runtime::kRefsAndArgs);
  // Start new JNI local reference state
  JNIEnvExt* env = thread->GetJniEnv();
  ScopedObjectAccessUnchecked soa(env);
  ScopedJniEnvLocalRefState env_state(env);
  const char* old_cause = thread->StartAssertNoThreadSuspension(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"Quick method resolution set up"</span>);

  // Compute details about the called method (avoid GCs)
  ClassLinker* linker = Runtime::Current()->GetClassLinker();
  mirror::ArtMethod* caller = QuickArgumentVisitor::GetCallingMethod(sp);
  InvokeType invoke_type;
  const DexFile* dex_file;
  uint32_t dex_method_idx;
  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> (called->IsRuntimeMethod()) {
    //<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">...</span>
    //<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">...</span>
  } <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">else</span> {
    invoke_type = kStatic;
    dex_file = &MethodHelper(called).GetDexFile();
    dex_method_idx = called->GetDexMethodIndex();
  }

  //<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">...</span>

  // Resolve method filling <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">in</span> dex cache.
  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> (called->IsRuntimeMethod()) {
    called = linker->ResolveMethod(dex_method_idx, caller, invoke_type);
  }

  const void* code = <span class="hljs-literal" style="color: rgb(0, 102, 102); box-sizing: border-box;">NULL</span>;
  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> (LIKELY(!thread->IsExceptionPending())) {
    //<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">...</span>

    linker->EnsureInitialized(called_class, true, true);

    //<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">...</span>
  }
  // <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">...</span>
  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">return</span> code;
}
</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; background-color: rgb(238, 238, 238); top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right;"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li><li style="box-sizing: border-box; padding: 0px 5px;">16</li><li style="box-sizing: border-box; padding: 0px 5px;">17</li><li style="box-sizing: border-box; padding: 0px 5px;">18</li><li style="box-sizing: border-box; padding: 0px 5px;">19</li><li style="box-sizing: border-box; padding: 0px 5px;">20</li><li style="box-sizing: border-box; padding: 0px 5px;">21</li><li style="box-sizing: border-box; padding: 0px 5px;">22</li><li style="box-sizing: border-box; padding: 0px 5px;">23</li><li style="box-sizing: border-box; padding: 0px 5px;">24</li><li style="box-sizing: border-box; padding: 0px 5px;">25</li><li style="box-sizing: border-box; padding: 0px 5px;">26</li><li style="box-sizing: border-box; padding: 0px 5px;">27</li><li style="box-sizing: border-box; padding: 0px 5px;">28</li><li style="box-sizing: border-box; padding: 0px 5px;">29</li><li style="box-sizing: border-box; padding: 0px 5px;">30</li><li style="box-sizing: border-box; padding: 0px 5px;">31</li><li style="box-sizing: border-box; padding: 0px 5px;">32</li><li style="box-sizing: border-box; padding: 0px 5px;">33</li><li style="box-sizing: border-box; padding: 0px 5px;">34</li><li style="box-sizing: border-box; padding: 0px 5px;">35</li><li style="box-sizing: border-box; padding: 0px 5px;">36</li><li style="box-sizing: border-box; padding: 0px 5px;">37</li><li style="box-sizing: border-box; padding: 0px 5px;">38</li><li style="box-sizing: border-box; padding: 0px 5px;">39</li><li style="box-sizing: border-box; padding: 0px 5px;">40</li><li style="box-sizing: border-box; padding: 0px 5px;">41</li><li style="box-sizing: border-box; padding: 0px 5px;">42</li><li style="box-sizing: border-box; padding: 0px 5px;">43</li><li style="box-sizing: border-box; padding: 0px 5px;">44</li><li style="box-sizing: border-box; padding: 0px 5px;">45</li><li style="box-sizing: border-box; padding: 0px 5px;">46</li></ul>

<code class="hljs objectivec has-numbering" style="display: block; padding: 0px; background-color: transparent; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; word-wrap: normal; background-position: initial initial; background-repeat: initial initial;"><span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">inline</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">bool</span> ArtMethod::IsRuntimeMethod() <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">const</span> {
  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">return</span> GetDexMethodIndex() == DexFile::kDexNoIndex;
}</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; background-color: rgb(238, 238, 238); top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right;"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li></ul>

called->IsRuntimeMethod()用于判断当前方法是否为ResolutionMethod。如果是，那么就走ClassLinker::ResolveMethod流程去获取真正的方法，见代码：

