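Goal:
I've recently been looking into hooking a Mac program. After a few days of studying on this forum I've learned how to hook Objective-C methods with Logos syntax, but as you all surely know, that is far from enough _(:」∠)
So now I've started looking into how to hook the C/C++ functions of a Mac application.
After reading forum threads such as [How do I hook a private function...](http://bbs.iosre.com/t/hook/345/10) and "How do I hook a method of a C++ class?", and after looking up the related material, I started trying to hook a private C function that I wrote myself.
Steps:
- I wrote a small demo; the core code is as follows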
```objc
#import "ViewController.h"

size_t abcd(int x,int y,int z) {
    return x + y + z;
}

@interface ViewController ()
@property (weak) IBOutlet NSTextField *ll;
@property(nonatomic,assign) size_t length;
@end

@implementation ViewController
- (void)viewDidLoad {
    [super viewDidLoad];
    _length = abcd(1, 2, 3);
}
- (IBAction)cc:(id)sender {
    _ll.stringValue = [NSString stringWithFormat:@"%zu",_length];
}
@end
```
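Put simply, clicking the button makes the app display a number; the number is produced by the function abcd, and I hard-coded it to 6.
- Write the hook code
- First I wrote a Tweak.xm with the following content, intending to change the return value to 8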
```objc
%config(generator=internal)
#import <Foundation/Foundation.h>
#include "substrate.h"
/*
size_t abcd(int x,int y,int z) {
    return x + y + z;
}
*/
size_t (*ori_abcd)(int x,int y,int z);
size_t new_abcd(int x,int y,int z) {
    return 8;
}
%ctor {
    NSLog(@"!!!!!!inject success!!!!!!!");
    void *abcd = MSFindSymbol(NULL,"_abcd");
    if (abcd) {
        MSHookFunction(abcd, new_abcd, &ori_abcd);
    }else{
        NSLog(@"!!!!!!inject fail!!!!!!!");
    }
}
```
- I put the app bundle to be injected and substrate.h in the same directory and ran the script below
```bash
#!/bin/
function getName {
    ls | grep *.app
}
path=$(getName)
temp='temp'
name=${path%.app}
$THEOS/bin/logos.pl ./Tweak.xm > ./$temp.mm
clang -shared -undefined dynamic_lookup -o ./$path/Contents/MacOS/lib.dylib ./$temp.mm
optool install -c load -p @executable_path/lib.dylib -t ./$path/Contents/MacOS/$name
rm -f ./$temp.mm
```
- The terminal showed nothing abnormal
```
Found thin header...
Load command already exists
Successfully inserted a LC_LOAD_DYLIB command for x86_64
Writing executable to Target.app/Contents/MacOS/Target...
```
- But it crashes as soon as it is run
```
2017-09-07 02:00:21.358 Target[10039:636481] !!!!!!inject success!!!!!!!
dyld: lazy symbol binding failed: Symbol not found: _MSFindSymbol
  Referenced from: ~/Desktop/Target/abc/Target.app/Contents/MacOS/lib.dylib
  Expected in: flat namespace
dyld: Symbol not found: _MSFindSymbol
  Referenced from: ~/Desktop/Target/abc/Target.app/Contents/MacOS/lib.dylib
  Expected in: flat namespace
[1] 10039 abort
[进程已完成]
```
- Then I carefully went through "How do I hook a private function..." again and changed Tweak.xm to the following
```objc
%config(generator=internal)
#import <Foundation/Foundation.h>
#include "substrate.h"
/*
size_t abcd(int x,int y,int z) {
    return x + y + z;
}
*/
extern "C" size_t abcd(int x,int y,int z);
size_t (*ori_abcd)(int x,int y,int z);
size_t new_abcd(int x,int y,int z) {
    return 8;
}
%ctor {
    NSLog(@"!!!!!!inject success!!!!!!!");
    MSHookFunction((void *)abcd, (void *)new_abcd, (void **)&ori_abcd);
}
```
Everything else was the same as above, and in the end it still failed, with the following failure output:
```
dyld: Symbol not found: _abcd
  Referenced from: ~/Desktop/Target/abc/Target.app/Contents/MacOS/lib.dylib
  Expected in: flat namespace
 in ~/Desktop/Target/abc/Target.app/Contents/MacOS/lib.dylib
[1] 10310 abort
[进程已完成]
```
Could anyone tell me where my approach went wrong? It feels like it should have worked _(:」∠)
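
An added example, not part of the original post: the optool step above writes an LC_LOAD_DYLIB command into the target executable ("Successfully inserted a LC_LOAD_DYLIB command for x86_64"), and that same load-command table is what you read to verify which libraries a binary will load, or to notice that a shipped binary has been modified this way. The Python sketch below lists the dylibs of a thin 64-bit Mach-O image and diffs them against a known-good copy; the function names and the two sample images are constructed for illustration, and fat (universal) binaries are not handled.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF           # thin 64-bit little-endian Mach-O
LC_LOAD_DYLIB = 0xC
LC_LOAD_WEAK_DYLIB = 0x80000018    # 0x18 | LC_REQ_DYLD

def load_dylibs(image):
    """Paths named by LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB in a thin 64-bit image."""
    if len(image) < 32 or struct.unpack_from("<I", image)[0] != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<2I", image, 16)
    end = 32 + sizeofcmds              # load commands follow the 32-byte header
    if end > len(image):
        raise ValueError("load commands run past end of file")
    paths, off = [], 32
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command header out of bounds")
        cmd, cmdsize = struct.unpack_from("<2I", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from("<I", image, off + 8)[0] if cmdsize >= 24 else 0
            if not 24 <= name_off < cmdsize:   # name follows the 24-byte dylib_command
                raise ValueError("bad dylib name offset")
            raw = image[off + name_off:off + cmdsize]
            paths.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return paths

def added_dylibs(original, current):
    """Dylibs the current binary loads that the known-good original did not."""
    baseline = set(load_dylibs(original))
    return [p for p in load_dylibs(current) if p not in baseline]

def build_sample_macho(paths):
    """Constructed input: x86_64 MH_EXECUTE header plus one LC_LOAD_DYLIB per path."""
    cmds = b""
    for p in paths:
        name = p.encode() + b"\0"
        name += b"\0" * (-(24 + len(name)) % 8)   # keep cmdsize 8-byte aligned
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 2, 0x10000, 0x10000) + name
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, len(paths), len(cmds), 0, 0) + cmds

# Constructed sample images: a baseline and a copy with one extra load command.
SAMPLE_BASE = ["/usr/lib/libSystem.B.dylib", "/usr/lib/libobjc.A.dylib"]
SAMPLE_ORIGINAL = build_sample_macho(SAMPLE_BASE)
SAMPLE_PATCHED = build_sample_macho(SAMPLE_BASE + ["@executable_path/lib.dylib"])

if __name__ == "__main__":
    print(added_dylibs(SAMPLE_ORIGINAL, SAMPLE_PATCHED))
```

On a real system, pass the bytes of the vendor's original executable and of the copy on disk; `otool -L` shows the same list for a single binary.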