Hook socket的send方法,调用原方法导致app会崩溃？

kenny · 2015 年8 月 26 日 10:05

编译可以通过,hook socket的send 或者recv后，调用原方法就会导致app崩溃，不调用不会崩溃。hook socket的connect方法调用原方法却不会崩溃，请问崩溃原因怎么造成的该怎么解决呢？
请指教下，非常感谢！

以下是tweak代码

include <substrate.h>
import  <sys/socket.h>

ssize_t (*original_send)(int, void *, size_t, int);
ssize_t replaced_send(int arg1, void *arg2, size_t arg3, int arg4){
    NSData *data = [NSData dataWithBytes:arg2 length:arg3];
    NSString *str = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
    NSLog(@"##################################################################################################str is %@ length is %lu data is %@", str, arg3, data);
    return original_send(arg1, arg2, arg3, arg4);
}

%ctor {
    MSHookFunction((void *)send, (void *)replaced_send, (void **)&original_send);
}

kenny · 2015 年8 月 27 日 03:48

请问有人可以指导下吗，非常感激

snakeninny · 2015 年8 月 27 日 13:21

崩溃信息贴出来看看？

kenny · 2015 年8 月 31 日 03:01

不好意思哈，这是崩溃时设备的日志。

Aug 31 11:00:26 tande-iPad kernel[0] : xpcproxy[9799] Container: /private/var/mobile/Containers/Data/Application/95C8BA54-18FC-48F5-9D24-6C09B73E7A3F (sandbox)
Aug 31 11:00:26 tande-iPad locationd[105] : Gesture EnabledForTopCLient: 0, EnabledInDaemonSettings: 0
Aug 31 11:00:26 tande-iPad IF[9799] : MS:Notice: Injecting: com.elex-tech.ClashOfKings [IF] (1142.16)
Aug 31 11:00:26 tande-iPad IF[9799] : MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/FirstTweak.dylib
Aug 31 11:00:26 tande-iPad IF[9799] : objc[9799]: Class MBProgressHUD is implemented in both /private/var/mobile/Containers/Bundle/Application/E815FB79-EDAD-4C21-864D-33ABA2BCC70F/IF.app/IF and /Library/MobileSubstrate/DynamicLibraries/FirstTweak.dylib. One of the two will be used. Which one is undefined.
Aug 31 11:00:26 tande-iPad IF[9799] : objc[9799]: Class MBRoundProgressView is implemented in both /private/var/mobile/Containers/Bundle/Application/E815FB79-EDAD-4C21-864D-33ABA2BCC70F/IF.app/IF and /Library/MobileSubstrate/DynamicLibraries/FirstTweak.dylib. One of the two will be used. Which one is undefined.
Aug 31 11:00:26 tande-iPad IF[9799] : MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RHRevealLoader.dylib
Aug 31 11:00:26 tande-iPad IF[9799] : assertion failed: 12D508: libxpc.dylib + 71792 [3C982BC2-5B46-305A-9A09-3C3D15332820]: 0x7d
Aug 31 11:00:26 tande-iPad Unknown[9799] :
Aug 31 11:00:26 tande-iPad IF[9799] : $IAP$ Request : {(
“gold_1”,
“gold_2”,
“gold_3”,
“gold_4”,
“gold_5”,
“gold_6”,
“gold_8”
)}
Aug 31 11:00:26 tande-iPad mstreamd[9774] : (Note ) mstreamd: Not monitoring for external power.
Aug 31 11:00:26 tande-iPad mstreamd[9774] : (Note ) PS: Media stream daemon stopping.
Aug 31 11:00:26 tande-iPad mstreamd[9774] : (Note ) AS: <MSIOSAlbumSharingDaemon: 0x155e47a20>: Shared Streams daemon has shut down.
Aug 31 11:00:26 tande-iPad mstreamd[9774] : (Warn ) mstreamd: mstreamd shutting down.
Aug 31 11:00:26 tande-iPad mstreamd[9803] : MS:Notice: Injecting: com.apple.mediastream.mstreamd [mstreamd] (1142.16)
Aug 31 11:00:26 tande-iPad mstreamd[9803] : (Note ) mstreamd: mstreamd starting up.
Aug 31 11:00:26 tande-iPad mstreamd[9803] : (Note ) PS: Media stream daemon starting…
Aug 31 11:00:27 tande-iPad mstreamd[9803] : [Warning] Services all disappeared, removing all dependent devices
Aug 31 11:00:27 tande-iPad CFNetworkAgent[9801] : MS:Notice: Injecting: com.apple.cfnetwork.CFNetworkAgent [CFNetworkAgent] (1142.16)
Aug 31 11:00:27 tande-iPad ReportCrash[9807] : MS:Notice: Injecting: (null) [ReportCrash] (1142.16)
Aug 31 11:00:27 tande-iPad ReportCrash[9807] : MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 31 11:00:27 tande-iPad ReportCrash[9807] : task_set_exception_ports(B07, 400, F03, 0, 0) failed with error (4: (os/kern) invalid argument)
Aug 31 11:00:27 tande-iPad ReportCrash[9807] : ReportCrash acting against PID 9799
Aug 31 11:00:27 tande-iPad ReportCrash[9807] : Formulating crash report for process IF[9799]
Aug 31 11:00:27 tande-iPad SpringBoard[91] : BSXPCMessage received error for message: Connection interrupted
Aug 31 11:00:27 tande-iPad SpringBoard[91] : BSXPCMessage received error for message: Connection interrupted
Aug 31 11:00:27 tande-iPad com.apple.xpc.launchd[1] (UIKitApplication:com.elex-tech.ClashOfKings[0x85a8][9799]) : Service exited due to signal: Illegal instruction: 4
Aug 31 11:00:27 tande-iPad ReportCrash[9807] : Saved report to /var/mobile/Library/Logs/CrashReporter/IF_2015-08-31-110027_tande-iPad.ips
Aug 31 11:00:27 tande-iPad SpringBoard[91] : Application ‘UIKitApplication:com.elex-tech.ClashOfKings[0x85a8]’ crashed.
Aug 31 11:00:27 tande-iPad assertiond[111] : pid_suspend failed for <BKNewProcess: 0x13de17190; com.elex-tech.ClashOfKings; pid: 9799; hostpid: -1>: Unknown error: -1, Unknown error: -1
Aug 31 11:00:27 tande-iPad assertiond[111] : Could not set priority of <BKNewProcess: 0x13de17190; com.elex-tech.ClashOfKings; pid: 9799; hostpid: -1> to 2, priority: No such process
Aug 31 11:00:27 tande-iPad assertiond[111] : Could not set priority of <BKNewProcess: 0x13de17190; com.elex-tech.ClashOfKings; pid: 9799; hostpid: -1> to 4096, priority: No such process
Aug 31 11:00:27 tande-iPad SpringBoard[91] : Unable to deliver -[UIRemoteApplication showTopMostMiniAlertWithSynchronizationPort:] message to port 0: (ipc/send) invalid destination port
Aug 31 11:00:27 tande-iPad locationd[105] : Gesture EnabledForTopCLient: 0, EnabledInDaemonSettings: 0