<code class="hljs lasso has-numbering" style="display: block; padding: 0px; background-color: transparent; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; word-wrap: normal; background-position: initial initial; background-repeat: initial initial;">mirror<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::ArtMethod</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> ClassLinker<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::ResolveMethod</span>(const DexFile<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">&</span> dex_file,
                                                   uint32_t method_idx,
                                                   mirror<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::DexCache</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> dex_cache,
                                                   mirror<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::ClassLoader</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> class_loader,
                                                   const mirror<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::ArtMethod</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">referrer</span>,
                                                   InvokeType <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">type</span>) {
  DCHECK(dex_cache <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">!=</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">NULL</span>);
  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Check for hit in the dex cache.</span>
  mirror<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::ArtMethod</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> resolved <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> dex_cache<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>GetResolvedMethod(method_idx);
  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> (resolved <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">!=</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">NULL</span>) {
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">return</span> resolved;
  }
  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Fail, get the declaring class.</span>
  const DexFile<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::MethodId</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">&</span> method_id <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> dex_file<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">.</span>GetMethodId(method_idx);
  mirror<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::Class</span><span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> klass <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> ResolveType(dex_file, method_id<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">.</span>class_idx_, dex_cache, class_loader);

  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> (klass <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">==</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">NULL</span>) {
    DCHECK(<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Thread</span><span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::Current</span>()<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>IsExceptionPending());
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">return</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">NULL</span>;
  }

  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Scan using method_idx, this saves string compares but will only hit for matching dex</span>
  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// caches/files.</span>
  switch (<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">type</span>) {
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">case</span> kDirect:  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Fall-through.</span>
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">case</span> kStatic:
      resolved <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> klass<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>FindDirectMethod(dex_cache, method_idx);
      break;
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">case</span> kInterface:
      resolved <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> klass<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>FindInterfaceMethod(dex_cache, method_idx);
      DCHECK(resolved <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">==</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">NULL</span> <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">||</span> resolved<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>GetDeclaringClass()<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>IsInterface());
      break;
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">case</span> kSuper:  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Fall-through.</span>
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">case</span> kVirtual:
      resolved <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> klass<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>FindVirtualMethod(dex_cache, method_idx);
      break;
    default:
      <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">LOG</span>(FATAL) <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;"><<</span> <span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"Unreachable - invocation type: "</span> <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;"><<</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">type</span>;
  }

  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> (resolved <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">==</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">NULL</span>) {
    <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Search by name, which works across dex files.</span>
    const char<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">*</span> name <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> dex_file<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">.</span>StringDataByIdx(method_id<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">.</span>name_idx_);
    std<span class="hljs-tag" style="color: rgb(0, 102, 102); box-sizing: border-box;">::string</span> signature(dex_file<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">.</span>CreateMethodSignature(method_id<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">.</span>proto_idx_, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">NULL</span>));
    switch (<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">type</span>) {
      <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">case</span> kDirect:  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Fall-through.</span>
      <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">case</span> kStatic:
        resolved <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> klass<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>FindDirectMethod(name, signature);
        break;
      <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">case</span> kInterface:
        resolved <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> klass<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>FindInterfaceMethod(name, signature);
        DCHECK(resolved <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">==</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">NULL</span> <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">||</span> resolved<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>GetDeclaringClass()<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>IsInterface());
        break;
      <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">case</span> kSuper:  <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Fall-through.</span>
      <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">case</span> kVirtual:
        resolved <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">=</span> klass<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>FindVirtualMethod(name, signature);
        break;
    }
  }


