Simplified MSHookMemory Usage [ARM64 Only]

Ted2 · March 14, 2019

While MSHookMemory is great, I hate I have to do this:

const uint8_t hack[] = {
    0x00, 0x00, 0x80, 0x52, // mov w0, #0
    0xc0, 0x03, 0x5f, 0xd6, // ret
};

So I wrote some code which won't need you to do that:

#include <substrate.h>
#include <mach-o/dyld.h>

#define ASLR_BIAS _dyld_get_image_vmaddr_slide(0)

uint64_t getRealOffset(uint64_t offset){
	return ASLR_BIAS + offset;
}

// main func
void inject(uint64_t offset, uint64_t hackedHex) {

    hackedHex = CFSwapInt32(hackedHex);        

    MSHookMemory((void *)getRealOffset(offset), (void *)&hackedHex, sizeof(hackedHex));
}

How to import this code to your project?

You have two options:

1. Copy & paste the code from above under your "imports"

2. Download this file & paste it in /var/theos/includes & write this on top of tweak.xm:

#include <inject.h>

Usage of the function:

//parameters it takes
inject(0xIDAOffset, 0xHackedHex);

//actual usage on a offset
inject(0x100299DC4, 0xC0035FD6);

Bugs to be fixed:

1. If you wanna write a hex more than 4 bytes, it won't work the way you think, example:

inject(0x100299DC0, 0x20008052C0035FD6);

/*

	This will write C0035FD620008052 instead of what you entered due the CFSwapInt32

/*

NOTE: I'm no pro at this kinda stuff (dealing with memory), so if there's anything just mention it ^^

Credits

- Saurik

- topics from https://stackoverflow.com/ which helped me understand several things

- Me for this simplified version

Updated March 14, 2019 by Joey

Rook · March 5, 2019

This topic was moved from Coding Center to Tools.

Joka · March 5, 2019

1 minute ago, DADi said:

This topic was moved from Coding Center to Tools.

How is this Tools?

Ted2 · March 5, 2019

1 minute ago, Joka said:

How is this Tools?

It's a .h file, which is a tool to patch memory ? idk
Both sections fine for me

TheArmKing · March 5, 2019

is it possible to make the hackedHex param a stirng, make it an array of strings which gets split at every 2nd character and add a 0x to each of them

Ted2 · March 5, 2019

17 minutes ago, TheArmKing said:

is it possible to make the hackedHex param a stirng, make it an array of strings which gets split at every 2nd character and add a 0x to each of them

Yeah I tried that, but couldn’t get something like it to work. I’ve tried multiple things, this is the only one that worked. Will look into an alternative another time. C/C++ isn’t the most user friendly when it comes to arrays it seems

Updated March 5, 2019 by Joey

0xKizzlil · March 5, 2019

thanks you bro!

TheArmKing · March 5, 2019

26 minutes ago, Joey said:

Yeah I tried that, but couldn’t get something like it to work. I’ve tried multiple things, this is the only one that worked. Will look into an alternative another time. C/C++ isn’t the most user friendly when it comes to arrays it seems

something like this maybe?

// Convert long long to string
// Convert string to char array
// loop through char array to make strings of 2 characters or 1 byte, like c00fe3d4 becomes c0 0f e3 d4
// c0 gets converted to int
// the int gets converted to uint8
// the uint8 gets appeneded to aa uint8 array

// copied this from stackexchange 
char str[256];
sprintf(str, "%lld", hackedHex);
printf("%s\n", str); 

for (int x=0; x<str.length; x++ ) { //dk if this is how C works
  if(x%2==0){
    char a = str[x]
  }
  if(x%2==1){
    char b = str[x]
    // do something that combines char a and b to a string
    // then convert to int
    // then to uint
    // then append to array
}

Updated March 5, 2019 by TheArmKing
added some bs

CyberCat · March 5, 2019

I don't know why people prefer integers type for this purpose which forces you to deal with endianness.

I just simplified yours too.

void inject(uint64_t offset, const void *bytes, size_t bytes_len) {
	 MSHookMemory((void *)getRealOffset(offset), bytes, bytes_len);
}

Usage:

//offset & bytes literal & bytes length
/* 
mov w0, #1
ret 
*/
inject(0x100299DC4, "\x20\x00\x80\x52\xC0\x03\x5F\xD6", 8);

You can write as many bytes as you want with this.

Ted2 · March 5, 2019

5 hours ago, CyberCat said:
I don't know why people prefer integers type for this purpose which forces you to deal with endianness.

I just simplified yours too.
void inject(uint64_t offset, const void *bytes, size_t bytes_len) {
	 MSHookMemory((void *)getRealOffset(offset), bytes, bytes_len);
}
Usage:
//offset & bytes literal & bytes length
/* 
mov w0, #1
ret 
*/
inject(0x100299DC4, "\x20\x00\x80\x52\xC0\x03\x5F\xD6", 8);
You can write as many bytes as you want with this.

The thing is, I hate to have to write it like that ^, it’s almost the same as the original now

7 hours ago, TheArmKing said:

something like this maybe?


// Convert long long to string
// Convert string to char array
// loop through char array to make strings of 2 characters or 1 byte, like c00fe3d4 becomes c0 0f e3 d4
// c0 gets converted to int
// the int gets converted to uint8
// the uint8 gets appeneded to aa uint8 array


// copied this from stackexchange 
char str[256];
sprintf(str, "%lld", hackedHex);
printf("%s\n", str); 

for (int x=0; x<str.length; x++ ) { //dk if this is how C works
  if(x%2==0){
    char a = str[x]
  }
  if(x%2==1){
    char b = str[x]
    // do something that combines char a and b to a string
    // then convert to int
    // then to uint
    // then append to array
}