Tutorial Hooking functions on iOS jailbreak

[nngot44 5 iPhone 5s 11.0]

Hello, in this tutorial I will show one of the ways to hook a function. I will be hooking a function from a Unity game.

First you need to find the address at which the beginning of the function is located in real time, this is difficult due to ASLR (address randomization).

First, let's write a method that will return the following address:

// RVA: 0x11FE288 Offset: 0x11FE288 VA: 0x11FE288
    private void Update() { }  (This is the address and information about the function that is in the compiled game engine)

uint64_t getExecAddr(uint64_t addr, int index)
{
    const struct mach_header* header = _dyld_get_image_header(index);
    if (header == NULL){return 0;}

    uint64_t libLoadAddr = (uint64_t)header;
    uint64_t exec_addr = libLoadAddr + addr;

    return exec_addr;
}

In this example, we are making a method that returns a number of type uint64_t and takes two parameters: the address of the function (for example, the one I gave above) and the library index.

Using the _dyld_get_image_header() method, we get the address from which the library was loaded by its index.

 

How to find the library index? This can be done in two ways: Using the LLDB debugger (image list command) or using another method that we will now write (this method is better than the first one)

uint64_t getLibIndex(const char* que_image)
{
	int i = 0;
	int image_count = _dyld_image_count();

	for(; i < image_count; i++)
	{
		const char* req_image = _dyld_get_image_name(i);

		if(req_image && strcmp(req_image, que_image) == 0)
			{return i;}
	}
	return -1;
}

This method takes a path parameter to the library, we use the _dyld_image_count() method to find out how many libraries are loaded into the game process, then using a loop we compare our path to the library with others, and if the paths match, we return the index.

Okay, there's not much left. Now let's create a pointer to the old function and create a replacement function that will be called instead of the original one:

void (*old_Update)(void *self);

void Update(void *self)
{
 	// "your code here"
  
	old_Update(self);
}

Now let's just make a hook according to a template that can be easily found on the Internet:

%ctor 
{		
	MSHookFunction( (void *)address_to_your_func_with_aslr, (void *)Update, (void **)&old_Update);	
}	

To make it clearer, I will show the full code of my hook:

#include <unistd.h>
#include <dispatch/dispatch.h>
#include <mach-o/dyld.h>
#include <substrate.h>
#include <string.h>

uint64_t getExecAddr(uint64_t addr, int index)
{
    const struct mach_header* header = _dyld_get_image_header(index);
    if (header == NULL){return 0;}

    uint64_t libLoadAddr = (uint64_t)header;
    uint64_t exec_addr = libLoadAddr + addr;

    return exec_addr;
}


uint64_t getLibIndex(const char* que_image)
{
	int i = 0;
	int image_count = _dyld_image_count();

	for(; i < image_count; i++)
	{
		const char* req_image = _dyld_get_image_name(i);

		if(req_image && strcmp(req_image, que_image) == 0)
			{return i;}
	}
	return -1;
}


void (*old_Update)(void *self);

void Update(void *self)
{
	sleep(5);
	old_Update(self);
}


%ctor 
{	
	dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{

		sleep(150);

		int index = getLibIndex("/private/var/containers/Bundle/Application/BAE27894-6809-4743-AFFA-C1F6B93195CB/hidenseek.app/Frameworks/UnityFramework.framework/UnityFramework");
		
		uint64_t address = getExecAddr(0x11fe288, index);

		MSHookFunction( (void *)address, (void *)Update, (void **)&old_Update);

	});	

}	

 

This is my test version of the hook, it works great. (dispatch_async I used to wait until all libraries are loaded) In my example, the hook changes the behavior of the program so that when Update() is called, the game slows down for 5 seconds, this is only a beta version and you can add other logic there

If you liked the tutorial, please rate it. I will try to answer questions 

 

 

Updated June 13, 2023 by nngot44

[Laxus 740.5k iPhone 5s 10.3.3]

Very good tutorial for beginner, easy to read and detailed

Thank you for posting

[Flugel 90 iPhone 6s 15.8.2]

grape

[Rook 521.6k iPad Pro (2nd gen) 17.4 Donor]

3 hours ago, nngot44 said:

/private/var/containers/Bundle/Application/BAE27894-6809-4743-AFFA-C1F6B93195CB/

Have to be careful here if you plan on releasing this tweak. This location is dynamic and changes per device & iOS version.

[34306 2.6k iPhone 13 Pro 15.0]

Really nice. Have you try this on Dopamine jailbreak? I got some issue while hooking on Dopamine.

 

[Rook 521.6k iPad Pro (2nd gen) 17.4 Donor]

1 minute ago, 34306 said:

Really nice. Have you try this on Dopamine jailbreak? I got some issue while hooking on Dopamine.

 

What kind of issues? I've seen similar reports after converting rootful to rootless with iGameGod.

[34306 2.6k iPhone 13 Pro 15.0]

Just now, Rook said:

What kind of issues? I've seen similar reports after converting rootful to rootless with iGameGod.

I have no idea, maybe it's Dopamine issue. Opa said on 1.1 he fixed PPLRW but when i tried to hooking (Unity game). It still crash. I have no idea what's going on..

[Rook 521.6k iPad Pro (2nd gen) 17.4 Donor]

Just now, 34306 said:

I have no idea, maybe it's Dopamine issue. Opa said on 1.1 he fixed PPLRW but when i tried to hooking (Unity game). It still crash. I have no idea what's going on..

Shouldn't this be an ElleKit related issue rather than Dopamine?

I tried hooks on palera1n rootless and they seem to work fine.

[34306 2.6k iPhone 13 Pro 15.0]

Just now, Rook said:

Shouldn't this be an ElleKit related issue rather than Dopamine?

I tried hooks on palera1n rootless and they seem to work fine.

Let me update Ellekit. They already have Substitute, Substrate, Libhooker. And Ellekit such a weird thing...

Report back to you later!

[papas 3.6k iPhone 7 15.7.8 Donor]

awesome tutorial!