@hongzhong wrote:
Jailbreak iPhone6 iOS11.1.2
Electra version: 1.0.4
Substitute version: 0.0.6-coolstar

Firstly I checked the function of _MGCopyAnswer and it is long enough in iOS 11.
```
__text:00000001813C0AAC ; =============== S U B R O U T I N E =======================================
__text:00000001813C0AAC
__text:00000001813C0AAC
__text:00000001813C0AAC                 EXPORT _MGCopyAnswer
__text:00000001813C0AAC _MGCopyAnswer
__text:00000001813C0AAC
__text:00000001813C0AAC arg_18          =  0x18
__text:00000001813C0AAC arg_20          =  0x20
__text:00000001813C0AAC arg_28          =  0x28
__text:00000001813C0AAC arg_B8          =  0xB8
__text:00000001813C0AAC arg_C0          =  0xC0
__text:00000001813C0AAC arg_C8          =  0xC8
__text:00000001813C0AAC arg_D8          =  0xD8
__text:00000001813C0AAC arg_E0          =  0xE0
__text:00000001813C0AAC arg_E8          =  0xE8
__text:00000001813C0AAC arg_F8          =  0xF8
__text:00000001813C0AAC arg_108         =  0x108
__text:00000001813C0AAC arg_110         =  0x110
__text:00000001813C0AAC arg_118         =  0x118
__text:00000001813C0AAC
__text:00000001813C0AAC                 ADD             X8, X10, X8,LSL#3
__text:00000001813C0AB0                 STP             X8, X15, [SP,#arg_18]
__text:00000001813C0AB4                 SBFM            X8, X12, #0x3D, #0x1F
__text:00000001813C0AB8                 STR             X8, [SP,#arg_D8]
__text:00000001813C0ABC
__text:00000001813C0ABC loc_1813C0ABC                           ; CODE XREF: _MGCopyAnswer+12C↓j
__text:00000001813C0ABC                 STR             W14, [SP,#arg_B8]
__text:00000001813C0AC0                 MOV             X20, #0
__text:00000001813C0AC4                 MOV             X24, #0
__text:00000001813C0AC8                 LDR             X8, [SP,#arg_118]
__text:00000001813C0ACC                 MOV             X21, X8
__text:00000001813C0AD0
__text:00000001813C0AD0 loc_1813C0AD0                           ; CODE XREF: _MGCopyAnswer+B4↓j
__text:00000001813C0AD0                 LDR             X8, [SP,#arg_110]
__text:00000001813C0AD4                 CBZ             W8, loc_1813C0AE4
__text:00000001813C0AD8                 LDRH            W3, [X27]
__text:00000001813C0ADC                 CBNZ            W3, loc_1813C0AE8
__text:00000001813C0AE0                 B               loc_1813C0B2C
__text:00000001813C0AE4 ; ---------------------------------------------------------------------------
__text:00000001813C0AE4
__text:00000001813C0AE4 loc_1813C0AE4                           ; CODE XREF: _MGCopyAnswer+28↑j
__text:00000001813C0AE4                 MOV             W3, #0xFFFF
__text:00000001813C0AE8
__text:00000001813C0AE8 loc_1813C0AE8                           ; CODE XREF: _MGCopyAnswer+30↑j
__text:00000001813C0AE8                 CBZ             W13, loc_1813C0B04
__text:00000001813C0AEC                 LDRH            W1, [X28,X24]
__text:00000001813C0AF0                 CBNZ            W1, loc_1813C0B08
__text:00000001813C0AF4                 LDR             X8, [X23]
__text:00000001813C0AF8                 STR             X8, [X19,X20]
__text:00000001813C0AFC                 STRH            W3, [X28,X24]
__text:00000001813C0B00                 B               loc_1813C0B2C
__text:00000001813C0B04 ; ---------------------------------------------------------------------------
__text:00000001813C0B04
__text:00000001813C0B04 loc_1813C0B04                           ; CODE XREF: _MGCopyAnswer:loc_1813C0AE8↑j
__text:00000001813C0B04                 MOV             W1, #0xFFFF
__text:00000001813C0B08
__text:00000001813C0B08 loc_1813C0B08                           ; CODE XREF: _MGCopyAnswer+44↑j
__text:00000001813C0B08                 LDR             X0, [X19,X20]
__text:00000001813C0B0C                 LDR             X2, [X23]
__text:00000001813C0B10                 MOV             X26, X30
__text:00000001813C0B14                 BL              sub_1813CA6F8
__text:00000001813C0B18                 MOV             X30, X26
__text:00000001813C0B1C                 LDR             X13, [SP,#arg_108]
__text:00000001813C0B20                 STR             X0, [X19,X20]
__text:00000001813C0B24                 CBZ             W13, loc_1813C0B2C
__text:00000001813C0B28                 STRH            W1, [X28,X24]
__text:00000001813C0B2C
__text:00000001813C0B2C loc_1813C0B2C                           ; CODE XREF: _MGCopyAnswer+34↑j
__text:00000001813C0B2C                                         ; _MGCopyAnswer+54↑j ...
__text:00000001813C0B2C                 LDP             X9, X8, [SP,#arg_E8]
__text:00000001813C0B30                 ADD             X8, X23, X8,LSL#3
__text:00000001813C0B34                 ADD             X9, X27, X9,LSL#1
__text:00000001813C0B38                 ADD             X10, X8, X25,LSL#3
__text:00000001813C0B3C                 ADD             X11, X9, X25,LSL#1
__text:00000001813C0B40                 CMP             X8, X30
__text:00000001813C0B44                 CSEL            X27, X9, X11, CC
__text:00000001813C0B48                 CSEL            X23, X8, X10, CC
__text:00000001813C0B4C                 LDR             X8, [SP,#arg_E0]
__text:00000001813C0B50                 ADD             X24, X24, X8
__text:00000001813C0B54                 LDR             X8, [SP,#arg_D8]
__text:00000001813C0B58                 ADD             X20, X20, X8
__text:00000001813C0B5C                 SUB             W21, W21, #1
__text:00000001813C0B60                 CBNZ            W21, loc_1813C0AD0
__text:00000001813C0B64                 LDP             X15, X14, [SP,#arg_C8]
__text:00000001813C0B68                 LDP             X17, X0, [SP,#arg_F8]
__text:00000001813C0B6C                 ADD             X8, X17, X15,LSL#3
__text:00000001813C0B70                 ADD             X9, X0, X14,LSL#1
__text:00000001813C0B74                 LDP             X12, X11, [SP,#arg_28]
__text:00000001813C0B78                 ADD             X10, X8, X11,LSL#3
__text:00000001813C0B7C                 ADD             X11, X30, X11,LSL#3
__text:00000001813C0B80                 ADD             X12, X9, X12,LSL#1
__text:00000001813C0B84                 LDR             X16, [SP,#arg_C0]
__text:00000001813C0B88                 CMP             X8, X16
__text:00000001813C0B8C                 CSEL            X11, X30, X11, CC
__text:00000001813C0B90                 ADD             X11, X11, X15,LSL#3
__text:00000001813C0B94                 CSEL            X9, X9, X12, CC
__text:00000001813C0B98                 CSEL            X8, X8, X10, CC
__text:00000001813C0B9C                 ADD             X10, X27, X14,LSL#1
__text:00000001813C0BA0                 CMP             X16, #0
__text:00000001813C0BA4                 CSEL            X0, X9, X0, NE
__text:00000001813C0BA8                 CSEL            X27, X9, X10, NE
__text:00000001813C0BAC                 CSEL            X30, X11, X30, NE
__text:00000001813C0BB0                 CSEL            X17, X8, X17, NE
__text:00000001813C0BB4                 STP             X17, X0, [SP,#arg_F8]
__text:00000001813C0BB8                 ADD             X9, X23, X15,LSL#3
__text:00000001813C0BBC                 CSEL            X23, X8, X9, NE
__text:00000001813C0BC0                 LDR             X8, [SP,#arg_20]
__text:00000001813C0BC4                 ADD             X28, X28, X8
__text:00000001813C0BC8                 LDR             X8, [SP,#arg_18]
__text:00000001813C0BCC                 ADD             X19, X19, X8
__text:00000001813C0BD0                 LDR             W14, [SP,#arg_B8]
__text:00000001813C0BD4                 SUB             W14, W14, #1
__text:00000001813C0BD8                 CBNZ            W14, loc_1813C0ABC
__text:00000001813C0BDC                 B               loc_1813C14B0
__text:00000001813C0BDC ; End of function _MGCopyAnswer
```
But I got another problem: substitute_hook_functions returns
```c
/* substitute_hook_functions: can't patch a function because one of the
 * instructions within the patch region is one of a few special problematic
 * cases - if you get this on real code, the library should probably be
 * updated to handle that case properly */
SUBSTITUTE_ERR_FUNC_BAD_INSN_AT_START = 2,
```
Here is my hook code in Tweak.xm:
```objc
#import <Foundation/Foundation.h>
#include <substitute.h>
#include <assert.h>

// LOG is defined elsewhere in the tweak; this fallback lets the file build alone.
#ifndef LOG
#define LOG(fmt, ...) NSLog(fmt, ##__VA_ARGS__)
#endif

// The original pointer and the replacement must be declared before %ctor,
// which references both of them.
static CFPropertyListRef (*orig_MGCopyAnswer)(CFStringRef prop);

CFPropertyListRef new_MGCopyAnswer(CFStringRef prop) {
    CFPropertyListRef tval = orig_MGCopyAnswer(prop);
    LOG(@"MGCopyAnswer - %@ : %@\n", (__bridge NSString*)prop, (__bridge id)tval);
    return tval;
}

// %group HZGroup ... %end is defined elsewhere in the tweak (not shown here).

%ctor {
    substitute_image *im = substitute_open_image("/usr/lib/libMobileGestalt.dylib");
    assert(im);

    // Resolve the private symbol; keep the call outside assert() so it is
    // not compiled away under NDEBUG.
    const char *names[] = { "_MGCopyAnswer" };
    void *symbol = NULL;
    int err = substitute_find_private_syms(im, names, &symbol, 1);
    assert(!err && symbol);

    substitute_function_hook hooks[] = {
        {symbol, (void*)new_MGCopyAnswer, (void*)&orig_MGCopyAnswer},
    };
    int ret = substitute_hook_functions(hooks, sizeof(hooks)/sizeof(*hooks), NULL, 0);
    LOG(@"%d", ret);   // 0 on success; 2 is SUBSTITUTE_ERR_FUNC_BAD_INSN_AT_START

    substitute_close_image(im);   // the handle is only needed for the symbol lookup
    %init(HZGroup);
}
```
Actually, I also got a crash when I used MSHookFunction or %hookf.
Any ideas?
Thanks
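Before trusting an error code from any inline-hooking library, it is worth reading the patch region off the listing yourself. The script below is an added example written for this thread, not code from the post, from Substitute or from the tweak: it parses an IDA-style listing, assumes a 16-byte patch (the size of a typical arm64 LDR X16 / BR X16 / .quad jump stub; the size Substitute really overwrites is not taken from the post), and flags the three things an inline hook cannot overwrite blindly: PC-relative instructions inside the region, branches from anywhere in the function that land inside the region, and a RET inside the region. The first sample is a trimmed copy of the listing in the post; the second is a constructed prologue that trips the checks. Substitute's own decoder applies its own rules, which this script does not reproduce, so a clean result here is a necessary check rather than a guarantee.

```python
"""Pre-flight check of an arm64 function's patch region before inline hooking."""
import re
from dataclasses import dataclass

# Assumption: a 16-byte patch (LDR X16, #8 ; BR X16 ; .quad target).
DEFAULT_PATCH_BYTES = 16

PC_RELATIVE = {"ADR", "ADRP", "B", "BL", "CBZ", "CBNZ", "TBZ", "TBNZ"}
BRANCHES = {"B", "BL", "CBZ", "CBNZ", "TBZ", "TBNZ"}
LITERAL_LOADS = {"LDR", "LDRSW", "PRFM"}
# Listing lines whose first token starts with one of these carry no instruction.
SKIP_PREFIXES = ("loc_", "sub_", "arg_", "var_", "EXPORT", "_")

ADDR_RE = re.compile(r"^__text:([0-9A-Fa-f]+)\s*(.*)$")
TARGET_RE = re.compile(r"\b(?:loc|sub)_([0-9A-Fa-f]+)\b")


@dataclass
class Insn:
    addr: int
    mnemonic: str   # base mnemonic: "B.NE" is recorded as "B"
    operands: str


def parse_listing(text):
    """Return the instructions of an IDA-style listing, in listing order."""
    insns = []
    for raw in text.splitlines():
        m = ADDR_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(2).split(";", 1)[0].strip()   # drop IDA comments
        if not body:
            continue
        parts = body.split(None, 1)
        head, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if head.startswith(SKIP_PREFIXES):           # labels, stack vars, directives
            continue
        insns.append(Insn(int(m.group(1), 16), head.upper().split(".")[0], rest.strip()))
    return insns


def is_pc_relative(insn):
    """True if the instruction encodes an offset from its own address."""
    if insn.mnemonic in PC_RELATIVE:
        return True
    # LDR Xn, =imm / LDR Xn, label is a literal load; [base, off] forms are not.
    return insn.mnemonic in LITERAL_LOADS and "[" not in insn.operands


def branch_target(insn):
    """Target of a direct branch, or None for non-branches and register branches."""
    if insn.mnemonic not in BRANCHES:
        return None
    m = TARGET_RE.search(insn.operands)
    return int(m.group(1), 16) if m else None


def check_patch_region(insns, patch_bytes=DEFAULT_PATCH_BYTES):
    """Report what a hook overwriting the first patch_bytes of the function disturbs."""
    if not insns:
        raise ValueError("empty listing")
    start, end = insns[0].addr, insns[0].addr + patch_bytes
    report = {"start": start, "end": end, "pc_relative_in_region": [],
              "branches_into_region": [], "ret_in_region": []}
    for insn in insns:
        in_region = start <= insn.addr < end
        if in_region and is_pc_relative(insn):
            report["pc_relative_in_region"].append((insn.addr, insn.mnemonic))
        if in_region and insn.mnemonic == "RET":
            report["ret_in_region"].append(insn.addr)
        target = branch_target(insn)
        # A branch to the entry itself re-enters the hook; a branch landing
        # strictly inside the region would execute the middle of the patch.
        if target is not None and start < target < end:
            report["branches_into_region"].append((insn.addr, target))
    report["safe"] = not (report["pc_relative_in_region"] or
                          report["branches_into_region"] or report["ret_in_region"])
    return report


# Trimmed from the post's listing of _MGCopyAnswer: entry, the loop head at
# loc_1813C0ABC, and the loop tail that branches back to it.
MGCOPYANSWER_LISTING = """
__text:00000001813C0AAC EXPORT _MGCopyAnswer
__text:00000001813C0AAC _MGCopyAnswer
__text:00000001813C0AAC arg_18 = 0x18
__text:00000001813C0AAC ADD X8, X10, X8,LSL#3
__text:00000001813C0AB0 STP X8, X15, [SP,#arg_18]
__text:00000001813C0AB4 SBFM X8, X12, #0x3D, #0x1F
__text:00000001813C0AB8 STR X8, [SP,#arg_D8]
__text:00000001813C0ABC loc_1813C0ABC ; CODE XREF: _MGCopyAnswer+12C
__text:00000001813C0ABC STR W14, [SP,#arg_B8]
__text:00000001813C0AC0 MOV X20, #0
__text:00000001813C0BD0 LDR W14, [SP,#arg_B8]
__text:00000001813C0BD4 SUB W14, W14, #1
__text:00000001813C0BD8 CBNZ W14, loc_1813C0ABC
__text:00000001813C0BDC B loc_1813C14B0
"""

# Constructed prologue (not from any real binary): ADRP at entry and a loop
# whose head sits four bytes into the patch region.
CONSTRUCTED_LISTING = """
__text:0000000100000000 ADRP X8, #0x100001000
__text:0000000100000004 loc_100000004
__text:0000000100000004 LDRB W9, [X0],#1
__text:0000000100000008 STRB W9, [X8],#1
__text:000000010000000C SUBS X1, X1, #1
__text:0000000100000010 B.NE loc_100000004
__text:0000000100000014 RET
"""

if __name__ == "__main__":
    for name, text in (("_MGCopyAnswer (post listing, trimmed)", MGCOPYANSWER_LISTING),
                       ("constructed prologue", CONSTRUCTED_LISTING)):
        for size in (16, 20):
            r = check_patch_region(parse_listing(text), size)
            print(f"{name}, {size}-byte patch: safe={r['safe']}, "
                  f"pc_relative={[hex(a) for a, _ in r['pc_relative_in_region']]}, "
                  f"branches_in={[(hex(f), hex(t)) for f, t in r['branches_into_region']]}")
```

On the post's listing the loop branch at 0x1813C0BD8 targets loc_1813C0ABC, which is exactly 16 bytes past the entry: a 16-byte patch leaves it just outside the region, while a 20-byte patch puts it inside and the script reports it. That boundary is the kind of detail to settle from the listing (and from the hooking library's actual patch size) before concluding that a function is long enough to hook.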
Posts: 3
Participants: 2