MGCopy

capstoneHook64_capstoneHook32

disassemble MGCopyAnswer and locate the subroutine for hooking

Posted by kunnan on July 16, 2018

前言

  • libMobileGestalt.xm
  • ChangeCode.m
  • 当然有些app是直接使用sysctlbyname进行获取的设备信息此时就要直接 MSHookFunction(&sysctlbyname, &new_sysctlbyname, &old_sysctlbyname);// 可以考虑注释 具体的可以看这里

capstoneHook64

            if (insn[j].id == ARM64_INS_BL){

code

#import <substrate.h>
#import "capstone.h"
static CFStringRef (*old_MGCA)(CFStringRef Key);
CFStringRef new_MGCA(CFStringRef Key){
        CFStringRef Ret=old_MGCA(Key);
        NSLog(@"MGHooker:%@\nReturn Value:%@",Key,Ret);
        return Ret;
}
%ctor {
        void * Symbol=MSFindSymbol(MSGetImageByName("/usr/lib/libMobileGestalt.dylib"), "_MGCopyAnswer");
        NSLog(@"MG: %p",Symbol);
        csh handle;
        cs_insn *insn;
        cs_insn BLInstruction;
        size_t count;
        unsigned long realMGAddress=0;
        //MSHookFunction(Symbol,(void*)new_MGCA, (void**)&old_MGCA);
        if (cs_open(CS_ARCH_ARM64, CS_MODE_ARM, &handle) == CS_ERR_OK) {
          /*cs_disasm(csh handle,
          		const uint8_t *code, size_t code_size,
          		uint64_t address,
          		size_t count,
          		cs_insn **insn);*/
                count=cs_disasm(handle,(const uint8_t *)Symbol,0x1000,(uint64_t)Symbol,0,&insn);
                if (count > 0) {
                        NSLog(@"Found %lu instructions",count);
                        for (size_t j = 0; j < count; j++) {
                              NSLog(@"0x%" PRIx64 ":\t%s\t\t%s\n", insn[j].address, insn[j].mnemonic,insn[j].op_str);
                                if(insn[j].id==ARM64_INS_B){
                                  BLInstruction=insn[j];
                                  sscanf(BLInstruction.op_str, "#%lx", &realMGAddress);
                                  break;
                                }
                        }

                        cs_free(insn, count);
                } else{
                  NSLog(@"ERROR: Failed to disassemble given code!%i \n",cs_errno(handle));
                }


                cs_close(&handle);

                //Now perform actual hook
                MSHookFunction((void*)realMGAddress,(void*)new_MGCA, (void**)&old_MGCA);
}
else{
        NSLog(@"MGHooker: CSE Failed");
}
}

plist

  • plist

    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Filter</key>
	<dict>
		<key>Bundles</key>
		<array>
			<string>com.apple.UIKit</string>
		</array>
        <key>Executables</key>
        <array>
            <string>MobileGestaltHelper</string>
        </array>
        <key>Mode</key>
        <string>Any</string>
	</dict>
</dict>
</plist>

capstoneHook32

            if (insn[j].id == ARM_INS_BL){

code

See Also

/Users/devzkn/bin//knpost capstoneHook64_capstoneHook32 disassemble MGCopyAnswer and locate the subroutine for hooking -t MGCopy
#原来""的参数,需要自己加上""

转载请注明: > capstoneHook64_capstoneHook32

Search
    CATALOG
      FEATURED TAGS
      iOS Debug Open_Source_Framework RunLoop Swift Xcode ReactiveCocoa Runtime Mac Efficiency Terminal Git objc CocoaPods ruby shell iosre Cycript OutlineOfChineseHistory Workplace GoogleMethodology Search CocoaTouchStaticLibrary ReadaBookEveryDay miniprogram es6 internet py Xiang_Shuai_Beida_Finance_Course frida WebScoket note MobileSubstrate security dyld MGCopy Logical_thinking Knowledge_is_power jb How_to_be_a_master_of_network_management hook DeviceInfo Video
      FRIENDS