  <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> (resolved <span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">!=</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">NULL</span>) {
    <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// Be a good citizen and update the dex cache to speed subsequent calls.</span>
    dex_cache<span class="hljs-subst" style="color: rgb(0, 0, 0); box-sizing: border-box;">-></span>SetResolvedMethod(method_idx, resolved);
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">return</span> resolved;
  } <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">else</span> {
    <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// ...</span>
    }
}
</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; background-color: rgb(238, 238, 238); top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right;"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li><li style="box-sizing: border-box; padding: 0px 5px;">16</li><li style="box-sizing: border-box; padding: 0px 5px;">17</li><li style="box-sizing: border-box; padding: 0px 5px;">18</li><li style="box-sizing: border-box; padding: 0px 5px;">19</li><li style="box-sizing: border-box; padding: 0px 5px;">20</li><li style="box-sizing: border-box; padding: 0px 5px;">21</li><li style="box-sizing: border-box; padding: 0px 5px;">22</li><li style="box-sizing: border-box; padding: 0px 5px;">23</li><li style="box-sizing: border-box; padding: 0px 5px;">24</li><li style="box-sizing: border-box; padding: 0px 5px;">25</li><li style="box-sizing: border-box; padding: 0px 5px;">26</li><li style="box-sizing: border-box; padding: 0px 5px;">27</li><li style="box-sizing: border-box; padding: 0px 5px;">28</li><li style="box-sizing: border-box; padding: 0px 5px;">29</li><li style="box-sizing: border-box; padding: 0px 5px;">30</li><li style="box-sizing: border-box; padding: 0px 5px;">31</li><li style="box-sizing: border-box; padding: 0px 5px;">32</li><li style="box-sizing: border-box; padding: 0px 5px;">33</li><li style="box-sizing: border-box; padding: 0px 5px;">34</li><li style="box-sizing: border-box; padding: 0px 5px;">35</li><li style="box-sizing: border-box; padding: 0px 5px;">36</li><li style="box-sizing: border-box; padding: 0px 5px;">37</li><li style="box-sizing: border-box; padding: 0px 5px;">38</li><li style="box-sizing: border-box; padding: 0px 5px;">39</li><li style="box-sizing: border-box; padding: 0px 5px;">40</li><li style="box-sizing: border-box; padding: 0px 5px;">41</li><li style="box-sizing: border-box; padding: 0px 5px;">42</li><li style="box-sizing: border-box; padding: 0px 5px;">43</li><li style="box-sizing: border-box; padding: 0px 5px;">44</li><li style="box-sizing: border-box; padding: 0px 5px;">45</li><li style="box-sizing: border-box; padding: 0px 5px;">46</li><li style="box-sizing: border-box; padding: 0px 5px;">47</li><li style="box-sizing: border-box; padding: 0px 5px;">48</li><li style="box-sizing: border-box; padding: 0px 5px;">49</li><li style="box-sizing: border-box; padding: 0px 5px;">50</li><li style="box-sizing: border-box; padding: 0px 5px;">51</li><li style="box-sizing: border-box; padding: 0px 5px;">52</li><li style="box-sizing: border-box; padding: 0px 5px;">53</li><li style="box-sizing: border-box; padding: 0px 5px;">54</li><li style="box-sizing: border-box; padding: 0px 5px;">55</li><li style="box-sizing: border-box; padding: 0px 5px;">56</li><li style="box-sizing: border-box; padding: 0px 5px;">57</li><li style="box-sizing: border-box; padding: 0px 5px;">58</li><li style="box-sizing: border-box; padding: 0px 5px;">59</li><li style="box-sizing: border-box; padding: 0px 5px;">60</li><li style="box-sizing: border-box; padding: 0px 5px;">61</li><li style="box-sizing: border-box; padding: 0px 5px;">62</li><li style="box-sizing: border-box; padding: 0px 5px;">63</li><li style="box-sizing: border-box; padding: 0px 5px;">64</li><li style="box-sizing: border-box; padding: 0px 5px;">65</li><li style="box-sizing: border-box; padding: 0px 5px;">66</li><li style="box-sizing: border-box; padding: 0px 5px;">67</li><li style="box-sizing: border-box; padding: 0px 5px;">68</li><li style="box-sizing: border-box; padding: 0px 5px;">69</li><li style="box-sizing: border-box; padding: 0px 5px;">70</li></ul>

其实这里发生了“连锁反应”，ClassLinker::ResolveType走的流程，跟ResolveMethod是非常类似的，有兴趣的朋友可以跟一下。
找到解析后的klass，再经过一轮疯狂的搜索，把找到的resolved通过DexCache::SetResolvedMethod覆盖掉之前的“替身”。当再下次再通过ResolveMethod解析方法时，就可以直接把该方法返回，不需要再解析了。

我们回过头来再重新“复现”一下这个过程，当我们首次调用某个类方法，其过程如下所示：

调用ResolutionMethod的entrypoint，进入art_quick_resolution_trampoline；
art_quick_resolution_trampoline跳转到artQuickResolutionTrampoline；
artQuickResolutionTrampoline调用ClassLinker::ResolveMethod解析类方法；
ClassLinker::ResolveMethod调用ClassLinkder::ResolveType解析类，再从解析好的类寻找真正的方法；
调用DexCache::SetResolvedMethod，用真正的方法覆盖掉“替身”方法；
调用真正方法的entrypoint代码；

