iOS Compilation Principles


A hook changes the execution flow of a function.

1. Redirection (rebasing): ASLR slide (a random value) + offset in the file = address in memory
0x5FCC + 0x0000000102edc000 = 0x102ee1fcc
An executable file loaded in memory is called an image


Executable file


Redirection: the address of an internal function is found by calculation (image base + offset)
Assembly instructions and machine code correspond one to one. For example, the bytes 1F 20 03 D5 are the arm64 NOP instruction
A pointer occupies 8 bytes on the arm64 architecture

2. What is symbol binding?
In essence it modifies the symbol table: a symbol is bound to an external function.
Internal functions get their call address through redirection (rebasing).

3. What happens each time an external symbol is called?
Symbol Stubs -> Lazy Symbol Pointers -> Non-Lazy Symbol Pointers
1. The symbol stub is called, and it jumps to the value stored in the lazy symbol pointer table
2. The value in the lazy symbol pointers table (its default value points to dyld_stub_binder)
3. First call: dyld_stub_binder runs and changes the value in the symbol table so that it points to the real address

On the second call, the value in the symbol table is used directly, and that is the real address of NSLog
Symbol Stubs -> Lazy Symbol Pointers

Reciting this from memory is useless; reading the assembly and debugging with lldb is king

Symbols is a summary table:
Internal symbols
External symbols: lazy symbol pointers (address determined at runtime) and non-lazy symbol pointers (for example dyld_stub_binder, whose address is determined at compile time).
Each external function corresponds to one stub

4. How does fishhook modify symbols? What is the principle?
fishhook is dedicated to hooking external functions

The __TEXT segment is read-only and cannot be changed, so the lazy symbol pointers are changed instead

5. How does fishhook find a symbol from a string? That is, the principle of how fishhook goes from a name to a symbol
String table index -> symbols index -> indirect symbols index -> lazy symbol pointers -> modify the value of the lazy symbol pointer

1. Go to the Mach-O string table, which is a list of NUL-terminated names and can therefore be split into individual strings. Get the offset of the name (string table index)
2. Use the string table index to find the entry in the symbol table. Get the index of that entry (symbols index)
3. Use the symbols index to find the entry in the indirect symbol table. Get its position (indirect symbols index)
4. Because the indices of the lazy symbol pointers correspond one to one with the indices in the indirect symbol table, the matching lazy symbol pointer is found directly

Finally, modify the value in the lazy symbol pointer
(because calling an external symbol goes through the stub, and the stub jumps to the address stored in the lazy symbol pointer)
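The lookup chain in items 3 and 5 is easier to see on a small model than in a hex dump. The following is an added example, not code from the post and not fishhook's own source: it builds constructed, simplified versions of the four Mach-O pieces fishhook walks (string table, nlist_64 symbol table, indirect symbol table and the __la_symbol_ptr slots), simulates the first-call binding through dyld_stub_binder, and then performs a fishhook-style rebind by walking slot -> indirect entry -> symbol table entry -> string table -> name compare. The symbol names, addresses and table layout are all constructed for the example.

```python
import struct

# All structures below are constructed for this example; they mimic the Mach-O pieces
# fishhook walks (__la_symbol_ptr, the indirect symbol table, the symbol table and the
# string table) but are not read from a real binary.

# nlist_64 layout: uint32 n_strx, uint8 n_type, uint8 n_sect, uint16 n_desc, uint64 n_value
NLIST64 = struct.Struct("<IBBHQ")
N_UNDF_EXT = 0x01                 # undefined external symbol (N_UNDF | N_EXT)
BINDER_ADDR = 0x1A0000000         # constructed: where the stub helper / dyld_stub_binder lives
REAL_ADDRESSES = {                # constructed: what dyld would resolve each symbol to
    "_NSLog": 0x1A3B20000,
    "_printf": 0x1A3B21000,
    "_malloc": 0x1A3B22000,
}


def build_string_table(names):
    """Index 0 is the empty string; every name is NUL-terminated, so the table splits on NUL."""
    table = bytearray(b"\x00")
    offsets = {}
    for name in names:
        offsets[name] = len(table)
        table += name.encode() + b"\x00"
    return bytes(table), offsets


class FakeImage:
    """Just enough of a loaded Mach-O image to show the lookup chain."""

    def __init__(self, external_names):
        self.strtab, strx = build_string_table(external_names)
        # symbol table: one undefined external entry per imported function
        self.symtab = b"".join(NLIST64.pack(strx[n], N_UNDF_EXT, 0, 0, 0) for n in external_names)
        n = len(external_names)
        # indirect symbol table: the __stubs section owns the first n entries (reserved1 = 0),
        # __la_symbol_ptr owns the next n (reserved1 = n); each entry is a symbol table index
        self.indirect = list(range(n)) + list(range(n))
        self.la_reserved1 = n
        # lazy symbol pointers: every slot starts out pointing at the binder
        self.la_symbol_ptr = [BINDER_ADDR] * n

    def symbol_name(self, symtab_index):
        """symbols index -> n_strx -> string table -> name."""
        n_strx = NLIST64.unpack_from(self.symtab, symtab_index * NLIST64.size)[0]
        end = self.strtab.index(b"\x00", n_strx)
        return self.strtab[n_strx:end].decode()

    def call_external(self, slot):
        """Simulate the stub for lazy pointer `slot`: jump to whatever the pointer holds.
        If it still holds the binder, act as dyld_stub_binder: resolve the real address,
        write it back into the lazy pointer, and jump there. Later calls skip the binder."""
        target = self.la_symbol_ptr[slot]
        if target == BINDER_ADDR:
            name = self.symbol_name(self.indirect[self.la_reserved1 + slot])
            target = REAL_ADDRESSES[name]
            self.la_symbol_ptr[slot] = target
        return target

    def rebind(self, name, new_addr):
        """fishhook's walk: for each lazy pointer slot, indirect table entry -> symbol table
        entry -> string table -> compare the name; on a match overwrite the pointer.
        Returns the previous value (what a replacement would call to fall through), or None."""
        for slot in range(len(self.la_symbol_ptr)):
            sym_index = self.indirect[self.la_reserved1 + slot]
            if self.symbol_name(sym_index) == name:
                old = self.la_symbol_ptr[slot]
                self.la_symbol_ptr[slot] = new_addr
                return old
        return None


if __name__ == "__main__":
    img = FakeImage(["_NSLog", "_printf", "_malloc"])
    print(hex(img.call_external(0)))            # first call: bound through the binder
    print(hex(img.call_external(0)))            # second call: straight to the real address
    MY_NSLOG = 0x1B0001000                      # constructed address of a replacement function
    print(hex(img.rebind("_NSLog", MY_NSLOG)))  # returns the real NSLog address for fall-through
```

Note what `rebind` returns when the slot has never been called: the binder address, not the real function. A detector looking for tampered imports can use the same walk in reverse, comparing each lazy pointer against the address dyld would have bound.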

6. How are symbols removed?
The Strip Style build setting removes all symbols from the symbol table by default

Strip Style
All Symbols: for an app, removes local symbols and leaves only indirect symbols
Non-Global Symbols: for a dynamic library, removes local symbols and leaves global and indirect symbols
Debugging Symbols: removes only debugging symbols and leaves local, global and indirect symbols

Deployment Postprocessing: set to YES to strip symbols in the debug phase; NO (the default) strips only when packaging

Local symbols that are not used are not generated

7. How to restore symbols?
Run the following command in the terminal, using the restore-symbol tool
./restore-symbol restore-symbol -o SymbolDemo1

8. How to work out the function name from a function call stack?
Call stack address of the function minus the image load address of the program = offset; then search for that address in Hopper
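Items 1 and 8 are the same calculation run in opposite directions. The following added example (not from the post) applies it to a constructed unsymbolicated crash-report frame in the usual "index image address load-address + offset" layout: it recovers the ASLR slide, turns the runtime address back into the unslid address Hopper displays (a 64-bit iOS executable's __TEXT segment sits at 0x100000000 in the file), and names the containing function from a constructed function-start table. The frame line, the function names and their addresses are all made up for the example.

```python
import bisect
import re

# A 64-bit iOS executable's __TEXT segment is laid out at 0x100000000 in the file; that is
# the address range Hopper displays before any ASLR slide is applied.
UNSLID_TEXT_BASE = 0x100000000

# Unsymbolicated crash report frame: "<index> <image> <address> <load address> + <offset>"
FRAME_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x([0-9a-fA-F]+)\s+0x([0-9a-fA-F]+)\s*\+\s*(\d+)\s*$"
)

# Constructed sample frame using the note's numbers: 24524 == 0x5FCC
SAMPLE_FRAME = "3   SymbolDemo1   0x0000000102ee1fcc 0x102edc000 + 24524"

# Constructed function-start table for the unslid binary (what one would export from
# Hopper or nm); the names and addresses are invented for the example
SAMPLE_FUNCTIONS = {
    0x100005F20: "-[ViewController viewDidLoad]",
    0x100005FA0: "-[ViewController doWork:]",
    0x100006010: "-[AppDelegate application:didFinishLaunchingWithOptions:]",
}


def parse_frame(line):
    """Split one crash-report frame into its fields."""
    m = FRAME_RE.match(line)
    if not m:
        raise ValueError("not an unsymbolicated crash frame: %r" % line)
    return {
        "index": int(m.group(1)),
        "image": m.group(2),
        "address": int(m.group(3), 16),
        "load_address": int(m.group(4), 16),
        "offset": int(m.group(5)),
    }


def aslr_slide(frame):
    """Image load address minus its unslid base = the random ASLR slide for this run."""
    return frame["load_address"] - UNSLID_TEXT_BASE


def unslid_address(frame):
    """Runtime address - image load address = offset; offset + unslid base = the Hopper address.
    The report's own "+ offset" field is cross-checked so a mangled line is caught."""
    offset = frame["address"] - frame["load_address"]
    if offset != frame["offset"]:
        raise ValueError("report offset %d disagrees with computed %d" % (frame["offset"], offset))
    return UNSLID_TEXT_BASE + offset


def resolve(frame, functions):
    """Name the function containing the frame: the function start at or below the unslid address.
    Returns (name, distance into the function), or (None, unslid address) if nothing precedes it."""
    target = unslid_address(frame)
    starts = sorted(functions)
    i = bisect.bisect_right(starts, target) - 1
    if i < 0:
        return None, target
    return functions[starts[i]], target - starts[i]


if __name__ == "__main__":
    f = parse_frame(SAMPLE_FRAME)
    print("slide  = %#x" % aslr_slide(f))
    print("unslid = %#x" % unslid_address(f))
    print("symbol = %s + %#x" % resolve(f, SAMPLE_FUNCTIONS))
```

Run against a real report, the function table would come from the matching build's dSYM or from the binary itself; the arithmetic is the same as the 0x5FCC + 0x102edc000 line in item 1, just solved for the offset.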

9. Will calls to same-named classes in two dynamic libraries conflict?
No. When a dynamic library method is called, the dynamic library is found first and then the symbol inside it, so there is no symbol conflict between dynamic libraries.
Whichever library is listed first is found first

Static library:
1. If none of a static library's symbols is used (the smallest unit of a symbol is the class), the static library is not linked.
2. Once the linker has found a symbol, it does not link the same symbol again
Whichever library is listed first is linked first

What happens when a category method from a static library is used? The method cannot be found, because category methods are added dynamically and a static library's category methods are not linked by default. How to solve it? Add -ObjC to Other Linker Flags, which links all Objective-C code

How can a conflict between static libraries occur? One static library is linked with -ObjC, and the other also contains a class method with the same name; the compilation then reports an error.
How to solve it? Add two lines to Other Linker Flags: -force_load and the absolute path (an environment variable can also be used)
Set the main link

If two static libraries are used and each has a category method with the same name, leading to a symbol conflict, how to solve it?
In that case the only option is to use the llvm-objcopy tool to add prefixes and rename the symbols.
