A Unity game, built with il2cpp. I found the target's offset, ran it under MonkeyDev and used `dis -a <address>` to view the assembly, which matches what I see in IDA. But hooking it with MSHookFunction does not work: the crash address is my own hook function, not the original function.
Does anyone know why this is?
#import <Foundation/Foundation.h>
#include <dlfcn.h>
#include <mach-o/dyld.h>
#include <sys/stat.h>
#include <substrate.h>

struct stat buf;
intptr_t g_slide;
int (*old_GetCreateID)(void);

// Replacement: logs the value and forwards to the original through the trampoline.
int new_GetCreateID(void)
{
    int create_id = old_GetCreateID();
    NSLog(@"Room Create ID: %d", create_id);
    return create_id;
}

// dyld calls this for every image already loaded and for each one loaded later;
// we record the ASLR slide of the main executable only.
static void _register_func_for_add_image(const struct mach_header *header, intptr_t slide) {
    Dl_info image_info;
    int result = dladdr(header, &image_info);
    if (result == 0) {
        NSLog(@"load mach_header failed");
        return;
    }
    NSString *execName = [[[NSBundle mainBundle] infoDictionary] objectForKey:@"CFBundleExecutable"];
    NSString *execPath = [[[NSBundle mainBundle] bundlePath] stringByAppendingFormat:@"/%@", execName];
    if (strcmp([execPath UTF8String], image_info.dli_fname) == 0) {
        g_slide = slide;
    }
}

static void __attribute__((constructor)) __init__() {
    _dyld_register_func_for_add_image(_register_func_for_add_image);
    intptr_t address = g_slide + 0x1021B30 + 0x100000000;
    // The crash address is not `address`, yet the disassembly at `address` matches IDA.
    // MSHookFunction(symbol, replacement, &original): the second argument is the
    // replacement function and the third receives the pointer to the original.
    // Passing them the other way round makes Substrate write into the code of
    // new_GetCreateID, which is read-only text.
    MSHookFunction((void *)address, (void *)new_GetCreateID, (void **)&old_GetCreateID);
}
Update:
I found something strange; the details are as follows.
(lldb) im li -f -o
[ 0] (redacted) 0x0000000002ac0000
Computing the address:
offset = 0x1021B30
address = 0x0000000002ac0000 + offset + 0x100000000 = 0x103ae1b30
Viewing the disassembly at runtime gives the following; the assembly is indeed the target function:
(lldb) dis -a 0x103ae1b30
Run It`___lldb_unnamed_symbol91713$$Run It:
0x103ae1b30 <+0>: stp x20, x19, [sp, #-0x20]!
0x103ae1b34 <+4>: stp x29, x30, [sp, #0x10]
0x103ae1b38 <+8>: add x29, sp, #0x10 ; =0x10
0x103ae1b3c <+12>: mov w1, #-0x1
0x103ae1b40 <+16>: bl 0x103ae58d8 ; ___lldb_unnamed_symbol91722$$Run It
0x103ae1b44 <+20>: cbz x0, 0x103ae1b84 ; <+84>
0x103ae1b48 <+24>: mov x19, x0
0x103ae1b4c <+28>: mov x1, #0x0
0x103ae1b50 <+32>: bl 0x103b75788 ; ___lldb_unnamed_symbol95305$$Run It
0x103ae1b54 <+36>: cbz x0, 0x103ae1b84 ; <+84>
0x103ae1b58 <+40>: mov x0, x19
0x103ae1b5c <+44>: mov x1, #0x0
0x103ae1b60 <+48>: bl 0x103b75788 ; ___lldb_unnamed_symbol95305$$Run It
0x103ae1b64 <+52>: mov x19, x0
0x103ae1b68 <+56>: cbnz x0, 0x103ae1b70 ; <+64>
0x103ae1b6c <+60>: bl 0x102d15a34 ; ___lldb_unnamed_symbol27898$$Run It
0x103ae1b70 <+64>: mov x0, x19
0x103ae1b74 <+68>: mov x1, #0x0
0x103ae1b78 <+72>: ldp x29, x30, [sp, #0x10]
0x103ae1b7c <+76>: ldp x20, x19, [sp], #0x20
0x103ae1b80 <+80>: b 0x103b75600 ; ___lldb_unnamed_symbol95275$$Run It
0x103ae1b84 <+84>: mov w0, #-0x1
0x103ae1b88 <+88>: ldp x29, x30, [sp, #0x10]
0x103ae1b8c <+92>: ldp x20, x19, [sp], #0x20
0x103ae1b90 <+96>: ret
After releasing the breakpoint the app crashes immediately. The information is as follows:
Viewing the disassembly at the crash address gives the following result:
(lldb) dis -a 0x1055ec000
librunitDylib.dylib`new_GetCreateID:
0x1055ec000 <+0>: sub sp, sp, #0x20 ; =0x20
0x1055ec004 <+4>: stp x29, x30, [sp, #0x10]
0x1055ec008 <+8>: add x29, sp, #0x10 ; =0x10
0x1055ec00c <+12>: adrp x8, 50
0x1055ec010 <+16>: ldr x8, [x8, #0xf70]
0x1055ec014 <+20>: blr x8
0x1055ec018 <+24>: stur w0, [x29, #-0x4]
0x1055ec01c <+28>: ldur w9, [x29, #-0x4]
0x1055ec020 <+32>: mov x8, x9
0x1055ec024 <+36>: adrp x0, 44
0x1055ec028 <+40>: add x0, x0, #0x8e8 ; =0x8e8
0x1055ec02c <+44>: mov x9, sp
0x1055ec030 <+48>: str x8, [x9]
0x1055ec034 <+52>: bl 0x1056102c4 ; symbol stub for: NSLog
0x1055ec038 <+56>: ldur w0, [x29, #-0x4]
0x1055ec03c <+60>: ldp x29, x30, [sp, #0x10]
0x1055ec040 <+64>: add sp, sp, #0x20 ; =0x20
0x1055ec044 <+68>: ret
The function new_GetCreateID is the replacement function I wrote myself, as can be seen in the first code block, which is very confusing.
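An added example, not part of the original post: a small Python checker that reproduces the address arithmetic from the update (slide + IDA image base + offset) and parses lldb `dis -a` output to confirm the listing starts at the computed address. It also applies a heuristic that a defender can use to recognise an inline-patched prologue, since Substrate-style hooks overwrite the first instructions with an unconditional jump. The sample listings are constructed from the post's output; the IDA image base of 0x100000000 and the `ldr x16 / br x16` thunk shape are assumptions stated in the code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of lldb `dis -a` output, e.g.
#   0x103ae1b30 <+0>: stp x20, x19, [sp, #-0x20]!
_DIS_LINE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+<\+(\d+)>:\s+(\S+)\s*(.*?)\s*$")

# Assumption: IDA loaded the arm64 binary at its default image base.
IDA_IMAGE_BASE = 0x100000000


@dataclass
class Insn:
    addr: int
    offset: int
    mnemonic: str
    operands: str


def runtime_address(slide: int, ida_offset: int, ida_base: int = IDA_IMAGE_BASE) -> int:
    """Convert an IDA file offset into a runtime address using the ASLR slide from `image list -o`."""
    return slide + ida_base + ida_offset


def parse_dis(text: str) -> List[Insn]:
    """Parse lldb disassembly lines; header lines (e.g. `Run It`...:`) are skipped."""
    insns = []
    for line in text.splitlines():
        m = _DIS_LINE.match(line)
        if m:
            operands = m.group(4).split(";")[0].strip()  # drop lldb's trailing "; comment"
            insns.append(Insn(int(m.group(1), 16), int(m.group(2)), m.group(3), operands))
    return insns


def prologue_looks_patched(insns: List[Insn]) -> bool:
    """Heuristic: an inline hook replaces the first instruction(s) with an unconditional jump,
    either a direct `b`/`br` or an absolute-jump thunk `ldr x16, <literal>; br x16` (assumed shape)."""
    if not insns:
        return False
    first = insns[0]
    if first.mnemonic in ("b", "br"):
        return True
    if first.mnemonic == "ldr" and len(insns) > 1 and insns[1].mnemonic == "br":
        reg = first.operands.split(",")[0].strip()
        return reg in ("x16", "x17") and insns[1].operands.strip() == reg
    return False


def check_function(dis_text: str, slide: int, ida_offset: int) -> dict:
    """Verify that the listing starts at the expected address and report whether the prologue is intact."""
    insns = parse_dis(dis_text)
    expected = runtime_address(slide, ida_offset)
    start: Optional[int] = insns[0].addr if insns else None
    return {
        "expected": expected,
        "listing_start": start,
        "address_matches": start == expected,
        "patched": prologue_looks_patched(insns),
    }


# Constructed sample 1: the untouched prologue shown in the post.
CLEAN_LISTING = """\
Run It`___lldb_unnamed_symbol91713$$Run It:
0x103ae1b30 <+0>: stp x20, x19, [sp, #-0x20]!
0x103ae1b34 <+4>: stp x29, x30, [sp, #0x10]
0x103ae1b38 <+8>: add x29, sp, #0x10 ; =0x10
"""

# Constructed sample 2: the same function after an inline patch (jump thunk, assumed shape).
PATCHED_LISTING = """\
0x103ae1b30 <+0>: ldr x16, #0x8
0x103ae1b34 <+4>: br x16
0x103ae1b38 <+8>: .long 0x055ec000
"""

if __name__ == "__main__":
    slide, offset = 0x2ac0000, 0x1021B30
    print("expected address: 0x%x" % runtime_address(slide, offset))
    print("clean  :", check_function(CLEAN_LISTING, slide, offset))
    print("patched:", check_function(PATCHED_LISTING, slide, offset))
```

Running the checker before and after installing a hook makes the two symptoms in the post easy to separate: a wrong address shows up as `address_matches: False`, while a hook that was applied to the right place shows up as `patched: True` at that address.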