evelyneee / ellekit

yet another tweak injector / tweak hooking library for darwin systems
BSD 3-Clause "New" or "Revised" License

MSHookFunction Crash #53

Closed alidork1 closed 4 months ago

alidork1 commented 6 months ago

I wrote a tweak that I've run on checkra1n on iOS 13/14. After porting it to run in rootless theos, all the functionality works except for MSHookFunction.

According to the readme, the Substrate API header should be supported.

Example usage:

MSHookFunction((t_voidOne)getAddress(0x032912), n_New, (void **)&o_Old);

evelyneee commented 6 months ago

What happens? Send the crash log if there is one

bingchilling3618 commented 5 months ago

Hi @evelyneee, I got the same issue. Here is the stack trace (the function I am trying to hook is mach_msg):

Exception: EXC_BAD_ACCESS
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000000

Registers:
      x0 = 0x000000016f0310d0       x1 = 0x0000000000000003       x2 = 0x0000000000000018       x3 = 0x0000000000000040
      x4 = 0x0000000000000507       x5 = 0x0000000000000000       x6 = 0x0000000000000000       x7 = 0x0000000000000000
      x8 = 0x0000000000000000       x9 = 0x0000000000000076      x10 = 0x0000000000000800      x11 = 0x0000000000000000
     x12 = 0x0000000000000000      x13 = 0x0000000000000800      x14 = 0x0000000000000739      x15 = 0x0000000000000739
     x16 = 0x0000000100f98e6c      x17 = 0x0000000000000800      x18 = 0x0000000000000000      x19 = 0x000000010130b410
     x20 = 0x000000016f031144      x21 = 0x000000010130b410      x22 = 0x0000000000000001      x23 = 0x00000001f6971424
     x24 = 0x000000016f0313d0      x25 = 0xffffffff450aee3b      x26 = 0x00000001fc0d67f0      x27 = 0x000000016f031330
     x28 = 0x00000001fc0ccc78       lr = 0x0000000100f98ebc     cpsr = 0x0000000060000000
      fp = 0x000000016f0310c0       sp = 0x000000016f0310a0      esr = 0x0000000082000006       pc = 0x0000000000000000
     far = 0x0000000000000000

Frames:
    [None] 0x0
    [/usr/lib/system/libsystem_kernel.dylib] 0x1bbee9000 + 0x2b60 (task_threads + 0x6c)
    [/usr/lib/libellekit.dylib] 0x101198000 + 0xf378 (getAllThreads() + 0x50)
    [/usr/lib/libellekit.dylib] 0x101198000 + 0xf42c (stopAllThreads() + 0x24)
    [/usr/lib/libellekit.dylib] 0x101198000 + 0x11454 (rawHook(address:code:size:) + 0xd8)
    [/usr/lib/libellekit.dylib] 0x101198000 + 0x11948 (closure #1 in hook(_:_:_:) + 0x38)
    [/usr/lib/libellekit.dylib] 0x101198000 + 0x112cc (hook(_:_:_:) + 0x6c4)
    [/usr/lib/libellekit.dylib] 0x101198000 + 0xe404 (MSHookFunction + 0x18)
    [/usr/lib/TweakInject/MyTweak.dylib] 0x100f90000 + 0x7720 (hookF(char const*, char const*, void*, void**) + 0x268)
    [/usr/lib/TweakInject/MyTweak.dylib] 0x100f90000 + 0x7ac0 (init(int, char const**) + 0x114)
    [/cores/dyld] 0x100ff4000 + 0x8124 (invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 0x98)
    [/cores/dyld] 0x100ff4000 + 0x37df8 (invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 0xa0)
    [/cores/dyld] 0x100ff4000 + 0x5eec (invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 0x208)
    [/cores/dyld] 0x100ff4000 + 0x5210 (dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 0xa0)
    [/cores/dyld] 0x100ff4000 + 0x4570 (dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 0xa4)
    [/cores/dyld] 0x100ff4000 + 0x379b4 (dyld3::MachOAnalyzer::forEachInitializerPointerSection(Diagnostics&, void (unsigned int, unsigned int, unsigned char const*, bool&) block_pointer) const + 0x78)
    [/cores/dyld] 0x100ff4000 + 0x110b0 (dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 0x144)
    [/cores/dyld] 0x100ff4000 + 0xde10 (dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 0x90)
    [/cores/dyld] 0x100ff4000 + 0x9b60 (dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 0xd4)
    [/cores/dyld] 0x100ff4000 + 0xf840 (dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 0x78)
    [/cores/dyld] 0x100ff4000 + 0x936c (dyld4::APIs::dlopen_from(char const*, int, void*) + 0x1f0)
    [/usr/lib/ellekit/libinjector.dylib] 0x100f64000 + 0x48e4 (injection_init + 0x81c)
    [/cores/dyld] 0x100ff4000 + 0x8124 (invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 0x98)
    [/cores/dyld] 0x100ff4000 + 0x37df8 (invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 0xa0)
    [/cores/dyld] 0x100ff4000 + 0x5eec (invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 0x208)
    [/cores/dyld] 0x100ff4000 + 0x5210 (dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 0xa0)
    [/cores/dyld] 0x100ff4000 + 0x4570 (dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 0xa4)
    [/cores/dyld] 0x100ff4000 + 0x379b4 (dyld3::MachOAnalyzer::forEachInitializerPointerSection(Diagnostics&, void (unsigned int, unsigned int, unsigned char const*, bool&) block_pointer) const + 0x78)
    [/cores/dyld] 0x100ff4000 + 0x110b0 (dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 0x144)
    [/cores/dyld] 0x100ff4000 + 0xde10 (dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 0x90)
    [/cores/dyld] 0x100ff4000 + 0x9b60 (dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 0xd4)
    [/cores/dyld] 0x100ff4000 + 0xf840 (dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 0x78)
    [/cores/dyld] 0x100ff4000 + 0x2c94c (dyld4::APIs::runAllInitializersForMain() + 0xf4)
    [/cores/dyld] 0x100ff4000 + 0x19c5c (dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 0xa3c)
    [/cores/dyld] 0x100ff4000 + 0x184b0 (start + 0x19c)

opa334 commented 5 months ago

@evelyneee you seem to not check the return value of task_threads in getAllThreads, so if it fails it will crash the process
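
The pattern opa334 describes, checking the kern_return_t of task_threads before touching the thread list, as an added illustration that is not ellekit's getAllThreads()/stopAllThreads(). The function names (suspendOtherThreads, resumeThreads) are hypothetical, and it assumes that "stopping" threads means thread_suspend on every thread except the caller:

```swift
import Darwin

/// Suspend every thread in the current task except the calling one and return
/// the suspended thread ports so the caller can resume them later.
/// Returns nil when task_threads() fails, instead of walking an uninitialised
/// thread list. Hypothetical example written for this issue, not ellekit code.
func suspendOtherThreads() -> [thread_act_t]? {
    var list: thread_act_array_t? = nil
    var count: mach_msg_type_number_t = 0

    let kr = task_threads(mach_task_self_, &list, &count)
    guard kr == KERN_SUCCESS, let threads = list else {
        // task_threads can fail (invalid task port, MIG/IPC error, ...). On
        // failure `list` and `count` are not meaningful; report and bail out
        // rather than dereferencing garbage.
        fputs("task_threads failed: \(kr) (\(String(cString: mach_error_string(kr))))\n", stderr)
        return nil
    }

    // pthread_mach_thread_np does not allocate a new send right, unlike
    // mach_thread_self(), so nothing has to be released for it afterwards.
    let me = pthread_mach_thread_np(pthread_self())
    var suspended: [thread_act_t] = []

    for i in 0..<Int(count) {
        let t = threads[i]
        if t == me {
            mach_port_deallocate(mach_task_self_, t)
            continue
        }
        if thread_suspend(t) == KERN_SUCCESS {
            suspended.append(t)          // keep the port; resumeThreads() releases it
        } else {
            mach_port_deallocate(mach_task_self_, t)
        }
    }

    // The thread array is an out-of-line buffer owned by the caller.
    vm_deallocate(mach_task_self_,
                  vm_address_t(bitPattern: threads),
                  vm_size_t(count) * vm_size_t(MemoryLayout<thread_act_t>.stride))
    return suspended
}

/// Resume threads previously returned by suspendOtherThreads() and drop the
/// send rights task_threads handed us.
func resumeThreads(_ threads: [thread_act_t]) {
    for t in threads {
        thread_resume(t)
        mach_port_deallocate(mach_task_self_, t)
    }
}

// Usage: guard against the failure case instead of assuming success.
if let stopped = suspendOtherThreads() {
    // ... patch code while the other threads are parked ...
    resumeThreads(stopped)
} else {
    fputs("could not enumerate threads; skipping hook\n", stderr)
}
```

Two details worth keeping in mind when reading the trace above: every port in the array returned by task_threads is a send right that must be deallocated, and task_threads is itself a MIG routine that goes through mach_msg, so a hooking engine that enumerates threads while installing a hook on mach_msg is calling into the very function it is patching.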

evelyneee commented 4 months ago

Fixed in the latest commit