Crash with hooking NSURL #14

Open
623637646 opened this issue Nov 12, 2020 · 6 comments
@623637646

NSURL *url = [[NSURL alloc] initWithString:@"https://www.google.com"];
// Instance-level hook on a single NSURL object
[url st_hookInstanceMethod:@selector(absoluteString) option:(STOptionBefore) usingIdentifier:@"123" withBlock:^(id<StingerParams> params) {
    NSLog(@"");
}];
// Calling any method on the hooked instance crashes
[url absoluteString];

(Screenshot of the crash attached: Screenshot 2020-11-12 at 11 03 37 PM)

@DSNNET

DSNNET commented Nov 18, 2020

I feel this usage is fairly common; I tried it and it does crash.

@Assuner-Lee
Collaborator

I'll look into it this weekend; I'm not sure whether other hooking approaches would have a similar problem.

@FinnChen

Tried Aspects, it has the problem too.

@ahcfhy

ahcfhy commented May 13, 2021

// Class-level hook: registered on the NSURL class instead of on one instance
[NSURL st_hookInstanceMethod:@selector(absoluteString) option:(STOptionBefore) usingIdentifier:@"123" withBlock:^(id params) {
    NSLog(@"xxx");
}];

NSURL *url = [[NSURL alloc] initWithString:@"https://www.google.com"];

NSLog(@"%@", url.absoluteString);

@DanboDuan
Contributor

After hooking an NSURL instance, any method on that instance crashes, even release crashes. From the assembly stack it looks like the cache object has become a dangling pointer.

struct objc_class : objc_object {
    struct objc_class * superclass;   // superclass info struct
    cache_t cache;    // method cache hash table
    //... other data members omitted
};

@talka123456

At a glance, NSURL overrides retain() & release() and checks something class-related inside them; after the override, release ends up going through [super release], which drops the reference count.
When isa is not hooked, the 0x7ff811194cf5 instruction is skipped and super is not called.
As for what exactly NSURL optimized, I don't understand assembly. Hoping someone more experienced can advise.

    0x7ff811194cc9 <+36>:  cmpq   $-0x1, 0x409cb9d7(%rip)   ; nsurlClass.nsurlClass + 7
    0x7ff811194cd1 <+44>:  jne    0x7ff811194d46            ; <+161>
    0x7ff811194cd3 <+46>:  cmpq   0x409cb9c6(%rip), %rbx    ; nsurlClass.nsurlClass
    0x7ff811194cda <+53>:  je     0x7ff811194d13            ; <+110>
    0x7ff811194cdc <+55>:  leaq   -0x28(%rbp), %rdi
    0x7ff811194ce0 <+59>:  movq   %r14, (%rdi)
    0x7ff811194ce3 <+62>:  movq   0x409b1f56(%rip), %rax    ; (void *)0x00007ff85192eda8: NSURL
    0x7ff811194cea <+69>:  movq   %rax, 0x8(%rdi)
    0x7ff811194cee <+73>:  movq   0x409a66f3(%rip), %rsi    ; "release"
    0x7ff811194cf5 <+80>:  callq  0x7ff811454f7c            ; symbol stub for: objc_msgSendSuper2
    0x7ff811194cfa <+85>:  movq   0x41fff597(%rip), %rax    ; (void *)0x00007ff851ad2320: __stack_chk_guard
    0x7ff811194d01 <+92>:  movq   (%rax), %rax
    0x7ff811194d04 <+95>:  cmpq   -0x18(%rbp), %rax
    0x7ff811194d08 <+99>:  jne    0x7ff811194d73            ; <+206>
    0x7ff811194d0a <+101>: addq   $0x20, %rsp
    0x7ff811194d0e <+105>: popq   %rbx
    0x7ff811194d0f <+106>: popq   %r14
    0x7ff811194d11 <+108>: popq   %rbp
    0x7ff811194d12 <+109>: retq   
->  0x7ff811194d13 <+110>: cmpq   $-0x1, 0x409c1e65(%rip)   ; __immutablePlaceholderNSURL.__immutablePlaceholderURL + 7
    0x7ff811194d1b <+118>: jne    0x7ff811194d5e            ; <+185>
    0x7ff811194d1d <+120>: cmpq   %r14, 0x409c1e54(%rip)    ; __immutablePlaceholderNSURL.__immutablePlaceholderURL
    0x7ff811194d24 <+127>: je     0x7ff811194cfa            ; <+85>
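A defensive check a hooking library could run before an instance-level (isa-swizzling) hook, as an added example that is not Stinger's code: it looks for a custom -retain/-release on the object's concrete class, the trait the disassembly above points to, and otherwise recommends the class-level hook shown earlier in the thread. OverridesRefcounting and HookStrategyFor are hypothetical helper names.

```objc
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Hypothetical helper (not part of Stinger): YES if `cls` resolves -retain or
// -release to an implementation other than NSObject's. A class with its own
// refcounting may compare the receiver's isa against a cached class pointer,
// which an isa-swizzled (per-instance hooked) object no longer satisfies.
static BOOL OverridesRefcounting(Class cls) {
    Class root = [NSObject class];
    // sel_registerName avoids ARC's ban on @selector(retain)/@selector(release)
    SEL sels[] = { sel_registerName("retain"), sel_registerName("release") };
    for (size_t i = 0; i < sizeof(sels) / sizeof(sels[0]); i++) {
        Method rootM = class_getInstanceMethod(root, sels[i]);
        Method clsM  = class_getInstanceMethod(cls, sels[i]);  // walks the superclass chain
        if (clsM && rootM &&
            method_getImplementation(clsM) != method_getImplementation(rootM)) {
            return YES;
        }
    }
    return NO;
}

// Picks the hook granularity for an object: instance-level only when its
// concrete class uses NSObject's stock refcounting, otherwise class-level,
// the variant reported to work earlier in this thread. object_getClass is
// used rather than -class because Foundation may hand back private or
// placeholder subclasses (the disassembly mentions __immutablePlaceholderNSURL).
static NSString *HookStrategyFor(id obj) {
    Class concrete = object_getClass(obj);
    return OverridesRefcounting(concrete) ? @"class" : @"instance";
}

int main(void) {
    @autoreleasepool {
        NSURL *url = [[NSURL alloc] initWithString:@"https://www.google.com"];
        NSString *strategy = HookStrategyFor(url);
        NSLog(@"%@ -> %@-level hook", object_getClass(url), strategy);
        // On a Foundation where NSURL overrides -release (as in the disassembly
        // above) this reports "class", meaning st_hookInstanceMethod: should be
        // sent to the NSURL class rather than to `url`.
    }
    return 0;
}
```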
