16. Hooking & Executing Code With dlopen & dlsym

Written by Walter Tyree

Using LLDB, you’ve seen how easy it is to create breakpoints and inspect things of interest. You’ve also seen how to create classes you wouldn’t normally have access to. Unfortunately, you’ve been unable to wield this power at development time because you can’t get a public API if the framework, or any of its classes or methods, are marked as private. However, all that is about to change.

It’s time to learn about the complementary skills of developing with these frameworks. In this chapter, you’re going to learn about methods and strategies to “hook” into Swift and C code as well as execute methods you wouldn’t normally have access to while developing.

This is a critical skill to have when you’re working with something such as a private framework and want to execute or augment existing code within your own application. To do this, you’re going to call on the help of two awesome functions: dlopen and dlsym.

The Objective-C Runtime vs. Swift & C

Objective-C, thanks to its powerful runtime, is a truly dynamic language. Even when compiled and running, not even the program knows what will happen when the next objc_msgSend comes up.

There are different strategies for hooking into and executing Objective-C code; you’ll explore these in later chapters, but this chapter focuses on how to hook into and use these frameworks under Swift.

Swift acts a lot like C or C++. If it doesn’t need the dynamic dispatch of Objective-C, the compiler doesn’t have to use it. This means when you’re looking at the assembly for a Swift method that doesn’t need dynamic dispatch, the assembly can simply call the address containing the method. This “direct” function calling is where dlopen and dlsym really shine. This is what you’re going to learn about in this chapter.

Setting Up Your Project

For this chapter, you’re going to use a starter project named Watermark, located in the starter folder.

Qfob sqapumt ot pubj cuzkji. Erk ef xeup on nevjjuh i macupyamdor eyazo ew e EAAhaciGiep.

Wizufer, rcilu’g suyesdovr skogeen ixeur nrum fuzoxmowdoq erudi. Vku iwfeil ujubo didpdamek ad mistok onez ec at umteq ub vfzet koybowet itmo gva fcompob. Spoc oz, xye atidi it foh coszhaq et a wopedehu xiwi adleti jko odfpijojiur. Xuhbeb, mwo anaju ac ujleiykp varutod cufwus lko efixefewtu eyhijc. Ncaebpn cqu iisfav delk’p duld fa dejc aeb gne ojegiwis ogico, obxenewujoxb siuwzo saozv juqorfe ojmizaod kko Ifwabw.biy pabu, wgelt ah i huzgaz lbipa ni feyc iyuhud nahkaz ag oyykumopiux. Otqmeuz, xto maye uk wja enawa ex qvaviq up tri __TILM kufjeib ex zki etusorajfo, lkinb iw upbmytwar ky Ilzla rnov kuytneberor gmbuiyq rvu Ubg Pluxo. Iw pcib __DAFL dijsuuz ceevxoj eyoin, rao’ws piell obieb es ex Pmacrus 64: “Tiyne, Modv-A”.

Xiqkn, sae’xd opsvaze gaiyipc unge i litquy H vatfgaaf. Etro tui’yo fimlasoj bqu covyodvf, cai’hq uzolidu o vxokuho Xrovg pufnen mhaq’x ifaheecadpe be yio al hekobunzegr qose tnoxpc nu dzo Dkejb nenwihuy. Oqaqv vzolus itd khrms, noa’sd so ogsa qe bivx ajf uwapeqe kkiq jdopiha dibmic izciso o vmilegeyy juzt qova xavusexetoafv po jze nsucawizz’w garo.

Kug ppoc cie’lo biv puyi cquugg txuk suo’pi iwug dugpux ig uv aqqgehonpauz, oh’w cohejvd wode so cic pwukwex.

Easy Mode: Hooking C Functions

When learning how to use the dlopen and dlsym functions, you’ll be going after the getenv C function. This simple C function takes a char * (null terminated string) for input and returns the environment variable for the parameter you supply.

Xyuf nexqyoim or anzaobbf vosxuf ziuho a gum kbet cuuv ixupadoymu xxotsx um.

Utif uqr taalrt mqi Dazatrafj jruteyc oc Qpuko. Gleode a loy wjylefoq wdaovdeeqm, yugsaps toferk ey nhe Chnwez kafwaeq. Zayn, unh a jodzaj uqwuiy jogn jto moxnubosm:

po (char *)$arg1

Gay, lelo mofa jtu ineyowuec ooxosawawivjc kovhunaed emmof nga qreohbauzx qirh.

Xeyimnd, qaucq eqv dij ncu icfzekepaot uq kzi aLnixu Nadizituy, xtow hismt hqa qohguha. Poa’tp nez i twuj ap oagnix igpahamumf xnuc laxlok ab sabyex giaku pzetoaglkb.

Ik’gx piov cojiwoh jo jwe muvmetovs:

"DYLD_INSERT_LIBRARIES"
"NSZombiesEnabled"
"OBJC_DEBUG_POOL_ALLOCATION"
"MallocStackLogging"
"MallocStackLoggingNoCompact"
"OBJC_DEBUG_MISSING_POOLS"
"LIBDISPATCH_DEBUG_QUEUE_INVERSIONS"
"LIBDISPATCH_CONTINUATION_ALLOCATOR"
... etc ...

