iOS reverse engineering: Hook methods and principles (Objective-C)
1. Introduction to Hook
"Hook" means changing the original execution flow of a program, much as a physical hook catches and redirects something. For example, suppose the execution flow of a program is A -> B -> C. If we insert a piece of code between A and B, or replace B outright, the program's original execution flow has changed. As shown in the figure below:
2. Method exchange principle
In iOS reverse engineering, if we want to Hook an Objective-C method, we mainly rely on the Objective-C runtime to change a method's implementation dynamically while the program is running. The runtime is implemented as a set of C/C++ and assembly APIs, usually referred to simply as Runtime. The following runtime functions are the ones mainly used in the Hook process:

method_exchangeImplementations:

    OBJC_EXPORT void
    method_exchangeImplementations(Method _Nonnull m1, Method _Nonnull m2)
        OBJC_AVAILABLE(10.5, 2.0, 9.0, 1.0, 2.0);

class_replaceMethod:

    OBJC_EXPORT IMP _Nullable
    class_replaceMethod(Class _Nullable cls, SEL _Nonnull name, IMP _Nonnull imp,
                        const char * _Nullable types)
        OBJC_AVAILABLE(10.5, 2.0, 9.0, 1.0, 2.0);

setIMP & getIMP:

    OBJC_EXPORT IMP _Nonnull
    method_setImplementation(Method _Nonnull m, IMP _Nonnull imp)
        OBJC_AVAILABLE(10.5, 2.0, 9.0, 1.0, 2.0);

    OBJC_EXPORT IMP _Nullable
    class_getMethodImplementation(Class _Nullable cls, SEL _Nonnull name)
        OBJC_AVAILABLE(10.5, 2.0, 9.0, 1.0, 2.0);
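The following is an added example, not code from the original article. It shows the two Method-level functions listed above in use: method_exchangeImplementations to swap a method with a logging wrapper, and class_replaceMethod to point a selector at a plain C function while keeping the original IMP reachable. This is the kind of instrumentation used during dynamic analysis to see which methods are called and with what arguments. The class Account, its method saveRecord:, and the hook_ naming are made up for this demonstration; every runtime call is from <objc/runtime.h>.

```objectivec
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Hypothetical target class for the demonstration (not from the article).
@interface Account : NSObject
- (BOOL)saveRecord:(NSString *)name;
@end

@implementation Account
- (BOOL)saveRecord:(NSString *)name {
    NSLog(@"[Account] original saveRecord: %@", name);
    return name.length > 0;
}
@end

// The category supplies the replacement method. Once the IMPs are exchanged,
// "saveRecord:" runs this body and "hook_saveRecord:" runs the original body.
@interface Account (Hook)
- (BOOL)hook_saveRecord:(NSString *)name;
@end

@implementation Account (Hook)
- (BOOL)hook_saveRecord:(NSString *)name {
    NSLog(@"[Hook] saveRecord: called with %@", name);
    // The selectors are swapped at this point, so this call reaches the original body.
    return [self hook_saveRecord:name];
}
@end

// method_exchangeImplementations: swap the IMPs held by two Method structs.
static void swizzleSaveRecord(void) {
    Class cls = [Account class];
    Method original = class_getInstanceMethod(cls, @selector(saveRecord:));
    Method hooked   = class_getInstanceMethod(cls, @selector(hook_saveRecord:));
    if (original && hooked) {
        method_exchangeImplementations(original, hooked);
    }
}

// class_replaceMethod: point a SEL at a plain C function. The original IMP is
// saved beforehand so the replacement can still call through to it.
static IMP gOriginalDescription = NULL;

static NSString *hookedDescription(id self, SEL _cmd) {
    NSString *orig = ((NSString *(*)(id, SEL))gOriginalDescription)(self, _cmd);
    return [NSString stringWithFormat:@"<hooked> %@", orig];
}

static void replaceDescription(void) {
    Class cls = [Account class];
    // Account inherits -description from NSObject, so the Method found here
    // belongs to NSObject; class_replaceMethod then adds an override to Account
    // instead of modifying NSObject itself.
    Method m = class_getInstanceMethod(cls, @selector(description));
    gOriginalDescription = method_getImplementation(m);
    class_replaceMethod(cls, @selector(description),
                        (IMP)hookedDescription, method_getTypeEncoding(m));
}

int main(void) {
    @autoreleasepool {
        Account *acct = [Account new];
        [acct saveRecord:@"before"];      // only the original body runs
        swizzleSaveRecord();
        [acct saveRecord:@"after"];       // hook body runs, then the original body
        replaceDescription();
        NSLog(@"%@", [acct description]); // prints "<hooked> <Account: 0x...>"
    }
    return 0;
}
```

Build with `clang -fobjc-arc -framework Foundation hook.m -o hook` on macOS. The exchange form is convenient when the replacement needs to call the original, because the original body stays reachable under the other selector; the replace form is the one to use when the replacement must be a C function whose address you already hold, and it also illustrates that class_replaceMethod adds a method to the subclass when the selector is only inherited.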
We also use these functions in ordinary development, but how do they actually implement method exchange and replacement? Looking at their parameters, we find four main types: Class, SEL, IMP, and Method. Let's look at each in turn.
1. Class: a pointer to an objc_class structure, which specifies which class an object belongs to.
2. Method: a pointer to an objc_method structure used to define a method; the structure is defined in the objc source code.
3. SEL: SEL also appears in the definition of Method. Let's see how this type is defined in Apple's official documentation.
4. IMP: IMP likewise appears in the definition of Method. Apple's official documentation defines IMP as follows:
All of the runtime functions listed above take SEL and IMP information as parameters. From the Apple documentation, we can see that:
SEL: Method selectors are used to represent the name of a method at runtime. A method selector is a C string that has been registered (or "mapped") with the Objective-C runtime.
IMP: This data type is a pointer to the start of the function that implements the method. This function uses standard C calling conventions as implemented for the current CPU architecture. The first argument is a pointer to self (that is, the memory for the particular instance of this class, or, for a class method, a pointer to the metaclass). The second argument is the method selector. The method arguments follow.
In other words, SEL is a C string that represents the name of a method, and IMP is the starting address of the method's implementation, a C function whose first two arguments are always self and _cmd. The relationship between SEL and IMP can be likened to a book's table of contents: SEL is the chapter title listed in the table of contents, and IMP is the page number printed next to it. When a method is called, the runtime uses the SEL to find the corresponding IMP, and through the IMP reaches the method's implementation. The diagram below illustrates this:
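To make the table-of-contents analogy concrete, here is an added example (not code from the original article) that walks the SEL -> IMP relationship directly: it registers the selector name as a C string, asks the runtime for the IMP that name maps to, calls that IMP as an ordinary C function with self and _cmd, and then uses method_setImplementation to change the "page number" the entry points to and restore it afterwards. The class Greeter, its method greet:, and the patchedGreet function are made up for this demonstration.

```objectivec
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Hypothetical class for the demonstration (not from the article).
@interface Greeter : NSObject
- (NSString *)greet:(NSString *)name;
@end

@implementation Greeter
- (NSString *)greet:(NSString *)name {
    return [NSString stringWithFormat:@"Hello, %@", name];
}
@end

// A replacement IMP. Every IMP takes self and _cmd first, then the declared
// arguments, exactly as the Apple documentation quoted above describes.
static NSString *patchedGreet(id self, SEL _cmd, NSString *name) {
    return [NSString stringWithFormat:@"[%@ via %s] Hi, %@",
            NSStringFromClass([self class]), sel_getName(_cmd), name];
}

// Function-pointer type matching the IMP of -[Greeter greet:].
typedef NSString *(*GreetIMP)(id, SEL, NSString *);

int main(void) {
    @autoreleasepool {
        Greeter *g = [Greeter new];

        // 1. The SEL is just the registered method name: the table-of-contents entry.
        //    sel_registerName yields the same SEL as @selector(greet:).
        SEL sel = sel_registerName("greet:");
        NSLog(@"SEL is the C string \"%s\"", sel_getName(sel));

        // 2. The runtime maps SEL -> IMP. Once we hold the IMP we can call it
        //    directly as a C function, supplying self and _cmd ourselves.
        IMP imp = class_getMethodImplementation([Greeter class], sel);
        NSLog(@"direct IMP call: %@", ((GreetIMP)imp)(g, sel, @"Alice"));

        // 3. Change the page number the entry points to; the name stays the same.
        //    method_setImplementation returns the IMP that was there before.
        Method m = class_getInstanceMethod([Greeter class], sel);
        IMP previous = method_setImplementation(m, (IMP)patchedGreet);
        NSLog(@"after setImplementation: %@", [g greet:@"Alice"]);  // patched body
        NSLog(@"previous IMP is the original: %d", previous == imp); // prints 1

        // 4. Restore the original IMP so code that relies on the original
        //    behaviour is unaffected once the inspection is done.
        method_setImplementation(m, previous);
        NSLog(@"restored: %@", [g greet:@"Alice"]);
    }
    return 0;
}
```

Build with `clang -fobjc-arc -framework Foundation selimp.m -o selimp`. Step 2 is the key observation: a message send like [g greet:@"Alice"] is nothing more than the lookup in step 2 followed by the direct call, which is why changing the IMP behind a SEL changes what every caller of that method runs without touching any call site.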
3. Summary
In reverse engineering, Hooking an Objective-C method means changing the IMP that its SEL points to, so that the lookup lands on a different implementation address and a different method body is executed. The limitation of this technique is that it works only for Objective-C methods, not for C functions. In the next article, we'll explore how to Hook a C function and how the Fishhook library works.