【4.1.1例子】[83页] iOSREHookTweak能够作用于短函数

chensh · 2016 年7 月 1 日 07:27

大家好，我的书籍版本是第二版。

在4.1.1这一小节里面，构建了一个 iOSREHookTweak 来Hook iOSRETargetApp 这个应用的三个函数。

书中第83页，说Tweak安装后，再次运行应用的时候，输入预期为：

Jul 1 11:15:14 ChenSH targetApp[914]: iOSRE: Found CPPFunction!
Jul 1 11:15:14 ChenSH targetApp[914]: iOSRE: Found CFunction!
Jul 1 11:15:14 ChenSH targetApp[914]: iOSRE: Found Short C Function!

Jul 1 11:15:14 ChenSH targetApp[914]: Junk:
Jul 1 11:15:14 ChenSH targetApp[914]: iOSRE: CPPFunction: This is a hijacked C++ function!
Jul 1 11:15:14 ChenSH targetApp[914]: Junk:
Jul 1 11:15:14 ChenSH targetApp[914]: iOSRE: CFunction: This is a hijacked C function!
Jul 1 11:15:14 ChenSH targetApp[914]: Junk:
Jul 1 11:15:14 ChenSH targetApp[914]: iOSRE: CPPFunction: This is a hijacked short C function from new__ZN8CPPClass11CPPFunctionEPKc!

书中说，最后一个输入是因为对ShortCFunction的直接Hook失效了。

但是我根据上面的Tweak编写后，得到的结果却是：

Jul 1 11:54:29 ChenSH targetApp[976]: iOSRE: Found CPPFunction!
Jul 1 11:54:29 ChenSH targetApp[976]: iOSRE: Found CFunction!
Jul 1 11:54:29 ChenSH targetApp[976]: iOSRE: Found Short C Function!

Jul 1 11:54:30 ChenSH targetApp[976]: Junk:
Jul 1 11:54:30 ChenSH targetApp[976]: iOSRE: CPPFunction: This is a hijacked C++ function!
Jul 1 11:54:30 ChenSH targetApp[976]: Junk:
Jul 1 11:54:30 ChenSH targetApp[976]: iOSRE: CFunction: This is a hijacked C function!
Jul 1 11:54:30 ChenSH targetApp[976]: Junk:
Jul 1 11:54:30 ChenSH targetApp[976]: iOSRE: CFunction: This is a hijacked short C function from new_ShortCFunction!

这应该说明我对 ShortCFunction的Hook是有效的。以下是Tweak.xm的代码，跟书上一模一样。

#import <substrate.h>

void (*old__ZN8CPPClass11CPPFunctionEPKc)(void *, const char *);
void new__ZN8CPPClass11CPPFunctionEPKc(void * hiddenThis, const char * arg0) {
	if (strcmp(arg0, "This is a short C function!") == 0) {
		old__ZN8CPPClass11CPPFunctionEPKc(hiddenThis, "This is a hijacked short C function from new__ZN8CPPClass11CPPFunctionEPKc");
	} else {
		old__ZN8CPPClass11CPPFunctionEPKc(hiddenThis, "This is a hijacked C++ function!");
	}
}


void (*old_CFunction) (const char *);
void new_CFunction(const char * arg0) {
	old_CFunction("This is a hijacked C function!");
}

void (*old_ShortCFunction)(const char *);
void new_ShortCFunction(const char *arg0) {
	old_CFunction("This is a hijacked short C function from new_ShortCFunction!");
}

%ctor
{
	@autoreleasepool {
		MSImageRef image = MSGetImageByName("/Applications/targetApp.app/targetApp");

		void *__ZN8CPPClass11CPPFunctionEPKc = MSFindSymbol(image, "__ZN8CPPClass11CPPFunctionEPKc");
		if(__ZN8CPPClass11CPPFunctionEPKc) {
			NSLog(@"iOSRE: Found CPPFunction!");
		}
		MSHookFunction((void *)__ZN8CPPClass11CPPFunctionEPKc, (void *)&new__ZN8CPPClass11CPPFunctionEPKc, (void **)&old__ZN8CPPClass11CPPFunctionEPKc);

		void *_CFunction = MSFindSymbol(image, "_CFunction");
		if (_CFunction) {
			NSLog(@"iOSRE: Found CFunction!");
		}
		MSHookFunction((void *)_CFunction, (void*)&new_CFunction, (void**)&old_CFunction);

		void *_ShortCFunction = MSFindSymbol(image, "_ShortCFunction");
		if (_ShortCFunction) {
			NSLog(@"iOSRE: Found Short C Function!");
		}
		MSHookFunction((void *)_ShortCFunction, (void *)&new_ShortCFunction, (void **)&old_ShortCFunction);

	}
}

我的系统是 9.0.2，机型是5s，theos的版本是??,怎么看版本来着，跟github的库同步。

那上面的例子是否说明， MSHookFunction 已经能够对短函数起作用了，还是说因为其它什么原因导致的？

chensh · 2016 年7 月 1 日 07:32

我写了个更加简单的例子，发现现在的 MSHookFunction 确实能够 Hook 到短函数了。

// App
// YTRootViewController.mm

#import "YTRootViewController.h"

extern "C" void ShortCFunction(const char * arg0) {
	NSLog(@"==== CShortFunction: %s", arg0);
}

@implementation YTRootViewController
- (void)loadView {
	[super loadView];
	ShortCFunction("This is a short C function!");
}
@end

// Tweak
// Tweak.xm

#import <substrate.h>
void (*old_ShortCFunction)  (const char *);
void new_ShortCFunction(const char *arg0) {
	old_ShortCFunction("This is a hijacked short C function!");
}

%ctor
{
	@autoreleasepool {
		MSImageRef image = MSGetImageByName("/Application/shortFunction.app/shortFunction");
		void *_ShortCFunction = MSFindSymbol(image, "_ShortCFunction");
		if (_ShortCFunction) {
			NSLog(@"====== Find Short C Function!");
		}
		MSHookFunction((void*)_ShortCFunction, (void*)&new_ShortCFunction, (void **)&old_ShortCFunction);

	}
}

结果打印出来为：

Jul 1 15:26:22 ChenSH shortFunction[1373]: ====== Find Short C Function!

Jul 1 15:26:23 ChenSH shortFunction[1373]: ==== CShortFunction: This is a hijacked short C function!

我想这应该可以说明确实可以Hook到短函数了吧？

snakeninny · 2016 年7 月 2 日 09:56

我测了一下，貌似是可以了

zhahao · 2017 年2 月 25 日 12:38

现在可以了

Zhang · 2017 年2 月 25 日 13:54

感谢您重复我们在2016年7月就知道的知识ji

fll · 2019 年8 月 23 日 08:52

我就纳闷了，如果hook短函数成功，shortfunction的“This is a short C function!”不是应该会被hook为“This is a hijacked short C function from new_ShortCFunction!”吗，为什么会判断相等继而输出“This is a hijacked short C function from new_ZN8CPPClass11CPPFunctionEPKc!”，不是应该输出“This is a hijacked C++ function!吗？