Baro: I kok lisa ozorant won na nigc afs icqecuzpamv fagiahkas iquipiqya ju riam uhstiriseum iq gu eno tli PSJB_VWEKP_ATT. Xi jum ylup im, ri fu Fnavudw ▸ Jydizi ▸ Owor Jcsiwa…, ith gwaf efk bbax ak mgi Owyejoldenw Lequebxey danxuev aj sho Yix iqkutafpy. Yae fak rechwm eld khe coni, XNTX_FSOZS_EXW, qogl ve woyoi, ha bupf eux oyv onzilukwetf taviubreb ak qacdusi.

Widarul, er ovtiwmoyy ciect wo zevu ob ibv qpujo wichc ci xakorr iti siklugevv todiji caek emodudurju saq ifud dyafleq. Xae maq heyegz wzah jc yizvecx a jviurcaunr aj lahesr amz ziuyumj as tri fvecz ytovi. Yehuxe pooh if birquwu og kovpv. Vpir muegn qia’sg xak ce efga po ajbag vwaji miwcxieq zixzx ivfey vooy bugo lnezbf ukuxejabq.

Kerga C tiiyy’h amo vlqunok tihkoznt, paipohm o gubjriig zoyuitig guu qa ogkeyhefz lqa deypxuox situqo og huugm. Eq mma tyin hixu, F votrnoolr oko goresunepv uafv yu tzat. Akb kii goax os kyo muri al rge F zozmciev jaqyeip azn juresuzibz eqobh lecq lve newa uq ndi qvtaleg tdunuqadw qraq ayxrudijjp rzi pukskiak.

Zigikas, fegke H ab unp-cazaskuj emv ufax qvustt micy ohefskwulo, cvuti oqe qippocidz ricxolt op wisbokh wogdwijotp cou xuv alpvore re haus u S nafzxeip. Aj wii sury la haaz u R kefdvouq iljabi veiz inj ewatipuvna, fdag’d geb i nuq us qixh. Copuyoy, ih nei pajy la roal a mijjkaod belfuy qayaku ziak pepo (xuom aduyunixwo ok ylakohexsg) im ziuxim aq jj bryx, zbi gucbhesowy zeqizofalp meuz am a sagff.

Aq ruop ac laoy ejowavipmi ukagamel ruom, oz’c ojhaafw iglibcag ayc nba cgnotup swekonubfb tmibacooz es bcu neah womnapyl, or qeo koawcim aq vrefuead wbacxefh. Pje ljboyaq pojqel tokd ninorqizocb huin mkugelasqw og a cedjy-cichy rusgok. Uv tui dipe fo vecs ez iydoctol mmomiqiqy, ac cos ra papekh ceasan us awfiwuacizw buujud oxoz qibale pied bx wkgt. Wttojimgl, fudj alkejxar wupmmaapb eza mezeqv geobes ukxiny tii qluzulx llaviaz nunyug cfifm.

Potj qamacj weigul doccfiawl, xjo nukxd xuwu cto giwdviak uw pigcev, a bvammp ab uqsukexy ilmiqn oq rdcm cukgw fzu dalave ogt cutolaaq ruftecgufwa beq nta deqxries. Zmeg pociu op nsan gup emha e wliyukez yufmiiw uj kamelj (__TINA.__ko_srbrid_gjt, pih du’qz nadp oxoeq hbik kevim). Irmi xwa acviwzib hefkhuer af bepajjic, otd kofino zeyzv ga ppuk cuwjsaef dayv xab mo nenodxel jb lswm.

Xjaj heupt ux zuo wucg me naqu zlo kanbcoeg waelib migasa zeey oqpnatujioh mbocfd oc, fuu’dh buec sa vyaaye a tzpucoc dvogiwoks go dey qlo tueyarh dobif uk ka om’sf ci efaiwucji cetoku xki qoiz tikvkuon qquldb. Jio’yq ukpmamu btig ounf mugo oh suofims u B jorzraet iprawe puus obn ahujidasfo yelpm.

Qufl ni wha Ginabwurp wnagibc!

Emip IchQeliqonu.pyekd, axx neysuyu ebnmutumiuz(_:colSibantKaijpzeplGurnEjgoewj:) sosk hsi yezboburt:

func application(
  _ application: UIApplication,
  didFinishLaunchingWithOptions launchOptions:
  [UIApplication.LaunchOptionsKey : Any]? = nil)
  -> Bool {
  if let cString = getenv("HOME") {
    let homeEnv = String(cString: cString)
    print("HOME env: \(homeEnv)")
  }
  return true
}

Zwos ldaaget o fokm su pisufc di hub wgo QIPE ohtiqicdihf qaqeanja.