kenny · 2015 年8 月 31 日 03:16

还有个问题比较疑惑，在lldb中使用 image -o -f,会出现没有起始地址的情况,如下：

[  0] 0x00000000000a0000 /private/var/mobile/Containers/Bundle/Application/E815FB79-EDAD-4C21-864D-33ABA2BCC70F/IF.app/IF(0x00000001000a0000)
[  1] 0x000000010144c000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x000000010144c000)
[  2] 0x0000000002c80000 /Users/xxx/Library/Developer/Xcode/iOS DeviceSupport/8.2 (12D508)/Symbols/usr/lib/libxml2.2.dylib
[  3] 0x0000000002c80000 /Users/xxx/Library/Developer/Xcode/iOS DeviceSupport/8.2 (12D508)/Symbols/usr/lib/libz.1.dylib
[  4] 0x0000000002c80000 /Users/xxx/Library/Developer/Xcode/iOS DeviceSupport/8.2 (12D508)/Symbols/usr/lib/libsqlite3.dylib

那这样不是找不到起始地址了吗？
我的环境是xcode6.4，ipad air2，iOS8.2 越狱

Barry · 2016 年7 月 19 日 14:53

确实会崩溃哦，奇怪，我也是iPad mini2。但是在iPhone5上hook send，不崩溃哦。。。做了很多尝试，还是不知道原因

Zhang · 2016 年7 月 20 日 03:40

又挖一年前的坟贴

Barry · 2016 年7 月 20 日 04:12

为了解决问题，都翻遍了 T_T

jsjcw · 2016 年8 月 3 日 01:21

不要用NSLog。。貌似NSLog底层也会调用到send函数，就死循环了，自己写日志文件出来就没事

jokerding · 2017 年9 月 14 日 01:31

@snakeninny
我按照你教的方法，详见http://bbs.iosre.com/t/hook-bundleid/4000
这个处理后，只要打开App就闪退，日志和上面贴出来的差不多，请问一下，是什么原因呢，如何解决，谢谢！