Unmaintained. Please use someone else's fork...
comex / substitute
A free runtime modification library.
License: Other
how to compile a static framework?
can do this now?
Are you gonna do it similar to dlopening everything in /Library/MobileSubstrate/DynamicLibraries... or something else? You said something about bundling this in a standalone application... how exactly would that work?
Also do you have an IRC chan?
And which iOS device/version are you primarily testing this on?
I need to do this. Not a big deal, but would be slightly more robust if Apple does something crazy like change the page size for existing architectures.
Not jailbroken on iOS 10.
hook before:
libsystem_kernel.dylib`socket:
0x1cddf708 <+0>: mov r12, #97
0x1cddf70c <+4>: svc #0x80
0x1cddf710 <+8>: blo 0x1cddf728 ; <+32>
0x1cddf714 <+12>: ldr r12, [pc, #0x4] ; <+24>
0x1cddf718 <+16>: ldr r12, [pc, r12]
0x1cddf71c <+20>: b 0x1cddf724 ; <+28>
0x1cddf720 <+24>: bne 0x1e989b48 ; CMYK64_mark_constmask + 6288
0x1cddf724 <+28>: bx r12
hook after:
libsystem_kernel.dylib`socket:
0x1cddf708 <+0>: .long 0xf000f8df ; unknown opcode
0x1cddf70c <+4>: sbceq r4, r5, r9, lsl r4
0x1cddf710 <+8>: blo 0x1cddf728 ; <+32>
0x1cddf714 <+12>: ldr r12, [pc, #0x4] ; <+24>
0x1cddf718 <+16>: ldr r12, [pc, r12]
0x1cddf71c <+20>: b 0x1cddf724 ; <+28>
0x1cddf720 <+24>: bne 0x1e989b48 ; CMYK64_mark_constmask + 6288
0x1cddf724 <+28>: bx r12
unknown opcode is wrong!
Sorry for making another issue that's a question (well I guess this is more a feature request but still)
From what I've seen for substrate the only reason why it doesn't hook root apps is because of security concerns, but I don't really buy that reason... you can just hook into SpringBoard, add a .deb to the Cydia autoinstall directory (and have Cydia install something to rc.d as root) and you'd get the same effect.
Thoughts?
(Dup of yifanlu#1)
Sample sequence (test.bin)
FF F7 54 FF 00 BF 00 BF 70 47
Disassembly
0: f7ff ff54 bl 0xfffffeac
4: bf00 nop
6: bf00 nop
8: 4770 bx lr
./test-transform-dis-thumb2 manual 8 1 < test.bin
produces
#if 0
transform_dis (0x10000): branch => 0xfe80fd54
transform_dis (0x10000): >> op_size=4 newop_size=4
=> 3
#endif
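As an added example (not the project's transform_dis code), the following C decodes the Thumb-2 BL from the sample bytes above the way the ARM ARM specifies (S:I1:I2:imm10:imm11:'0', with I1 = NOT(J1 XOR S) and I2 = NOT(J2 XOR S)), reproduces the target lldb shows (0xfffffeac at address 0, 0xfeac when the code sits at 0x10000), and re-encodes the BL for a new address, which is the relocation step a hook library's disassembler must get right. The sample bytes are the issue's test.bin; the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Thumb-2 BL (T1 encoding) immediate: imm32 = SignExtend(S:I1:I2:imm10:imm11:'0'). */
static int32_t thumb2_bl_imm(uint16_t hw1, uint16_t hw2) {
    uint32_t S = (hw1 >> 10) & 1, imm10 = hw1 & 0x3ff;
    uint32_t J1 = (hw2 >> 13) & 1, J2 = (hw2 >> 11) & 1, imm11 = hw2 & 0x7ff;
    uint32_t I1 = !(J1 ^ S), I2 = !(J2 ^ S);
    uint32_t imm = (S << 24) | (I1 << 23) | (I2 << 22) | (imm10 << 12) | (imm11 << 1);
    if (S) imm |= 0xfe000000u;                 /* sign-extend the 25-bit field */
    return (int32_t)imm;
}

/* Encode a BL at `pc` reaching `target`; returns -1 if the offset is odd or out of range. */
static int thumb2_bl_encode(uint32_t pc, uint32_t target, uint16_t *hw1, uint16_t *hw2) {
    int32_t off = (int32_t)(target - (pc + 4));    /* wraps correctly for high targets */
    if ((off & 1) || off < -(1 << 24) || off > (1 << 24) - 2) return -1;
    uint32_t imm = (uint32_t)off;
    uint32_t S = (imm >> 24) & 1, I1 = (imm >> 23) & 1, I2 = (imm >> 22) & 1;
    uint32_t J1 = (!I1) ^ S, J2 = (!I2) ^ S;
    *hw1 = (uint16_t)(0xf000 | (S << 10) | ((imm >> 12) & 0x3ff));
    *hw2 = (uint16_t)(0xd000 | (J1 << 13) | (J2 << 11) | ((imm >> 1) & 0x7ff));
    return 0;
}

/* Absolute target of a BL located at `pc` (Thumb PC reads as instruction address + 4). */
uint32_t thumb2_bl_target(uint32_t pc, uint16_t hw1, uint16_t hw2) {
    return pc + 4 + (uint32_t)thumb2_bl_imm(hw1, hw2);
}

/* Constructed sample from the issue's test.bin: FF F7 54 FF is the BL (little-endian halfwords). */
static const uint8_t sample[] = {0xFF, 0xF7, 0x54, 0xFF, 0x00, 0xBF, 0x00, 0xBF, 0x70, 0x47};
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

uint32_t sample_bl_target(uint32_t pc) {
    return thumb2_bl_target(pc, le16(sample), le16(sample + 2));
}

/* Move the sample's BL from old_pc to new_pc (what a relocating disassembler does) and
 * return the target it reaches afterwards, or 0xffffffff if the new site is out of range. */
uint32_t sample_bl_relocated_target(uint32_t old_pc, uint32_t new_pc) {
    uint16_t h1, h2;
    uint32_t target = sample_bl_target(old_pc);
    if (thumb2_bl_encode(new_pc, target, &h1, &h2)) return 0xffffffffu;
    return thumb2_bl_target(new_pc, h1, h2);
}

int main(void) {
    printf("bl at 0 -> 0x%08x, at 0x10000 -> 0x%08x\n", sample_bl_target(0), sample_bl_target(0x10000));
    return 0;
}
```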
May I ask why xxpc.h is used instead of xpc.h?
I installed Substitute, but I am unable to load daemon as when I run
launchctl load /Library/LaunchDaemons/com.ex.substituted.plist
I get this error
/Library/LaunchDaemons/com.ex.substituted.plist: Requestor is not a platform binary
I checked permissions, and all is root:wheel. Also, I did reboot phone after installing. Note that I don't have DPKG, and installed Substitute by manually copying its deb files, and setting permissions accordingly. I am on iPhone9,3 11.1
I clone the app
run
./configure --enable-tests && make -j8
now I want to run the compiled code
/out/test-find-syms
Segmentation fault: 11
Other tests are OK.
Is this a known issue?
I understand that Substrate wouldn't work on OS X; is it the same case with this code?
(I had to manually copy the /usr/lib/libsubstitute.0.dylib into place)
test-find-syms.c
#include <assert.h>
#include <dlfcn.h>
#include "substitute.h"   /* public header in lib/, found via -I./lib */

int main() {
    const char *foundation = "/System/Library/Frameworks/Foundation.framework/Foundation";
    /* Make sure the image is loaded before asking substitute to open it. */
    dlopen(foundation, RTLD_LAZY);
    struct substitute_image *im = substitute_open_image(foundation);
    assert(im);
    /* Look up a private (non-exported) symbol by name. */
    const char *names[] = { "_absolute_from_gregorian" };
    int (*f)(int);
    assert(!substitute_find_private_syms(im, names, (void **) &f, 1));
    assert(f);
    assert(f(12345) < 0);
    substitute_close_image(im);
    return 0;
}
When I dump the Foundation.framework symbols, the output doesn't include _absolute_from_gregorian.
Is that what this code is supposed to be doing? I had hoped to call a private symbol using this code.
nm -gj /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
UPDATE
FYI: commands to compile a single test
mkdir -p out
/usr/bin/xcrun --sdk macosx cc -g -I./lib -I./substrate -I./vendor -std=c89 -fvisibility=hidden -O3 -c -o out/test-find-syms.o -MMD -MF /substitute/out/test-find-syms.d ./test/test-find-syms.c
/usr/bin/xcrun --sdk macosx cc -g -I./lib -I./substrate -I./vendor -x c++ -std=c++98 -fvisibility=hidden -O3 -c -o out/test-find-syms-cpp.o -MMD -MF /substitute/out/test-find-syms-cpp.d ./test/test-find-syms.c
/usr/bin/xcrun --sdk macosx cc -o /substitute/out/test-find-syms-cpp /substitute/out/libsubstitute.dylib out/test-find-syms-cpp.o -dead_strip -O3
/usr/bin/xcrun --sdk macosx dsymutil /substitute/out/test-find-syms-cpp
/usr/bin/xcrun --sdk macosx cc -o /substitute/out/test-find-syms /substitute/out/libsubstitute.dylib out/test-find-syms.o -dead_strip -O3
/usr/bin/xcrun --sdk macosx dsymutil /substitute/out/test-find-syms
Is it possible to call mangled c++ symbol names?
Hi, hope someone can answer this one.
I made a tweak that injects into bulletindistributord
My filter file contains:
{
Filter = {
Executables = (
bulletindistributord,
);
};
}
The tweak will not inject into the daemon no matter what I did. I restarted it, ran ldrestart and rebooted the phone.
The tweak injects as expected on Substrate-based jailbreaks on the same iOS firmware.
Hey there. I'm playing around with this and I'm unable to get it to finish. The error it leaves me with is:
In file included from ./lib/hook-functions.c:7:
./lib/arm/jump-patch.h:17:40: error: incompatible integer to pointer conversion
initializing 'void *' with an expression of type 'uint_tptr'
(aka 'unsigned int') [-Werror,-Wint-conversion]
struct assemble_ctx actx = {codep, pc, arch.pc_low_bit, 0xe};
_________________________________________^~
1 error generated.
Thanks for the cool stuff!
edit: disregard the underscores, needed them for the symbols to stay in place
More of a question than an issue, though. I didn't find anything related to this, so maybe I should just ask.
Requires kernel patch? or KEXT or something?
This isn't a bug/issue, more of a question.
Without jailbreaking is it feasible for an iOS process to use these techniques on itself to interpose functions?
Since iOS 9 standard methods of interposition don't work on iOS due to a performance optimization in which they actually patch the JMPs in code to refer to their targets instead of doing indirection through DYLD tables. I'm looking into alternatives and have been researching the use of vm_remap() for this purpose. Technically it seems possible, and we were considering doing a test implementation, but then we happened upon this and it seems to do something similar.
End goal would be to end up with something like facebook/fishhook that works on iOS 9. We don't want it to require rooting and don't need it to operate on anything except the current running app itself within its own sandbox.
Hi, I'm trying to compile substitute but I'm running into errors. I'm building for iOS with LLVM 3.6 and the iOS 8.1 SDK.
Here's the output from make:
CoolStar@PC ~/substitute
$ make
Makefile:103: warning: overriding recipe for target 'out/darwin-inject-asm.S'
Makefile:100: warning: ignoring old recipe for target 'out/darwin-inject-asm.S'
~/theos/toolchain/windows/iphone/bin/armv7-apple-darwin11-clang.exe -isysroot ~/theos/sdks/iPhoneOS8.1.sdk -g -O3 -Wall -Wextra -Werror -Ilib -arch armv7 -arch arm64 -miphoneos-version-min=7.0 -fvisibility=hidden -c -o out/darwin-inject-asm.o generated/darwin-inject-asm.S
~/theos/toolchain/windows/iphone/bin/armv7-apple-darwin11-clang.exe -isysroot ~/theos/sdks/iPhoneOS8.1.sdk -g -O3 -Wall -Wextra -Werror -Ilib -arch armv7 -arch arm64 -miphoneos-version-min=7.0 -fvisibility=hidden -std=c11 -c -o out/darwin/find-syms.o lib/darwin/find-syms.c
~/theos/toolchain/windows/iphone/bin/armv7-apple-darwin11-clang.exe -isysroot ~/theos/sdks/iPhoneOS8.1.sdk -g -O3 -Wall -Wextra -Werror -Ilib -arch armv7 -arch arm64 -miphoneos-version-min=7.0 -fvisibility=hidden -std=c11 -c -o out/darwin/inject.o lib/darwin/inject.c
~/theos/toolchain/windows/iphone/bin/armv7-apple-darwin11-clang.exe -isysroot ~/theos/sdks/iPhoneOS8.1.sdk -g -O3 -Wall -Wextra -Werror -Ilib -arch armv7 -arch arm64 -miphoneos-version-min=7.0 -fvisibility=hidden -std=c11 -c -o out/darwin/interpose.o lib/darwin/interpose.c
~/theos/toolchain/windows/iphone/bin/armv7-apple-darwin11-clang.exe -isysroot ~/theos/sdks/iPhoneOS8.1.sdk -g -O3 -Wall -Wextra -Werror -Ilib -arch armv7 -arch arm64 -miphoneos-version-min=7.0 -fvisibility=hidden -c -o out/darwin/objc-asm.o lib/darwin/objc-asm.S
~/theos/toolchain/windows/iphone/bin/armv7-apple-darwin11-clang.exe -isysroot ~/theos/sdks/iPhoneOS8.1.sdk -g -O3 -Wall -Wextra -Werror -Ilib -arch armv7 -arch arm64 -miphoneos-version-min=7.0 -fvisibility=hidden -std=c11 -c -o out/darwin/objc.o lib/darwin/objc.c
~/theos/toolchain/windows/iphone/bin/armv7-apple-darwin11-clang.exe -isysroot ~/theos/sdks/iPhoneOS8.1.sdk -g -O3 -Wall -Wextra -Werror -Ilib -arch armv7 -arch arm64 -miphoneos-version-min=7.0 -fvisibility=hidden -std=c11 -c -o out/darwin/read.o lib/darwin/read.c
~/theos/toolchain/windows/iphone/bin/armv7-apple-darwin11-clang.exe -isysroot ~/theos/sdks/iPhoneOS8.1.sdk -g -O3 -Wall -Wextra -Werror -Ilib -arch armv7 -arch arm64 -miphoneos-version-min=7.0 -fvisibility=hidden -std=c11 -c -o out/darwin/substrate-compat.o lib/darwin/substrate-compat.c
~/theos/toolchain/windows/iphone/bin/armv7-apple-darwin11-clang.exe -isysroot ~/theos/sdks/iPhoneOS8.1.sdk -g -O3 -Wall -Wextra -Werror -Ilib -arch armv7 -arch arm64 -miphoneos-version-min=7.0 -fvisibility=hidden -std=c11 -c -o out/darwin/execmem.o lib/darwin/execmem.c
lib/darwin/execmem.c:136:24: error: implicit declaration of function 'manual_thread_get_state' is
invalid in C99 [-Werror,-Wimplicit-function-declaration]
kern_return_t kr = manual_thread_get_state(thread, NATIVE_THREAD_STATE_FLAVOR,
^
lib/darwin/execmem.c:136:24: note: did you mean 'thread_get_state'?
/home/CoolStar/theos/sdks/iPhoneOS8.1.sdk/usr/include/mach/thread_act.h:90:15: note:
'thread_get_state' declared here
kern_return_t thread_get_state
^
lib/darwin/execmem.c:145:14: error: implicit declaration of function 'manual_thread_set_state' is
invalid in C99 [-Werror,-Wimplicit-function-declaration]
kr = manual_thread_set_state(thread, NATIVE_THREAD_STATE_FLAVOR,
^
lib/darwin/execmem.c:145:14: note: did you mean 'manual_thread_get_state'?
lib/darwin/execmem.c:136:24: note: 'manual_thread_get_state' declared here
kern_return_t kr = manual_thread_get_state(thread, NATIVE_THREAD_STATE_FLAVOR,
^
lib/darwin/execmem.c:439:14: error: implicit declaration of function 'manual_mach_vm_remap' is
invalid in C99 [-Werror,-Wimplicit-function-declaration]
kr = manual_mach_vm_remap(mach_task_self(), &target, len, 0,
^
3 errors generated.
Makefile:44: recipe for target 'out/darwin/execmem.o' failed
make: *** [out/darwin/execmem.o] Error 1
CoolStar@PC ~/substitute
$
When I have two different tweaks that both hook MGGetBoolAnswer using the following code (just different keys) it crashes SpringBoard:
extern "C" BOOL MGGetBoolAnswer(CFStringRef);
static BOOL isEnabled = YES; // assumed: the tweak sets this from its preferences
%hookf(BOOL, MGGetBoolAnswer, CFStringRef key)
{
#define k(key_) CFEqual(key, CFSTR(key_))
    if (k("eQd5mlz0BN0amTp/2ccMoA")
        || k("n/aVhqpGjESEbIjvJbEHKg")
        || k("+fgL2ovGydvB5CWd1JI1qg"))
        return isEnabled;
    return %orig;
}
Correction: Any two tweaks that hook the same function in the same process will cause that process to crash.
Other Example
static BOOL (*old__IS_D2x)();
static BOOL isActualIPhoneX = NO;
BOOL _IS_D2x(){
if (!isActualIPhoneX) {
isActualIPhoneX = old__IS_D2x();
isActualIPhoneX = NO;
}
return YES;
}
%ctor {
// _IS_D2x is a iOS 11.1+ Specific Function to determine if the phone is an X and it is in the UIKit framework
MSHookFunction(((void*)MSFindSymbol(NULL, "_IS_D2x")),(void*)_IS_D2x, (void**)&old__IS_D2x);
}
Note: I am not that experienced with lldb and gdb, but you could pick any function on iOS 11 and cause this crash by hooking the function two times and giving each hook a different implementation, where each implementation has a case in which it returns the original value of the function before it was hooked, or, in the case of the second hook, the implementation from the first.
App crashes when I hook DNSServiceGetAddrInfo or SSLSetConnection.
CPU architecture: ARM 32-bit
OS version: iOS 8, iOS 9
I believe there is some issue with the trampoline that's generated for AudioUnitRender or something. MobileSubstrate had an issue like this a while back, except it was for AudioUnitUninitialize. I messaged saurik about it and he provided me with a debugging tool that outputted a bunch of hex (presumably the calling convention for AudioUnitUninitialize and the trampoline Substrate generated?), and was wondering if there was something similar for Substitute.
More about the issue itself: this only happens for a few of my users, but hooking the C function AudioUnitRender in mediaserverd causes some kind of undefined behavior. Most of the users who have reported this are getting some sort of infinite loop. Unfortunately this only happens for a select few people. I can't reproduce this on my test device, but I'm working closely with a few people who can.
One user provided me with this crash log: https://pastebin.com/raw/rK0ZXEHv If you notice, it set the pointer for AudioUnitRender to NULL (the function MESubmixGraph::render is calling).