Feature difference to Cydia Substrate and Frida? #6

Open
stevepoland85 opened this issue Nov 6, 2018 · 5 comments

@stevepoland85

Hey Steven,

Great project, thank you for the contribution to iOS development. I'm wondering what the biggest reasons are to use HookCase over other hooking solutions such as Cydia Substrate and Frida. Any insight into this?

Cheers,
Steve

@steven-michaud
Owner

Thanks!

HookCase doesn't work on iOS -- only on macOS/OS X. I suppose you could use it to target programs running in an iOS emulator on macOS, though I haven't tried to do this and don't know how you'd go about it. It's true that iOS and macOS are quite similar, so you could presumably learn a lot about a given kind of functionality on iOS by learning how it works on macOS. But HookCase, as it now stands, is only very indirectly a tool for reverse engineering on iOS.

iOS is much more locked down than macOS -- so much so that it's probably not feasible to port HookCase to iOS. For example, you'd need to be able to load non-Apple kernel modules, and presumably also non-signed ones. This works fine on macOS if you turn off "system integrity protection" (using csrutil). But I doubt Apple would ever allow this on iOS. I don't want to mess around with jailbreaking.

I only know about Frida in a very general way, and haven't tried to use it. I know nothing at all about Cydia Substrate. I suppose the best way to distinguish HookCase from apps like Frida is to say that HookCase is much simpler, and probably both a lot faster and more powerful. That doesn't make it easy to use. HookCase is intended for getting deep into the undocumented bowels of macOS and the apps that run on it. Here you'll need to know Intel assembly language and be comfortable using disassemblers to locate possible targets for your hooks. I don't think there's any way to make this easy, and HookCase doesn't try. But I doubt that there exists any other tool for debugging and reverse-engineering macOS that's more powerful than HookCase.

@stevepoland85
Author

Thank you for the succinct explanation!

Interesting work, and when I need to do some macOS debugging, I'll be sure to use the project.

@liuxuan30

liuxuan30 commented Jun 25, 2020

@steven-michaud Since WWDC20 revealed Apple Silicon, which begins the ARM era for the Mac, I wanted to bring this topic up again.

I have some hands-on experience with Frida and Cydia Substrate; both can do code injection in a fairly straightforward way, but I don't know HookCase very deeply.

The question I have is: does HookCase have a dependency on Intel CPUs? If so, is it possible to port HookCase to Apple Silicon / support the new ARM-based macOS?

@steven-michaud
Owner

steven-michaud commented Jun 25, 2020

HookCase is pretty tightly bound to Apple's Intel ABI, and to several features of Intel's processors. For example it uses Intel software interrupts. So it will be a lot of work to port HookCase to Apple Silicon. I'm not entirely sure it will even be possible. A lot depends on the specific features of Apple Silicon, and how Apple implements macOS on top of it. I intend to start work on this in the not too distant future. Before that I'll need to get hold of some Apple Silicon hardware. I might buy their Transition Kit. But it might be better for me to wait until they release some "real" (commercial) hardware.

I still don't know much about Frida or Cydia Substrate. But as best I can tell neither of them uses a kernel extension, which I think is the only way to get around all the obstacles that macOS puts in the way of hooking functions (and similar debugging techniques). Apple restricts DYLD_INSERT_LIBRARIES, especially with regard to its "own" applications like Safari. Google outright prevents its use with Chrome. And macOS tries to make it difficult to alter a code-signed application on the fly (once again especially for Apple's "own" apps). As far as I know, HookCase is the only comprehensive way around these obstacles.

But kernel extensions, especially those which (like HookCase) work on a very low level, are tightly bound to the OS and hardware they run on. So major changes to either will require a lot of new work.

@liuxuan30

liuxuan30 commented Jul 3, 2020

Hi @steven-michaud, thanks for the reply. Frida can work on both stock and jailbroken iPhones, but with a jailbreak it gains the most power.

Cydia Substrate has long been the code injection framework developed and privately owned by Saurik, the founder of Cydia. It still works on iOS 13, but only on the A11 CPU and below (iPhone X and below); the new arm64e CPU is not supported.

However, there is also an open source framework called Substitute, whose development stopped a long time ago. New jailbreak developers have forked it, added support and fixed bugs, and it supports iOS 13.5 and the arm64e CPU as well. Cydia Substrate also supports Android.

Substrate and Substitute require a jailbroken iOS to work, so I guess the jailbreak has already patched the kernel?

Both of these frameworks have supported hooking ObjC and C functions on armv7 and arm64 for a long time, but I'm not sure if they are going to work on Apple Silicon as well. But if macOS can give us root or kernel privileges, I think it's possible to port code injection frameworks to Apple Silicon?

I have ordered a DTK. Anyway, I'm glad you have plans to work on it, and I hope I can help (though I doubt I have the knowledge to port HC to the DTK).
