MSHookFunction example doesn't work

Hello, I was trying to use MobileHooker according to the example in the book:

MSImageRef image = MSGetImageByName("/Applications/iOSRETargetApp.app/iOSRETargetApp");
NSLog(@"iOSRE Image addr: %@", image);
...
void *__ZN8CPPClass11CPPFunctionEPKc = MSFindSymbol(image, "__ZN8CPPClass11CPPFunctionEPKc");

My problem is that the call from MSGetImageByName always returns NULL. The permissions should be correct and I can see the symbols in IDA or with nm.

root# ls -l /Applications/iOSRETargetApp.app/iOSRETargetApp
-rwxr-xr-x 1 mobile staff 134368 Dec 20 10:33 /Applications/iOSRETargetApp.app/iOSRETargetApp

$ nm iOSRETargetApp  | grep __ZN8CPPClass11CPPFunctionEPKc
0000a678 T __ZN8CPPClass11CPPFunctionEPKc
000000010000652c T __ZN8CPPClass11CPPFunctionEPKc

After I kill the SpringBoard, it writes to syslog:

SpringBoard[3280]: iOSRE Image addr: (null)

Anyone with the same problem or possible solution? I use iOS 8.2.

You should hook iOSRETargetApp rather than SpringBoard

1 like
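The reason behind the answer above, as an added example that is not part of the original thread or the book: `MSGetImageByName` only returns an image that is loaded in the process the tweak is running in, so a tweak injected into SpringBoard gets NULL for the app's binary. The constructor below checks each lookup and logs the host process. The bundle identifier in the filter comment is a placeholder, and the function's `void` return type and the `iosre_init` name are assumptions.

```objc
#import <Foundation/Foundation.h>
#import <substrate.h>

// The tweak's filter plist decides which process loads this dylib.
// Assumed filter (placeholder bundle identifier, not taken from the thread):
//   { Filter = { Bundles = ( "com.example.iOSRETargetApp" ); }; }
// With a SpringBoard filter the code below runs inside SpringBoard instead.

static const char *kTargetImage = "/Applications/iOSRETargetApp.app/iOSRETargetApp";
static const char *kTargetSymbol = "__ZN8CPPClass11CPPFunctionEPKc";

// CPPClass::CPPFunction(const char *): the hidden first argument is `this`.
// The return type is not encoded in the mangled name; void is assumed here.
static void (*orig_CPPFunction)(void *self, const char *arg);

static void new_CPPFunction(void *self, const char *arg) {
    NSLog(@"iOSRE: CPPFunction(%s)", arg);
    orig_CPPFunction(self, arg);
}

__attribute__((constructor)) static void iosre_init(void) {
    @autoreleasepool {
        NSString *host = [[NSBundle mainBundle] executablePath];

        // NULL here means the image is not loaded in *this* process.
        MSImageRef image = MSGetImageByName(kTargetImage);
        if (image == NULL) {
            NSLog(@"iOSRE: %s is not loaded in %@; check the tweak filter",
                  kTargetImage, host);
            return;
        }
        // MSImageRef is a plain pointer, so log it with %p rather than %@.
        NSLog(@"iOSRE: image addr %p in %@", image, host);

        void *symbol = MSFindSymbol(image, kTargetSymbol);
        if (symbol == NULL) {
            NSLog(@"iOSRE: symbol %s not found", kTargetSymbol);
            return;
        }
        MSHookFunction(symbol, (void *)&new_CPPFunction,
                       (void **)&orig_CPPFunction);
    }
}
```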

I see, thank you for a quick response.