Preface

In the article Hook/fishHook Principle and Symbol Table we covered the basic use of hooks and the principle behind them. In practice, though, reverse engineering needs a lot of hooks to trace business logic, and writing each one by hand against the runtime is too much work.

In real reverse-engineering work the most common tool for code injection and debugging is Cydia Substrate. It lets us hook a method of a class, read a class's properties, call the original implementation from inside the hook, and so on, and it is written in Logos syntax.

So this skill is essential for anyone doing iOS reverse engineering.

Cydia Substrate

Cydia Substrate is the foundation on which most tweaks (essentially dylibs) run. It has three main parts: MobileHooker, MobileLoader, and Safe Mode.

MobileHooker

This is the focus of this article.

As the name suggests, it does the hooking. It defines a set of macros and functions that replace system or target-application functions: Objective-C methods are swapped through the Objective-C runtime (method swizzling), while C and C++ functions are patched in place with a jump to the replacement (inline hooking). The two core functions are:

  • MSHookMessageEx hooks Objective-C methods

    void MSHookMessageEx(Class _class, SEL message, IMP hook, IMP *old);

    The last parameter receives the original implementation, so the replacement can still call it.

  • MSHookFunction hooks C and C++ functions

    void MSHookFunction(void *symbol, void *replace, void **result);

    symbol is the address of the function to hook, replace is the address of the replacement, and result receives a pointer through which the original function can still be called.

    Logos %hook expands to MSHookMessageEx, and %hookf expands to MSHookFunction.
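To make the expansion concrete, here is what a %hook and a %hookf boil down to when you call the two Substrate functions directly. This is an added example, not code from the original article; it assumes substrate.h from the Cydia Substrate SDK, and the target class ViewController with its -testFunc is a hypothetical name chosen to match the demo later on the page.

```objectivec
// Added example: direct MSHookMessageEx / MSHookFunction calls, i.e. what
// Logos generates for %hook and %hookf. Assumes <substrate.h> is available.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <substrate.h>
#include <stdio.h>

// --- MSHookMessageEx: an Objective-C method (hypothetical class/selector) ---

// The original IMP is stored here so the replacement can chain to it (%orig).
static void (*orig_testFunc)(id self, SEL _cmd);

// A replacement IMP has the method's signature plus the implicit self/_cmd.
static void hooked_testFunc(id self, SEL _cmd) {
    NSLog(@"[hook] -[%@ %@] called", [self class], NSStringFromSelector(_cmd));
    orig_testFunc(self, _cmd);   // equivalent of %orig
}

// --- MSHookFunction: a plain C function ----------------------------------------

static FILE *(*orig_fopen)(const char *path, const char *mode);

static FILE *hooked_fopen(const char *path, const char *mode) {
    // Logging every fopen is a quick way to see which files the target probes.
    NSLog(@"[hook] fopen(\"%s\", \"%s\")", path, mode);
    return orig_fopen(path, mode);
}

// __attribute__((constructor)) is what %ctor expands to: it runs when
// MobileLoader loads the dylib, before the app's own main().
__attribute__((constructor))
static void install_hooks(void) {
    // Resolve the class by name at run time, as %c(ViewController) does.
    // The class may be absent in this process, so check before hooking.
    Class cls = objc_getClass("ViewController");
    if (cls != Nil) {
        MSHookMessageEx(cls, @selector(testFunc),
                        (IMP)hooked_testFunc, (IMP *)&orig_testFunc);
    }

    // Hook the C function by address; Substrate patches its first
    // instructions and hands back a trampoline to the original.
    MSHookFunction((void *)fopen, (void *)hooked_fopen, (void **)&orig_fopen);
}
```

The nil check matters: calling MSHookMessageEx with a Nil class does nothing useful, and a tweak that is loaded into every process (see MobileLoader below) will often run where the target class does not exist.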

MobileLoader

MobileLoader loads third-party dylibs into running applications. When a process starts, MobileLoader loads the dynamic libraries from its DynamicLibraries directory (/Library/MobileSubstrate/DynamicLibraries) according to the filter rules in each library's accompanying .plist; those dynamic libraries are the tweaks we write.

Safe Mode

Tweaks are essentially dylibs that live inside other people's processes. If one of them fails inside a system process, the whole process can crash and iOS itself can become unusable. Cydia Substrate therefore provides Safe Mode, in which all third-party dylibs that depend on Cydia Substrate are disabled, so the faulty one can be found and fixed.

If a dylib keeps the device from booting normally (for example it is stuck on the white Apple logo, or the spinner keeps turning), force-restart it with Home + Lock and hold the volume-up button while it boots to disable Cydia Substrate and enter Safe Mode. Fix or remove the offending dylib, then reboot; Cydia Substrate is re-enabled automatically on the next start.

That long preamble was needed to make the relationship between Cydia Substrate and Logos clear.

Logos

Overview

Logos: iphonedevwiki.net/index.php/L…

Logos syntax is a set of preprocessor directives, shipped with Theos, that expand into Cydia Substrate calls, so developers can hook with a few directives instead of writing the MSHookMessageEx boilerplate by hand. The syntax is simple, powerful, and stable.

Logos directives fall into three main categories:

  • Block level

    • Directives of this type open a block of code that runs to the matching %end: %group, %hook, %subclass, %end.

  • Top level

    • Directives that are not placed inside a block-level directive: %config, %hookf, %ctor, %dtor.

  • Function level

    • Directives that are placed inside a method body: %init, %class, %c, %orig, %log.

Basic syntax

Hooking a method

%hook ClassName

// instance method
- (void)instanceMethod {
    %log;   // print the details of this method call
    %orig;  // run the original implementation
}

// class method
+ (void)classMethod {
    %log;   // print the details of this method call
    %orig;  // run the original implementation
}

%end

That is all it takes to hook a method; compared with calling MSHookMessageEx directly, both brevity and readability improve greatly.

Adding a new method

%hook ClassName

%new
- (void)newInstanceMethod {
}

%new
+ (void)newClassMethod {
}

%end

This adds an instance method and a class method to the class.

Note: %new marks a single method and takes no %end of its own; it must sit inside a %hook block.

Groups

Consider this code:

// groups
%group group1

%hook ClassName
- (void)instanceMethod {
    NSLog(@"Group one hooked");
}
%end

%end

%group group2

%hook ClassName
- (void)instanceMethod {
    NSLog(@"Group two hooked");
}
%end

%end

%ctor {
    %init(group1);
    %init(group2);
}

The console output shows that the hook from the second group is the one that runs.

%ctor is the constructor: it runs when the dylib is loaded.

Likewise, %dtor is the destructor.

So why does the second group's hook win?

The constructor initializes group1 first and then group2. Both hooks target the same method, so the second %init replaces the implementation installed by the first, and group two's replacement is the one that runs. Note that Substrate chains hooks rather than discarding them: group2's %orig would call group1's replacement, which in turn reaches the original. Neither hook here calls %orig, so only group two's log line appears.
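The chaining behaviour above, and the usual reason for using %group at all (installing hooks only under some run-time condition), as an added example that is not part of the original article. The class name ViewController, the selector -testFunc, the process name LBLogosOriginalDemo, and the iOS 13 method chosen for the conditional group are assumptions chosen to match the demo later on the page.

```objectivec
// Added example: two groups hooking the same method, initialized in order,
// plus a group that is only initialized when the running iOS supports it.
#import <UIKit/UIKit.h>

%group First
%hook ViewController
- (void)testFunc {
    NSLog(@"[First] before");
    %orig;   // when First is installed, "original" is the app's own -testFunc
    NSLog(@"[First] after");
}
%end
%end

%group Second
%hook ViewController
- (void)testFunc {
    NSLog(@"[Second] before");
    %orig;   // installed after First, so this calls First's replacement
    NSLog(@"[Second] after");
}
%end
%end

// Only meaningful on iOS 13+, where -isModalInPresentation exists; hooking a
// selector the class does not implement on older systems would do nothing.
%group Modern
%hook UIViewController
- (BOOL)isModalInPresentation {
    return NO;   // ignore %orig and make every sheet dismissible
}
%end
%end

%ctor {
    // MobileLoader injects the dylib into every process the filter plist
    // matches; an explicit process check keeps the hooks out of other apps.
    NSString *proc = [[NSProcessInfo processInfo] processName];
    if (![proc isEqualToString:@"LBLogosOriginalDemo"]) return;

    %init(First);
    %init(Second);
    // Calling -testFunc now logs, in order:
    //   [Second] before, [First] before, (original runs), [First] after, [Second] after

    if (@available(iOS 13.0, *)) {
        %init(Modern);
    }
}
```

The order of the %init calls is therefore the order of the chain: the group initialized last is the outermost layer, and each %orig peels back one layer until the original implementation runs.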

Calling class methods

In Objective-C we normally call a class method as [ClassName classMethod]. In a Logos file the tweak usually has no header declaring ClassName, so that line fails to compile. Instead we use %c, which resolves the class by name at run time:

[%c(ClassName) classMethod];

%c(ClassName) is simply objc_getClass("ClassName"), the same lookup NSClassFromString performs.

Case study

(Using Logos to hook a method, simulating the reverse-engineering workflow)

  • Prepare a target: create a new Xcode project and add a method:
#import "ViewController.h"

@interface ViewController ()

@end

@implementation ViewController

- (void)viewDidLoad {
    [super viewDidLoad];
}

- (void)testFunc{
    [[[UIAlertView alloc] initWithTitle:@"Tip" message:@"Source method" delegate:nil cancelButtonTitle:@"Sure" otherButtonTitles:@"Cancel", nil] show];
}

- (void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event{
    [self testFunc];
}
@end
  • Select the real device and the developer account, run the project, and locate the project's Mach-O file.
  • Run class-dump -H LBLogosOriginalDemo -o ./headers/ (if you are not familiar with class-dump, read the article Application Debugging and Code Modification (Hook)).
  • Open the generated header files to see the classes and methods.
  • Create a new MonkeyDev project, select the developer account and the real device, and run the empty MonkeyDev project once (this installs the provisioning profile).
  • Put our app's .app bundle into the MonkeyDev project's TargetApp directory.
  • Write the Logos:
#import <UIKit/UIKit.h>

%hook ViewController
- (void)testFunc{
    %log;
    [[[UIAlertView alloc] initWithTitle:@"Tip" message:@"Hook method" delegate:nil cancelButtonTitle:@"Sure" otherButtonTitles:@"Cancel", nil] show];
}
%end
  • Run the MonkeyDev project.

  • Tap the screen: the hooked alert appears instead of the original one.

  • At the same time, %log prints the details of the call to the console.
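Pulling together %hook, %new and %c from the sections above, here is a somewhat fuller tweak for the same demo app. It is an added example, not the article's own code: it keeps the original alert by calling %orig, adds a %new helper that dumps the hooked object's instance variables (the "obtain the properties of a class" use mentioned in the preface), and reaches UIApplication through %c. The class name ViewController and -testFunc follow the demo; the lb_ helper name is hypothetical, and the example assumes the class-dumped header is not imported.

```objectivec
// Added example: a richer Logos tweak for the demo app above.
#import <UIKit/UIKit.h>
#import <objc/runtime.h>

// Minimal declarations so the compiler accepts the selectors we send to self.
// (If the class-dumped ViewController.h is imported, drop the first interface.)
@interface ViewController : UIViewController
@end

@interface ViewController (LBTweak)
- (void)lb_dumpIvars;   // hypothetical helper added with %new below
@end

%hook ViewController

- (void)testFunc {
    %log;                 // receiver, selector and arguments go to the console

    // %c resolves UIApplication at run time; no header for it is needed here.
    UIWindow *window = [[%c(UIApplication) sharedApplication] keyWindow];
    NSLog(@"[tweak] key window: %@", window);

    [self lb_dumpIvars];  // inspect the object before the original runs
    %orig;                // keep the app's own alert
}

// %new adds a method the class never had; it takes no %end of its own.
%new
- (void)lb_dumpIvars {
    unsigned int count = 0;
    Ivar *ivars = class_copyIvarList([self class], &count);
    for (unsigned int i = 0; i < count; i++) {
        const char *name = ivar_getName(ivars[i]);
        const char *type = ivar_getTypeEncoding(ivars[i]);
        // Only object-typed ivars ('@' encoding) are safe to read as an id;
        // reading a scalar through object_getIvar would misinterpret the bits.
        id value = (type[0] == '@') ? object_getIvar(self, ivars[i]) : nil;
        NSLog(@"[ivar] %s (%s) = %@", name, type, value);
    }
    free(ivars);
}

%end

%ctor {
    // An explicit %ctor must call %init itself; without a %ctor, Logos
    // generates one that initializes the ungrouped hooks automatically.
    %init;
}
```

Because the hook calls %orig, the app's own alert still appears, so the tweak is purely additive: it logs and inspects without changing the visible behaviour, which is usually what you want while you are still mapping out the business logic.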

At this point we have walked through writing a real hook for a reverse-engineering task. In practice we usually combine dynamic debugging (LLDB, Cycript), static analysis (assembly), view debugging and other methods to work out the business logic; the actual code injection, however, is almost always done with hooks written in the way shown above.

More to come.