如何找到插件hook的函数

我想找到一个编译好的插件所hook的函数。反编译后，我找到了所有调用substrate框架函数的指令，但是不清楚具体hook了哪些函数（r0）。

1. 如何用gdb运行app，而不是attach一个已经运行的进程。我直接gdb那个app(/var/mobile/Applications/…/…app/…)会直接SIGABRT。调用栈是
   #0 0x39ee91f0 in __pthread_kill ()
   #1 0x39f53796 in pthread_kill ()
   #2 0x39e99fdc in abort ()
   #3 0x33bdec10 in GSRegisterPurpleNamedPort ()
   #4 0x33bde890 in _GSEventInitialize ()
   #5 0x31604f38 in UIApplicationMain ()
   #6 0x0022d97c in ?? ()
   #7 0x000910c8 in ?? ()

2. 尝试hook substrate本身的框架函数MSHookFunction。
   #include <CydiaSubstrate.h>

void (*oldMSHookFunction)(void *, void *, void **);

void newMSHookFunction(void *symbol, void *hook, void **old) {
printf(“CC_HOOKED\n”);
oldMSHookFunction(symbol, hook, old);
}

attribute((constructor))
static void initialize() {
NSLog(@“CC_LOADED”);
MSHookFunction(MSHookFunction, &newMSHookFunction, &oldMSHookFunction);
}

通过syslog，我的插件在需要逆向的插件前被载入。CC_LOADED被打印了，但是后载入其他插件时没有打印CC_HOOKED。这是为什么？

另外，怎么保证我的插件在我想逆向的插件前被载入？

第二个方法可以成功注入，printf不会输出到syslog貌似插件载入顺序是字母表顺序。

谁能告诉我第一个方法怎么弄？

参考这个帖子，换lldb吧

多谢～

另外问个问题：用MSFindSymbol可以找到符号对应的地址，有没有办法在运行时从地址得到符号。我需要这个是因为在我之前帖子中第一种方法hook得到的是函数地址，但我想知道函数的名字。

我参考过《OS X ABI Dynamic Loader Reference》，但并没有找到合适得函数。我现在是用gdb附上进程，然后info symbol查看的。有人知道gdb中是怎么实现的吗？
我还试过禁用app的ASLR，然后想用nm直接查看，但nm的输出都是些c标准函数，难道其他的符号都设成私有的了？

知道了，dladdr
而且好像MSHookFunction可以hook任意内存地址，并不局限于函数，很好很强大

最终Tweak：
#include <CydiaSubstrate.h>
#include <dlfcn.h>

void resolveSymbol(const void *addr) {
Dl_info info;
if (dladdr(addr, &info)) {
NSLog(@“ Resolved symbol at address %p: dli_fname %s, dli_fbase %p, dli_sname %s, dli_saddr %p”, addr, info.dli_fname, info.dli_fbase, info.dli_sname, info.dli_saddr);
}
else {
NSLog(@“ Can’t resolve symbol at address %p”, addr);
}
}

void (*oldMSHookFunction)(void *, void *, void **);

void newMSHookFunction(void *symbol, void *hook, void **old) {
NSLog(@“ MSHookFunction: old %p, new %p”, symbol, hook);
resolveSymbol(symbol);
resolveSymbol(hook);
oldMSHookFunction(symbol, hook, old);
}

void (*oldMSHookMessageEx)(Class, SEL, IMP, IMP *);

void newMSHookMessageEx(Class c/lass/, SEL s/elector/, IMP replacement, IMP *result) {
NSLog(@“ MSHookMessageEx: class %@, selector %@, new %p”, NSStringFromClass(c/lass/), NSStringFromSelector(s/elector/), replacement);
resolveSymbol((const void *) *replacement);
oldMSHookMessageEx(c/lass/, s/elector/, replacement, result);
}

attribute((constructor))
static void initialize() {
MSHookFunction(MSHookMessageEx, &newMSHookMessageEx, &oldMSHookMessageEx);
MSHookFunction(MSHookFunction, &newMSHookFunction, &oldMSHookFunction);
NSLog(@“ Hooked into MSHookFunction & MSHookMessageEx”);
}

对COC叉叉助手分析，查看syslog

cat /dev/null > /var/log/syslog
cat /var/log/syslog | grep “Loading”
Sep 12 17:06:54 iPad Clash of Clans[2372]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/HookSubstrate.dylib
Sep 12 17:06:54 iPad Clash of Clans[2372]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/xxCOCPlugin.dylib
cat /var/log/syslog | grep “”
Sep 12 17:06:54 iPad Clash of Clans[2372]: Hooked into MSHookFunction & MSHookMessageEx
Sep 12 17:06:54 iPad Clash of Clans[2372]: MSHookFunction: old 0x845fd, new 0x3af4fd
Sep 12 17:06:54 iPad Clash of Clans[2372]: Resolved symbol at address 0x845fd: dli_fname /var/mobile/Applications/1A631C27-CE93-4845-B7FB-0637D600E10C/Clash of Clans.app/Clash of Clans, dli_fbase 0x4000, dli_sname (null), dli_saddr 0x0
Sep 12 17:06:54 iPad Clash of Clans[2372]: Resolved symbol at address 0x3af4fd: dli_fname /Library/MobileSubstrate/DynamicLibraries/xxCOCPlugin.dylib, dli_fbase 0x3a7000, dli_sname _Z20func_hook_new_searchi, dli_saddr 0x3af4fd
Sep 12 17:06:54 iPad Clash of Clans[2372]: MSHookMessageEx: class AppController, selector application:didFinishLaunchingWithOptions:, new 0x3afdb5
Sep 12 17:06:54 iPad Clash of Clans[2372]: Resolved symbol at address 0x3afdb5: dli_fname /Library/MobileSubstrate/DynamicLibraries/xxCOCPlugin.dylib, dli_fbase 0x3a7000, dli_sname Z60hook_AppController_application_didFinishLaunchingWithOptionsP11objc_objectP13objc_selectorS0_S0, dli_saddr 0x3afdb5

第一个hook的位置并不对应任何symbol。