jmpews / hookzzmodules Goto Github PK

View Code? Open in Web Editor NEW

519.0 27.0 167.0 779 KB

modules deps on HookZz framework.

C 8.58% Objective-C 41.87% Makefile 14.09% Objective-C++ 32.82% JavaScript 2.65%

antidebugbypass

hookzzmodules's Introduction

HookZzModules

modules depends on HookZz, a hook framework.

1. AntiDebugByPass

bypass anti-debug, such as ptrace, syscall, sysctl and svc #0x80.

move to readme.md

2. AntiDebug

anti-debug tricks.

move to readme.md

3. hook_objc_msgSend

hook objc_msgSend in a simple way.

move to readme.md

4. hook_MGCopyAnswer

hook MGCopyAnswer in a simple way.

move to readme.md

hookzzmodules's People

Contributors

Stargazers

Watchers

Forkers

uvbs elvis-ios ta01st zysyyz fly8888 h0medev creantan sjlucn asuralove xtxwy zikex startion2007 nightoftwelve obaby shuixi2013 amoystyle coderxl iguchunhui louwangzhiyuy feikang kozoro whb224117 wangdu1005 sherlozk steven0610 cloudvisionx xjump chago parker1014 bjzz heartbee yuknight sploitamos bigfoxses hl46000 angrykub yuzhouheike oranwu jevey raynstep wynney crackercat holyswordman luckycoder-git ldzspace xautzbl yangshengchaoios keepgoing2016 byczd extremdrone yuzehome lifeqiuzhi520 madordie hyl946 ytnbfirewings jacktsenq luluuyu zengqingf pzwwei snsogbl superchaom woozoo86 lgq2015 jiaxw32 st-rnd ytx0574 freemanzyq piowind mail2chensh haidragon fengjixuchui fkios zekn gph1991 carppond etund vicxia h0ne thewayma q251995379 hohjgdhsj yeyiqun devshen ecore2018 njxxdx lemon4ex sorke goodcyg alderon86 suzuke no-karma zljkevin ceekay1991 witchan binge1993 ioxuy sunqingquan huanghaiyi httpsgithu dlnn

hookzzmodules's Issues

syscall crash in armv7

Exception Type:  EXC_CRASH (SIGSYS)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note:  EXC_CORPSE_NOTIFY
Triggered by Thread:  0

Filtered syslog:
None found

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libsystem_kernel.dylib        	0x1c08a3f8 __syscall + 20
1   microvision                   	0x008bc2ee 0x4000 + 9143022
2   libdispatch.dylib             	0x1bf89782 _dispatch_client_callout + 22
3   libdispatch.dylib             	0x1bf95154 _dispatch_continuation_pop + 384
4   libdispatch.dylib             	0x1bfa014c _dispatch_source_latch_and_call + 166
5   libdispatch.dylib             	0x1bf8b284 _dispatch_source_invoke + 794
6   libdispatch.dylib             	0x1bf8dbd2 _dispatch_main_queue_callback_4CF + 596
7   CoreFoundation                	0x1c877d68 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 8
8   CoreFoundation                	0x1c875e18 __CFRunLoopRun + 848
9   CoreFoundation                	0x1c7c91ae CFRunLoopRunSpecific + 470
10  CoreFoundation                	0x1c7c8fd0 CFRunLoopRunInMode + 104
11  GraphicsServices              	0x1df73b40 GSEventRunModal + 80
12  UIKit                         	0x21b51a52 UIApplicationMain + 150
13  microvision                   	0x008ba9ee 0x4000 + 9136622
14  libdyld.dylib                 	0x1bfb64ea start + 2

longjmp可以换成asm_exit？

ARMv7 is not supported

It seems that this module is ARM64 only?

一运行就 image not found

hook_MGCopyAnswer.dylib cause APP "Preferences" crash

Platform: 6plus
ios: 10.2
Jailbreak: yalu102

steps:

build hook_MGCopyAnswer.dylib with ios9 sdk
ldid -S hook_MGCopyAnswer.dylib
copy to 6P's directory:/Library/MobileSubstrate/DynamicLibraries
Launch Preferences app, Click 'General' -> "About", then Preferences crashed

