I wrote a tweak that I've run on a palera1n rootful jailbreak (ellekit 1.1.3) on iOS 15.5.
All the functionality works except for MSHookFunction.
It works fine on the iOS 14 unc0ver jailbreak.
According to the readme, the Substrate API header should be supported.
None of the three methods work:
// Function-pointer slot that receives the original implementation once the
// gum_interceptor_replace call further down (which passes &CCrypt0 as the
// out-parameter) has installed the hook.
// NOTE(review): __int64 is the IDA/MSVC spelling of a 64-bit integer; clang
// builds usually need a typedef to int64_t — confirm the tweak provides one.
__int64 (*CCrypt0)(__int64 result, void *input, int inlen, void *output, uint32_t *outlen);
// Replacement routine installed in place of the target. Its prototype matches
// CCrypt0 exactly, so the body (elided here) can presumably forward the
// caller's arguments through the original via CCrypt0.
__int64 CCrypt1(__int64 result, void *input, int inlen, void *output, uint32_t *outlen)
{
...
}
// Three hooking back ends tried against the same kind of target. In each of
// the crash traces below the fault address is the target address itself (or
// the bytes immediately after it) while the hooker reads the target's code
// (memmove inside ellekit.findFunctionSize, capstone inside
// gum_interceptor_resolve), which suggests the resolved address is not
// readable at hook time rather than a defect in any one hooking engine.
// NOTE(review): function_address / replacement_function / original_function /
// func0 / func1 / interceptor / base_slide are all defined outside this
// snippet; base_slide is presumably the target image's ASLR slide — confirm
// it is computed the same way on iOS 15 as on the iOS 14 setup that works.
struct LHFunctionHook hooks[] = {
// {target, replacement, slot that presumably receives the original pointer}
{(void*)function_address, (void*)replacement_function, (void*)original_function}
};
// libhooker batch API: a single entry.
LHHookFunctions(hooks, 1);
// Substrate API: target is a fixed offset from the slide; func0 receives the
// original implementation.
MSHookFunction((void*)(base_slide + 0x1052CB080), (void*)&func1, (void**)&func0);
// Frida Gum API: no replacement_data (nil); CCrypt0 receives the original.
gum_interceptor_replace(interceptor, (gpointer)(base_slide + 0x105253BAA), (void*)&CCrypt1, nil, (void**)&CCrypt0);
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x224e43080)
* frame #0: 0x00000001db7aaa44 libsystem_platform.dylib`_platform_memmove + 548
frame #1: 0x0000000121221138 libellekit.dylib`ellekit.findFunctionSize(_: Swift.UnsafeMutableRawPointer, max: Swift.Int) -> Swift.Optional<Swift.Int> + 64
frame #2: 0x00000001212155bc libellekit.dylib`ellekit.hook(Swift.UnsafeMutableRawPointer, Swift.UnsafeMutableRawPointer, Swift.Bool) -> Swift.Optional<Swift.UnsafeMutableRawPointer> + 428
frame #3: 0x000000012121c06c libellekit.dylib`ellekit.LHHookFunctions(Swift.UnsafePointer<__C.LHFunctionHook>, Swift.Int) -> Swift.Int + 388
frame #4: 0x00000001248c7db4 qqhook.dylib`myHook(function_address=0x0000000224e43080, replacement_function=0x00000001248c4790, original_function=0x0000000125215ae8) at HookEntry.mm:2269:5
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x222dafbef)
* frame #0: 0x0000000122936568 qqhook.dylib`AArch64_getInstruction [inlined] _getInstruction(ud=<unavailable>, MI=<unavailable>, code=<unavailable>, code_len=<unavailable>, Size=<unavailable>, Address=<unavailable>, MRI=<unavailable>) at AArch64Disassembler.c:0 [opt]
frame #1: 0x000000012293650c qqhook.dylib`AArch64_getInstruction(ud=4797236160, code="", code_len=<unavailable>, instr=0x000000016cf646a8, size=0x000000016cf6449e, address=<unavailable>, info=<unavailable>) at AArch64Disassembler.c:364:24 [opt]
frame #2: 0x000000012291dcf4 qqhook.dylib`cs_disasm_iter(ud=4797236160, code=0x000000016cf64ad0, size=0x000000016cf64ac8, address=0x000000016cf64ac0, insn=0x000000011df004e0) at cs.c:1347:6 [opt]
frame #3: 0x000000012291b238 qqhook.dylib`gum_arm64_reader_try_get_relative_jump_target(address=0x0000000222dafbec) at gumarm64reader.c:61:6 [opt]
frame #4: 0x0000000122908460 qqhook.dylib`gum_interceptor_resolve(self=0x000000011df10830, address=0x0000000222dafbec) at guminterceptor.c:2032:14 [opt]
frame #5: 0x0000000122908cb0 qqhook.dylib`gum_interceptor_replace_with_type(self=0x000000011df10830, type='\0', function_address=<unavailable>, replacement_function=0x00000001228c4cfc, replacement_data=0x0000000000000000, original_function=0x0000000123215b20) at guminterceptor.c:506:22 [opt]
frame #6: 0x00000001228c7e5c qqhook.dylib`hook_entry_9_1_50() at HookEntry.mm:2282:5
frame #7: 0x00000001228c86c8 qqhook.dylib`hook_entry at HookEntry.mm:2504:13
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x2227b7080)
* frame #0: 0x00000001db7aaa44 libsystem_platform.dylib`_platform_memmove + 548
frame #1: 0x000000011d661138 libellekit.dylib`ellekit.findFunctionSize(_: Swift.UnsafeMutableRawPointer, max: Swift.Int) -> Swift.Optional<Swift.Int> + 64
frame #2: 0x000000011d6555bc libellekit.dylib`ellekit.hook(Swift.UnsafeMutableRawPointer, Swift.UnsafeMutableRawPointer, Swift.Bool) -> Swift.Optional<Swift.UnsafeMutableRawPointer> + 428
frame #3: 0x000000011d65252c libellekit.dylib`MSHookFunction + 24
frame #4: 0x00000001220c7e54 qqhook.dylib`hook_entry_9_1_50() at HookEntry.mm:2287:5
frame #5: 0x00000001220c86c0 qqhook.dylib`hook_entry at HookEntry.mm:2504:13