也许你会问，为什么要把过程搞得这么绕？一切都是为了延迟加载，提高启动速度，这个过程跟ELF Linker的PLT/GOT符号重定向的过程是何其相似啊，所以技术都是想通的，一通百明。

0x3 Hook ArtMethod

通过上述ArtMethod加载和执行两个流程的分析，对于如何Hook ArtMethod，我想到了两个方案，分别

修改DexCach里的methods，把里面的entrypoint修改为自己的，做一个中转处理；
直接修改加载后的ArtMethod的entrypoint，同样做一个中转处理；

上面两个方法都是可行的，但由于我希望整个项目可以在NDK环境(而不是在源码下)下编译，因为就采用了方案2，因为通过JNI的接口就可以直接获取解析之后的ArtMethod，可以减少很多文件依赖。

回到前面的调用约定，每个ArtMethod都有两个约定，按道理我们应该准备两个中转函数的，但这里我们不考虑强制解析模式执行，所以只要处理好entry_point_from_compiled_code的中转即可。

首先，我们找到对应的方法，先保存其entrypoint，然后再把我们的中转函数art_quick_dispatcher覆盖，代码如下所示：

<code class="hljs cpp has-numbering" style="display: block; padding: 0px; background-color: transparent; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; word-wrap: normal; background-position: initial initial; background-repeat: initial initial;"><span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">extern</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">int</span> __attribute__ ((visibility (<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"hidden"</span>))) art_java_method_hook(JNIEnv* env, HookInfo *info) {
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">const</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">char</span>* classDesc = info->classDesc;
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">const</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">char</span>* methodName = info->methodName;
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">const</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">char</span>* methodSig = info->methodSig;
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">const</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">bool</span> isStaticMethod = info->isStaticMethod;

    <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// TODO we can find class by special classloader what do just like dvm</span>
    jclass claxx = env->FindClass(classDesc);
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span>(claxx == NULL){
        LOGE(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"[-] %s class not found"</span>, classDesc);
        <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">return</span> -<span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">1</span>;
    }

    jmethodID methid = isStaticMethod ?
            env->GetStaticMethodID(claxx, methodName, methodSig) :
            env->GetMethodID(claxx, methodName, methodSig);

    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span>(methid == NULL){
        LOGE(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"[-] %s->%s method not found"</span>, classDesc, methodName);
        <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">return</span> -<span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">1</span>;
    }

    ArtMethod *artmeth = <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">reinterpret_cast</span><ArtMethod *>(methid);

    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span>(art_quick_dispatcher != artmeth->GetEntryPointFromCompiledCode()){
        uint64_t (*entrypoint)(ArtMethod* method, Object *thiz, u4 *arg1, u4 *arg2);
        entrypoint = (uint64_t (*)(ArtMethod*, Object *, u4 *, u4 *))artmeth->GetEntryPointFromCompiledCode();

        info->entrypoint = (<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">const</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">void</span> *)entrypoint;
        info->nativecode = artmeth->GetNativeMethod();

        artmeth->SetEntryPointFromCompiledCode((<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">const</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">void</span> *)art_quick_dispatcher);

        <span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">// save info to nativecode :)</span>
        artmeth->SetNativeMethod((<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">const</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">void</span> *)info);

        LOGI(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"[+] %s->%s was hooked\n"</span>, classDesc, methodName);
    }<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">else</span>{
        LOGW(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"[*] %s->%s method had been hooked"</span>, classDesc, methodName);
    }