bt:
Process 5074 stopped

thread #9, queue = 'com.apple.root.default-qos', stop reason = signal SIGABRT
frame #0: 0x0000000189479d74 libsystem_kernel.dylib__abort_with_payload + 8 libsystem_kernel.dylib__abort_with_payload:
-> 0x189479d74 <+8>: b.lo 0x189479d8c ; <+32>
0x189479d78 <+12>: stp x29, x30, [sp, #-0x10]!
0x189479d7c <+16>: mov x29, sp
0x189479d80 <+20>: bl 0x18945e7d0 ; cerror_nocancel
(lldb) bt
thread #9, queue = 'com.apple.root.default-qos', stop reason = signal SIGABRT
- frame #0: 0x0000000189479d74 libsystem_kernel.dylib__abort_with_payload + 8 frame #1: 0x00000001894764c8 libsystem_kernel.dylibabort_with_payload + 12
  frame #2: 0x000000018c6ea328 TCC<redacted> + 260 frame #3: 0x000000018c6ea224 TCC + 704
  frame #4: 0x000000018c6ed330 TCC<redacted> + 348 frame #5: 0x000000018957efcc libxpc.dylib + 80
  frame #6: 0x000000018957ef3c libxpc.dylib<redacted> + 40 frame #7: 0x00000001893361bc libdispatch.dylib + 16
  frame #8: 0x0000000189344a4c libdispatch.dylib<redacted> + 732 frame #9: 0x000000018934634c libdispatch.dylib + 572
  frame #10: 0x00000001893460ac libdispatch.dylib<redacted> + 124 frame #11: 0x000000018953f2a0 libsystem_pthread.dylib_pthread_wqthread + 1288
  (lldb) q

Register status is not restored

ZzBuildHookAddress does not restore all register status
X17

How can I using

Hi, thank you for your source.
But how I can use your source code on my Tweak, please?

指令传参的顺序影响寄存器使用？求解答

__asm__ volatile(
                    "mov x0, %[name_ptr]\n"
                    "mov x1, #4\n"
                    "mov x2, %[info_ptr]\n"
                    "mov x3, %[size_ptr]\n"
                    "mov x4, #0\n"
                    "mov x5, #0\n"
                    "mov w16, #202\n"
                    "svc #0x80\n"

                    :
                    :[name_ptr] "r" (&name), [info_ptr] "r" (&info), [size_ptr] "r" (&size)
                    :"%x1", "%x2", "%x3"
                    );

这样写，在编译成汇编的时候会出错，偶尔会变成以下指令

mov x0 , ...
mov x1, #4 
mov x2, x1
mov x3, x2
...

然后，换成这样写

__asm__ volatile(
                    "mov x0, %[name_ptr]\n"
                    "mov x3, %[size_ptr]\n"
                    "mov x2, %[info_ptr]\n"
                    "mov x1, #4\n"
                    "mov x4, #0\n"
                    "mov x5, #0\n"
                    "mov w16, #202\n"
                    "svc #0x80\n"

                    :
                    :[name_ptr] "r" (&name), [info_ptr] "r" (&info), [size_ptr] "r" (&size)
                    :"%x1", "%x2", "%x3"
                    );

则能够对x0, x2, x3正确赋值。

第一种偶尔不能达到目的，第二种可以。

找到原因了，自问自答一波：
下面是armv7下生成的汇编代码

    0x6321c <+88>:  str    r0, [sp, #0x30]
    0x6321e <+90>:  add    r0, sp, #0x24
    0x63220 <+92>:  add    r1, sp, #0x34
    0x63222 <+94>:  add    r2, sp, #0x20
    0x63224 <+96>:  mov    r0, r0
    0x63226 <+98>:  mov    r3, r2
    0x63228 <+100>: mov    r2, r1
    0x6322a <+102>: mov.w  r1, #0x4
    0x6322e <+106>: mov.w  r4, #0x0
    0x63232 <+110>: mov.w  r5, #0x0
    0x63236 <+114>: mov.w  r12, #0xca
    0x6323a <+118>: svc    #0x80

在内联汇编代码，在我们的指令前会先用r0, r1, r2，存对应的地址，然后如果我们按照r0,r1,r2,r3这样操作寄存器，那么原来的值就会被覆盖了。

jmpews / hookzzmodules Goto Github PK

hookzzmodules's Introduction

HookZzModules

1. AntiDebugByPass

2. AntiDebug

3. hook_objc_msgSend

4. hook_MGCopyAnswer

hookzzmodules's People

Contributors

Stargazers

Watchers

Forkers

hookzzmodules's Issues

Recommend Projects

Recommend Topics

Recommend Org