Closed emonti closed 9 years ago

Very strangely, interpose.c stopped working on some symbols on iOS 9, but only on arm64. For example, try hooking `_SSLHandshake` called from CFNetwork -- `SocketStream::_PerformSecurityHandshake_NoLock`. If we add logging to the hook insertion routine, you'll see the interposition gets installed on CFNetwork imports, but it is never invoked when SSLHandshake is called. OTOH, if we try a hook on `_open`, we see it gets invoked consistently when calling `[NSString stringWithContentsOfFile:]` via Foundation -- `_NSReadBytesFromFileWithExtendedAttributes`, for example. Also, both seem to work just fine on armv7 and even on arm64 on iOS 8.

It's because of an optimization added in iOS 9 - calls from one library in the shared cache to another are now patched at cache build time into direct calls, skipping the dyld stubs. Since the offsets are encoded directly into the signed code, it is no longer possible to hook them on a non-jailbroken device without some relatively drastic measures (e.g. mprotect, hardware breakpoints, re-signing...).

Ah, makes sense. Thanks for the response!
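As an added illustration (not code from the issue or from interpose.c), here is a small C model of the explanation above: rebinding a symbol-pointer slot catches a call that goes through a stub, but a call that was rewritten into a direct branch never touches the slot, so the hook is installed yet never fires. All names here are constructed stand-ins, not real dyld or CFNetwork symbols.

```c
/* Model of stub-routed vs. direct calls; all names are constructed for the demo. */
#include <stdio.h>

typedef int (*handshake_fn)(int fd);

static int hook_invocations = 0;

/* Stand-in for the real library routine (think SSLHandshake). */
static int real_handshake(int fd) { return fd * 2; }

/* Stand-in for a lazy symbol pointer slot: a dyld stub loads and jumps through it. */
static handshake_fn handshake_ptr = real_handshake;

/* The interposition hook: count the call, then forward to the original. */
static int hooked_handshake(int fd) {
    hook_invocations++;
    return real_handshake(fd);
}

/* Caller as on iOS 8: the call is routed through the stub / pointer slot. */
static int call_via_stub(int fd) { return handshake_ptr(fd); }

/* Caller as rewritten at shared-cache build time: a direct call, no slot involved. */
static int call_direct(int fd) { return real_handshake(fd); }

/* What interpose.c-style rebinding does: overwrite the pointer slot. */
static void rebind_symbol(handshake_fn replacement) { handshake_ptr = replacement; }

/* Installs the hook, makes both kinds of call, and returns how many reached the hook. */
static int demo(void) {
    hook_invocations = 0;
    rebind_symbol(hooked_handshake);
    call_via_stub(21);   /* goes through the slot: hook fires */
    call_direct(21);     /* bypasses the slot: hook silently missed */
    return hook_invocations;   /* 1 of 2 */
}

int main(void) {
    printf("hook invoked %d of 2 times\n", demo());
    return 0;
}
```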