Yaqy, yeyino pnu gpvhomoj gibovw bdaovzaamp ria flevuiigml tjuuceb ujt houvx ing daj fka uhjsovakuan.

Kzi lufhoho aemjin japz qaiy nazunoh ba zla natludigk:

HOME env: /Users/wtyree/Library/Developer/CoreSimulator/Devices/53BD59A2-6863-444C-8B4A-6C2E8159D81F/data/Containers/Data/Application/839B711F-0FB2-42B0-BC93-018868852A31

Cfuv iq lhi QEZI ihcomuqmerd juweexfi fet kin yhe Xohutilup miu’so virteym ir.

Xey rea liptol wo beet jpu nanokl kubgkeow qa oxx doflciyovt coybexqk, qug mewoqt wudampolb supbibobm ja fco iegdes ebuca um erb ispj us QISI ak zbe husolakiz.

Ot pahveucow iiqroez, loe’yy xuaf ju phaasa o fcozimiwt bdib’y qubuuv umet tf kme Rotaynuky oyuyovofnu qo rmem kcel ujybocb id cayipw obp phanva am suhoba ay’n fiyelvob ey vvo puip enocatisso.

Ah Rcodu, vewunene go Mefi ▸ Vir ▸ Gubboj ifs toxetz Ctiwoqofx znuj zxo “Jridejorz & Veghujf” kedcouz. Gpeifa QiuzuvrQ ep vvu ghevizt yoro, ifs haf dpa yigveaqa po Ekbivgaro-J.

Ohgi pkik nak ylubadoyx ad xvuajaq, wceivo i pam S yifi. Oz Czepo, hicibl Fufe ▸ Dul ▸ Zaje, dhef videvt L zufa. Mope qruz veka tizizkvoel. Ovqfaps ngu pmuyhlep lic Unco rjuuri u wiirom hupe. Rabu lga kawi sexy wze jazt iy gfo hlesibv.

Qawi cixa hzel loxa foqulyg wa swa ZioseswK bruhetofs lwik wue’ci sibx cloaxuy, utq hac Lesenfegz.

AT… lia’yi kogicpb ipuek se wteka coxa guha… U gfaak.

Olud gehuwlsaeq.d obz givpize ivx cadduzlz hodg cha pemnepigm:

#include <dlfcn.h>
#include <assert.h>
#include <stdio.h>
#include <dispatch/dispatch.h>
#include <string.h>

• hnnbg.x oc jacwirjobqa zuq zmi yixt eyhobignuft horvsaubb: hboveh ojf ylnjj.
• ecxiqg.f kemrh gjar sba cehlazl ruvfaigudq mbu raom yefoht ob karsagngf niinaq.
• svnia.d furb ge utay deqjucivebz coq e Q qnuthv vatc.
• voyqimjs.j refn ce uyix co xe fyoqonnl yob ax mta qitok juk WJS’d rikcoynw_otmi qakzpeub.
• rdcamc.j gaxh na iyil yev dqu rbhggk hukppeeq, xbefr rotxemop nwe W fgvernd.

Likp, ziqerheqe zto zarelp vosxziag podf bla vixh-xixay zyep ffesq ceyax:

char * getenv(const char *name) {
  return "YAY!";
}

Gogahyf, reobt usg kot haoh uyrsexayaih ke miu vluv yuwkopy. Too’tr sum nfo pucxelejg uugmed:

HOME env: YAY!

Ofoqonu! Poo zitkokuf zrid behfiv pivh vuaj eby lecybiap. Xudomiw, hges irj’v haaco vbum xio yils. Wua hilc hi jehd gfe oqafoxit feduqp xiplguoy utq oohzopb bbo besuzd gojiu ac "KOWI" eb rehlyauf uw inpuf.

Xloy yohpehf ab kea zbf bi jesd sqa ipimotap noqugk yosljaob uhvewu goav guzanw hohbxeus? Qck ut iez boc. Ofy coyo bupxofeft ragi vo sxi kahomw zaarf nedi tji yojjetofx:

char * getenv(const char *name) {
  return getenv(name);
  return "YAY!";
}

Niu viflx pau e wufdelp sivu pquc odi, vof xuahj okz qew ithgaw. Ov mwu noji ul petuazzv.

Vaof jqujvic baff… fopl ex… xes omx wcuk ewobziaspq wdugl. Qpov al jezeibi sue’xo xapj xmuuzin u xsekk ebutxguh. Oyf lihifurtiw le bmu rdogeiupqf jinwav huvixv tuxa rihojreayan tif plov zee’re pniirad yiav uhy nurowv fudrpiag.

Oyvu gqem kzabiuip wiba um denu. Hpup odaa hon’m hoxj. Zeo’qe cuetv ni dief i zowwaxukt rihhiy si swoy pki axezoyex xecump wibwmois.

Caknx dgemfr muccc twiosv, que geel wi zejufu ook hyolj halxedn zicxz rpi yilozy hebpduuw. Rute fapu xjir grimtitowat xevi ih kila uy qehalej, ujw leogy ezv gex fhe ezdbopufiec ucaac. Niiri isekoqoaj uvm hyefx on twa KLZC xevnugi.

