After hooking with ZzHook, tlv_get_addr crashes in the target process!

Environment: iOS 12, jailbroken
Symptom: once the hook is installed, the target app crashes as soon as the hooked code runs!

Xcode (hook code):

#include <stdint.h>
#include <mach-o/dyld.h>   // _dyld_get_image_vmaddr_slide
#include "hookzz.h"        // ZzDynamicBinaryInstrumentation, STUBCALL, RegState, HookEntryInfo

int m_ntest = 0;

// Instrumentation callback: only bumps a counter, touches no target memory.
void OnPubKey(RegState *rs, const HookEntryInfo *info)
{
    m_ntest++;
}

// Rebase the IDA address 0x10108F390 with the main image's ASLR slide (image index 0),
// then instrument that address.
void install_hook(void)
{
    uint64_t hack_this_function_ptr = ((uint64_t)_dyld_get_image_vmaddr_slide(0)) + 0x10108F390;
    ZzDynamicBinaryInstrumentation((void *)hack_this_function_ptr, (STUBCALL)OnPubKey);
}

IDA (target app assembly):

__text:000000010108F390 LDP  X29, X30, [SP,#0x30+var_s0]
__text:000000010108F394 LDP  X20, X19, [SP,#0x30+var_10]
__text:000000010108F398 LDP  X22, X21, [SP,#0x30+var_20]
__text:000000010108F39C ADD  SP, SP, #0x40
__text:000000010108F3A0 RET

The hook itself is fine, because the hook body does nothing and does not modify any memory.

Error message in LLDB:

(lldb) c
Process 1947 resuming
Process 1947 stopped
* thread #8, stop reason = EXC_BAD_ACCESS (code=1, address=0x204f7fcd0)
    frame #0: 0x000000018da35e48 libsystem_platform.dylib`_platform_memmove + 280
libsystem_platform.dylib`_platform_memmove:
->  0x18da35e48 <+280>: ldr    x6, [x1], #0x8
    0x18da35e4c <+284>: str    x6, [x3], #0x8
    0x18da35e50 <+288>: subs   x2, x2, #0x8              ; =0x8
    0x18da35e54 <+292>: b.hs   0x18da35e48               ; <+280>

It is a memory access failure.
X1 holds a value, but that address cannot be accessed; it is an invalid memory address!
bt is as follows:

(lldb) bt
* thread #8, stop reason = EXC_BAD_ACCESS (code=1, address=0x204f7fcd0)
  * frame #0: 0x000000018da35e48 libsystem_platform.dylib`_platform_memmove + 280
    frame #1: 0x000000018d876c84 libdyld.dylib`tlv_allocate_and_initialize_for_key + 404
    frame #2: 0x000000018d8773d4 libdyld.dylib`tlv_get_addr + 104   <---------------------------------
    frame #3: 0x0000000101ecc8ac myapp`___lldb_unnamed_symbol112809$$myapp + 52
    frame #4: 0x0000000101ecd850 myapp`___lldb_unnamed_symbol112818$$myapp + 56
    frame #5: 0x00000001018e71c0 myapp`___lldb_unnamed_symbol72976$$myapp + 76
    frame #6: 0x00000001018e6d90 myapp`___lldb_unnamed_symbol72971$$myapp + 448
    frame #7: 0x00000001018ea2c4 myapp`___lldb_unnamed_symbol73013$$myapp + 152
    frame #8: 0x00000001018e58c4 myapp`___lldb_unnamed_symbol72960$$myapp + 48
    frame #9: 0x000000010336ec68 myapp`___lldb_unnamed_symbol215171$$myapp + 480
    frame #10: 0x0000000103288810 myapp`___lldb_unnamed_symbol211048$$myapp + 1276
    frame #11: 0x0000000101806fa8 myapp`___lldb_unnamed_symbol69723$$myapp + 32
    frame #12: 0x000000010129ce18 myapp`___lldb_unnamed_symbol36609$$myapp + 2704
    frame #13: 0x0000000102348820 myapp`___lldb_unnamed_symbol133967$$myapp + 1520
    frame #14: 0x000000018e8dd23c Foundation`__NSThread__start__ + 1040
    frame #15: 0x000000018da4425c libsystem_pthread.dylib`_pthread_body + 128
    frame #16: 0x000000018da441bc libsystem_pthread.dylib`_pthread_start + 48
    frame #17: 0x000000018da47cf4 libsystem_pthread.dylib`thread_start + 4

What is tlv_get_addr used for? The target app uses tlv_bootstrap + tlv_get_addr + tlv_atexit to operate on data pointers~~~
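The hook address in the post is computed as ASLR slide + IDA address and lands on the function's epilogue. As an added example (not from the original post and not HookZz code), the C below performs the check a practitioner would want before calling ZzDynamicBinaryInstrumentation: it rebases the IDA address and verifies that the bytes at the target decode to exactly the five epilogue instructions in the IDA listing, so a wrong slide, wrong image index, or stale IDA address is caught up front instead of surfacing as a crash elsewhere. The epilogue bytes and the 0x4000 slide are constructed for this example (on device the bytes would be read from the live image and the slide from _dyld_get_image_vmaddr_slide(0)); rebase_ida_addr and is_expected_epilogue are names chosen here, not HookZz APIs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Link-time (IDA) address of the instrumented instruction, from the listing above. */
#define IDA_TARGET_ADDR 0x10108F390ULL

/* Constructed sample (not captured from the device): the five epilogue instructions
 * IDA shows at 0x10108F390, as little-endian AArch64 code bytes. */
static const uint8_t kEpilogueBytes[20] = {
    0xFD, 0x7B, 0x43, 0xA9,   /* LDP  X29, X30, [SP,#0x30] */
    0xF4, 0x4F, 0x42, 0xA9,   /* LDP  X20, X19, [SP,#0x20] */
    0xF6, 0x57, 0x41, 0xA9,   /* LDP  X22, X21, [SP,#0x10] */
    0xFF, 0x03, 0x01, 0x91,   /* ADD  SP, SP, #0x40        */
    0xC0, 0x03, 0x5F, 0xD6,   /* RET                       */
};

/* Running address = IDA address + the image's ASLR slide (what
 * _dyld_get_image_vmaddr_slide(0) returns for the main executable). */
uint64_t rebase_ida_addr(uint64_t slide, uint64_t ida_addr) {
    return slide + ida_addr;
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* AArch64 "LDP <Xt>, <Xt2>, [SP, #imm]" (64-bit, signed-offset form):
 * opc=10 101 V=0 010 L=1, imm7 = imm/8, then Rt2, Rn=SP(31), Rt. */
static uint32_t enc_ldp_x_sp(unsigned rt, unsigned rt2, unsigned imm_bytes) {
    return 0xA9400000u | ((imm_bytes / 8u) << 15) | (rt2 << 10) | (31u << 5) | rt;
}

/* AArch64 "ADD SP, SP, #imm12" (64-bit, immediate form, no shift). */
static uint32_t enc_add_sp_sp(unsigned imm12) {
    return 0x91000000u | (imm12 << 10) | (31u << 5) | 31u;
}

/* Returns 1 if `code` starts with exactly the epilogue from the IDA listing, else 0.
 * Run it on the bytes at the rebased address before instrumenting: a mismatch means
 * the slide, the image index or the IDA address does not describe the live process. */
int is_expected_epilogue(const uint8_t *code, size_t len) {
    const uint32_t expected[5] = {
        enc_ldp_x_sp(29, 30, 0x30),   /* LDP X29, X30, [SP,#0x30] -> 0xA9437BFD */
        enc_ldp_x_sp(20, 19, 0x20),   /* LDP X20, X19, [SP,#0x20] -> 0xA9424FF4 */
        enc_ldp_x_sp(22, 21, 0x10),   /* LDP X22, X21, [SP,#0x10] -> 0xA94157F6 */
        enc_add_sp_sp(0x40),          /* ADD SP, SP, #0x40        -> 0x910103FF */
        0xD65F03C0u,                  /* RET                                     */
    };
    if (len < sizeof expected) return 0;
    for (size_t i = 0; i < 5; i++) {
        uint32_t got = read_le32(code + 4 * i);
        if (got != expected[i]) {
            fprintf(stderr, "insn %zu: got %08x, expected %08x\n", i, got, expected[i]);
            return 0;
        }
    }
    return 1;
}

int main(void) {
    uint64_t slide = 0x4000;   /* hypothetical slide; on device use _dyld_get_image_vmaddr_slide(0) */
    uint64_t target = rebase_ida_addr(slide, IDA_TARGET_ADDR);
    printf("hook target = 0x%llx\n", (unsigned long long)target);
    /* On device `code` would be (const uint8_t *)target; here it is the constructed sample. */
    printf("epilogue match at target: %d\n",
           is_expected_epilogue(kEpilogueBytes, sizeof kEpilogueBytes));
    /* One instruction off (0x10108F394): the check refuses, as it should. */
    printf("epilogue match at target+4: %d\n",
           is_expected_epilogue(kEpilogueBytes + 4, sizeof kEpilogueBytes - 4));
    return 0;
}
```

Reading the target bytes with a plain pointer is fine on a jailbroken device where the text segment is readable; the point of the check is that an address that passes it is at least the instruction you think you are instrumenting.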

Known iOS 12 issue. Which jailbreak?

Jailbroken with 爱思助手:
unc0ver for 11.0-12.4

If this is a known issue, is there a workaround?

@jmpews Is there a fix for this known issue???

The maintainer says he will fix this issue this month~~~