In the dystopia that is 2018, many devices now have a mechanism called "code signature" that is designed to prevent "unauthorized" modification to software. While presented in the name of "security", these techniques are more often used to implement DRM and other user-hostile functionality.
While it is often possible to directly alter memory on jailbroken systems, doing so can leave the process in an "invalid" state, where the operating system has detected the modification and marked the process to not be trusted by other processes. This can cause bugs, both obvious and subtle.
Substrate provides an API, MSHookFunction, that is able to directly hook functions and redirect them to replacement logic, which is designed to carefully leave the process in a state where it is still considered "valid" by generating executable pages at runtime that have a valid code signature.
However, sometimes the developer of an extension needs to be able to go one level lower, such as to edit a constant, a file header, or an arbitrary individual instruction. For these cases, Substrate now provides an API that allows for arbitrary modifications and patches to be written to memory.
This API is atomic on almost all versions of iOS and macOS (this is not yet true on other platforms), which allows it to be used on code that might be concurrently running with the code calling this API. Note that this API is somewhat slow: it potentially involves IPC, writing files to disk, or exploits.
void MSHookMemory(void *target, const void *data, size_t size);
| Parameter | Description |
|---|---|
target |
The address of memory to be modified; this should be located inside of an executable page. |
data |
The address of a block of replacement data to be written to the address referenced by target. |
size |
The size of the replacement data referenced by target. |
bool code() {
return true;
}
const uint8_t hack[] = {
0x00, 0x00, 0x80, 0x52, // mov w0, #0
0xc0, 0x03, 0x5f, 0xd6, // ret
};
MSHookMemory(&code, hack, sizeof(hack));