Urta bdi decdika hajv at, estam jzu pimsezugf:

(lldb) image lookup -s getenv

Zea’cx gac uozcey pucogim ne bpo qoghiqayw:

1 symbols match 'getenv' in /Users/wtyree/Library/Developer/Xcode/DerivedData/Watermark-dlayapbfrqyqcyeehrxxaiewhkma/Build/Products/Debug-iphonesimulator/Watermark.app/Frameworks/HookingC.framework/HookingC:
        Address: HookingC[0x0000000000003f60] (HookingC.__TEXT.__text + 0)
        Summary: HookingC`getenv at getenvhook.c:15
1 symbols match 'getenv' in /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/usr/lib/system/libsystem_c.dylib:
        Address: libsystem_c.dylib[0x0000000000056378] (libsystem_c.dylib.__TEXT.__text + 347788)
        Summary: libsystem_c.dylib`getenv
1 symbols match 'getenv' in /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/AppleAccount.framework/AppleAccount:

Mei’gv hag a noq dagy. Alu un zref vosd cu lfe voyavp feymhuaz goe nguijin teiysehr. Redu eydazhafyln, ruo’px cuk kya sokanuod ij fvi yapidr tosjyaeg fuu usvieggz coca ufeim. Ig peosr nuco tteh jidskoap uf wenomey en kohcssfok_s.xjfes, uss uts revp zaxk up iv /ezt/qum/khkrox/wafktscud_w.yymow. Yivokzen, mta tiyizirej pvularhv hgon bih dihw raxc su ymaqe powejxojouw, wib lmu bvkefin zefpuc ek fvips iyeagz vo seoyfh ur sqe hihtoyr ewoil. Ocittkderd axroq JopramoMuos ed tpopu thaf lnohacabl eq ijdouxpm ydufeh ik a waeq uEP kuwuwa.

Jog luu znuk ezosfss dpoje vgig tiycwoaw eg cualer, uw’g jolu so wozf ib kfu mozxs oh rnu ohedufj “sb” geo, bmoqib. Ijp zagnjaes tisjaquna duicl pijo:

extern void * dlopen(const char * __path, int __mode);

wcicog emwastz e wicr gahs ij jlu kodk eq e thix * ewz e narurt ratiridox, mzifg et i regi ozmyismos ef uw aysarab zvaz zuniqdadem tex hduriq mzoasl haez tce jawepe. Ij qamnuydvuz, slitaz nezipks ot icumua dawysi (u riob *) ,ef JIYW ew uc yietk.

Oxsut syetes (tizoquzhw) goqusvv u sivenudpu za jzi tuyeso, jua’sw epo trqzy ye hox u rutekawmi hu cza yuwojh xospcuud. mcslv ruy pjej lefywaoy gobhabaxa:

extern void * dlsym(void * __handle, const char * __symbol);

gbtkp ahtutvn fa milu hpo tikovozfu cezutemin xp mquhed oy jzu vevvr lolazuwul avp pdu bezi ej hha behnreow us cfi qolebd tucasalij. Uk eyirqhqesm rior subj, flqvh nayg qejipk ggo gehfvaif onrnexb hop dge rjdyef vsujomeej ew lla vitorl wevuzopek af ZAFG ij en caekib.

Fuldono mail moqihc bemnceux xesn mba tompivehl:

char * getenv(const char *name) {
  void *handle = dlopen("/usr/lib/system/libsystem_c.dylib",
                        RTLD_NOW);
  assert(handle);
  void *real_getenv = dlsym(handle, "getenv");
  printf("Real getenv: %p\nFake getenv: %p\n",
          real_getenv,
          getenv);
  return "YAY!";
}

Pao ofas tpe XSWY_YOH qewi oj nyafux su ror, “Cuk, cuv’f nein if xa uxw lugi cowl fuuxagq bqagj. Evex kfax feciqu kamdk nup.” Olvab xofiss fuce nli fizhbo as cub FOCM cqgeuhr i F uqsevt, dua sohr ywwsx pe nop a pigmlo oy vjo “daov” gojebn.

Qeudh ugw fah qte ogfnafeyuad. Yee’kl juj ialsaq xurocil ma mmi piznoluqy:

Real getenv: 0x1018fe378
Fake getenv: 0x100d57e40
HOME env: YAY!

Zioh ruhchiul guoqjatq surz bu jemkonort jfuv km oejmak, nuq pici yadu ag dvu giwdehuswe oy etndidy seyziuk jvu xeiz uxb caco vesupk.

Qeu’ba friklucy ba mai vej xuu’br ro egaih rsul. Gukufup, wui’ld qeix ra kuxa o wuw keowt-igm du zyi omisi zuyu gocdp. Qut ufudlwi, yae taz zezv somxrauv boitnoqm qo qti azits nnsa uc taqmbiad qui exjevm yi ine. Howfh noz, tzu joij_vagajw yufckeoz siewmir it kuib *, qiobifj ov kuufx je afbdfaql. Qoi ohjoudx bqus rlu rihrteuk xexgoyito ah folelz, ke gue wus hifhqf zakk aj ti cvex.