    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">return</span> <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">0</span>;
}</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; background-color: rgb(238, 238, 238); top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right;"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li><li style="box-sizing: border-box; padding: 0px 5px;">16</li><li style="box-sizing: border-box; padding: 0px 5px;">17</li><li style="box-sizing: border-box; padding: 0px 5px;">18</li><li style="box-sizing: border-box; padding: 0px 5px;">19</li><li style="box-sizing: border-box; padding: 0px 5px;">20</li><li style="box-sizing: border-box; padding: 0px 5px;">21</li><li style="box-sizing: border-box; padding: 0px 5px;">22</li><li style="box-sizing: border-box; padding: 0px 5px;">23</li><li style="box-sizing: border-box; padding: 0px 5px;">24</li><li style="box-sizing: border-box; padding: 0px 5px;">25</li><li style="box-sizing: border-box; padding: 0px 5px;">26</li><li style="box-sizing: border-box; padding: 0px 5px;">27</li><li style="box-sizing: border-box; padding: 0px 5px;">28</li><li style="box-sizing: border-box; padding: 0px 5px;">29</li><li style="box-sizing: border-box; padding: 0px 5px;">30</li><li style="box-sizing: border-box; padding: 0px 5px;">31</li><li style="box-sizing: border-box; padding: 0px 5px;">32</li><li style="box-sizing: border-box; padding: 0px 5px;">33</li><li style="box-sizing: border-box; padding: 0px 5px;">34</li><li style="box-sizing: border-box; padding: 0px 5px;">35</li><li style="box-sizing: border-box; padding: 0px 5px;">36</li><li style="box-sizing: border-box; padding: 0px 5px;">37</li><li style="box-sizing: border-box; padding: 0px 5px;">38</li><li style="box-sizing: border-box; padding: 0px 5px;">39</li><li style="box-sizing: border-box; padding: 0px 5px;">40</li><li style="box-sizing: border-box; padding: 0px 5px;">41</li><li style="box-sizing: border-box; padding: 0px 5px;">42</li><li style="box-sizing: border-box; padding: 0px 5px;">43</li></ul>

我们关键的信息通过ArtMethod::SetNativeMethod保存起来了。

考虑到ART特殊的调用约定，art_quick_dispatcher只能用汇编实现了，把寄存器适当的调整一下，再跳转到另一个函数artQuickToDispatcher，这样就可以很方便用c/c++访问参数了。

先看一下art_quick_dispatcher函数的实现如下：

<code class="hljs avrasm has-numbering" style="display: block; padding: 0px; background-color: transparent; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; word-wrap: normal; background-position: initial initial; background-repeat: initial initial;"><span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">/*
 * Art Quick Dispatcher.
 * On entry:
 *   r0 = method pointer
 *   r1 = arg1
 *   r2 = arg2
 *   r3 = arg3
 *   [sp] = method pointer
 *   [sp + 4] = addr of thiz
 *   [sp + 8] = addr of arg1
 *   [sp + 12] = addr of arg2
 *   [sp + 16] = addr of arg3
 * and so on
 */</span>
    <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.extern</span> artQuickToDispatcher
ENTRY art_quick_dispatcher
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">push</span>    {<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r4</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, lr}           @ sp - <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">12</span>
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">mov</span>     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>                 @ pass <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span> to method
    str     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r1</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(12 + 4)]</span>
    str     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r2</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(12 + 8)]</span>
    str     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r3</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(12 + 12)]</span>
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">mov</span>     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r1</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r9</span>                 @ pass <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r1</span> to thread
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">add</span>     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r2</span>, sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(12 + 4)      @ pass r2 to args array</span>
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">add</span>     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r3</span>, sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#12            @ pass r3 to old SP</span>
    blx     artQuickToDispatcher   @ (Method* method, Thread*, u4 **, u4 **)
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">pop</span>     {<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r4</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, pc}           @ return on success, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">and</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r1</span> hold the result
END art_quick_dispatcher</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; background-color: rgb(238, 238, 238); top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right;"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li><li style="box-sizing: border-box; padding: 0px 5px;">16</li><li style="box-sizing: border-box; padding: 0px 5px;">17</li><li style="box-sizing: border-box; padding: 0px 5px;">18</li><li style="box-sizing: border-box; padding: 0px 5px;">19</li><li style="box-sizing: border-box; padding: 0px 5px;">20</li><li style="box-sizing: border-box; padding: 0px 5px;">21</li><li style="box-sizing: border-box; padding: 0px 5px;">22</li><li style="box-sizing: border-box; padding: 0px 5px;">23</li><li style="box-sizing: border-box; padding: 0px 5px;">24</li><li style="box-sizing: border-box; padding: 0px 5px;">25</li><li style="box-sizing: border-box; padding: 0px 5px;">26</li><li style="box-sizing: border-box; padding: 0px 5px;">27</li></ul>

我把r2指向参数数组，这样就我们就可以非常方便的访问所有参数了。另外，我用r3保存了旧的sp地址，这样是为后面调用原来的entrypoint做准备的。我们先看看artQuickToDispatcher的实现：

