Cannot hook certain library calls using MSHookFunction
Question
I'm having trouble using MobileSubstrate's MSHookFunction() to hook certain library function calls. For example, hooking memcpy and memset causes a crash on app launch; however, hooking memcmp works fine.
I assume that this is because the hooking code itself uses those function calls?
Is there any way to hook memcpy and memset on iOS?
Solution
I never got to the bottom of this. I was thinking that maybe MobileSubstrate calls functions in the same memory page that I'm trying to hook and therefore the mem protections get all messed up.
I got around this by writing my own hooking function.
OTHER TIPS
I got the same situation for memcpy and opendir. iPhone 5, iOS 6.1.2.
MSHookFunction sometimes returns odd (xxxx3) address as original routine's address. It's nonsense for ARM.
I've encountered this one as well, and I think the reason for the failure is that the function that the loader returns as dlsym for memcpy is actually not a real function, but a stub for it. I've dumped the address and the bytes, decached the libsystem_c and verified that the following function is returned to me by dlsym(RTLD_DEFAULT, "memcpy"):

; void *memcpy_0(void *, const void *, size_t)
__picsymbolstub4:3947B37C                 EXPORT _memcpy_0
__picsymbolstub4:3947B37C _memcpy_0                               ; CODE XREF: _strlcpy+22p
__picsymbolstub4:3947B37C                                         ; _strlcpy+32p ...
__picsymbolstub4:3947B37C                 LDR     R12, =(_memcpy_ptr - 0x3947B388) ; j__memcpy
__picsymbolstub4:3947B380                 ADD     R12, PC, R12 ; _memcpy_ptr
__picsymbolstub4:3947B384                 LDR     PC, [R12] ; _memcpy
__picsymbolstub4:3947B384 ; End of function _memcpy_0
__picsymbolstub4:3947B388 off_3947B388    DCD _memcpy_ptr - 0x3947B388
As you can see, this code is PC-relative, and this is probably why the MSHook fails. If you try to hook the real function instead (the one that this stub calls), it works.
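As an added illustration (not code from the answer above or from MobileSubstrate), here is how the stub's real target can be computed from the three PC-relative instructions shown, so that the resolved address rather than the stub is handed to the hooking code. It runs over a constructed in-memory image: the stub words are the ARM-mode encodings of the listing, while the pointer slot at 0x3947C000 and the "real" memcpy address 0x39400ABC are made up.

```c
#include <stdint.h>
#include <stddef.h>

/* One region of a constructed 32-bit ARM process image (little-endian words). */
typedef struct { uint32_t base; const uint32_t *words; size_t count; } region_t;

/* Constructed image: the stub from the listing (LDR R12,[PC,#4] / ADD R12,PC,R12 /
 * LDR PC,[R12]) plus its literal, a made-up pointer slot at 0x3947C000 holding a
 * made-up "real" memcpy address 0x39400ABC, and an ordinary prologue there. */
static const uint32_t stub_words[]  = { 0xE59FC004u, 0xE08FC00Cu, 0xE59CF000u,
                                        0x3947C000u - 0x3947B388u };
static const uint32_t slot_words[]  = { 0x39400ABCu };
static const uint32_t plain_words[] = { 0xE92D4FF0u };   /* PUSH {R4-R11,LR} */
const region_t image[] = { { 0x3947B37Cu, stub_words, 4 },
                           { 0x3947C000u, slot_words, 1 },
                           { 0x39400ABCu, plain_words, 1 } };
enum { IMAGE_REGIONS = 3 };

/* Read one aligned word at addr from the image; returns 0 if unmapped. */
static int read32(const region_t *r, size_t n, uint32_t addr, uint32_t *out) {
    for (size_t i = 0; i < n; i++) {
        uint32_t end = r[i].base + (uint32_t)(r[i].count * 4);
        if ((addr & 3) == 0 && addr >= r[i].base && addr + 4 <= end) {
            *out = r[i].words[(addr - r[i].base) / 4];
            return 1;
        }
    }
    return 0;
}

/* If addr is a __picsymbolstub4-style stub, return the address it jumps to,
 * else 0. Only this exact ARM-mode pattern is recognised (Thumb stubs differ). */
uint32_t resolve_picsymbolstub4(const region_t *r, size_t n, uint32_t addr) {
    uint32_t w0, w1, w2, offset, slot, target;
    if (!read32(r, n, addr, &w0) || !read32(r, n, addr + 4, &w1) ||
        !read32(r, n, addr + 8, &w2))
        return 0;
    if ((w0 & 0xFFFFF000u) != 0xE59FC000u) return 0;   /* LDR R12, [PC, #imm12] */
    if (w1 != 0xE08FC00Cu) return 0;                    /* ADD R12, PC, R12 */
    if (w2 != 0xE59CF000u) return 0;                    /* LDR PC, [R12] */
    /* In ARM mode PC reads as the current instruction + 8. */
    if (!read32(r, n, addr + 8 + (w0 & 0xFFFu), &offset)) return 0;
    slot = (addr + 4) + 8 + offset;                     /* R12 after the ADD */
    if (!read32(r, n, slot, &target)) return 0;
    return target;
}

/* Address to hook: the stub's target if dlsym returned a stub, else the address itself. */
uint32_t hook_target(const region_t *r, size_t n, uint32_t dlsym_addr) {
    uint32_t t = resolve_picsymbolstub4(r, n, dlsym_addr);
    return t ? t : dlsym_addr;
}
```

With the listing's own values the slot works out to 0x3947B388 + (_memcpy_ptr - 0x3947B388), i.e. exactly the _memcpy_ptr the stub dereferences.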