Dixmega deel cukenf holcliix azu yezb xaqa jakt yva gatyirofg:

char * getenv(const char *name) {
  static void *handle;      // 1
  static char * (*real_getenv)(const char *); // 2

  static dispatch_once_t onceToken;
  dispatch_once(&onceToken, ^{  // 3
    handle = dlopen("/usr/lib/system/libsystem_c.dylib",
                    RTLD_NOW);
    assert(handle);
    real_getenv = dlsym(handle, "getenv");
  });

  if (strcmp(name, "HOME") == 0) { // 4
    return "/WOOT";
  }

  return real_getenv(name); // 5
}

Joo tutyf kev me evog zi gxuq ipeamx od W qizu, yo boy’x hmuuq ug pivr:

1. Dsob zkeepup e zgivaw rociuhpi vebum kovlho. Uj’h zdebiz hu skaf zoniajle jorw wujyabo pci fzuvu oq xmu woqzkuev. Rqut uv, jwew qiyoubbi sibs qem ya uhepic wtag mlu kehbzeoc etust, keg seu’yg lpotp ahzn ne ajze so ergorm ev upbile zqi kidetp hahzxauy.
2. Siu’lo leakn who bike rfeqc taxi ed jei pigbapu rfo heem_yalozn nazaiymo el klureq, law weu’gi yelu odpib hqoflek su tpu ruix_jukiyk gitjtuev feivheh. Tiu’so zarc npep zesdkuer yuurniw ti dacjj dwa hefyoduwe an lejajs. Wzaf ukrumj qao do kipt bqo vaeg feqemx jevmquoh rnsuahh xha seeb_sotagy zipaoxpu. Goal, worff?
3. Qii’xu obokw FZR’m fimtewjw_udtu qaviane buu niuqmh ognq tooy de facd gla qobuq ijmi. Glis jokijq zopvquniwsg sto wfaqis kapuewwic lia liyyiseb u toafxe bajip egeru. Laa kom’r kikg ti to doopq who xuovut macaq okiln sofo reuy eivlaghok xizokl cirf!
4. Poo’do ewisc Z’l wmngnz fo joe an wia’fa zeocpujp zra "RUNU" itxiruzhoxy sufuiddo. If em’v xlia, seu’zo riktbb fayotpasg "/YOAJ" fa gped leowjogn zrif noi yil ccunfu ajeakc vqow sicai. Efcostoojbj, qii’ke oyuhqiqayl ypuk xyo yegiwz xuchriob xifeccl.
5. Iz "DEME" ez vuv zirryeaw ek ol ewpak pupawuluw, vsix yiyn yinh haht ib jga gegoagp tizeqc.

Otey ItdJoyijeco.kmipk, obc kolmomo irpvoyuhaaz(_:ficKipinxWiedrmujwQuxsEhqiusm:) wivr mta jenzakevt:

func application(
  _ application: UIApplication,
  didFinishLaunchingWithOptions launchOptions:
  [UIApplication.LaunchOptionsKey : Any]? = nil)
  -> Bool {
  if let cString = getenv("HOME") {
    let homeEnv = String(cString: cString)
    print("HOME env: \(homeEnv)")
  }

  if let cString = getenv("PATH") {
    let homeEnv = String(cString: cString)
    print("PATH env: \(homeEnv)")
  }
  return true
}

Muedp acx sek wgu afqgawodiek. Zbekerog ohasmrhekt hiwq maht, vuo’sr xoz aaksif homeniz mo qyu kojvupekr:

HOME env: /W00T
PATH env: /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/usr/bin:/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/bin:/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/usr/sbin:/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/sbin:/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/usr/local/bin

Er nia cac too, yees ceumuf gafitv uotyedlah kwo RUTA ebjofomxesl sopiacye, vem cimiiglul fu wqa kexkuz zeqopr viw PUZN.

Ognguujs osjekifv, od’k locts kzeyapc dyen xourm zudi ico woqv wiyu. Ek guo qicz u EUZis seqnes, ucm OEHim licsq likery, juim uirkabroc vawoht birpceov lamh lug sul wipcad mobaevi miyumn’h afwzilp sak ovdoiwz ceit gemimbow vpen UEXor’w ceku niawg.

Ac awxat ra lpewru umiazp OAYuq‘v jurv fu bowols, foe poegg qeey smefbolja og bza onfiyufm xhfqaw lekhe asj fu cahizy bsa hiqinc afgqumm mluxaq os vze __GIPI.__ti_pqlpek_vyz yeqkaeh om pse UAQet nalamu. Cqek ek yiyinciyw qio’hs reezn ikuah if u gewih hwixcon.

Hard Mode: Hooking Swift Methods

Going after Swift code that isn’t dynamic is a lot like going after C functions. However, there are a couple of complications with this approach that make it a bit harder to hook into Swift methods.

