Jailbreak iPhone6 iOS11.1.2
Electra version: 1.0.4
Substitute version: 0.0.6-coolstar
First I checked the _MGCopyAnswer function, and in iOS 11 it is long enough.
__text:00000001813C0AAC ; =============== S U B R O U T I N E =======================================
__text:00000001813C0AAC
__text:00000001813C0AAC
__text:00000001813C0AAC EXPORT _MGCopyAnswer
__text:00000001813C0AAC _MGCopyAnswer
__text:00000001813C0AAC ; NOTE(review): the labelled entry has no frame-setup prologue and already
__text:00000001813C0AAC ; reads/writes arg_* stack slots, so this chunk may not be the true function
__text:00000001813C0AAC ; entry (the disassembler may have split a larger function here) -- confirm
__text:00000001813C0AAC ; that 0x1813C0AAC is the symbol address in the image loaded on the device
__text:00000001813C0AAC ; before treating it as the hook target.
__text:00000001813C0AAC
__text:00000001813C0AAC arg_18 = 0x18
__text:00000001813C0AAC arg_20 = 0x20
__text:00000001813C0AAC arg_28 = 0x28
__text:00000001813C0AAC arg_B8 = 0xB8
__text:00000001813C0AAC arg_C0 = 0xC0
__text:00000001813C0AAC arg_C8 = 0xC8
__text:00000001813C0AAC arg_D8 = 0xD8
__text:00000001813C0AAC arg_E0 = 0xE0
__text:00000001813C0AAC arg_E8 = 0xE8
__text:00000001813C0AAC arg_F8 = 0xF8
__text:00000001813C0AAC arg_108 = 0x108
__text:00000001813C0AAC arg_110 = 0x110
__text:00000001813C0AAC arg_118 = 0x118
__text:00000001813C0AAC
__text:00000001813C0AAC ; first four instructions after the labelled entry: these are what a
__text:00000001813C0AAC ; function hook has to relocate into its trampoline
__text:00000001813C0AAC ADD X8, X10, X8,LSL#3
__text:00000001813C0AB0 STP X8, X15, [SP,#arg_18]
__text:00000001813C0AB4 SBFM X8, X12, #0x3D, #0x1F
__text:00000001813C0AB8 STR X8, [SP,#arg_D8]
__text:00000001813C0ABC
__text:00000001813C0ABC loc_1813C0ABC ; CODE XREF: _MGCopyAnswer+12C�j
__text:00000001813C0ABC ; outer-loop head at entry+0x10; back-edge from 0x1813C0BD8 (CBNZ W14).
__text:00000001813C0ABC ; whether this target lies inside the hook's patch region depends on the
__text:00000001813C0ABC ; patch size Substitute uses on arm64 -- worth checking against the library
__text:00000001813C0ABC STR W14, [SP,#arg_B8]
__text:00000001813C0AC0 MOV X20, #0
__text:00000001813C0AC4 MOV X24, #0
__text:00000001813C0AC8 LDR X8, [SP,#arg_118]
__text:00000001813C0ACC MOV X21, X8
__text:00000001813C0AD0
__text:00000001813C0AD0 loc_1813C0AD0 ; CODE XREF: _MGCopyAnswer+B4�j
__text:00000001813C0AD0 ; inner-loop head; back-edge from 0x1813C0B60 (CBNZ W21)
__text:00000001813C0AD0 LDR X8, [SP,#arg_110]
__text:00000001813C0AD4 CBZ W8, loc_1813C0AE4
__text:00000001813C0AD8 LDRH W3, [X27]
__text:00000001813C0ADC CBNZ W3, loc_1813C0AE8
__text:00000001813C0AE0 B loc_1813C0B2C
__text:00000001813C0AE4 ; ---------------------------------------------------------------------------
__text:00000001813C0AE4
__text:00000001813C0AE4 loc_1813C0AE4 ; CODE XREF: _MGCopyAnswer+28�j
__text:00000001813C0AE4 MOV W3, #0xFFFF
__text:00000001813C0AE8
__text:00000001813C0AE8 loc_1813C0AE8 ; CODE XREF: _MGCopyAnswer+30�j
__text:00000001813C0AE8 CBZ W13, loc_1813C0B04
__text:00000001813C0AEC LDRH W1, [X28,X24]
__text:00000001813C0AF0 CBNZ W1, loc_1813C0B08
__text:00000001813C0AF4 LDR X8, [X23]
__text:00000001813C0AF8 STR X8, [X19,X20]
__text:00000001813C0AFC STRH W3, [X28,X24]
__text:00000001813C0B00 B loc_1813C0B2C
__text:00000001813C0B04 ; ---------------------------------------------------------------------------
__text:00000001813C0B04
__text:00000001813C0B04 loc_1813C0B04 ; CODE XREF: _MGCopyAnswer:loc_1813C0AE8�j
__text:00000001813C0B04 MOV W1, #0xFFFF
__text:00000001813C0B08
__text:00000001813C0B08 loc_1813C0B08 ; CODE XREF: _MGCopyAnswer+44�j
__text:00000001813C0B08 LDR X0, [X19,X20]
__text:00000001813C0B0C LDR X2, [X23]
__text:00000001813C0B10 MOV X26, X30
__text:00000001813C0B14 BL sub_1813CA6F8
__text:00000001813C0B18 MOV X30, X26
__text:00000001813C0B18 ; X30 is parked in X26 across the BL above and restored here; the caller's
__text:00000001813C0B18 ; return address is therefore carried in X26/X30 rather than on the stack
__text:00000001813C0B1C LDR X13, [SP,#arg_108]
__text:00000001813C0B20 STR X0, [X19,X20]
__text:00000001813C0B24 CBZ W13, loc_1813C0B2C
__text:00000001813C0B28 STRH W1, [X28,X24]
__text:00000001813C0B2C
__text:00000001813C0B2C loc_1813C0B2C ; CODE XREF: _MGCopyAnswer+34�j
__text:00000001813C0B2C ; _MGCopyAnswer+54�j ...
__text:00000001813C0B2C LDP X9, X8, [SP,#arg_E8]
__text:00000001813C0B30 ADD X8, X23, X8,LSL#3
__text:00000001813C0B34 ADD X9, X27, X9,LSL#1
__text:00000001813C0B38 ADD X10, X8, X25,LSL#3
__text:00000001813C0B3C ADD X11, X9, X25,LSL#1
__text:00000001813C0B40 CMP X8, X30
__text:00000001813C0B44 CSEL X27, X9, X11, CC
__text:00000001813C0B48 CSEL X23, X8, X10, CC
__text:00000001813C0B4C LDR X8, [SP,#arg_E0]
__text:00000001813C0B50 ADD X24, X24, X8
__text:00000001813C0B54 LDR X8, [SP,#arg_D8]
__text:00000001813C0B58 ADD X20, X20, X8
__text:00000001813C0B5C SUB W21, W21, #1
__text:00000001813C0B60 CBNZ W21, loc_1813C0AD0
__text:00000001813C0B60 ; end of inner loop: W21 counts down to zero
__text:00000001813C0B64 LDP X15, X14, [SP,#arg_C8]
__text:00000001813C0B68 LDP X17, X0, [SP,#arg_F8]
__text:00000001813C0B6C ADD X8, X17, X15,LSL#3
__text:00000001813C0B70 ADD X9, X0, X14,LSL#1
__text:00000001813C0B74 LDP X12, X11, [SP,#arg_28]
__text:00000001813C0B78 ADD X10, X8, X11,LSL#3
__text:00000001813C0B7C ADD X11, X30, X11,LSL#3
__text:00000001813C0B80 ADD X12, X9, X12,LSL#1
__text:00000001813C0B84 LDR X16, [SP,#arg_C0]
__text:00000001813C0B88 CMP X8, X16
__text:00000001813C0B8C CSEL X11, X30, X11, CC
__text:00000001813C0B90 ADD X11, X11, X15,LSL#3
__text:00000001813C0B94 CSEL X9, X9, X12, CC
__text:00000001813C0B98 CSEL X8, X8, X10, CC
__text:00000001813C0B9C ADD X10, X27, X14,LSL#1
__text:00000001813C0BA0 CMP X16, #0
__text:00000001813C0BA4 CSEL X0, X9, X0, NE
__text:00000001813C0BA8 CSEL X27, X9, X10, NE
__text:00000001813C0BAC CSEL X30, X11, X30, NE
__text:00000001813C0BB0 CSEL X17, X8, X17, NE
__text:00000001813C0BB4 STP X17, X0, [SP,#arg_F8]
__text:00000001813C0BB8 ADD X9, X23, X15,LSL#3
__text:00000001813C0BBC CSEL X23, X8, X9, NE
__text:00000001813C0BC0 LDR X8, [SP,#arg_20]
__text:00000001813C0BC4 ADD X28, X28, X8
__text:00000001813C0BC8 LDR X8, [SP,#arg_18]
__text:00000001813C0BCC ADD X19, X19, X8
__text:00000001813C0BD0 LDR W14, [SP,#arg_B8]
__text:00000001813C0BD4 SUB W14, W14, #1
__text:00000001813C0BD8 CBNZ W14, loc_1813C0ABC
__text:00000001813C0BD8 ; end of outer loop: W14 reloaded from arg_B8, decremented, back to entry+0x10
__text:00000001813C0BDC B loc_1813C14B0
__text:00000001813C0BDC ; tail branch to loc_1813C14B0, which is outside this listing
__text:00000001813C0BDC ; End of function _MGCopyAnswer
But substitute_hook_functions returned a different error:
/* substitute_hook_functions: can't patch a function because one of the
* instructions within the patch region is one of a few special problematic
* cases - if you get this on real code, the library should probably be
* updated to handle that case properly */
SUBSTITUTE_ERR_FUNC_BAD_INSN_AT_START = 2,
Here is my hook code in Tweak.xm:
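/* Logos constructor: install the MGCopyAnswer hook when the tweak is loaded.
 *
 * The Substitute calls are made outside assert() so they still execute when
 * the tweak is built with NDEBUG (a call placed inside assert() is compiled
 * out entirely, which would silently skip the symbol lookup).
 *
 * A non-zero result from substitute_hook_functions means no hook was
 * installed and orig_MGCopyAnswer stays NULL. The value is logged so a case
 * such as SUBSTITUTE_ERR_FUNC_BAD_INSN_AT_START (Substitute refused to
 * relocate an instruction in the patch region -- a property of the target
 * code, not of this constructor) shows up in the log instead of failing
 * silently. */
%ctor {
    substitute_image *im = substitute_open_image("/usr/lib/libMobileGestalt.dylib");
    assert(im);

    const char *names[] = { "_MGCopyAnswer" };
    void *symbol = NULL;
    /* Private-symbol lookup; 0 means success. &symbol is already a void **. */
    int found = substitute_find_private_syms(im, names, &symbol, 1);
    assert(!found);
    (void)found;
    assert(symbol);

    substitute_function_hook hooks[] = {
        {symbol, (void *)new_MGCopyAnswer, (void *)&orig_MGCopyAnswer},
    };
    int ret = substitute_hook_functions(hooks, sizeof(hooks) / sizeof(*hooks), NULL, 0);

    /* The image handle was only needed for the symbol lookup; the resolved
     * address stays usable because the library itself remains loaded. */
    substitute_close_image(im);

    LOG(@"%d", ret);
    %init(HZGroup);
}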
/* Trampoline to the original MGCopyAnswer. substitute_hook_functions fills it
 * in through the hooks[] entry in %ctor; it is NULL until that call succeeds. */
static CFPropertyListRef (*orig_MGCopyAnswer)(CFStringRef prop);
/* Replacement for MGCopyAnswer installed by the %ctor hook.
 *
 * Forwards the query to the original implementation through the
 * orig_MGCopyAnswer trampoline, logs the key/value pair, and returns the
 * original's result to the caller unchanged. The logged answers may include
 * device identifiers, so this logging is meant for debugging only. */
CFPropertyListRef new_MGCopyAnswer(CFStringRef prop) {
    CFPropertyListRef answer = orig_MGCopyAnswer(prop);

    NSString *key = (__bridge NSString *)prop;
    id value = (__bridge id)answer;
    LOG(@"MGCopyAnswer - %@ : %@\n", key, value);

    return answer;
}
Actually, I also got a crash when I used MSHookFunction or %hookf.
Any ideas?
Thanks