首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. iOS安全
    3. 发新帖
[求助]Hook MGCopyAnswer 必然闪退,求解。
发表于: 2016-4-29 17:36 17458

[求助]Hook MGCopyAnswer 必然闪退,求解。

lorndragon 活跃值
2016-4-29 17:36
17458
很简单一段代码:

#import <substrate.h>

extern "C" CFTypeRef MGCopyAnswer(CFStringRef);
MSHook(CFTypeRef, MGCopyAnswer, CFStringRef key)
{
return _MGCopyAnswer(key);
}

%ctor
{
NSString *appID = [[NSBundle mainBundle] bundleIdentifier];
if ( appID && [appID isEqualToString:@"com.test.test"]) //这里的ID是演示用的,可自己修改成目标进程ID
{
NSLog(@"[test] %@ 开始, IOS版本: %.1f...", appID, kCFCoreFoundationVersionNumber);
MSHookFunction(MGCopyAnswer, MSHake(MGCopyAnswer));
}
}

MAKEFILE:

ARCHS = armv7 armv7s arm64
TARGET = iphone:latest:8.0
test2_FRAMEWORKS = UIKit

include theos/makefiles/common.mk

TWEAK_NAME = test2
test2_FILES = Tweak.xm
test2_LIBRARIES = MobileGestalt

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
install.exec "killall -9 SpringBoard"


在arm64下必然引起闪退,注释掉 MSHookFunction(MGCopyAnswer, MSHake(MGCopyAnswer)); 就没事了,求解~

附上崩溃日志:
Version: 1.44 (1.4)
Code Type: ARM-64 (Native)
Parent Process: launchd [1]

Date/Time: 2016-04-25 01:09:31.810 +0800
Launch Time: 2016-04-25 01:09:31.564 +0800
OS Version: iOS 8.3 (12F70)
Report Version: 105

Exception Type: EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x000000000068fe68
Triggered by Thread: 0

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libMobileGestalt.dylib 0x0000000195af7e84 0x195af4000 + 16004
1 libMobileGestalt.dylib 0x0000000195af82bc MGGetBoolAnswer + 32
2 AppSupport 0x000000018b020594 __CPIsInternalDevice_block_invoke + 16
3 libdispatch.dylib 0x0000000196c99950 _dispatch_client_callout + 12
4 libdispatch.dylib 0x0000000196c9a828 dispatch_once_f + 92
5 AppSupport 0x000000018b02057c CPIsInternalDevice + 60
6 UIKit 0x0000000189b58750 ___UIApplicationUsesAlternateUI_block_invoke + 12
7 libdispatch.dylib 0x0000000196c99950 _dispatch_client_callout + 12
8 libdispatch.dylib 0x0000000196c9a828 dispatch_once_f + 92
9 UIKit 0x0000000189923750 UIApplicationInitialize + 1872
10 UIKit 0x0000000189922b1c UIApplicationMain + 320


MGCopyAnswer:
-> 0x193a7fe84 <+0>: .long 0x002d7c28 ; unknown opcode
0x193a7fe88 <+4>: .long 0x00000001 ; unknown opcode
0x193a7fe8c <+8>: stp x20, x19, [sp, #32]
0x193a7fe90 <+12>: stp x29, x30, [sp, #48]
0x193a7fe94 <+16>: add x29, sp, #48
0x193a7fe98 <+20>: sub sp, sp, #48
0x193a7fe9c <+24>: mov x19, x1
0x193a7fea0 <+28>: mov x22, x0
0x193a7fea4 <+32>: movz w0, #0
0x193a7fea8 <+36>: bl 0x193a7f564 ; ___lldb_unnamed_function54$$libMobileGestalt.dylib
0x193a7feac <+40>: orr w1, wzr, #0x1
0x193a7feb0 <+44>: mov x0, x22
0x193a7feb4 <+48>: bl 0x193a7f5fc ; ___lldb_unnamed_function56$$libMobileGestalt.dylib
0x193a7feb8 <+52>: mov x21, x0
0x193a7febc <+56>: movz w20, #0
0x193a7fec0 <+60>: cbz x21, 0x193a7fefc ; <+120>
0x193a7fec4 <+64>: ldr w20, [x21, #148]
0x193a7fec8 <+68>: mov x0, x21


orig_MGCopyAnswer
0x104234000: movz x1, #0
0x104234004: stp x24, x23, [sp, #-64]!
0x104234008: stp x22, x21, [sp, #16]
0x10423400c: ldr x16, #8
0x104234010: br x16
0x104234014: .long 0x93a7fe8c ; unknown opcode
0x104234018: .long 0x00000001 ; unknown opcode

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 0
支持
分享
最新回复 (3)
逆羊羊
雪    币: 6
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
hook其他app中的MGCopyAnswer不能直接hook MGCopyAnswer,app调用dlopen dlsym打开MobileGestalt后MGCopyAnswer才能加载到内存,先hook dlsym就行了,代码demo如下:

MSHookFunction( (void*)dlsym, (void*)newdlsym, (void**)&old_dlsym);
static void* newdlsym(void*handle,const char*symbol)
{ void *p = old_dlsym(handle,symbol);
   if(!strcmp(symbol,"MGCopyAnswer")){
   MSHookFunction( p, (void*)new__MGCopyAnswer, (void**)&orig__MGCopyAnswer);
        }
2016-5-12 15:19
0
srh
雪    币: 207
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
srh
3
请问这个方法现在还可以使用?在ios 不同的平台都可以?
2016-6-11 13:42
0
thilong
雪    币: 1
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
4
不能hook的原因是Substrate使用的是inline hook的方式,这个函数的长度并不支持做inline hook. 不过可以看出它是直接跳转到了它的下一个函数,而且只是有一个参数置0,所以直接hook它的下一个函数就可以了。
2016-7-22 08:14
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//