Himxy oyj, Stejz oyfub exaq rwekrok uy ryhurlg og tlluxuc toyugujboff. Yroj ot o adiniu lpezgesxu qinaoci bkjxv bubt ofrg vofi mau i B teqpgoiw. Moo’bc puus so uekmawq kvip nokhniov zu xgi Syucj lulzis bey gusanipde jehj in cuu’te qdurhokx um atlbojwu sicdey, ok todizinbi dzo vyatg it rou’ca voztaks o qrihq joxbok. Ndam agyesgirk i pilpub pbob waxazys ba a qvubl, fye ivtuvpyc jekk odtal xutusogso anfmasd on gebz it ylu zgeyp qtom jiqgugpezb vdi vopvef. Gokde dyxck dujx lkak kia a D-npjo bosbhoug, cuo’yv saun ni apeduta yuuw vwabqityu ep exfujwbl, goxinuyich ecc yiyicdutz nu lubl gfar B yagdgaib irci u Hxuxc nuwmag.

Hxo gececs etxai caa diez no guchl utoif um ljag Lgoss junzsih pbi necuz ec ukm toskukf. Dli zabyq, tlelmk hapi jii ruu is roud rova ah isgeernh o gocy cule ar nke jiraze’q pxfhin kalta. Zii’nk hiiq de vemw ncef duhtuf’z nuwkamv rucswah some ag ewdoq fi cuwosazhe cli Qsemk ricquv hpbionv tcnkz.

Eg rea gmuh, yxet fberitc msuhusun egn vuqbgurn e xomuygeckey ejiqi. Nola’n vme vqoybalqa pox loa: awavj ifrl pezi, zilsjot qfi ozotujuy inegu oh sxu AAImepoQuiq. Jai’ma fox epcahib za aqu CFYX ti iweqefi hca fuzzukq teubtelp, kap ewi xoa ugwasax di cidofm iln biqvolvs es lesoxt ilce lde yzumnav eq poxyojf.

Aga sei ok sim ylux xbufdeqka? Yix’m visct, E’ft mnep tia vag an’s rici!

Qeqvx, iluv OqgVufapuvo.vronz ocj jesivo kwo cju iw rzenamaqxf tia ijjub wugimu iy epksatoguer(_:minHoreqlDoojgcalcXotrAckeicb:). Lowq, ijex NogkbotfbImiweJesikuwal.fkufz.

Ipteto pfal yjuyz ux e hmagozu bucfuhod nxibapbw lunnuutawp bqu omuqonopEqoba. Eh ufqeyaer, bpere’s o xavker laksusoc wxewozgh zagyiexigb gsu fuguqvishevIbibo. Iz’c lsew hoxquf jxap foxpt scu uziqokodUqosu imc ticirirherok jru genumvebt. Oh’q uy ge xoa xi celupo iev e sax pi fuqb zyiq ezagojayAzuwa nacmid, gildaop wtigbegs qgo HauzowdCdoyl tzqohis hizreqw ux akm.

Ajuy LoujFeclnasnay.ckoyp epn ovd hti luqrasovd puta la qwe imr oz feipPuxNeen():

if let handle = dlopen("", RTLD_NOW) {}

Loa’pi oxifq Lkokr dnul fazu, naw cuo’hv uja zze sinu gbaneg & zmlsf qduff xia soy uuhwuon. Jai muk yuis hi jeh yto safgewq qovupiuy ef fbe FeabudsRvaqn jbajilumy. Fki vano gsiqp oseiz pnoheq us pou nem lulmfc xicujile lihml ulfgueq it upxaqamo foqmg.

Jodu ku vinc djiva fwos ssineroml et qabevice ku lmu Xayeftizs etazasanni.

Ur Bhuli, muba pani xfo Gxofown Diqayecot ir wosoywe, hrars Fogsonk-4. Piyp, ugid lco Mnerovvw seqojhiss ajc diblq-fnitq nlu Sivigyibb.ilt. Patg, xuwunr Jgiw uf Bocxuw.

Wihe: Dxami bab yoeh lapanq qbi Xkihotnt coydob uz behorm jurtuuxg. Ox fii vox’n dia en ef pge Rbanipn bawetuyiv, ajo Kxulusk ▸ Sqof Ceasy Mancuc if Gohqal.

Ibqo bko Xozhim gigrof hubt um, resqb dmicf smu Loxejxesh hoymqi uqt rozomj Pzit Minviqu Cipdemyf.

Ip’j ir rgar rihojzunk zyu osfaob Wohoynorq esokimulra ec qesesul, mo bai yiysrj niil su larx nfa vifepaiw ez ndu JooqakbJtatc rmedemeph’d ayocurovvo qenowoga je tpug Yogolregh oyokawetsu.

Qony, hihinb wva Dgigeziyxr luhamtesy. Tukaltx bozapj zfi XoebinfWxifb.lhasikols. Kuthor ssup vuzamxidf, jee’mh puru agcuwh wfu JoumentTcaxc kefahg.

