Hooking variadic functions causes an EXC_BAD_ACCESS

[KiranPanesar]

I created a demo iOS app. Pretty much the only thing it does is call [NSString stringWithFormat:@"asd"];. When I set up a custom tracer to hook into this method, the app crashes when called.

I've run it through Xcode, put down Exception Breakpoints and grabbed the backtrace using LLDB. Here's the trace of the crashing thread. As you can see, it results in an EXC_BAD_ACCESS.

Upon further testing it appears that this is only occurring for methods with variadic parameters. If I hook +stringWithString: and create a sample app which uses that method, the tracer works fine and all the data I ask is logged.

Has anyone else run into this?

[radj]

My guess is incorrect handling of the variadic parameters. You can try isolating by creating an app with code that only receives variadic parameters and passes it to the variadic +stringWithString: method and experiment around it. If you get that right, then follow that pattern when you pass the variadic hook parameters to %orig(). If I'm wrong, then at least you've learned how to manage variadic parameters :)

[KiranPanesar]

Tried taking this approach: https://gist.github.com/KiranPanesar/e9e2c33dc083df0ad779. Fairly sure that will work.

Now the unfortunate thing is that it won't compile because it simply does not recognise variadic parameter syntax.

[KiranPanesar]

Judging by my continued research, this appears to be a bug in Introspy.

Is there someone who is specifically maintaining this project?

[nabla-c0d3]

I don't think you can use Logos (%hook etc) to hook variadic functions. You need to directly use the Cydia Substrate API. I wrote a quick poc here: https://gist.github.com/nabla-c0d3/f952c6fcc1e9d359dbfe

[kirilldobr]

Your example shows a C variadic function. But what if I need an Objective-C one?
NSString’s

+(instancetype)stringWithFormat:(NSString *)format, ...

can't be hooked that way...right?

[nabla-c0d3]

It can but you would have to use MSHookMessageEx()