babbu
July 29, 2019, 15:38
1
Hi guys!
My issue:
I’ve an iOS app with dumped headers and I need to hook all methods from a specific class.
I’m able to hook all the methods I want on this interface, except for 3, which are not written “normally”. Here are the prototypes:
Strange prototype example:
- (id)00a30fa0be6c5788f:(id)arg1 5d24:(id)arg2 364e250b43:(id)arg3 ;
When I try to hook this strange prototype, the compiler returns the following error:
Tweak.x:290:49451: error: expected identifier
1 error generated.
make[3]: *** [/Users/kevinpiacentini/Documents/projects/snapchat-re/tweak-auth-server/.theos/obj/debug/armv7/Tweak.x.d1dc2df3.o] Error 1
make[2]: *** [/Users/kevinpiacentini/Documents/projects/snapchat-re/tweak-auth-server/.theos/obj/debug/armv7/snapchatauthserver.dylib] Error 2
make[1]: *** [internal-library-all_] Error 2
make: *** [snapchatauthserver.all.tweak.variables] Error 2
I’ve tried the following things, unsuccessfully:
- (id)(00a30fa0be6c5788f:(id)arg1 5d24:(id)arg2 364e250b43:(id)arg3 ; // adding ( )
- (id)@00a30fa0be6c5788f:(id)arg1 5d24:(id)arg2 364e250b43:(id)arg3 ; // adding @
- (id)@"00a30fa0be6c5788f":(id)arg1 5d24:(id)arg2 364e250b43:(id)arg3 ; // adding @""
- (id)"00a30fa0be6c5788f":(id)arg1 5d24:(id)arg2 364e250b43:(id)arg3 ; // adding ""
- (id)[00a30fa0be6c5788f]:(id)arg1 5d24:(id)arg2 364e250b43:(id)arg3 ; // adding [ ]
Does anybody know how I can deal with this method name? (edited)
1 like
Zhang
July 30, 2019, 00:55
3
By not using Theos. Something like this would do
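#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#include <limits.h>

// Replacement implementations; an IMP receives self and _cmd as its first two arguments.
static int foo(id self, SEL _cmd){
    return INT_MAX;
}
static BOOL foo2(id self, SEL _cmd){
    return NO;
}
// Runs automatically when the dylib is loaded.
__attribute__((constructor))
static void fool() {
    // Look the methods up by name at runtime, so no compile-time selector is needed.
    Method m1 = class_getInstanceMethod(NSClassFromString(@"CXApplication"),NSSelectorFromString(@"daysLeft"));
    Method m2 = class_getInstanceMethod(NSClassFromString(@"CXApplication"),NSSelectorFromString(@"isDemo"));
    method_setImplementation(m1, (IMP)foo);
    method_setImplementation(m2, (IMP)foo2);
    if(m1!=NULL && m2!=NULL){
        NSLog(@"AAA");
    }
}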
2 likes
babbu
July 30, 2019, 09:50
4
Thanks for your answer @Zhang!
I was able to find a solution by using basic method swizzling as you said, without using Theos.
The following code was working and allowed me to hook any method of the class by replacing NSSelectorFromString’s argument value.
Unfortunately, I’ve not seen any call for the function I was interested in.
static id foo(id obj){
    NSLog(@"------------------SWIZZLEEEED--------------%@", obj);
    return obj;
}
[...]
- (id)initWithBaseURL:(id)arg1 {
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        Class class = [self class];
        Method originalMethod = class_getInstanceMethod(class, NSSelectorFromString(@"00a30fa0be6c5788f"));
        method_setImplementation(originalMethod, (IMP)foo);
    });
    return ret;
}
Do you have any idea why these method / class names are composed of numbers?
Is it an error during the decryption process, or is it possible that the app generates class names on the fly?
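Each keyword of the prototype quoted in the first post starts with a digit, so the compiler lexes it as a number rather than an identifier, and the selector name the Objective-C runtime stores for a method with arguments includes one colon per argument. As an added example (not code from any poster in this thread), this Python sketch parses class-dump style declarations, flags selectors that cannot be written in source, and builds their full runtime names; the sample header and function names are constructed for illustration, and types are assumed to contain no nested parentheses.

```python
import re

# Constructed sample in class-dump style; the first line is the prototype from the thread.
SAMPLE_HEADER = """\
- (id)00a30fa0be6c5788f:(id)arg1 5d24:(id)arg2 364e250b43:(id)arg3 ;
- (id)initWithBaseURL:(id)arg1;
- (void)reset;
+ (id)sharedInstance;
"""

# "-" or "+", a parenthesised return type, then the selector body up to ";".
DECL = re.compile(r'^\s*([-+])\s*\(([^)]*)\)\s*(.*?)\s*;\s*$')
# One selector keyword: name, ":", "(type)", argument name.
PART = re.compile(r'([^\s:()]*)\s*:\s*\([^)]*\)\s*\w+')
C_IDENT = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')

def parse_declaration(line):
    """Return kind, full runtime selector and non-identifier keywords, or None."""
    m = DECL.match(line)
    if not m:
        return None
    kind, _ret, body = m.groups()
    parts = PART.findall(body)
    if parts:
        # Every argument contributes "keyword:" to the runtime selector name.
        selector = "".join(p + ":" for p in parts)
    else:
        # No arguments: the selector is the bare method name.
        parts, selector = [body], body
    # Empty keywords are legal in Objective-C; only non-empty ones are checked.
    invalid = [p for p in parts if p and not C_IDENT.match(p)]
    return {"kind": kind, "selector": selector, "invalid_parts": invalid}

def selectors_needing_runtime_lookup(header_text):
    """Selectors that can only be referenced by string at runtime, not in source."""
    found = []
    for line in header_text.splitlines():
        decl = parse_declaration(line)
        if decl and decl["invalid_parts"]:
            found.append(decl["selector"])
    return found

if __name__ == "__main__":
    for sel in selectors_needing_runtime_lookup(SAMPLE_HEADER):
        print(sel)
```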
Zhang
July 31, 2019, 13:08
5
Either they hacked Clang for obfuscation or Apple changed the ObjC language reference.
Haven’t written Swift/ObjC in ages, so I could be very wrong here.