<code class="hljs coffeescript has-numbering" style="display: block; padding: 0px; background-color: transparent; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; word-wrap: normal; background-position: initial initial; background-repeat: initial initial;">extern <span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"C"</span> uint64_t artQuickToDispatcher(ArtMethod* method, Thread *self, u4 **args, u4 **old_sp){
    HookInfo *info = (HookInfo *)method->GetNativeMethod();
    LOGI(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"[+] entry ArtHandler %s->%s"</span>, info->classDesc, info->methodName);

    <span class="hljs-regexp" style="color: rgb(0, 136, 0); box-sizing: border-box;">//</span> If it <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">not</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">is</span> static method, <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">then</span> args[<span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">0</span>] was pointing to <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">this</span>
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span>(!info->isStaticMethod){
        Object *thiz = reinterpret_cast<Object *>(args[<span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">0</span>]);
        <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span>(thiz != NULL){
            char *bytes = get_chars_from_utf16<span class="hljs-function" style="box-sizing: border-box;"><span class="hljs-params" style="color: rgb(102, 0, 102); box-sizing: border-box;">(thiz->GetClass()->GetName())</span>;
            <span class="hljs-title" style="box-sizing: border-box;">LOGI</span><span class="hljs-params" style="color: rgb(102, 0, 102); box-sizing: border-box;">(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"[+] thiz class is %s"</span>, bytes)</span>;
            <span class="hljs-title" style="box-sizing: border-box;">delete</span> <span class="hljs-title" style="box-sizing: border-box;">bytes</span>;
        }
    }

    <span class="hljs-title" style="box-sizing: border-box;">const</span> <span class="hljs-title" style="box-sizing: border-box;">void</span> *<span class="hljs-title" style="box-sizing: border-box;">entrypoint</span> = <span class="hljs-title" style="box-sizing: border-box;">info</span>-></span>entrypoint;
    method->SetNativeMethod(info->nativecode); <span class="hljs-regexp" style="color: rgb(0, 136, 0); box-sizing: border-box;">//</span>restore nativecode <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">for</span> JNI method
    uint64_t res = art_quick_call_entrypoint(method, self, args, old_sp, entrypoint);

    JValue* result = (JValue* )&res;
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span>(result != NULL){
        Object *obj = result->l;
        char *raw_class_name = get_chars_from_utf16<span class="hljs-function" style="box-sizing: border-box;"><span class="hljs-params" style="color: rgb(102, 0, 102); box-sizing: border-box;">(obj->GetClass()->GetName())</span>;

        <span class="hljs-title" style="box-sizing: border-box;">if</span><span class="hljs-params" style="color: rgb(102, 0, 102); box-sizing: border-box;">(strcmp(raw_class_name, <span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"java.lang.String"</span>) == <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">0</span>)</span>{
            <span class="hljs-title" style="box-sizing: border-box;">char</span> *<span class="hljs-title" style="box-sizing: border-box;">raw_string_value</span> = <span class="hljs-title" style="box-sizing: border-box;">get_chars_from_utf16</span><span class="hljs-params" style="color: rgb(102, 0, 102); box-sizing: border-box;">((String *)obj)</span>;
            <span class="hljs-title" style="box-sizing: border-box;">LOGI</span><span class="hljs-params" style="color: rgb(102, 0, 102); box-sizing: border-box;">(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"result-class %s, result-value \"%s\""</span>, raw_class_name, raw_string_value)</span>;
            <span class="hljs-title" style="box-sizing: border-box;">free</span><span class="hljs-params" style="color: rgb(102, 0, 102); box-sizing: border-box;">(raw_string_value)</span>;
        }<span class="hljs-title" style="box-sizing: border-box;">else</span>{
            <span class="hljs-title" style="box-sizing: border-box;">LOGI</span><span class="hljs-params" style="color: rgb(102, 0, 102); box-sizing: border-box;">(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"result-class %s"</span>, raw_class_name)</span>;
        }

        <span class="hljs-title" style="box-sizing: border-box;">free</span><span class="hljs-params" style="color: rgb(102, 0, 102); box-sizing: border-box;">(raw_class_name)</span>;
    }