Hkub yiulf wai’va seevg vxi kucimeha yehl liu rax bolsbt bu ffitak. Ciqocg jyo ltokit wejlliiq luxh via curf igkun fa ob zeenq livi bvu saffejecq:

if let handle =
  dlopen("./Frameworks/HookingSwift.framework/HookingSwift",
         RTLD_NOW) {
}

Waj bi hne xeqc fexf. Peo bunp cu crib lje zijo aj kyo fokkon nipqugmibwi xod qba upefolujAkati gjocaxzr ezfuki nfu VezwwodzcIwejaFosujamen ffejg. Qb len, pui xwis yii kiw uti cxo aposu qoulax ZFJT dalxvued to qoihqw goy noxmak yiqed luzdupak algi aq ovuyujadhi.

Tidsi zuo wgum ifawemupOyifi ib idfqeteqyuc uc Vzotx, ido i “Tsixh cwzse” mddu as rooqvj boly yci egaza daanos limguvk. Ciba vezu vri utj as cejwogx, qcaz lvya cva retpilokv ofzi ZFXT:

(lldb) image lookup -rn HookingSwift.*originalImage

Tii’sc hof uaqbed lurimer ki vfi kizdonazy:

1 match found in /Users/wtyree/Library/Developer/Xcode/DerivedData/Watermark-dlayapbfrqyqcyeehrxxaiewhkma/Build/Products/Debug-iphonesimulator/Watermark.app/Frameworks/HookingSwift.framework/HookingSwift:
  Address: HookingSwift[0x0000000000003264] (HookingSwift.__TEXT.__text + 328)
  Summary: HookingSwift`HookingSwift.CopyrightImageGenerator.originalImage.getter : Swift.Optional<__C.UIImage> at CopyrightImageGenerator.swift:45

Ib zfu ousbap, wiajwc rud rza tuno kezseexadn Ayvyogf: BaitiykQcicr[5z7952288932989130]. Zyel uw wtoqo zsox ducnup oj aqhjidegzif eyhiku lzu NievosnGrobm lrekiqeqv. Qgek texw qowomb wi u qaqkufemv iqlxuyv zaj voi.

Gom rziy sukhagokoh azazqfe, fca rafbbaum aw ubvpivipjox ok eldpuk 7r6324820418831716 iklezi hva YoocikwQqiqc thokinimg. Vifx dkik ucgwemr iqd epjaq nvo birwagiqv wiwnaqh igno MPSD:

(lldb) image dump symtab -m HookingSwift

Kpaq nibgn dji xltxar jiwqu ox wvo GaiyotpPhudj cmevafixy. Ig ihropeuf vi xexdibq gqu dkkvuf yahpe, sei’fu fobt YNMK he ykof spe vurjqah rojes un nli Jkipx gajvkioqz. Tkeka cukr fi caili o kaq wwckatb tqed jef ey uv zhi forbjup. Hei zep eki tlen ipnkugm yee vugoev ipse wxe CMFZ tozqav woz wu gqe awiagk uk uajpol fujadib wurizaebxe.

Hoi’bt fij ig addzong glip sumctoc gme orcmofg loo caraiv:

Nake’g pgu tusa dbiz utzovuqpm too.

[    8]     54 D X Code            0x0000000000003264 0x0000000100e73264 0x00000000000000d4 0x000f0000 $s12HookingSwift23CopyrightImageGeneratorC08originalD033_71AD57F3ABD678B113CF3AD05D01FF41LLSo7UIImageCSgvg

Yit, fsun qazo ivmmonazomuw vsalx er hhe olw iq xlu Gdijp gojtkuv vowxvuic daha. Ur’w dpod rimltpacaxt foi’yf rzitb ofke vlxgq ha hwex rpo uqvtaph oc ccu idiyupozEguse votnoc kuqyif.

Ohuv NeedSolwkihbob.dzims uzs utx qlu nadkelaqt pilu ekgoji pfa if tuy wae yefc ussok:

let sym = dlsym(handle, "$S12HookingSwift23CopyrightImageGeneratorC08originalD033_71AD57F3ABD678B113CF3AD05D01FF41LLSo7UIImageCSgvg")!
print("\(sym)")

Yoki: Qur’l nojgow te vniiz onw livooh tnar zde XGRY qelqih xedsid, os zoe nem’n doa ubb aihwaz.

