function. We could tell whether the caller was ShortCFuncation by checking the callee’s argument,
and thus hook the short function indirectly and meet our needs. The introduction to MSHookFunction
above covers almost every situation a beginner may encounter. Since Theos only provides
encapsulation for MSHookMessageEx, a thorough understanding of how to use MSHookFunction
is particularly important. If MSHookFunction still confuses you, get to us on
4.1.2 MobileLoader
The role of MobileLoader is to load third-party dylibs. When iOS launches, launchd loads
MobileLoader into memory; MobileLoader then calls dlopen, according to each tweak’s plist
filter, to load the dylibs under /Library/MobileSubstrate/DynamicLibraries/ into different
processes. The format of the plist filter was explained in detail in the previous Theos
section, so I won’t repeat it here. For most rookie iOS reverse engineers, MobileLoader
works transparently; knowing that it exists is enough.
4.1.3 Safe mode
iOS crashes when a tweak sucks. A tweak is essentially a dylib residing in another process;
once something goes wrong in it, the entire process crashes. If that process unfortunately
happens to be SpringBoard or another system process, the tweak crash leads to system paralysis.
So CydiaSubstrate introduces Safe Mode: it captures the SIGTRAP, SIGABRT, SIGILL, SIGBUS,
SIGSEGV and SIGSYS signals and then enters safe mode, as shown in figure 4-8.