Help/Support Theory question. Possible to hardcode/patch in a 'hook'?

infernusdoleo · January 11, 2016

The hack I'm developing is for a wide user base, across both iOS and Android. While I don't even own an Android and that will be another hill to climb at a later date, a massive portion of the community on the iOS side do not have jailbroken devices.

Knowing full well that mobilesubstrate hooking and all the goodies it relies on require a jailbroken phone, and after countless hours of debugging and reverse engineering my target app, I had an idea this morning.

I know it's possible to sideload 3rd party apps with Xcode 7. Then there's Extensify, which I've heard of but havent actually seen (assuming it's for real). Plus there are other web-related ways to install apps like GBA4iOS.

Assuming it's possible to get a 3rd party app onto your device, wouldnt it be theoretically possible to patch a hooking tweak directly into an app binary?

From what I've seen in my face meltingly long hours in gdb and lldb, when you hook a function, the first line of the function is overwritten, redirecting the process flow to the new/replacement function. The original function is copied elsewhere (I think? I havent checked on that part) or at the very least it's callable in a non-mofidied format.

Couldn't the binary be patched so that the original function contained the redirect codes the hooking applies, and the binary code from the dylib (clearly visible on a disassembly dump inside lldb) just be correctly appended to the end of the executable?

This is all theory - thought of it in the car this morning. But if it's possible, tweaks could be rolled into app bundles and sideloaded into non-JB devices.

Or am I insane?