@chensh wrote:
Hello everyone, my copy of the book is the second edition.
In section 4.1.1, an iOSREHookTweak is built to hook three functions of the iOSRETargetApp application.
On page 83 the book says that after the Tweak is installed, running the app again should produce the following output:
Jul 1 11:15:14 ChenSH targetApp[914]: iOSRE: Found CPPFunction!
Jul 1 11:15:14 ChenSH targetApp[914]: iOSRE: Found CFunction!
Jul 1 11:15:14 ChenSH targetApp[914]: iOSRE: Found Short C Function!
Jul 1 11:15:14 ChenSH targetApp[914]: Junk:
Jul 1 11:15:14 ChenSH targetApp[914]: iOSRE: CPPFunction: This is a hijacked C++ function!
Jul 1 11:15:14 ChenSH targetApp[914]: Junk:
Jul 1 11:15:14 ChenSH targetApp[914]: iOSRE: CFunction: This is a hijacked C function!
Jul 1 11:15:14 ChenSH targetApp[914]: Junk:
Jul 1 11:15:14 ChenSH targetApp[914]: iOSRE: CPPFunction: This is a hijacked short C function from new__ZN8CPPClass11CPPFunctionEPKc!
The book says the last line appears because the direct hook on ShortCFunction failed.
But after writing the Tweak as described above, the result I got was:
Jul 1 11:54:29 ChenSH targetApp[976]: iOSRE: Found CPPFunction!
Jul 1 11:54:29 ChenSH targetApp[976]: iOSRE: Found CFunction!
Jul 1 11:54:29 ChenSH targetApp[976]: iOSRE: Found Short C Function!
Jul 1 11:54:30 ChenSH targetApp[976]: Junk:
Jul 1 11:54:30 ChenSH targetApp[976]: iOSRE: CPPFunction: This is a hijacked C++ function!
Jul 1 11:54:30 ChenSH targetApp[976]: Junk:
Jul 1 11:54:30 ChenSH targetApp[976]: iOSRE: CFunction: This is a hijacked C function!
Jul 1 11:54:30 ChenSH targetApp[976]: Junk:
Jul 1 11:54:30 ChenSH targetApp[976]: iOSRE: CFunction: This is a hijacked short C function from new_ShortCFunction!
This should mean that my hook on ShortCFunction is working. Below is the Tweak.xm code, identical to the book's.
```objectivec
#import <Foundation/Foundation.h>   // NSLog, @autoreleasepool
#import <string.h>                  // strcmp
#import <substrate.h>               // MSGetImageByName, MSFindSymbol, MSHookFunction

// Hook for the C++ member function CPPClass::CPPFunction(const char *).
// The mangled symbol name is used directly as the C identifier; the hidden
// `this` pointer arrives as the first argument.
void (*old__ZN8CPPClass11CPPFunctionEPKc)(void *, const char *);

void new__ZN8CPPClass11CPPFunctionEPKc(void *hiddenThis, const char *arg0)
{
    // ShortCFunction calls CPPFunction with exactly this string, so if the
    // direct hook on ShortCFunction does not take effect, the call is still
    // caught here and rewritten.
    if (strcmp(arg0, "This is a short C function!") == 0) {
        old__ZN8CPPClass11CPPFunctionEPKc(hiddenThis, "This is a hijacked short C function from new__ZN8CPPClass11CPPFunctionEPKc");
    } else {
        old__ZN8CPPClass11CPPFunctionEPKc(hiddenThis, "This is a hijacked C++ function!");
    }
}

// Hook for the plain C function CFunction(const char *).
void (*old_CFunction)(const char *);

void new_CFunction(const char *arg0)
{
    old_CFunction("This is a hijacked C function!");
}

// Hook for ShortCFunction(const char *), the very short function whose
// hook the book says fails.
void (*old_ShortCFunction)(const char *);

void new_ShortCFunction(const char *arg0)
{
    // Note: this calls the original CFunction, not old_ShortCFunction, which
    // is why the observed log line is prefixed "CFunction:".
    old_CFunction("This is a hijacked short C function from new_ShortCFunction!");
}

%ctor
{
    @autoreleasepool {
        MSImageRef image = MSGetImageByName("/Applications/targetApp.app/targetApp");

        void *__ZN8CPPClass11CPPFunctionEPKc = MSFindSymbol(image, "__ZN8CPPClass11CPPFunctionEPKc");
        if (__ZN8CPPClass11CPPFunctionEPKc) {
            NSLog(@"iOSRE: Found CPPFunction!");
        }
        MSHookFunction((void *)__ZN8CPPClass11CPPFunctionEPKc, (void *)&new__ZN8CPPClass11CPPFunctionEPKc, (void **)&old__ZN8CPPClass11CPPFunctionEPKc);

        void *_CFunction = MSFindSymbol(image, "_CFunction");
        if (_CFunction) {
            NSLog(@"iOSRE: Found CFunction!");
        }
        MSHookFunction((void *)_CFunction, (void *)&new_CFunction, (void **)&old_CFunction);

        void *_ShortCFunction = MSFindSymbol(image, "_ShortCFunction");
        if (_ShortCFunction) {
            NSLog(@"iOSRE: Found Short C Function!");
        }
        MSHookFunction((void *)_ShortCFunction, (void *)&new_ShortCFunction, (void **)&old_ShortCFunction);
    }
}
```
My system is iOS 9.0.2, the device is an iPhone 5s, and my theos version is ?? (how do I check the version again?); it is synced with the GitHub repository.
So does the example above show that MSHookFunction is now able to hook short functions, or is the result caused by something else?
Posts: 2
Participants: 1
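One thing worth checking before concluding that a hook on a very short function "works" is how many bytes the function body actually has to give up: an inline hook such as MSHookFunction overwrites the first instructions of the target with a jump to the replacement, so a function shorter than that jump sequence cannot be patched without clobbering whatever follows it. The script below is an added example (not code from the book, from the post above, or from Substrate itself) that estimates each code symbol's size from `nm -n` output by taking the gap to the next symbol, and flags anything smaller than an assumed per-architecture trampoline size. The `nm` listing is a constructed sample, and the byte thresholds in `TRAMPOLINE_BYTES` are assumptions for the illustration, not values taken from the Substrate source.

```python
import re

# Assumed number of bytes the inline hook must overwrite at the start of the
# target. These are assumptions for this illustration, not measured Substrate
# values; confirm them against the hooking library you actually use.
TRAMPOLINE_BYTES = {
    "arm64": 16,  # assumed: load of an absolute 8-byte target plus a branch
    "armv7": 8,   # assumed: pc-relative load of the target from a literal word
}

# Constructed sample in the format of `nm -n <binary>` (sorted by address).
# The addresses and gaps are invented and are not measurements of targetApp.
SAMPLE_NM_OUTPUT = """\
0000000100006f8c T _ShortCFunction
0000000100006f98 T __ZN8CPPClass11CPPFunctionEPKc
0000000100006fc4 T _CFunction
0000000100007000 T _main
0000000100007050 t _some_local_helper
"""

NM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)$")


def parse_nm(text):
    """Return [(address, name)] for code symbols (type T/t), sorted by address."""
    syms = []
    for line in text.splitlines():
        m = NM_LINE.match(line.strip())
        if not m:
            continue  # undefined symbols and blank lines have no address
        addr, kind, name = m.groups()
        if kind.lower() != "t":
            continue  # only __TEXT code symbols can be hooked this way
        syms.append((int(addr, 16), name))
    syms.sort()
    return syms


def symbol_sizes(syms):
    """Map name -> bytes to the next code symbol (None for the last symbol).

    The gap is an upper bound on the function's real length: it includes
    alignment padding and any literal pool placed after the body.
    """
    sizes = {}
    for (addr, name), (next_addr, _next_name) in zip(syms, syms[1:]):
        sizes[name] = next_addr - addr
    if syms:
        sizes[syms[-1][1]] = None
    return sizes


def hook_safety(text, arch):
    """Classify each code symbol as 'ok', 'too short' or 'unknown' for `arch`."""
    need = TRAMPOLINE_BYTES[arch]
    report = {}
    for name, size in symbol_sizes(parse_nm(text)).items():
        if size is None:
            report[name] = "unknown"
        elif size >= need:
            report[name] = "ok"
        else:
            report[name] = "too short"
    return report


if __name__ == "__main__":
    for arch in ("arm64", "armv7"):
        print(f"== {arch} (assumed trampoline {TRAMPOLINE_BYTES[arch]} bytes)")
        for name, verdict in hook_safety(SAMPLE_NM_OUTPUT, arch).items():
            print(f"{verdict:>9}  {name}")
```

Run it against a real listing with `nm -n /path/to/decrypted/targetApp` on the Mac (or on the device, if an `nm` build is installed there) and pipe the text into `hook_safety`. Because the gap between symbols is only an upper bound, "ok" means "not obviously too short", while "too short" is a strong hint that the patch is spilling into the next function, which is the situation the book describes. Different compiler versions and optimisation levels change function lengths and layout, so the same source can yield a hookable `ShortCFunction` on one build and not on another.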