
Crash with hooking NSURL

Open 623637646 opened this issue 4 years ago • 6 comments

// Hook a single NSURL instance (instance-level hook), then call the hooked method.
NSURL *url = [[NSURL alloc] initWithString:@"https://www.google.com"];
[url st_hookInstanceMethod:@selector(absoluteString) option:(STOptionBefore) usingIdentifier:@"123" withBlock:^(id<StingerParams> params) {
    NSLog(@"");
}];
[url absoluteString];   // crashes here (see screenshot)
[Screenshot of the crash, 2020-11-12 11:03:37 PM]

623637646, Nov 12 '20 15:11

This usage seems fairly common; I tried it and it does indeed crash.

DSNNET, Nov 18 '20 08:11

I'll take a look over the weekend; not sure whether other hooking approaches have a similar problem.

Assuner-Lee, Nov 18 '20 11:11

I tried Aspects and it has the same problem.

FinnChen, Nov 18 '20 12:11

// Same hook applied to the NSURL class rather than to one instance.
[NSURL st_hookInstanceMethod:@selector(absoluteString) option:(STOptionBefore) usingIdentifier:@"123" withBlock:^(id<StingerParams> params) {
    NSLog(@"xxx");
}];

NSURL *url = [[NSURL alloc] initWithString:@"https://www.google.com"];
NSLog(@"%@", url.absoluteString);

ahcfhy, May 13 '21 10:05

After hooking an NSURL instance, any method called on that instance crashes, even release. From the assembly and the stack it looks like the cache object has become a dangling pointer.

struct objc_class : objc_object {
    struct objc_class * superclass;   // superclass information struct
    cache_t cache;                    // method cache hash table
    //... other data members omitted
};

DanboDuan, Sep 12 '21 02:09

At a glance, NSURL overrides retain() & release() and checks something class-related inside them; after the override, release ends up going through [super release], which decrements the retain count. When isa is not hooked, the instruction at 0x7ff811194cf5 is skipped and super is not called. As for what exactly NSURL optimizes, I don't read assembly, so I'd appreciate it if someone more experienced could explain.

    0x7ff811194cc9 <+36>:  cmpq   $-0x1, 0x409cb9d7(%rip)   ; nsurlClass.nsurlClass + 7
    0x7ff811194cd1 <+44>:  jne    0x7ff811194d46            ; <+161>
    0x7ff811194cd3 <+46>:  cmpq   0x409cb9c6(%rip), %rbx    ; nsurlClass.nsurlClass
    0x7ff811194cda <+53>:  je     0x7ff811194d13            ; <+110>
    0x7ff811194cdc <+55>:  leaq   -0x28(%rbp), %rdi
    0x7ff811194ce0 <+59>:  movq   %r14, (%rdi)
    0x7ff811194ce3 <+62>:  movq   0x409b1f56(%rip), %rax    ; (void *)0x00007ff85192eda8: NSURL
    0x7ff811194cea <+69>:  movq   %rax, 0x8(%rdi)
    0x7ff811194cee <+73>:  movq   0x409a66f3(%rip), %rsi    ; "release"
    0x7ff811194cf5 <+80>:  callq  0x7ff811454f7c            ; symbol stub for: objc_msgSendSuper2
    0x7ff811194cfa <+85>:  movq   0x41fff597(%rip), %rax    ; (void *)0x00007ff851ad2320: __stack_chk_guard
    0x7ff811194d01 <+92>:  movq   (%rax), %rax
    0x7ff811194d04 <+95>:  cmpq   -0x18(%rbp), %rax
    0x7ff811194d08 <+99>:  jne    0x7ff811194d73            ; <+206>
    0x7ff811194d0a <+101>: addq   $0x20, %rsp
    0x7ff811194d0e <+105>: popq   %rbx
    0x7ff811194d0f <+106>: popq   %r14
    0x7ff811194d11 <+108>: popq   %rbp
    0x7ff811194d12 <+109>: retq   
->  0x7ff811194d13 <+110>: cmpq   $-0x1, 0x409c1e65(%rip)   ; __immutablePlaceholderNSURL.__immutablePlaceholderURL + 7
    0x7ff811194d1b <+118>: jne    0x7ff811194d5e            ; <+185>
    0x7ff811194d1d <+120>: cmpq   %r14, 0x409c1e54(%rip)    ; __immutablePlaceholderNSURL.__immutablePlaceholderURL
    0x7ff811194d24 <+127>: je     0x7ff811194cfa            ; <+85>

talka123456, Mar 06 '22 16:03
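An added example, not Stinger's code and not posted by anyone in this thread, showing the mechanism the last two comments point at. It assumes that st_hookInstanceMethod: works by pointing the object's isa at a one-off dynamic subclass (the comment above talks about hooking isa, but Stinger's actual implementation is not shown on this page). Once isa is swapped, object_getClass(self) no longer equals the class the hooked code was compiled against, so an exact-class comparison like the cmpq against nsurlClass in the disassembly takes the other branch. Picky, sPickyClass, InstallInstanceBeforeHook and InstallClassBeforeHook are hypothetical names; the class-level variant has the shape of ahcfhy's snippet, which hooks NSURL itself and leaves isa alone.

```objc
// Added example (not Stinger's code): why an isa-swizzling instance hook changes the
// branch taken by code that compares the receiver's exact class, as the NSURL -release
// disassembly above does (cmpq nsurlClass, %rbx).
// Build on macOS: clang -fobjc-arc -framework Foundation isa_hook_demo.m -o isa_hook_demo
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <objc/message.h>

// Hypothetical stand-in for a Foundation class that caches its own Class in a
// global and branches on an exact-class comparison (mirrors nsurlClass).
static Class sPickyClass;

@interface Picky : NSObject
- (NSString *)describe;
@end

@implementation Picky
+ (void)initialize {
    if (self == [Picky class]) sPickyClass = self;
}
- (NSString *)describe {
    // Exact-class check: only true while the object's isa is still Picky.
    if (object_getClass(self) == sPickyClass) return @"exact-class fast path";
    return @"class mismatch, fallback path";
}
@end

// Hypothetical instance-level "before" hook (assumed mechanism, not Stinger's source):
// allocate a one-off subclass, override `sel` with an IMP that runs `before` and then
// forwards to the original class's implementation, and point the object's isa at it.
static void InstallInstanceBeforeHook(id obj, SEL sel, void (^before)(id)) {
    Class orig = object_getClass(obj);
    NSString *name = [NSString stringWithFormat:@"%s_Hooked_%p",
                      class_getName(orig), (__bridge void *)obj];
    Class sub = objc_allocateClassPair(orig, name.UTF8String, 0);
    Method m = class_getInstanceMethod(orig, sel);
    IMP hooked = imp_implementationWithBlock(^id(id self_) {
        before(self_);
        struct objc_super sup = { self_, orig };   // dispatch to orig's implementation
        return ((id (*)(struct objc_super *, SEL))objc_msgSendSuper)(&sup, sel);
    });
    class_addMethod(sub, sel, hooked, method_getTypeEncoding(m));
    // Like KVO, keep -class reporting the original class; object_getClass() still
    // reveals the subclass, which is what exact-class checks in the hooked class see.
    class_addMethod(sub, @selector(class),
                    imp_implementationWithBlock(^Class(id self_) { return orig; }), "#@:");
    objc_registerClassPair(sub);
    object_setClass(obj, sub);
}

// Class-level "before" hook (the shape of ahcfhy's snippet): swap the IMP on the
// class itself, so isa is untouched and exact-class checks keep passing. Note that
// this affects every instance of cls, not just one.
static void InstallClassBeforeHook(Class cls, SEL sel, void (^before)(id)) {
    Method m = class_getInstanceMethod(cls, sel);
    IMP original = method_getImplementation(m);
    method_setImplementation(m, imp_implementationWithBlock(^id(id self_) {
        before(self_);
        return ((id (*)(id, SEL))original)(self_, sel);
    }));
}

int main(void) {
    @autoreleasepool {
        Picky *a = [Picky new];
        NSLog(@"unhooked:        %@", [a describe]);
        InstallInstanceBeforeHook(a, @selector(describe), ^(id self_) {
            NSLog(@"instance hook ran on %p", (__bridge void *)self_);
        });
        NSLog(@"[a class]=%@ object_getClass=%@", [a class], object_getClass(a));
        NSLog(@"instance-hooked: %@", [a describe]);   // takes the mismatch path

        Picky *b = [Picky new];
        InstallClassBeforeHook([Picky class], @selector(describe), ^(id self_) {
            NSLog(@"class hook ran on %p", (__bridge void *)self_);
        });
        NSLog(@"class-hooked:    %@", [b describe]);   // still the exact-class path
    }
    return 0;
}
```

The point to check in your own hooking code: anything in the target class that compares object_getClass(self) (or reads isa directly) against a cached class pointer will see the dynamic subclass after an instance hook, while [self class] is usually overridden to hide it. A class-level hook keeps isa intact at the cost of affecting every instance.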