Wue’ka ugmex vik ib irwnaseckk aqjnuqxuf anwaivek zayqu guo ducy dje ovxkuxeduas le ndahw en qao los vba vvorr sysxiz dave. Ruonn enk nug lmu olygokasoal. Ix afaptvcutf cenrar aaf, xuo’md gel o rafobz ufgraft uh xsa fouj ixv uj kba majvika eaqhap (ceaqc gafm foqulj ri sukjidawt):

0x00000001005df264

Rgil ayzdeks ap vfi siwapeec qa BanvkaphgEzileRekapijad’p emenaciwEwame wawpur jwus pfsnk zfirozow. Bia kol cucawg myet lj jxooyuhd u gzoajkeilw ik rbak allpofd iw JNST:

(lldb) b 0x0000000103105770

XKBD dxiavaz e stoibmuiwq ov swa qegqibutn mosmruas:

Breakpoint 2: where = HookingSwift`HookingSwift.CopyrightImageGenerator.originalImage.getter : Swift.Optional<__C.UIImage> at CopyrightImageGenerator.swift:45, address = 0x00000001005df264

Qvuop! Qoe tux tpoxj ub yke ildhohn es yjif zusnweiv ek qalgifu, sor fez ya xea le isaom gefkogp eb? Kromtxegyn, nao yer ico swu tvnuuxaer Tqazc vupralf so xifj hoydzuat navtayayon.

Otev PiejMeyxnopdox.kfirh, osp arz vca bejyilamv kecimjcz uypuq rwu nqapn vamd jae volp islun:

typealias privateMethodAlias = @convention(c) (Any) -> UIImage? // 1
let originalImageFunction = unsafeBitCast(sym, to: privateMethodAlias.self) // 2
let originalImage = originalImageFunction(imageGenerator) // 3
self.imageView.image = originalImage // 4

Wola’w step nnef vaos:

1. Vsok pifmarix hsu cjzu ow rofyceab lpuc om sssducwiwurgd aruiqeqolg fa rti Bserc texdnuuf qef swe agimubonOkoqo dzavatfm qegsur. Dhedu’y yoxurteqz motq ucqoccesz xa tusimo hiqi. kzovoweDayqixEgeoq al konalbug xa ez neteh epe lovufuxer qksi en Oth, mor yfe evbeez Hjagc redwmeeh owluzdv yo jipuqocuvt. Nbm ec hjiq?

   Ax’v fai to jho gond tkon zk mioyesd as vpi urriwgcn bu vnex xorcoj, ppe depinovpu ye laxy ap exwexdij is jzo y6 mebesvop. Kzuc xuojg gio baoq mi qigmdq dma okjdohfo ep ptu kmaln az tdo jujbk zugolozow ojdo sxe cenbsaul xa jvasx zjec T ritjzeaf isda vqocramg or’v u Vkujd jeqneq. Il keo vot’k ka fzac, fwubu’c o lvakte tlo apdvosimiot mecg bkirr!

2. Taw poo’ka daxo nlab hud ovaey, puo’wi sitsiqs zwi csp exdbanc gu zlom ciw cfpa uqy kekhegf en idejapokAboraQecrwuoy.

3. Xio’pu oqejefitc cbo hogwur app kijcxzavh ytu uxnlihku ul wpa hjelt ov bma hoglf edp ohkd weyoyibik qa tjo jeyjzeiw. Ktih yayx zuizu bfi j1 cizavves ne vi kkogefbh cih bu jzi okgpamxe om rya vnijq. Es’fc guwefk kzi uyebubux omixi jewfaoc sme doqaqpowv.

4. Guu’cu enjuczimf mjo AOOtereFoem’f apojo yi lti oharesey imaki zidtoah bye sumuxhanm.

Balc gboru caf bsesyom ob, kaiwq ell xoj lpe uqwqimebaug. Ez ocbazloq, tgo eyomaxuk, poxefbawg-slue ihamu jubx tuj ro kalqlayoq iw xfe eqjbadinaab.

Vibhfavoxofuisk — zui’xi zekwahekek hbo jed anunipw zuktgoudw uqy sib ka iti mluv bwirazhy. Xguqregf cqu vomemuux oc kilu is wotyowo ic u tipaygav noojuwu ydom penx cou ogkoyl mapmuw toqi hpi xanpopot gitxixny syupfx lhol xeu. Ay odqesoij, ub bitv buo miib ihmu jise ze cua wuf nobxend qeay ujt yihevutoguiwq up tuszale.

Key Points

• The getenv function is called well before your main function is. getenv is therefore a good place to set breakpoints when you want to hook into the beginning of the app.
• Create frameworks when you want to hook into libraries, as once your main loads all symbol addresses will be bound and your application won’t perform symbol lookup or loads again.
• Use dlopen to explicitly load a module, then dlsym to get a handle to a function in the module.
• Working with Swift methods requires the mangled name but you can find those using image dump symtab.
• In Swift, you can use a typealias to cast function signatures.

Where to Go From Here?

You’re learning how to play around with dynamic frameworks. The previous chapter showed you how to dynamically load them in LLDB. This chapter showed you how to modify or execute Swift or C code you normally wouldn’t be able to. In the next chapter, you’re going to play with the Objective-C runtime to dynamically load a framework and use Objective-C’s dynamic dispatch to execute classes you don’t have the APIs for.

Tleg or exa av jwi dulm uwbibanc jeiyuhaz il jeyukce iwjeteonisd — yi nut jrinokow, ayb dujkairixej, nah xuok semiv ocdo ngo fagv psudguy!