From b3349883760cae6fd39d4e63140b19497f805fa8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=88=9A=28noham=29=C2=B2?= <100566912+NohamR@users.noreply.github.com> Date: Sun, 22 Feb 2026 22:15:50 +0100 Subject: [PATCH] Update 1.88.md --- Chapter1 - iOS/1.88.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/Chapter1 - iOS/1.88.md b/Chapter1 - iOS/1.88.md index 469647c..b934b8a 100644 --- a/Chapter1 - iOS/1.88.md +++ b/Chapter1 - iOS/1.88.md @@ -22,7 +22,7 @@ Why put "C functions" in quotes? Keep reading. Take NSLog as an example. -[image: FishHookWithCFunction.png] +![](../assets/FishHookWithCFunction.png) You can see the hook succeeded. @@ -40,7 +40,7 @@ struct rebinding { Create a user C function `handleTouchAction`, but the hook fails. -[image: FishHookWithUserCFunction.png] +![](../assets/FishHookWithUserCFunction.png) This raises curiosity: why can system C functions be hooked but not user-defined C functions? Continue exploring. 
@@ -117,27 +117,27 @@ With PIC, workflow: Experiment to verify the full process. -[image: MachOLazySymbolLatestVersionLocation.png] +![](../assets/MachOLazySymbolLatestVersionLocation.png) Step 1: You can see NSLog in the Lazy Symbol Pointers as the first entry. "lazy" means it's bound only when used. Set breakpoints to verify. -[image: FishHookMachO.png] +![](../assets/FishHookMachO.png) Step 2: At the NSLog breakpoint, in LLDB run `image list` to view images. The first image is the app's main executable; its image base is 0x0000000100da5000. -[image: FishHookDemoImageList.png] +![](../assets/FishHookDemoImageList.png) Step 3: Use image base + offset to compute the NSLog address: `memory read 0x0000000102eec000+0xC000` to inspect memory. -[image: NSLogFakeAddress.png] +![](../assets/NSLogFakeAddress.png) Step 4: Set the breakpoint to proceed so NSLog runs once; then disassemble the address (`dis -s addr`) to view assembly. -[image: LLDBNSLogAddressSymbol.png] +![](../assets/LLDBNSLogAddressSymbol.png) Step 5: Continue execution past the breakpoint, call `rebind_symbols`, then inspect memory again. After rebind, the address changed; disassembly now shows your custom function. -[image: FishhookResult.png] +![](../assets/FishhookResult.png) 
@@ -145,19 +145,19 @@ Detailed mapping steps: Step 1: In Lazy Symbol Pointers you see the first symbol `NSLog` at index 1. -[image: FishHookMachO1.png] +![](../assets/FishHookMachO1.png) Step 2: In the Dynamic Symbol Table, the first entry relates to NSLog. Its Data value `00000084` (hex) equals 132 (decimal). -[image: FishHookMachO2.png] +![](../assets/FishHookMachO2.png) Step 3: Use that index to find the 132nd entry in the Symbol Table. Its Data value `000000AA` is an offset. -[image: FishHookMachO3.png] +![](../assets/FishHookMachO3.png) Step 4: In the String Table, the first position `0000CFE4` plus offset `0xAA` equals `0xD08E`, which is the symbol name location corresponding to `NSLog`. -[image: FishHookMachO4.png] +![](../assets/FishHookMachO4.png)
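Review bot: in hunk `@@ -22,7` the new Markdown image has an empty alt text (`![](../assets/FishHookWithCFunction.png)`), so screen readers and any renderer that fails to load the file show nothing; the old `[image: FishHookWithCFunction.png]` at least carried the file name. Suggest keeping a short description in the brackets, e.g. `![fishhook hooking NSLog](../assets/FishHookWithCFunction.png)`; the same applies to the other eleven image lines in this patch.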
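Review bot: hunk `@@ -40,7` (like every hunk here) points at `../assets/<name>.png`, which resolves to a top-level `assets/` directory relative to `Chapter1 - iOS/1.88.md`, yet the patch touches only this one file (`1 file changed, 12 insertions(+), 12 deletions(-)`) and adds no images. Please confirm those PNGs are already committed under that path with exactly these names and case, otherwise all twelve links render as broken images.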
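Review bot: hunk `@@ -117,27` leaves an inconsistency in the surrounding text that is worth fixing while this file is being edited: Step 2 reports the main executable's image base as `0x0000000100da5000`, but Step 3 computes the NSLog pointer with `memory read 0x0000000102eec000+0xC000`, a different base. Since ASLR gives a new slide per run, either the two steps come from different sessions or one value is a typo; the text should use one base in both steps (or say explicitly that the address differs per launch and the reader must substitute their own `image list` output).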
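Review bot: in hunk `@@ -145,19` the index wording in the context lines is ambiguous: Step 2 reads the indirect symbol value `00000084` as 132 and Step 3 then looks up "the 132nd entry in the Symbol Table". Indirect symbol table values are zero-based indices into the nlist symbol table, so 132 selects the 133rd row when counting from one; the step should say "the entry at index 132" (and Step 1's "at index 1" deserves the same zero-vs-one-based clarification). The String Table arithmetic in Step 4 (`0xCFE4 + 0xAA = 0xD08E`) checks out.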