HOOK summary

HOOK Chinese translated into “ hook ” or “ hook ”. stay iOS Reverse means Change the program running process A technique . adopt HOOK Technology allows other people's programs to execute their own code . This technique is often used in reverse engineering . So in the process of learning , We should focus on understanding its principle , This can effectively protect malicious code .

iOS in HOOK Several ways of Technology

• Method Swizzle： It is mainly used for OC Method , utilize OC Of Runtime characteristic , The dynamic change SEL（ Method number ） and IMP（ Method realization ） Correspondence of , achieve OC The purpose of the method call process change , This technology is prior to 11 - Code injection Used .
• fishhook：Facebook One of the Dynamically modify links MachO file Tools for . utilize MachO File loading principle , By modifying the Lazy loading and non lazy loading Pointers to two tables , Reach the right C Function HOOK Purpose , Official address
• Cydia Substrate： It was originally called Mobile Substrate, Its main function is to OC Method 、C Function and function address Conduct HOOK operation . Of course, it's not just about iOS And designed , Android can also be used , Official address

Method Swizzle

utilize OC Of Runtime characteristic , The dynamic change SEL（ Method number ） and IMP（ Method realization ） Correspondence of , achieve OC The purpose of the method call process change . It is mainly used for OC Method .

stay OC in ,SEL and IMP The relationship between , It is like the relationship between the title and page number in the table of contents of a book .

SEL It's the method number , It can be compared to the title in the table of contents . IMP Is the address of the method implementation , It can be compared to the page number in the table of contents .

Method Swizzle Technology is through runtime Provided function modification SEL and IMP Correspondence of

Cydia Substrate

Cydia Substrate Mainly by 3 Part of it is made up of ：

1. MobileHooker
2. MobileLoader
3. safe mode

MobileHooker

It defines a series of Macros and functions , Bottom call objc Of runtime and fishhook To replace the function of the system or target application .

It has two important functions

• MSHookMessageEx： Mainly for Objective-C Method

void MSHookMessageEx(Class class, SEL selector, IMP replacement, IMP result) 

• MSHookFunction： Mainly for C and C++ function ,Logos The grammatical %hook This is to encapsulate the following functions

void MSHookFunction(void function, void* replacement, void** p_original)

MobileLoader

MobileLoader Used to load third party dylib Into the running application . Startup time MobileLoader The third-party dynamic library of the specified directory will be loaded according to the rules , The third-party dynamic library is the cracking program we wrote .

safe mode

The essence of cracking programs is dylib, Parasitic in the process of others . Once the system process goes wrong , Could cause the whole process to crash , It will cause iOS paralysis . therefore Cydia Substrate Introduced safe mode , In safe mode, all are based on Cydia Substratede Three parties of dylib Will be banned , Easy to check and repair .

fishhook

The key function

// The function used to rebind the symbol table , Use it in exchange for 
FISHHOOK_VISIBILITY
int rebind_symbols(struct rebinding rebindings[], size_t rebindings_nel);

Parameter description ：

• rebindings： Deposit rebinding An array of structs , Multiple functions can be exchanged at the same time .rebinding The structure is as follows ：

struct rebinding {
 const char *name;  // stay HOOK Name of function 
 void *replacement; // New function address 
 void **replaced;   // Original function address 
};

• rebindings_nel：rebindings Length of array .

HOOK The flow of system functions

Principle of external function call

When App start-up when ,dyld Read The main program MachO file , Will load Shared cache System libraries in , Of the system functions used in the program Real address Replace MachO Medium Placeholder address .

about MachO Code snippet in (__TEXT) Come on , It is read-only Of . At run time , You cannot directly modify the real address of an external function . In order to solve the above situation , Apple uses PIC technology （ Location independent code ）, When calling an external function , stay Compile phase , Will be in MachO Readable and writable data segment of , Defining symbols , Occupy 8 byte , Address used to store external functions . But what is temporarily stored in the compilation phase is Placeholder address . stay Runtime ,dyld Bind symbols Real function address . For code snippets , There is no change .

therefore , External call function , Not direct address access , Instead, you find the address through symbols . This one OC in SEL And IMP The corresponding relationship of is very similar . Such mechanism , Allows developers to dynamically HOOK External call function , stay OC Dynamic change in the market SEL And IMP Correspondence of , For external calling functions , What changes dynamically is the correspondence between symbols and addresses , The above operations are called ： Symbol table rebinding .

