
else old__ZN8CPPClass11CPPFunctionEPKc(hiddenThis, "This is a hijacked C++
function!");
}

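// Trampoline to the original CFunction. MSHookFunction writes it here when the hook in
// %ctor is installed, so it stays NULL until then.
void (*old_CFunction)(const char *);

// Replacement body installed over CFunction. Ignores the caller's argument and forwards a
// fixed message to the original implementation through the trampoline.
void new_CFunction(const char *arg0)
{
    // No trampoline yet (hook not installed or it failed): calling a NULL function
    // pointer would take the whole host process down, so do nothing instead.
    if (!old_CFunction) return;
    old_CFunction("This is a hijacked C function!"); // Call the original CFunction
}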

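// Trampoline to the original ShortCFunction. MSHookFunction writes it here when the hook
// in %ctor is installed; it stays NULL until then and is not read by the code below.
void (*old_ShortCFunction)(const char *);

// Replacement body installed over ShortCFunction. As in the listing, it forwards a fixed
// message through old_CFunction, i.e. the original CFunction, not old_ShortCFunction.
// NOTE(review): the listing's own comment says "Call the original ShortCFunction", which
// does not match the call made here; kept as written — confirm which was intended.
void new_ShortCFunction(const char *arg0)
{
    // Guard the trampoline: a NULL function pointer call would crash the host process.
    if (!old_CFunction) return;
    old_CFunction("This is a hijacked short C function from new_ShortCFunction!"); // Call the original CFunction
}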

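// Look up `symbolName` in `image` and, when it is present, redirect it to `replacement`,
// storing a callable pointer to the original in `*original`. Returns NO and installs
// nothing when the symbol is absent, so a NULL target never reaches MSHookFunction.
// `label` is only used for the log lines.
static BOOL iosre_hookSymbol(MSImageRef image, const char *symbolName, const char *label,
                             void *replacement, void **original)
{
    void *target = MSFindSymbol(image, symbolName);
    if (!target)
    {
        NSLog(@"iOSRE: %s not found, skipping hook", label);
        return NO;
    }
    NSLog(@"iOSRE: Found %s!", label);
    MSHookFunction(target, replacement, original);
    return YES;
}

// Runs when the tweak is loaded into the target process: resolves the three symbols in
// the target executable and installs the replacement functions defined above.
%ctor
{
    @autoreleasepool
    {
        MSImageRef image = MSGetImageByName("/Applications/iOSRETargetApp.app/iOSRETargetApp");
        if (!image)
        {
            // Without the image there is nothing to look up; bail out rather than pass
            // a NULL image handle on.
            NSLog(@"iOSRE: Target image not available, nothing to hook");
            return;
        }

        iosre_hookSymbol(image, "__ZN8CPPClass11CPPFunctionEPKc", "CPPFunction",
                         (void *)&new__ZN8CPPClass11CPPFunctionEPKc,
                         (void **)&old__ZN8CPPClass11CPPFunctionEPKc);

        iosre_hookSymbol(image, "_CFunction", "CFunction",
                         (void *)&new_CFunction, (void **)&old_CFunction);

        // This MSHookFunction will fail because ShortCFunction is too short to be hooked:
        // the patch MSHookFunction writes needs more room than the function has.
        iosre_hookSymbol(image, "_ShortCFunction", "ShortCFunction",
                         (void *)&new_ShortCFunction, (void **)&old_ShortCFunction);
    }
}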

In the above code, we should pay extra attention to some points:



  • The use of MSFindSymbol


Simply put, the role of MSFindSymbol is to look up the symbol to be hooked. Well, what is a symbol?


In a computer, the instructions of a function are stored in memory. When a process is about to call the function, it needs to know where the function is located in memory, and then executes the instructions found there. That is to say, the process needs to find the memory address of a function from its name. The mapping between function names and addresses is stored in the
