Mac上注入程序修改原程序符号变量的初始值
直接上代码:
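/*
 * Look up a symbol's storage address in a Mach-O image that is already
 * mapped into this process (e.g. the image reported by dladdr()).
 *
 * The image's load commands are walked to find LC_SYMTAB plus the __TEXT and
 * __LINKEDIT segments; the symbol table is then read through __LINKEDIT's
 * actual mapping rather than assuming file offset == in-memory offset.
 *
 * @param symname  Name to match. As in the original, the first character of
 *                 each string-table entry is skipped before comparison, so
 *                 "_foo" matches the nlist entry "__foo".
 * @param mhp      Header of a 64-bit image (MH_MAGIC_64). Images whose
 *                 magic differs are rejected because the table is read as
 *                 nlist_64.
 * @return Pointer to the symbol's storage (slid), or NULL when the symbol is
 *         not defined in a section of this image or the header cannot be
 *         walked safely. When several defined symbols match, the last one
 *         wins (original behaviour).
 *
 * NOTE(review): offsets/sizes in the header are trusted only after bounds
 * checks against sizeofcmds and strsize; the nlist/string tables themselves
 * are assumed to be readable, which holds for a normally loaded image — confirm
 * for anything unusual (e.g. dyld shared cache images).
 */
void *findSymbol(const char *symname, const struct mach_header_64 *mhp) {
    if (symname == NULL || mhp == NULL) {
        return NULL;
    }
    if (mhp->magic != MH_MAGIC_64) {
        /* Only 64-bit images are supported: the symbol table is read as nlist_64. */
        return NULL;
    }

    const uint8_t *root = (const uint8_t *)mhp;
    const uint8_t *cmd_ptr = root + sizeof(struct mach_header_64);
    const uint8_t *cmds_end = cmd_ptr + mhp->sizeofcmds;

    const struct symtab_command *stab = NULL;
    const struct segment_command_64 *text_seg = NULL;
    const struct segment_command_64 *linkedit_seg = NULL;

    /* Walk the load commands; stop before reading past sizeofcmds. */
    while (cmd_ptr + sizeof(struct load_command) <= cmds_end) {
        const struct load_command *cmd = (const struct load_command *)cmd_ptr;
        /* A zero cmdsize would loop forever; an overlong one would run off the end. */
        if (cmd->cmdsize < sizeof(struct load_command) ||
            cmd->cmdsize > (size_t)(cmds_end - cmd_ptr)) {
            return NULL;
        }
        if (cmd->cmd == LC_SYMTAB) {
            stab = (const struct symtab_command *)cmd;
        } else if (cmd->cmd == LC_SEGMENT_64) {
            const struct segment_command_64 *seg = (const struct segment_command_64 *)cmd;
            /* segname is a fixed 16-byte field and need not be NUL-terminated. */
            if (strncmp(seg->segname, SEG_TEXT, sizeof seg->segname) == 0) {
                text_seg = seg;
            } else if (strncmp(seg->segname, SEG_LINKEDIT, sizeof seg->segname) == 0) {
                linkedit_seg = seg;
            }
        }
        cmd_ptr += cmd->cmdsize;
    }
    if (stab == NULL || text_seg == NULL || linkedit_seg == NULL) {
        return NULL;
    }

    /* Slide: where __TEXT actually landed minus its preferred vmaddr. */
    const uint64_t slide = (uint64_t)(uintptr_t)root - text_seg->vmaddr;
    /*
     * symoff/stroff are *file* offsets. They are only equal to offsets from
     * the header when __LINKEDIT's vmaddr and fileoff coincide, which is not
     * guaranteed (e.g. a __DATA segment with bss breaks it). Translate through
     * __LINKEDIT's own mapping instead.
     */
    const uint8_t *linkedit_base =
        (const uint8_t *)(uintptr_t)(linkedit_seg->vmaddr - linkedit_seg->fileoff + slide);
    const struct nlist_64 *syms = (const struct nlist_64 *)(linkedit_base + stab->symoff);
    const char *strs = (const char *)(linkedit_base + stab->stroff);

    void *ret = NULL;
    for (uint32_t i = 0; i < stab->nsyms; i++) {
        const struct nlist_64 *sym = &syms[i];
        if (sym->n_type & N_STAB) {
            continue; /* debugger (stab) entry, not a real symbol */
        }
        /*
         * Only symbols defined in a section have an n_value that is an
         * address. Undefined imports carry n_value == 0, which the original
         * code turned into a pointer at the header itself; writing through
         * that would corrupt the image.
         */
        if ((sym->n_type & N_TYPE) != N_SECT) {
            continue;
        }
        if (sym->n_un.n_strx >= stab->strsize) {
            continue; /* string index outside the string table */
        }
        const char *name = strs + sym->n_un.n_strx;
        if (name[0] == '\0') {
            continue; /* unnamed entry: skipping its first char would run into the next string */
        }
        name += 1; /* original behaviour: drop the leading character (the '_' prefix) */
        if (strcmp(symname, name) == 0) {
            ret = (void *)(uintptr_t)(sym->n_value + slide);
        }
    }
    return ret;
}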
举个例子:
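// Locate the library to patch via its exported symbol MbuInAutomatedQTestMode.
void *sym = dlsym(RTLD_DEFAULT, "MbuInAutomatedQTestMode");
if (sym == NULL) { return; }
Dl_info info;
NSLog(@"hook");
// dladdr() returns 0 on failure and leaves `info` unset; the original code
// passed a possibly uninitialised dli_fbase on to findSymbol().
if (dladdr(sym, &info) == 0 || info.dli_fbase == NULL) { return; }
// info.dli_fbase is the load address (mach header) of the containing image.
// NOTE(review): findSymbol() returns NULL for an unknown name; the writes
// below assume the matched globals live in a writable (__DATA) page — confirm.
// The library has a _fRunningQtest variable; set its initial value to 0x0.
int32_t *q = findSymbol("_fRunningQtest", info.dli_fbase);
if (q != NULL) { *q = 0x0; }
// The library has a _fRunningAutomation variable; set its initial value to 0x1.
int32_t *a = findSymbol("_fRunningAutomation", info.dli_fbase);
if (a != NULL) { *a = 0x1; }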