    // <span class="hljs-title" style="box-sizing: border-box;">entrypoid</span> <span class="hljs-title" style="box-sizing: border-box;">may</span> <span class="hljs-title" style="box-sizing: border-box;">be</span> <span class="hljs-title" style="box-sizing: border-box;">replaced</span> <span class="hljs-title" style="box-sizing: border-box;">by</span> <span class="hljs-title" style="box-sizing: border-box;">trampoline</span>, <span class="hljs-title" style="box-sizing: border-box;">only</span> <span class="hljs-title" style="box-sizing: border-box;">once</span>.
//  <span class="hljs-title" style="box-sizing: border-box;">if</span><span class="hljs-params" style="color: rgb(102, 0, 102); box-sizing: border-box;">(method->IsStatic() && !method->IsConstructor())</span>{

    <span class="hljs-title" style="box-sizing: border-box;">entrypoint</span> = <span class="hljs-title" style="box-sizing: border-box;">method</span>-></span>GetEntryPointFromCompiledCode();
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span>(entrypoint != (<span class="hljs-reserved" style="box-sizing: border-box;">const</span> <span class="hljs-reserved" style="box-sizing: border-box;">void</span> *)art_quick_dispatcher){
        LOGW(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"[*] entrypoint was replaced. %s->%s"</span>, info->classDesc, info->methodName);

        method->SetEntryPointFromCompiledCode((<span class="hljs-reserved" style="box-sizing: border-box;">const</span> <span class="hljs-reserved" style="box-sizing: border-box;">void</span> *)art_quick_dispatcher);
        info->entrypoint = entrypoint;
        info->nativecode = method->GetNativeMethod();
    }

    method->SetNativeMethod((<span class="hljs-reserved" style="box-sizing: border-box;">const</span> <span class="hljs-reserved" style="box-sizing: border-box;">void</span> *)info);

<span class="hljs-regexp" style="color: rgb(0, 136, 0); box-sizing: border-box;">//</span>  }

    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">return</span> res;
}
</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; background-color: rgb(238, 238, 238); top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right;"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li><li style="box-sizing: border-box; padding: 0px 5px;">16</li><li style="box-sizing: border-box; padding: 0px 5px;">17</li><li style="box-sizing: border-box; padding: 0px 5px;">18</li><li style="box-sizing: border-box; padding: 0px 5px;">19</li><li style="box-sizing: border-box; padding: 0px 5px;">20</li><li style="box-sizing: border-box; padding: 0px 5px;">21</li><li style="box-sizing: border-box; padding: 0px 5px;">22</li><li style="box-sizing: border-box; padding: 0px 5px;">23</li><li style="box-sizing: border-box; padding: 0px 5px;">24</li><li style="box-sizing: border-box; padding: 0px 5px;">25</li><li style="box-sizing: border-box; padding: 0px 5px;">26</li><li style="box-sizing: border-box; padding: 0px 5px;">27</li><li style="box-sizing: border-box; padding: 0px 5px;">28</li><li style="box-sizing: border-box; padding: 0px 5px;">29</li><li style="box-sizing: border-box; padding: 0px 5px;">30</li><li style="box-sizing: border-box; padding: 0px 5px;">31</li><li style="box-sizing: border-box; padding: 0px 5px;">32</li><li style="box-sizing: border-box; padding: 0px 5px;">33</li><li style="box-sizing: border-box; padding: 0px 5px;">34</li><li style="box-sizing: border-box; padding: 0px 5px;">35</li><li style="box-sizing: border-box; padding: 0px 5px;">36</li><li style="box-sizing: border-box; padding: 0px 5px;">37</li><li style="box-sizing: border-box; padding: 0px 5px;">38</li><li style="box-sizing: border-box; padding: 0px 5px;">39</li><li style="box-sizing: border-box; padding: 0px 5px;">40</li><li style="box-sizing: border-box; padding: 0px 5px;">41</li><li style="box-sizing: border-box; padding: 0px 5px;">42</li><li style="box-sizing: border-box; padding: 0px 5px;">43</li><li style="box-sizing: border-box; padding: 0px 5px;">44</li><li style="box-sizing: border-box; padding: 0px 5px;">45</li><li style="box-sizing: border-box; padding: 0px 5px;">46</li><li style="box-sizing: border-box; padding: 0px 5px;">47</li><li style="box-sizing: border-box; padding: 0px 5px;">48</li><li style="box-sizing: border-box; padding: 0px 5px;">49</li><li style="box-sizing: border-box; padding: 0px 5px;">50</li><li style="box-sizing: border-box; padding: 0px 5px;">51</li><li style="box-sizing: border-box; padding: 0px 5px;">52</li><li style="box-sizing: border-box; padding: 0px 5px;">53</li></ul>

