Simplified MSHookMemory Usage [ARM64 Only]

[Ted2 38.5k iPhone 13 Pro 16.0 Donor]

While MSHookMemory is great, I hate I have to do this:

const uint8_t hack[] = {
    0x00, 0x00, 0x80, 0x52, // mov w0, #0
    0xc0, 0x03, 0x5f, 0xd6, // ret
};

 

 

So I wrote some code which won't need you to do that:

#include <substrate.h>
#include <mach-o/dyld.h>

#define ASLR_BIAS _dyld_get_image_vmaddr_slide(0)

uint64_t getRealOffset(uint64_t offset){
	return ASLR_BIAS + offset;
}

// main func
void inject(uint64_t offset, uint64_t hackedHex) {

    hackedHex = CFSwapInt32(hackedHex);        

    MSHookMemory((void *)getRealOffset(offset), (void *)&hackedHex, sizeof(hackedHex));
}

 

How to import this code to your project?

You have two options:

1. Copy & paste the code from above under your "imports"

2. Download this file & paste it in /var/theos/includes & write this on top of tweak.xm:

#include <inject.h>

 

Usage of the function:

//parameters it takes
inject(0xIDAOffset, 0xHackedHex);

//actual usage on a offset
inject(0x100299DC4, 0xC0035FD6);

 

 

Bugs to be fixed:

1. If you wanna write a hex more than 4 bytes, it won't work the way you think, example:

inject(0x100299DC0, 0x20008052C0035FD6);

/*

	This will write C0035FD620008052 instead of what you entered due the CFSwapInt32

/*

NOTE:  I'm no pro at this kinda stuff (dealing with memory), so if there's anything just mention it ^^

 

Credits

- Saurik

- topics from https://stackoverflow.com/   which helped me understand several things

- Me for this simplified version

Updated March 14, 2019 by Joey

[Rook 523.4k iPad Pro (2nd gen) 17.4 Donor]

This topic was moved from Coding Center to Tools.

[Joka 334k iPhone X 12.4]

1 minute ago, DADi said:

This topic was moved from Coding Center to Tools.

How is this Tools?

[Ted2 38.5k iPhone 13 Pro 16.0 Donor]

1 minute ago, Joka said:

How is this Tools?

It's a .h file, which is a tool to patch memory ? idk
Both sections fine for me

[TheArmKing 59.3k iPad Mini 9.3.5]

is it possible to make the hackedHex param a stirng, make it an array of strings which gets split at every 2nd character and add a 0x to each of them

[Ted2 38.5k iPhone 13 Pro 16.0 Donor]

17 minutes ago, TheArmKing said:

is it possible to make the hackedHex param a stirng, make it an array of strings which gets split at every 2nd character and add a 0x to each of them

Yeah I tried that, but couldn’t get something like it to work. I’ve tried multiple things, this is the only one that worked. Will look into an alternative another time. C/C++ isn’t the most user friendly when it comes to arrays it seems 

Updated March 5, 2019 by Joey

[0xKizzlil 1.1k]

thanks you bro!

[TheArmKing 59.3k iPad Mini 9.3.5]

26 minutes ago, Joey said:

Yeah I tried that, but couldn’t get something like it to work. I’ve tried multiple things, this is the only one that worked. Will look into an alternative another time. C/C++ isn’t the most user friendly when it comes to arrays it seems 

something like this maybe?
 

// Convert long long to string
// Convert string to char array
// loop through char array to make strings of 2 characters or 1 byte, like c00fe3d4 becomes c0 0f e3 d4
// c0 gets converted to int
// the int gets converted to uint8
// the uint8 gets appeneded to aa uint8 array

// copied this from stackexchange 
char str[256];
sprintf(str, "%lld", hackedHex);
printf("%s\n", str); 

for (int x=0; x<str.length; x++ ) { //dk if this is how C works
  if(x%2==0){
    char a = str[x]
  }
  if(x%2==1){
    char b = str[x]
    // do something that combines char a and b to a string
    // then convert to int
    // then to uint
    // then append to array
}

 

Updated March 5, 2019 by TheArmKing
added some bs

[CyberCat 618 iPad 9.7" (2018) 12.0.1]

I don't know why people prefer integers type for this purpose which forces you to deal with endianness.

I just simplified yours too.

void inject(uint64_t offset, const void *bytes, size_t bytes_len) {
	 MSHookMemory((void *)getRealOffset(offset), bytes, bytes_len);
}

Usage:

//offset & bytes literal & bytes length
/* 
mov w0, #1
ret 
*/
inject(0x100299DC4, "\x20\x00\x80\x52\xC0\x03\x5F\xD6", 8);

You can write as many bytes as you want with this.

[Ted2 38.5k iPhone 13 Pro 16.0 Donor]

5 hours ago, CyberCat said:

I don't know why people prefer integers type for this purpose which forces you to deal with endianness.

I just simplified yours too.

void inject(uint64_t offset, const void *bytes, size_t bytes_len) {
	 MSHookMemory((void *)getRealOffset(offset), bytes, bytes_len);
}

Usage:

//offset & bytes literal & bytes length
/* 
mov w0, #1
ret 
*/
inject(0x100299DC4, "\x20\x00\x80\x52\xC0\x03\x5F\xD6", 8);

You can write as many bytes as you want with this.

The thing is, I hate to have to write it like that ^, it’s almost the same as the original now  

7 hours ago, TheArmKing said:

something like this maybe?
 

// Convert long long to string
// Convert string to char array
// loop through char array to make strings of 2 characters or 1 byte, like c00fe3d4 becomes c0 0f e3 d4
// c0 gets converted to int
// the int gets converted to uint8
// the uint8 gets appeneded to aa uint8 array

// copied this from stackexchange 
char str[256];
sprintf(str, "%lld", hackedHex);
printf("%s\n", str); 

for (int x=0; x<str.length; x++ ) { //dk if this is how C works
  if(x%2==0){
    char a = str[x]
  }
  if(x%2==1){
    char b = str[x]
    // do something that combines char a and b to a string
    // then convert to int
    // then to uint
    // then append to array
}

 

possibly, but I think there must be a simpler solution