Chapter 4 iOS toolkit
In chapter 3, we introduced the OSX toolkit for iOS reverse engineering. To get our
work done, we still need to install and configure several tools on iOS so that both
platforms can work together. All operations in this chapter were done on an iPhone 5 running iOS 8.1; if you encounter any
problems, please talk to us on http://bbs.iosre.com.
4.1 CydiaSubstrate
Figure 4-1 Logo of CydiaSubstrate
CydiaSubstrate (as shown in figure 4-1) is the infrastructure that most tweaks are built on. It consists of
MobileHooker, MobileLoader and Safe mode.
4.1.1 MobileHooker
MobileHooker is used to replace system functions, in other words, to hook them. There are two major
functions:
void MSHookMessageEx(Class class, SEL selector, IMP replacement, IMP *result);
void MSHookFunction(void* function, void* replacement, void** p_original);
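As an added example (not code from the book or from CydiaSubstrate itself), here is a minimal tweak that uses MSHookMessageEx to hook -[NSString hasSuffix:], log each call, and pass it through to the original implementation. It assumes the file is built as a dylib against substrate.h (for example with Theos) and loaded into the target process by MobileLoader; the names orig_hasSuffix, hooked_hasSuffix and tweak_init are my own.

```objectivec
// Added example, not from the book: hooking an Objective-C method with
// MSHookMessageEx. Build as a dylib against substrate.h; MobileLoader injects it.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#include <substrate.h>

// Receives the original IMP from MSHookMessageEx (the 4th argument), so the
// replacement can still call the real hasSuffix:.
static BOOL (*orig_hasSuffix)(id self, SEL _cmd, NSString *suffix);

// The replacement must have the same C signature as the original method:
// self, _cmd, then the method's own arguments.
static BOOL hooked_hasSuffix(id self, SEL _cmd, NSString *suffix) {
    BOOL result = orig_hasSuffix(self, _cmd, suffix);   // call through to the original
    NSLog(@"[tweak] -[NSString hasSuffix:@\"%@\"] on @\"%@\" -> %d", suffix, self, result);
    // Returning [self hasPrefix:suffix] here instead would give the
    // hasSuffix:/hasPrefix: swap this section uses as its illustration.
    return result;
}

// Runs when the dylib is loaded; this is where the hook is installed.
__attribute__((constructor))
static void tweak_init(void) {
    MSHookMessageEx(objc_getClass("NSString"),   // class whose method is replaced
                    @selector(hasSuffix:),       // selector
                    (IMP)hooked_hasSuffix,       // replacement IMP
                    (IMP *)&orig_hasSuffix);     // receives the original IMP
}
```

Because NSString is a class cluster, the hook lands on the NSString implementation that concrete subclasses inherit; a subclass that overrides hasSuffix: itself would need its own MSHookMessageEx call.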
MSHookMessageEx works on Objective-C methods. It calls method_setImplementation to
replace the original implementation of [class selector] with “replacement”. What exactly does
this mean? For example, if we send the message hasSuffix: to an NSString object (i.e., call
[NSString hasSuffix:]), normally this method’s implementation indicates whether
the NSString object has a certain suffix. But if we replace this implementation with the
implementation of hasPrefix:, then after an NSString object receives the hasSuffix: message, it