搞了几天了,中间因为HOOK写错了,还把手机搞白苹果了,始终没有hook成功过,
也参考过论坛Young前辈的 0x155584 | 0x00000001 这种写法,同样不行,实在搞不定了,要hook的具体函数已经搞清楚了。
/// Layout recovered for the first argument of the target routine (the
/// decompiler shows it as `(AutoBuffer)OutBuf`; whether it travels by value
/// or by pointer is not settled here — see the call site below).
/// Field names are decompiler placeholders; their meaning is not known
/// from this listing.
struct AutoBuffer {
char *_field1;          // presumably the data pointer — TODO confirm
long _field2;           // role unknown; size follows the target ABI (4 bytes on 32-bit ARM, 8 on arm64)
unsigned int _field3;
unsigned int _field4;
unsigned int _field5;
};
// Decompiler view of the call into the target routine; names are IDA-style
// placeholders, not real symbols.
// NOTE(review): the inline comment on the first argument appears to have
// swallowed the second one, `(bytes)rsaReqData::bytes`. Counting it, the call
// passes 16 arguments, which matches the 16-parameter hook signature used in
// the hook code below — confirm against the disassembly before relying on it.
sub_XXXXXX(
(AutoBuffer)OutBuf,// seems to be passed as a pointer; (AutoBuffer)OutBuf = (int)a4 (bytes)rsaReqData::bytes,
(unsigned int)rsaReqData::length,
(bytes)aesReqData::bytes,
(unsigned int)aesReqData::length,
(char*)RsaCertInfo::CertN,
(char*)RsaCertInfo::CertE,
(bytes)ResponseDecryptKey,
(unsigned int)ResponseDecryptKey::length,
(unsigned long)RsaCertInfo::CertVersion,
(int) v45,
(int) v45 - v47,
(unsigned int)uin ,
(char*)&byte_XXXX,
(unsigned int)Cgi,
(unsigned long)CUtility::GetVersion);
我的HOOK代码如下:
#include <mach/mach.h>
#include <mach-o/dyld.h>
#import <substrate.h>
/// Mirror of the target's first-argument type, copied from the analysis above.
/// The hook only ever receives it as `AutoBuffer*` and forwards the pointer
/// untouched, so a wrong layout would not break the hook itself — it only
/// matters once something here starts reading the fields.
/// NOTE(review): `char*` and `long` are 4 bytes on 32-bit ARM and 8 on arm64;
/// this layout is only right for the slice the process actually runs — confirm.
struct AutoBuffer {
char *_field1;          // presumably the data pointer — TODO confirm
long _field2;           // role unknown
unsigned int _field3;
unsigned int _field4;
unsigned int _field5;
};
/////////////////////////////////////////////////////////////////////////
/// Header address of image 0, filled in by dylibMain(); zero until then and
/// also zero if _dyld_get_image_header() returned null.
long _module_base{0};
/// Forward declaration of the replacement routine; the definition follows the
/// old_func pointer below. Parameter names come from the decompiler and are
/// documentation only — the definition spells the fourteenth one
/// `byte_309D4CC`, which is harmless in C++ but worth unifying.
CFDataRef replace_func(AutoBuffer* outData,
                       unsigned char* rsaReqData, unsigned int rsaReqDataLength,
                       unsigned char* aesReqData, unsigned int aesReqDataLength,
                       char* CertN, char* CertE,
                       unsigned char* ResponseDecryptKey, unsigned int ResponseDecryptKeyLength,
                       unsigned long CertVersion,
                       int v45, int sub,
                       unsigned int uin,
                       char* byte_XXXXX,
                       unsigned int Cgi,
                       unsigned long Version);
/// Trampoline to the original implementation. MSHookFunction() fills it in
/// through its third argument when the hook is installed; until then it is a
/// null pointer. The signature must match replace_func exactly, because
/// replace_func forwards all 16 arguments through this pointer.
CFDataRef (*old_func)(AutoBuffer* outData,
                      unsigned char* rsaReqData, unsigned int rsaReqDataLength,
                      unsigned char* aesReqData, unsigned int aesReqDataLength,
                      char* CertN, char* CertE,
                      unsigned char* ResponseDecryptKey, unsigned int ResponseDecryptKeyLength,
                      unsigned long CertVersion,
                      int v45, int sub,
                      unsigned int uin,
                      char* byte_309D4CC,
                      unsigned int Cgi,
                      unsigned long Version) = nullptr;
/////////////////////////////////////////////////////////////////////////
/// Replacement installed over the target routine: writes one log line per call
/// and hands every argument unchanged to the original through old_func,
/// returning whatever the original returns. Nothing here inspects or alters
/// the buffers. The parameter names are decompiler guesses and are not
/// guaranteed to describe the real contents.
CFDataRef replace_func(AutoBuffer* outData,
                       unsigned char* rsaReqData, unsigned int rsaReqDataLength,
                       unsigned char* aesReqData, unsigned int aesReqDataLength,
                       char* CertN, char* CertE,
                       unsigned char* ResponseDecryptKey, unsigned int ResponseDecryptKeyLength,
                       unsigned long CertVersion,
                       int v45, int sub,
                       unsigned int uin,
                       char* byte_309D4CC,
                       unsigned int Cgi,
                       unsigned long Version)
{
    NSLog(@"HOOK SUB_XXXXXX SUCCESS!!!!!!!!!");
    // Pass-through: the original does all the work and owns the result.
    CFDataRef original = old_func(outData,
                                  rsaReqData, rsaReqDataLength,
                                  aesReqData, aesReqDataLength,
                                  CertN, CertE,
                                  ResponseDecryptKey, ResponseDecryptKeyLength,
                                  CertVersion,
                                  v45, sub,
                                  uin,
                                  byte_309D4CC,
                                  Cgi,
                                  Version);
    return original;
}
/////////////////////////////////////////////////////////////////////////
/// Installs the inline hook. `image_base` is the Mach-O header address the
/// caller resolved; the target is assumed to sit at a fixed offset from it.
/// NOTE(review): the `| 1` presumably marks the target as Thumb code, which
/// only has meaning on 32-bit ARM — on arm64 it yields a misaligned address.
/// MSHookFunction() returns nothing, so a miscomputed address silently patches
/// whatever code lives there (a plausible cause of the boot loop described
/// above). Confirm the slice and the offset before installing.
void hook(long image_base) {
    unsigned long target = static_cast<unsigned long>(image_base + 0xXXXXXXX);
    target |= 0x1u;
    MSHookFunction(reinterpret_cast<void*>(target),
                   reinterpret_cast<void*>(&replace_func),
                   reinterpret_cast<void**>(&old_func));
}
/// Load-time constructor: resolves the header of image index 0 and installs
/// the hook. NOTE(review): index 0 is assumed to be the target binary, and its
/// name is not checked here. The success message writes the resolved load
/// address to the system log (the `921600` line quoted below); keep such
/// addresses out of logs in anything that ships. The "hander" typo is in a
/// runtime string and is left as is.
__attribute__((constructor)) void dylibMain()
{
    _module_base = reinterpret_cast<long>(_dyld_get_image_header(0));
    if (_module_base != 0) {
        NSLog(@"scholar: get image hander success %ld", _module_base);
        hook(_module_base);
        return;
    }
    NSLog(@"scholar: get image header failed.");
}
然后运行时会提示
scholar: get image hander success 921600