1. 首頁
  2. 問答
  3. mobilesubstrate可以掛鉤嗎?

mobilesubstrate可以掛鉤嗎?

2012-06-05 69 views
0

我想掛鉤在ImageIO框架中本地聲明的名爲png_handle_IHDR的函數。我使用MobileSafari作爲過濾器。但在調用原始功能時,mobilesafari崩潰。一旦NSLog的檢查,我得到這個:mobilesubstrate可以掛鉤嗎?

Jun 5 17:21:08 unknown MobileSafari[553] <Warning>: dlopen ImageIO success! 
Jun 5 17:21:08 unknown MobileSafari[553] <Warning>: Zeroing of nlist success! 
Jun 5 17:21:08 unknown MobileSafari[553] <Warning>: method name successfully assigned! 
Jun 5 17:21:08 unknown MobileSafari[553] <Warning>: nlist SUCCESS! nlsetting.. 
Jun 5 17:21:08 unknown MobileSafari[553] <Warning>: nlset success! Hooking.. 
Jun 5 17:21:09 unknown MobileSafari[553] <Warning>: Png IHDR handle hooking! 
Jun 5 17:21:09 unknown UIKitApplication:com.apple.mobilesafari[0x819][553] <Notice>: libpng error: Invalid IHDR chunk 
Jun 5 17:21:09 unknown ReportCrash[554] <Notice>: Formulating crash report for process MobileSafari[553] 
Jun 5 17:21:09 unknown com.apple.launchd[1] <Warning>: (UIKitApplication:com.apple.mobilesafari[0x819]) Job appears to have crashed: Abort trap: 6 
Jun 5 17:21:09 unknown SpringBoard[530] <Warning>: Application 'Safari' exited abnormally with signal 6: Abort trap: 6

我立即收集它極有可能是我的錯png_handle_IHDR的函數原型。以下是我的好辦法代碼:

#import <CoreFoundation/CoreFoundation.h> 
#include <substrate.h> 

#define ImageIO "/System/Library/Frameworks/ImageIO.framework/ImageIO" 

void (*png_handle_IHDR)(); 

MSHook(void, png_handle_IHDR){ 
    NSLog(@"Png IHDR handle hooking!\n"); 
    _png_handle_IHDR(); //crashed here!! 
    NSLog(@"Png IHDR handle hooking finished!\n"); 

} 

template <typename Type_> 
static void nlset(Type_ &function, struct nlist *nl, size_t index) { 
    struct nlist &name(nl[index]); 
    uintptr_t value(name.n_value); 
    if ((name.n_desc & N_ARM_THUMB_DEF) != 0) 
     value |= 0x00000001; 
    function = reinterpret_cast<Type_>(value); 
} 

MSInitialize { 

     if (dlopen(ImageIO, RTLD_LAZY | RTLD_NOLOAD)!=NULL) 
     {  
       NSLog(@"dlopen ImageIO success!\n"); 
       struct nlist nl[2]; 
       bzero(&nl, sizeof(nl)); 
       NSLog(@"Zeroing of nlist success!\n"); 
       nl[0].n_un.n_name = (char*) "_png_handle_IHDR"; 
       NSLog(@"method name successfully assigned!\n"); 
       nlist(ImageIO,nl); 
       NSLog(@"nlist SUCCESS! nlsetting..\n"); 
       nlset(png_handle_IHDR, nl, 0); 
       NSLog(@"nlset success! Hooking..\n"); 
       MSHookFunction(png_handle_IHDR,MSHake(png_handle_IHDR)); 
     }   
}

我的makefile文件是這樣的:

include theos/makefiles/common.mk 

TWEAK_NAME = privateFunctionTest 
privateFunctionTest_FILES = Tweak.xm 

include $(THEOS_MAKE_PATH)/tweak.mk 
privateFunctionTest_FRAMEWORKS = UIKit ImageIO CoreGraphics Foundation CoreFoundation

編輯:問題是,是知道需要一個成功的鉤子原函數的參數?如果是的話,從反彙編中獲得函數原型是唯一的方法嗎?在任何SDK頭文件中都沒有這個定義。謝謝。

來源

2012-06-05 gigasai

+0

爲什麼'nlist'而不是'dlsym'? – kennytm

+0

@KennyTM你的意思是'nlset(png_handle_IHDR,nl,0);'? – gigasai

+0

無論如何,主要問題歸結爲一個事實,即知道成功鉤子所需的原始函數參數? – gigasai

回答

2

好吧,我反編譯函數,並得到反編譯器猜測的函數原型。只要參數和返回類型廣泛匹配,例如bool : int,unsigned int : int,它仍然工作,沒有殺死執行。所以這個作品:

int *png_handle_IHDR(int a1, int a2, int a3); 

MSHook(int, png_handle_IHDR, int a1, int a2, int a3){ 

    NSLog(@"png_handle_IHDR(%d,%d,%d)", a1,a2,a3); 
    int val = _png_handle_IHDR(a1,a2,a3); 
    NSLog(@"Png IHDR handle hooking finished, returning %d as result!", val); 
    return val; 

}

來源

2012-06-07 03:18:00 gigasai

相關問題

 相關問題