Substitute_hook_functions return SUBSTITUTE_ERR_FUNC_BAD_INSN_AT_START


#1

Jailbreak iPhone6 iOS11.1.2
Electra version: 1.0.4
Substitute version: 0.0.6-coolstar

First I checked _MGCopyAnswer itself, and in iOS 11 it looks long enough to patch. (Caveat: the listing below starts with `ADD X8, X10, X8,LSL#3` rather than a prologue, reads stack slots set up elsewhere, has `loc_1813C0ABC` as a branch target only 0x10 bytes in (from `_MGCopyAnswer+12C`), and ends in an unconditional `B loc_1813C14B0`, so it may be an IDA function chunk rather than the function's first instructions. What matters for the patch region are the bytes at the address substitute_find_private_syms actually returns, so it is worth confirming those match.)

__text:00000001813C0AAC ; =============== S U B R O U T I N E =======================================
__text:00000001813C0AAC
__text:00000001813C0AAC
__text:00000001813C0AAC                 EXPORT _MGCopyAnswer
__text:00000001813C0AAC _MGCopyAnswer
__text:00000001813C0AAC
__text:00000001813C0AAC arg_18          =  0x18
__text:00000001813C0AAC arg_20          =  0x20
__text:00000001813C0AAC arg_28          =  0x28
__text:00000001813C0AAC arg_B8          =  0xB8
__text:00000001813C0AAC arg_C0          =  0xC0
__text:00000001813C0AAC arg_C8          =  0xC8
__text:00000001813C0AAC arg_D8          =  0xD8
__text:00000001813C0AAC arg_E0          =  0xE0
__text:00000001813C0AAC arg_E8          =  0xE8
__text:00000001813C0AAC arg_F8          =  0xF8
__text:00000001813C0AAC arg_108         =  0x108
__text:00000001813C0AAC arg_110         =  0x110
__text:00000001813C0AAC arg_118         =  0x118
__text:00000001813C0AAC
__text:00000001813C0AAC                 ADD             X8, X10, X8,LSL#3
__text:00000001813C0AB0                 STP             X8, X15, [SP,#arg_18]
__text:00000001813C0AB4                 SBFM            X8, X12, #0x3D, #0x1F
__text:00000001813C0AB8                 STR             X8, [SP,#arg_D8]
__text:00000001813C0ABC
__text:00000001813C0ABC loc_1813C0ABC                           ; CODE XREF: _MGCopyAnswer+12C�j
__text:00000001813C0ABC                 STR             W14, [SP,#arg_B8]
__text:00000001813C0AC0                 MOV             X20, #0
__text:00000001813C0AC4                 MOV             X24, #0
__text:00000001813C0AC8                 LDR             X8, [SP,#arg_118]
__text:00000001813C0ACC                 MOV             X21, X8
__text:00000001813C0AD0
__text:00000001813C0AD0 loc_1813C0AD0                           ; CODE XREF: _MGCopyAnswer+B4�j
__text:00000001813C0AD0                 LDR             X8, [SP,#arg_110]
__text:00000001813C0AD4                 CBZ             W8, loc_1813C0AE4
__text:00000001813C0AD8                 LDRH            W3, [X27]
__text:00000001813C0ADC                 CBNZ            W3, loc_1813C0AE8
__text:00000001813C0AE0                 B               loc_1813C0B2C
__text:00000001813C0AE4 ; ---------------------------------------------------------------------------
__text:00000001813C0AE4
__text:00000001813C0AE4 loc_1813C0AE4                           ; CODE XREF: _MGCopyAnswer+28�j
__text:00000001813C0AE4                 MOV             W3, #0xFFFF
__text:00000001813C0AE8
__text:00000001813C0AE8 loc_1813C0AE8                           ; CODE XREF: _MGCopyAnswer+30�j
__text:00000001813C0AE8                 CBZ             W13, loc_1813C0B04
__text:00000001813C0AEC                 LDRH            W1, [X28,X24]
__text:00000001813C0AF0                 CBNZ            W1, loc_1813C0B08
__text:00000001813C0AF4                 LDR             X8, [X23]
__text:00000001813C0AF8                 STR             X8, [X19,X20]
__text:00000001813C0AFC                 STRH            W3, [X28,X24]
__text:00000001813C0B00                 B               loc_1813C0B2C
__text:00000001813C0B04 ; ---------------------------------------------------------------------------
__text:00000001813C0B04
__text:00000001813C0B04 loc_1813C0B04                           ; CODE XREF: _MGCopyAnswer:loc_1813C0AE8�j
__text:00000001813C0B04                 MOV             W1, #0xFFFF
__text:00000001813C0B08
__text:00000001813C0B08 loc_1813C0B08                           ; CODE XREF: _MGCopyAnswer+44�j
__text:00000001813C0B08                 LDR             X0, [X19,X20]
__text:00000001813C0B0C                 LDR             X2, [X23]
__text:00000001813C0B10                 MOV             X26, X30
__text:00000001813C0B14                 BL              sub_1813CA6F8
__text:00000001813C0B18                 MOV             X30, X26
__text:00000001813C0B1C                 LDR             X13, [SP,#arg_108]
__text:00000001813C0B20                 STR             X0, [X19,X20]
__text:00000001813C0B24                 CBZ             W13, loc_1813C0B2C
__text:00000001813C0B28                 STRH            W1, [X28,X24]
__text:00000001813C0B2C
__text:00000001813C0B2C loc_1813C0B2C                           ; CODE XREF: _MGCopyAnswer+34�j
__text:00000001813C0B2C                                         ; _MGCopyAnswer+54�j ...
__text:00000001813C0B2C                 LDP             X9, X8, [SP,#arg_E8]
__text:00000001813C0B30                 ADD             X8, X23, X8,LSL#3
__text:00000001813C0B34                 ADD             X9, X27, X9,LSL#1
__text:00000001813C0B38                 ADD             X10, X8, X25,LSL#3
__text:00000001813C0B3C                 ADD             X11, X9, X25,LSL#1
__text:00000001813C0B40                 CMP             X8, X30
__text:00000001813C0B44                 CSEL            X27, X9, X11, CC
__text:00000001813C0B48                 CSEL            X23, X8, X10, CC
__text:00000001813C0B4C                 LDR             X8, [SP,#arg_E0]
__text:00000001813C0B50                 ADD             X24, X24, X8
__text:00000001813C0B54                 LDR             X8, [SP,#arg_D8]
__text:00000001813C0B58                 ADD             X20, X20, X8
__text:00000001813C0B5C                 SUB             W21, W21, #1
__text:00000001813C0B60                 CBNZ            W21, loc_1813C0AD0
__text:00000001813C0B64                 LDP             X15, X14, [SP,#arg_C8]
__text:00000001813C0B68                 LDP             X17, X0, [SP,#arg_F8]
__text:00000001813C0B6C                 ADD             X8, X17, X15,LSL#3
__text:00000001813C0B70                 ADD             X9, X0, X14,LSL#1
__text:00000001813C0B74                 LDP             X12, X11, [SP,#arg_28]
__text:00000001813C0B78                 ADD             X10, X8, X11,LSL#3
__text:00000001813C0B7C                 ADD             X11, X30, X11,LSL#3
__text:00000001813C0B80                 ADD             X12, X9, X12,LSL#1
__text:00000001813C0B84                 LDR             X16, [SP,#arg_C0]
__text:00000001813C0B88                 CMP             X8, X16
__text:00000001813C0B8C                 CSEL            X11, X30, X11, CC
__text:00000001813C0B90                 ADD             X11, X11, X15,LSL#3
__text:00000001813C0B94                 CSEL            X9, X9, X12, CC
__text:00000001813C0B98                 CSEL            X8, X8, X10, CC
__text:00000001813C0B9C                 ADD             X10, X27, X14,LSL#1
__text:00000001813C0BA0                 CMP             X16, #0
__text:00000001813C0BA4                 CSEL            X0, X9, X0, NE
__text:00000001813C0BA8                 CSEL            X27, X9, X10, NE
__text:00000001813C0BAC                 CSEL            X30, X11, X30, NE
__text:00000001813C0BB0                 CSEL            X17, X8, X17, NE
__text:00000001813C0BB4                 STP             X17, X0, [SP,#arg_F8]
__text:00000001813C0BB8                 ADD             X9, X23, X15,LSL#3
__text:00000001813C0BBC                 CSEL            X23, X8, X9, NE
__text:00000001813C0BC0                 LDR             X8, [SP,#arg_20]
__text:00000001813C0BC4                 ADD             X28, X28, X8
__text:00000001813C0BC8                 LDR             X8, [SP,#arg_18]
__text:00000001813C0BCC                 ADD             X19, X19, X8
__text:00000001813C0BD0                 LDR             W14, [SP,#arg_B8]
__text:00000001813C0BD4                 SUB             W14, W14, #1
__text:00000001813C0BD8                 CBNZ            W14, loc_1813C0ABC
__text:00000001813C0BDC                 B               loc_1813C14B0
__text:00000001813C0BDC ; End of function _MGCopyAnswer

But substitute_hook_functions returns a different error, SUBSTITUTE_ERR_FUNC_BAD_INSN_AT_START (2), which substitute.h documents as:

/* substitute_hook_functions: can't patch a function because one of the
 * instructions within the patch region is one of a few special problematic
 * cases - if you get this on real code, the library should probably be
 * updated to handle that case properly */
SUBSTITUTE_ERR_FUNC_BAD_INSN_AT_START = 2,

Here is my hook code in Tweak.xm:

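%ctor {
  // This constructor runs in every process that loads the tweak, so a failure
  // here must not take the host down: each step is checked and logged instead
  // of assert()ed. (assert() would also disappear under NDEBUG, dropping the
  // substitute_find_private_syms call — and its side effect on `symbol` — with it.)
  substitute_image *im = substitute_open_image("/usr/lib/libMobileGestalt.dylib");
  if (!im) {
    LOG(@"substitute_open_image failed for /usr/lib/libMobileGestalt.dylib");
  } else {
    const char *names[] = { "_MGCopyAnswer" };
    void *symbol = NULL;
    int rc = substitute_find_private_syms(im, names, &symbol, sizeof(names) / sizeof(*names));
    if (rc != 0 || symbol == NULL) {
      LOG(@"substitute_find_private_syms(_MGCopyAnswer) failed: %d", rc);
    } else {
      // Third field receives the trampoline to the original; it stays NULL if
      // hooking fails, so new_MGCopyAnswer must never be reached in that case.
      substitute_function_hook hooks[] = {
        { symbol, (void *)new_MGCopyAnswer, (void *)&orig_MGCopyAnswer },
      };
      int ret = substitute_hook_functions(hooks, sizeof(hooks) / sizeof(*hooks), NULL, 0);
      // 2 == SUBSTITUTE_ERR_FUNC_BAD_INSN_AT_START: an instruction inside the
      // bytes to be overwritten cannot be relocated. Logging the address too
      // makes it possible to compare the real patch-region bytes with IDA.
      LOG(@"substitute_hook_functions(_MGCopyAnswer @ %p) = %d", symbol, ret);
    }
    // The image handle is only needed for the symbol lookup. libMobileGestalt
    // presumably lives in the shared cache, so the looked-up address stays
    // valid after the handle is released — confirm if that assumption changes.
    substitute_close_image(im);
  }
  // NOTE(review): as pasted, orig_MGCopyAnswer / new_MGCopyAnswer are declared
  // below this %ctor; Logos emits the constructor in place, so they need to be
  // declared (or forward-declared) above it to compile.
  %init(HZGroup);
}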

// Trampoline to the original _MGCopyAnswer. The hook table in %ctor passes its
// address as the third field, the slot the hooking call fills in once the hook
// is installed; it stays NULL otherwise. NOTE(review): it is referenced inside
// the %ctor above, so it has to be declared before that point to compile.
static CFPropertyListRef (*orig_MGCopyAnswer)(CFStringRef prop);
// Replacement for _MGCopyAnswer: observes every query and answer without
// altering them. Requires orig_MGCopyAnswer to have been filled in by the hook.
CFPropertyListRef new_MGCopyAnswer(CFStringRef prop) {
  // Ask the original first; whatever reference it returns is handed back untouched.
  CFPropertyListRef answer = orig_MGCopyAnswer(prop);
  // NOTE(review): MobileGestalt answers commonly include device identifiers,
  // and this writes them to the system log from every process that loads the
  // tweak — consider filtering `prop` before shipping.
  LOG(@"MGCopyAnswer - %@ : %@\n", (__bridge NSString*)prop, (__bridge id)answer);
  return answer;
}

The process also crashed when I tried MSHookFunction or %hookf on the same symbol instead.

Any ideas?
Thanks


#2

You guys suck


#3

Thanks really!! @Zhang