iOS9.3.2 iPhone6 MSHookFunction无效

MotoSc 2016-09-10 05:49:05 UTC #1

做示例2symbol中查到了对应函数名的地址，调用MSHookFunction之后，打印的内容还是之前的内容。

MotoSc 2016-09-10 05:53:15 UTC #2

Tweak:

#import <substrate.h>

void (*old__ZN8CPPClass11CPPFunctionEPKc)(void *, const char *);

void new__ZN8CPPClass11CPPFunctionEPKc(void * hiddenThis, const char * arg0) {
	if (strcmp(arg0, "This is a short C function!") == 0) {
		old__ZN8CPPClass11CPPFunctionEPKc(hiddenThis, "This is a hijacked short C function from new__ZN8CPPClass11CPPFunctionEPKc");
	} else {
		old__ZN8CPPClass11CPPFunctionEPKc(hiddenThis, "This is a hijacked C++ function!");
	}
}

void (*old_CFunction) (const char *);
void new_CFunction(const char * arg0) {
	old_CFunction("This is a hijacked C function!");
}


void (*old_ShortCFunction)(const char *);
void new_ShortCFunction(const char *arg0) {
	old_CFunction("This is a hijacked short C function from new_ShortCFunction!");
}

%ctor
{
	@autoreleasepool
	{
		MSImageRef image = MSGetImageByName("/Applications/iOSRETargetApp.app/iOSRETargetApp");
		void *__ZN8CPPClass11CPPFunctionEPKc = MSFindSymbol(image, "__ZN8CPPClass11CPPFunctionEPKc");
		if (__ZN8CPPClass11CPPFunctionEPKc) {
			NSLog(@"iOSRE: Found CPPFuction!");
		}
		MSHookFunction((void *)__ZN8CPPClass11CPPFunctionEPKc, (void *)&new__ZN8CPPClass11CPPFunctionEPKc, (void **)&old__ZN8CPPClass11CPPFunctionEPKc);

		void *_CFunction = MSFindSymbol(image, "_CFunction");
		if (_CFunction) {
			NSLog(@"iOSRE: Found CFunction!");
		}
		MSHookFunction((void *)_CFunction, (void *)&new_CFunction, (void **)&old_CFunction);
		void *_ShortCFunction = MSFindSymbol(image, "_ShortCFunction");
		if (_ShortCFunction) {
			NSLog(@"iOSRE: Found ShortCFunction!");
		}
		MSHookFunction((void *)_ShortCFunction, (void *)&new_ShortCFunction, (void **)&old_ShortCFunction);
	}
}

RootViewController:

#import "RootViewController.h"

class CPPClass
{
	public:
		void CPPFunction(const char *);
};

void CPPClass::CPPFunction(const char *arg0)
{
	NSLog(@"iOSRE: CPPFuction: %s", arg0);
}

extern "C" void CFunction(const char *arg0)
{
	NSLog(@"iOSRE: CFunction: %s", arg0);
}

extern "C" void ShortCFunction(const char *arg0)
{
	CPPClass cppClass;
	cppClass.CPPFunction(arg0);
}

@implementation RootViewController
- (void)loadView
{
	NSLog(@"- loadView -");
	self.view = [[[UIView alloc] initWithFrame:[[UIScreen mainScreen] applicationFrame]] autorelease];
	self.view.backgroundColor = [UIColor redColor];
}

- (void)viewDidLoad
{
	[super viewDidLoad];
	NSLog(@"- viewDidLoad -");
	CPPClass cppClass;
	cppClass.CPPFunction("This is a C++ function!");
	CFunction("This is a C function!");
	ShortCFunction("This is a short c function!");
}
@end

MotoSc 2016-09-10 05:54:45 UTC #3

Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/MAServiceEx.dylib
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RHRevealLoader.dylib
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/TEMain.dylib
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Warning>: ==================================================
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Warning>: VERSION: 9.300000
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Warning>: ==================================================
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Error>: MS:Error: binary not signed (use ldid -S)
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Error>: MS:Error: failure to check iOSREGreetings.dylib
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/iOSREHookerTweak.dylib
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Warning>: iOSRE: Found CPPFuction!
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Warning>: iOSRE: Found CFunction!
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Warning>: iOSRE: Found ShortCFunction!
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Error>: MS:Error: binary does not support this cpu type
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Error>: MS:Error: failure to check xCon.dylib
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Warning>: - main -
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Warning>: - applicationDidFinishLaunching -
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Warning>: - loadView -
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Warning>: - viewDidLoad -
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Warning>: iOSRE: CPPFuction: This is a C++ function!
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Warning>: iOSRE: CFunction: This is a C function!
Sep 10 13:53:49 sunguozhideiPhone-6s iOSRETargetApp[3570] <Warning>: iOSRE: CPPFuction: This is a short c function!

MotoSc 2016-09-10 09:06:19 UTC #4

MS:Error: binary does not support this cpu type

打印的结果，这个指的是不支持当前cpu类型么？

Zhang 2016-09-10 11:41:40 UTC #5

是

Zhang 2016-09-10 11:42:08 UTC #6

把设备上的 iOSREGreetings.dylib复制到Mac上ldid -S一下再放回去

MotoSc 2016-09-10 13:44:44 UTC #7

这个文件在哪个路径下了？