Update 1.88.md

√(noham)²
2026-02-22 22:15:50 +01:00
parent c5590f16ab
commit b334988376


@@ -22,7 +22,7 @@ Why put "C functions" in quotes? Keep reading.
Take NSLog as an example. Take NSLog as an example.
[image: FishHookWithCFunction.png] ![](../assets/FishHookWithCFunction.png)
You can see the hook succeeded. You can see the hook succeeded.
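Review bot: the new image line `![](../assets/FishHookWithCFunction.png)` has an empty alt text, so a reader (or a text-only renderer) gets nothing where the screenshot should be. Suggest a short description of what the screenshot shows, taken from the surrounding sentence, e.g. `![fishhook rebinding NSLog succeeds](../assets/FishHookWithCFunction.png)`; the same applies to every image line this commit converts.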
@@ -40,7 +40,7 @@ struct rebinding {
Create a user C function `handleTouchAction`, but the hook fails. Create a user C function `handleTouchAction`, but the hook fails.
[image: FishHookWithUserCFunction.png] ![](../assets/FishHookWithUserCFunction.png)
This raises curiosity: why can system C functions be hooked but not user-defined C functions? Continue exploring. This raises curiosity: why can system C functions be hooked but not user-defined C functions? Continue exploring.
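Review bot: the old `[image: FishHookWithUserCFunction.png]` form carried no path, while the new form hard-codes `../assets/`; please confirm that the assets directory actually sits one level above this file, since the reference will silently render as a broken image otherwise. The context line "Create a user C function `handleTouchAction`, but the hook fails" is exactly the case this screenshot is supposed to document, so a broken link here would remove the evidence for the section's central claim.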
@@ -117,27 +117,27 @@ With PIC, workflow:
Experiment to verify the full process. Experiment to verify the full process.
[image: MachOLazySymbolLatestVersionLocation.png] ![](../assets/MachOLazySymbolLatestVersionLocation.png)
Step 1: You can see NSLog in the Lazy Symbol Pointers as the first entry. "lazy" means it's bound only when used. Set breakpoints to verify. Step 1: You can see NSLog in the Lazy Symbol Pointers as the first entry. "lazy" means it's bound only when used. Set breakpoints to verify.
[image: FishHookMachO.png] ![](../assets/FishHookMachO.png)
Step 2: At the NSLog breakpoint, in LLDB run `image list` to view images. The first image is the app's main executable; its image base is 0x0000000100da5000. Step 2: At the NSLog breakpoint, in LLDB run `image list` to view images. The first image is the app's main executable; its image base is 0x0000000100da5000.
[image: FishHookDemoImageList.png] ![](../assets/FishHookDemoImageList.png)
Step 3: Use image base + offset to compute the NSLog address: `memory read 0x0000000102eec000+0xC000` to inspect memory. Step 3: Use image base + offset to compute the NSLog address: `memory read 0x0000000102eec000+0xC000` to inspect memory.
[image: NSLogFakeAddress.png] ![](../assets/NSLogFakeAddress.png)
Step 4: Set the breakpoint to proceed so NSLog runs once; then disassemble the address (`dis -s addr`) to view assembly. Step 4: Set the breakpoint to proceed so NSLog runs once; then disassemble the address (`dis -s addr`) to view assembly.
[image: LLDBNSLogAddressSymbol.png] ![](../assets/LLDBNSLogAddressSymbol.png)
Step 5: Continue execution past the breakpoint, call `rebind_symbols`, then inspect memory again. After rebind, the address changed; disassembly now shows your custom function. Step 5: Continue execution past the breakpoint, call `rebind_symbols`, then inspect memory again. After rebind, the address changed; disassembly now shows your custom function.
[image: FishhookResult.png] ![](../assets/FishhookResult.png)
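Review bot: the unchanged context around the image edits is internally inconsistent on the image base. Step 2 reports the main executable's base as `0x0000000100da5000`, but Step 3 computes the NSLog pointer as `memory read 0x0000000102eec000+0xC000`, a different base. The two values were evidently captured in different debug sessions; since this commit touches these lines anyway, either re-take the screenshots from one session so the numbers match, or state explicitly that the base must be re-read with `image list` on every launch and that only the `0xC000` offset is stable.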
@@ -145,19 +145,19 @@ Detailed mapping steps:
Step 1: In Lazy Symbol Pointers you see the first symbol `NSLog` at index 1. Step 1: In Lazy Symbol Pointers you see the first symbol `NSLog` at index 1.
[image: FishHookMachO1.png] ![](../assets/FishHookMachO1.png)
Step 2: In the Dynamic Symbol Table, the first entry relates to NSLog. Its Data value `00000084` (hex) equals 132 (decimal). Step 2: In the Dynamic Symbol Table, the first entry relates to NSLog. Its Data value `00000084` (hex) equals 132 (decimal).
[image: FishHookMachO2.png] ![](../assets/FishHookMachO2.png)
Step 3: Use that index to find the 132nd entry in the Symbol Table. Its Data value `000000AA` is an offset. Step 3: Use that index to find the 132nd entry in the Symbol Table. Its Data value `000000AA` is an offset.
[image: FishHookMachO3.png] ![](../assets/FishHookMachO3.png)
Step 4: In the String Table, the first position `0000CFE4` plus offset `0xAA` equals `0xD08E`, which is the symbol name location corresponding to `NSLog`. Step 4: In the String Table, the first position `0000CFE4` plus offset `0xAA` equals `0xD08E`, which is the symbol name location corresponding to `NSLog`.
[image: FishHookMachO4.png] ![](../assets/FishHookMachO4.png)
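Review bot: the indexing convention in the context lines is ambiguous and reads like an off-by-one. Step 1 says the first Lazy Symbol Pointer is "at index 1", while Step 2 and Step 3 turn the Dynamic Symbol Table value `00000084` (132) into "the 132nd entry in the Symbol Table"; if Step 1 is counting from 1, then a value of 132 would denote the 133rd entry, and if it is counting from 0 the wording "132nd" is off. Suggest stating once that all three tables are indexed from 0 and then writing "symbol table entry 132" so the walk-through can be reproduced in a Mach-O viewer without guessing. The arithmetic in Step 4 (`0xCFE4 + 0xAA = 0xD08E`) checks out.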