Hook dyld_shared_cache_armvX 内函数问题

重新描述下:目的:Hook IMDaemonCore 里的IMDService,
由于这个是在/system/Library/Caches/com.apple/dyld/dyld_shared_cache_armvX中, 所以直接使用%hook不到,

问:
要实现hook此函数方法是否要在
%ctor中先用dlopen打开/system/Library/Caches/com.apple/dyld/dyld_shared_cache_armvX此文件, 然后再find symbol?

现在测试结果使用dlopen无法打开此文件,返回NULL,

求大神们解哈。

/system/Library/Caches/com.apple/dyld/dyld_shared_cache_armvX(实际路径一般是 /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armvX)是把系统所有动态库合并在一起的一个大cache,本身不是MachO格式,所以用dlopen是打不开的,返回NULL是正常的。你要hook IMDService的目的跟这个cache是没有关系的:只要IMDaemonCore已经被加载进目标进程,直接写

%hook IMDService
// Minimal hook template. Logos resolves the class when %init runs (by default
// from the tweak's constructor); the class therefore has to be loaded in the
// filtered process at that point, otherwise Substrate logs "nil class argument"
// and nothing is hooked.
- (void)targetMethod
{
    %orig;
}
%end

就可以了。
hook不上的原因有可能是没有指定好对应的bundle identifier(filter没有匹配到目标进程,dylib根本没注入),或者late load(%ctor执行时IMDService所在的库还没加载,%init拿不到class,Substrate会打出 "nil class argument" 的警告)。具体的分析建议先看书,理解这部分的内容再行尝试

IMDaemonCore二进制文件在dyld_shared_cache_armvX里
filter是这样的,用 %hook 把 IMDService 的方法全部hook了也无响应, SpringBoard有响应(注意:下面贴出来的 filter 里用的是全角引号 “ ”,plist 解析不了,实际文件里必须是 ASCII 的双引号):
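{
/* MobileSubstrate filter (OpenStep plist). All quotes must be plain ASCII
   "..." - the curly quotes in the pasted version are not valid plist syntax,
   so the filter would fail to parse and the dylib would never be injected.
   IMDaemonCore is a library from the shared cache, not a process executable,
   so its "Executables" entry is inert; the "Bundles" entry is what can match. */
Filter = {
Executables = (
"imagent",
"IMDaemonCore"
);
Bundles = (
"com.apple.imagent",
"com.apple.imdaemoncore", /* verify the exact CFBundleIdentifier (including case) in the framework's Info.plist */
"com.apple.springboard"
);
Mode = "Any";
};
}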

你hook的是哪一个method?把hook的这一段代码贴出来吧

方式1:

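// Trace hooks for every IMDService method: log the call (%log) and the return
// value, then pass through unchanged.
// NOTE(review): the return values of serviceProperties / serviceDefaults /
// defaultAccountSettings / _serviceDefaultsForDomain: may contain account
// configuration; this dumps them into the device syslog, which any process or
// USB/SSH session with syslog access can read. Debug-only - strip before shipping.
%hook IMDService
- (NSDictionary *)serviceProperties { %log; NSDictionary * r = %orig; NSLog(@" = %@", r); return r; }
- (NSBundle *)bundle { %log; NSBundle * r = %orig; NSLog(@" = %@", r); return r; }
- (void)systemDidEnterMemoryPressure { %log; %orig; }
- (void)systemDidStartBackup { %log; %orig; }
- (id)description { %log; id r = %orig; NSLog(@" = %@", r); return r; }
- (void)purgeMemoryCaches { %log; %orig; }
- (BOOL )serviceRequiresSingleAccount { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (int )serviceProtocolVersion { %log; int  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )serviceSupportsPresence { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )serviceChatsIgnoreLoginStatus { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )serviceRequiresHost { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )serviceShouldBeAlwaysLoggedIn { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )serviceNeedsPassword { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )serviceNeedsLogin { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )shouldForceAccountsConnected { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )shouldForceAccountsActive { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )shouldCreateActiveAccounts { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )serviceWantsNullHostReachability { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )serviceIgnoresNetworkConnectivity { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )serviceSupportsRegistration { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )supportsDatabase { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (BOOL )disallowDeactivation { %log; BOOL  r = %orig; NSLog(@" = %d", r); return r; }
- (NSDictionary *)defaultAccountSettings { %log; NSDictionary * r = %orig; NSLog(@" = %@", r); return r; }
- (void)saveSettings { %log; %orig; }
- (void)delayedSaveSettings { %log; %orig; }
- (BOOL)clearOneTimeImportAccounts { %log; BOOL r = %orig; NSLog(@" = %d", r); return r; }
- (NSDictionary *)serviceDefaultsForSetup { %log; NSDictionary * r = %orig; NSLog(@" = %@", r); return r; }
- (NSDictionary *)serviceDefaults { %log; NSDictionary * r = %orig; NSLog(@" = %@", r); return r; }
- (id)_serviceDefaultsForDomain:(id)arg1 { %log; id r = %orig; NSLog(@" = %@", r); return r; }
- (id)_defaultDefaults { %log; id r = %orig; NSLog(@" = %@", r); return r; }
- (void)synchronizeServiceDefaults { %log; %orig; }
// A Class is an object pointer: log it with %@ (prints the class name) instead
// of truncating it through (unsigned int) and 0x%x, which is wrong on 64-bit.
- (Class )sessionClass { %log; Class  r = %orig; NSLog(@" = %@", r); return r; }
- (id)_oldServiceDomain { %log; id r = %orig; NSLog(@" = %@", r); return r; }
- (NSString *)serviceDomain { %log; NSString * r = %orig; NSLog(@" = %@", r); return r; }
- (id)_serviceDomain { %log; id r = %orig; NSLog(@" = %@", r); return r; }
- (id)oldInternalName { %log; id r = %orig; NSLog(@" = %@", r); return r; }
- (NSString *)internalName { %log; NSString * r = %orig; NSLog(@" = %@", r); return r; }
- (void)unloadServiceBundle { %log; %orig; }
- (void)_reallyUnloadServiceBundle { %log; %orig; }
- (void)loadServiceBundle { %log; %orig; }
- (id)_copyServicePropertiesFromIMServiceBundle:(id)arg1 { %log; id r = %orig; NSLog(@" = %@", r); return r; }
- (void)dealloc { %log; %orig; }
- (id)initWithBundle:(id)arg1 { %log; id r = %orig; NSLog(@" = %@", r); return r; }
%end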

方式2

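%config(generator=MobileSubstrate);

// Raw-Substrate hook of -[IMDService loadServiceBundle].
// The saved original has the method's real prototype (self, _cmd) rather than a
// bare IMP, so the call-through is type-checked.
static void (*oldloadServiceBundle)(id self, SEL _cmd);

void newloadServiceBundle(id self, SEL _cmd) {
    NSLog(@"-----------------------------////////////////////");
    if (oldloadServiceBundle) {
        oldloadServiceBundle(self, _cmd);
    }
}

// The hook call has to live in a constructor: a bare call at file scope is not
// valid C and does not compile. The class is resolved by name at runtime (the
// header is private, so [IMDService class] would not compile either).
// objc_getClass returns Nil when IMDaemonCore is not yet loaded at the time the
// tweak's constructor runs - the "late load" symptom, which Substrate reports
// as "nil class argument". Nothing is hooked in that case; initialise from a
// method that runs after the framework is in the process, or force-load the
// framework by its install path, before hooking.
%ctor {
    Class cls = objc_getClass("IMDService");
    if (!cls) {
        NSLog(@"IMDService is not loaded in this process yet; hook skipped");
        return;
    }
    MSHookMessageEx(cls, @selector(loadServiceBundle),
                    (IMP)newloadServiceBundle, (IMP *)&oldloadServiceBundle);
}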

方式3:

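%config(generator=MobileSubstrate);

// Original implementation, kept with the real ObjC method prototype (self, _cmd)
// rather than "void (*)()": the replacement is invoked with those two arguments
// and must forward them.
void (*old___IMDService_loadServiceBundle_)(id self, SEL _cmd);

void $__IMDService_loadServiceBundle_(id self, SEL _cmd)
{
    NSLog(@"----------------------- fjdaklfjdlajfdlksajflkdsjlsd====================");
    if (old___IMDService_loadServiceBundle_) {
        old___IMDService_loadServiceBundle_(self, _cmd);
    }
}

// Must run from a constructor; a call at file scope does not compile.
// NOTE(review): "__IMDService_loadServiceBundle_" is the name Logos gives its
// own generated hook function, not a symbol exported by IMDaemonCore - an ObjC
// method is not a linker symbol - so MSFindSymbol is expected to return NULL
// here. A NULL target must never be handed to MSHookFunction; check it and,
// for an ObjC method, use MSHookMessageEx / %hook instead of a function hook.
%ctor {
    void *target = (void *)MSFindSymbol(NULL, "__IMDService_loadServiceBundle_");
    if (!target) {
        NSLog(@"__IMDService_loadServiceBundle_ not found; hook skipped");
        return;
    }
    MSHookFunction(target,
                   (void *)$__IMDService_loadServiceBundle_,
                   (void **)&old___IMDService_loadServiceBundle_);
}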

也就是说你把IMDService的所有方法都给hook了,但是不见输出是吧?

是啊。

如果这样的话,很有可能是late load的原因,你试试下面的代码:

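// IMDService lives in IMDaemonCore, which may not be loaded yet when the tweak's
// constructor runs, so its hook is placed in a group that is initialised later.
%group LateHook
%hook IMDService
- (id)initWithBundle:(id)arg1 { %log; id r = %orig; NSLog(@" = %@", r); return r; }
%end
%end

// Initialise the LateHook group from a method that runs after the services
// (and therefore IMDaemonCore) have been loaded.
%hook IMDaemon
- (void)_loadServices
{
	%orig;
	// %init(Group) calls MSHookMessageEx for each method in the group every
	// time it runs. If _loadServices runs more than once, re-initialising would
	// hook the already-hooked method again and make %orig point at the hook
	// itself (unbounded recursion). Guard it so the group is initialised once.
	static dispatch_once_t once;
	dispatch_once(&once, ^{
		%init(LateHook);
	});
}
%end

%ctor
{
	// Only the ungrouped hooks (IMDaemon) are initialised here. If Substrate
	// logs "nil class argument for selector _loadServices", IMDaemon is not
	// present in this process at this point; pick a class/method that is, or
	// load the framework before hooking.
	%init;
}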

忘记说了 我测试的固件是 6.1.3, 没有IMDaemon

有这个类的,在imagent里

init进入去了剩下两个HOOK没进去
出现日志:
MS:warning: nil class argument for selector _loadServices

dylib放好后需要重启imagent,只respring一遍是不行的:imagent 是独立于 SpringBoard 的 launchd 守护进程,respring 不会重启它,tweak 也就不会被重新注入。命令行输入(杀掉后 launchd 通常会自动把 imagent 重新拉起来)

killall -9 imagent