NSLog Calling process

1、 When app starts , determine ASLR, adopt lldb Medium image list You can view the current ASLR

among 0x0000000100d54000 Contains the program __PAGEZERO（0x100000000）, therefore ,ASLR by ：0x100d54000 - 0x100000000 = 0xd54000

2、 stay NSLog Stop before passing the breakpoint , Through assembly, you can see , The address at the current breakpoint is ：0x100d5a2a8 NSLog The sign is in Mach-O The offset in is ：0x100d5a2a8 - 0x100d54000 = 0x62A8

3、 View and execute 0x100d5a2a8 What's in the address

• Print content directly by address
• Mach-O View content
• Use dis -s Print

0x62A8 The content of is located in __TEXT paragraph Of __stubs in ,__stubs be called Symbolic pile , Its essence is a piece of code , Used to jump to the lazy loaded symbol table , Find the value of the corresponding symbol . here 0x62A8 Namely NSLog Pile of , The code content is as follows ：

(lldb) dis -s 0x100d5a2a8
testDyld`NSLog:
    0x100d5a2a8 <+0>: nop    
    0x100d5a2ac <+4>: ldr    x16, #0x5d54              ; (void *)0x0000000100d5a3d4
    0x100d5a2b0 <+8>: br     x16

How to jump to the lazy loading symbol table through the pile ？ Let's start with the address . 【1】 The address where the current program is running is ：0x100d5a2ac 【2】 take 0x100d5a2ac+0x5d54 Offset , obtain 0x0000000100d60000 【3】 For the sake of clarity 0x0000000100d60000 This value corresponds to Mach-O Which offset value , Need to put 0x0000000100d60000 - ASLR - Memory virtual address , namely 0x0000000100d60000 - 0x0000000000d54000 - 0x0000000100000000 = 0xC000 【4】 see Mach-O in 0xC000 The contents of the offset , That is, lazy loading in the symbol table NSLog Symbol pointer

【5】 Take out the lazy load symbol table ,NSLog The pointer corresponding to the symbol ：0x00000001000063D4, In memory ,0x00000001000063D4 + ASLR = 0x00000001000063D4 + 0x0000000000d54000 = 0x0000000100d5a3d4

【6】 Jump to 0x0000000100d5a3d4 Execute at address .0x0000000100d5a3d4 - ASLR - Virtual address = 0x0000000100d5a3d4 - 0x0000000000d54000 - 0x0000000100000000 = 0x63D4, stay MachO in , find offset 0x63D4, Point to __TEXT,__stubs_helper The code in , see Mach-O in 0x63D4 The contents of the offset

【7】 from Mach-O Can be seen in , Use b Instructions Jump to offset 0x63BC It's about . Reuse br Instructions Jump to offset 0x8008 It's about .

【8】 see Mach-O in 0x8008 The contents of the offset .

This is pointing to dyld_stub_binder function , This function is used for Symbol binding Of .

【9】dyld_stub_binder It is also an external function , How to find its address ？ from Mach-O in , You can see dyld_stub_binder The offset address of the function is 0x8008, But its value is all 0, Description in Mach-O No value in , and dyld_stub_binder The real address of the function is dyld When loading the main program , Will bind Non lazy load symbols and weak reference symbols , therefore dyld_stub_binder The value of a function , When the program starts, it is dyld Direct binding .

【10】 thus , When an external symbol is called for the first time , Already completed NSLog The symbol binding of , From the shared cache NSLog Take out the actual address of , And fill in 0x100d5a2a8 Compilation Division . After filling, see the following figure ：

【11】 When called the second time NSLog when , here , The symbol table stores NSLog The real address of , So you can jump directly to NSLog At the function of .

summary

• HOOK Definition ： A technique for changing the flow of program execution .
• HOOK Three common ways
  • Method Swizzle, utilize OC Runtime features , modify SEL and IMP Correspondence of .
  • fishHook,HOOK Common ways of external symbols , Modification change Symbols and addresses Correspondence of .
  • Cydia Substrate, The main function is to target OC Method 、C Function and function address Conduct HOOK operation
• External symbols call the process , With NSLog For example
  • 【 First step 】 adopt Code segment __TEXT in __stubs（ pile ） in addr Determine the location of the pile .
  • 【 The second step 】 take Memory address of the pile +ASLR obtain Contents of piles , Pile content is essentially a piece of code , Used to jump to the lazy load symbol table , Find the function implementation address of the corresponding symbol .
  • 【 The third step 】 When For the first time When calling an external symbol , The function address corresponding to the symbol is a placeholder address , Point to __stubs_helper The code in , By calling dyld_stub_binder function , perform Symbol binding .
  • 【 Step four 】 When Again load NSLog when , Since the symbol binding has been completed , therefore , The function address corresponding to the symbol is no longer a placeholder address , It is NSLog The real address of the function .