这里参数解析就不详细说了，接下来是最棘手的问题——如何重新调回原来的entrypoint。

这里的关键点是要还原之前的堆栈布局，art_quick_call_entrypoint就是负责完成这个工作的，其实现如下所示：

<code class="hljs avrasm has-numbering" style="display: block; padding: 0px; background-color: transparent; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-top-left-radius: 0px; border-top-right-radius: 0px; border-bottom-right-radius: 0px; border-bottom-left-radius: 0px; word-wrap: normal; background-position: initial initial; background-repeat: initial initial;"><span class="hljs-comment" style="color: rgb(136, 0, 0); box-sizing: border-box;">/*
 *
 * Art Quick Call Entrypoint
 * On entry:
 *  r0 = method pointer
 *  r1 = thread pointer
 *  r2 = args arrays pointer
 *  r3 = old_sp
 *  [sp] = entrypoint
 */</span>
ENTRY art_quick_call_entrypoint
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">push</span>    {<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r4</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, lr}           @ sp - <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">12</span>
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">sub</span>     sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(40 + 20)         @ sp - 40 - 20</span>
    str     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(40 + 0)]    @ var_40_0 = method_pointer</span>
    str     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r1</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(40 + 4)]    @ var_40_4 = thread_pointer</span>
    str     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r2</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(40 + 8)]    @ var_40_8 = args_array</span>
    str     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r3</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(40 + 12)]   @ var_40_12 = old_sp</span>
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">mov</span>     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, sp
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">mov</span>     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r1</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r3</span>
    ldr     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r2</span>, =<span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">40</span>
    blx     memcpy                 @ memcpy(dest, src, size_of_byte)
    ldr     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(40 + 0)]    @ restore method to r0</span>
    ldr     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r1</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(40 + 4)]</span>
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">mov</span>     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r9</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r1</span>                 @ restore thread to <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r9</span>
    ldr     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(40 + 8)]    @ pass r5 to args_array</span>
    ldr     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r1</span>, [<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>]               @ restore arg1
    ldr     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r2</span>, [<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#4]           @ restore arg2</span>
    ldr     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r3</span>, [<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#8]           @ restore arg3</span>
    ldr     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, [sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(40 + 20 + 12)] @ pass ip to entrypoint</span>
    blx     <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">add</span>     sp, <span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">#(40 + 20)</span>
    <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">pop</span>     {<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r4</span>, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r5</span>, pc}           @ return on success, <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r0</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">and</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">r1</span> hold the result
END art_quick_call_entrypoint</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; background-color: rgb(238, 238, 238); top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right;"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li><li style="box-sizing: border-box; padding: 0px 5px;">16</li><li style="box-sizing: border-box; padding: 0px 5px;">17</li><li style="box-sizing: border-box; padding: 0px 5px;">18</li><li style="box-sizing: border-box; padding: 0px 5px;">19</li><li style="box-sizing: border-box; padding: 0px 5px;">20</li><li style="box-sizing: border-box; padding: 0px 5px;">21</li><li style="box-sizing: border-box; padding: 0px 5px;">22</li><li style="box-sizing: border-box; padding: 0px 5px;">23</li><li style="box-sizing: border-box; padding: 0px 5px;">24</li><li style="box-sizing: border-box; padding: 0px 5px;">25</li><li style="box-sizing: border-box; padding: 0px 5px;">26</li><li style="box-sizing: border-box; padding: 0px 5px;">27</li><li style="box-sizing: border-box; padding: 0px 5px;">28</li><li style="box-sizing: border-box; padding: 0px 5px;">29</li><li style="box-sizing: border-box; padding: 0px 5px;">30</li><li style="box-sizing: border-box; padding: 0px 5px;">31</li><li style="box-sizing: border-box; padding: 0px 5px;">32</li><li style="box-sizing: border-box; padding: 0px 5px;">33</li></ul>

这里我偷懒了，直接申请了10个参数的空间，再使用之前传进入来的old_sp进行恢复，使用memcpy直接复制40字节。之后就是还原r0, r1, r2, r3, r9的值了。调用entrypoint完后，结果保存在r0和r1，再返回给artQuickToDispatcher。

至此，整个ART Hook就分析完毕了。