#include "substrate.h"
#include <dlfcn.h>

void resolveSymbol(const void *addr) {
    Dl_info info;
    if (dladdr(addr, &info)) {
        NSLog(@"<hooksubstrate> Resolved symbol at address %p: dli_fname %s, dli_fbase %p, dli_sname %s, dli_saddr %p", addr, info.dli_fname, info.dli_fbase, info.dli_sname, info.dli_saddr);
    }
    else {
        NSLog(@"<hooksubstrate> Can't resolve symbol at address %p", addr);
    }
}

void (*oldMSHookFunction)(void *, void *, void **);

void newMSHookFunction(void *symbol, void *hook, void **old) {
    NSLog(@"<hooksubstrate> MSHookFunction: symbol %p, new %p, old %p", symbol, hook, old);
    resolveSymbol(symbol);
    resolveSymbol(hook);
    resolveSymbol(old);
    oldMSHookFunction(symbol, hook, old);
}

void (*oldMSHookMessageEx)(Class, SEL, IMP, IMP *);

void newMSHookMessageEx(Class c/*lass*/, SEL s/*elector*/, IMP replacement, IMP *result) {
    NSLog(@"<hooksubstrate> MSHookMessageEx: class %@, selector %@, new %p, old %p", NSStringFromClass(c/*lass*/), NSStringFromSelector(s/*elector*/), replacement, result);
    resolveSymbol((const void *) *replacement);
    resolveSymbol((const void *) result);
    oldMSHookMessageEx(c/*lass*/, s/*elector*/, replacement, result);
}

__attribute__((constructor))
static void initialize() {
    MSHookFunction(MSHookMessageEx, &newMSHookMessageEx, &oldMSHookMessageEx);
    MSHookFunction(MSHookFunction, &newMSHookFunction, &oldMSHookFunction);
    NSLog(@"<hooksubstrate> Hooked into MSHookFunction & MSHookMessageEx");
}

带有示例输出（对于旧版本）

> cat /dev/null > /var/log/syslog
> cat /var/log/syslog | grep "Loading"
Sep 12 17:06:54 iPad Clash of Clans[2372]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/HookSubstrate.dylib
Sep 12 17:06:54 iPad Clash of Clans[2372]: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/xxCOCPlugin.dylib
> cat /var/log/syslog | grep "<cc>"
Sep 12 17:06:54 iPad Clash of Clans[2372]: <cc> Hooked into MSHookFunction & MSHookMessageEx
Sep 12 17:06:54 iPad Clash of Clans[2372]: <cc> MSHookFunction: old 0x845fd, new 0x3af4fd
Sep 12 17:06:54 iPad Clash of Clans[2372]: <cc> Resolved symbol at address 0x845fd: dli_fname /var/mobile/Applications/1A631C27-CE93-4845-B7FB-0637D600E10C/Clash of Clans.app/Clash of Clans, dli_fbase 0x4000, dli_sname (null), dli_saddr 0x0
Sep 12 17:06:54 iPad Clash of Clans[2372]: <cc> Resolved symbol at address 0x3af4fd: dli_fname /Library/MobileSubstrate/DynamicLibraries/xxCOCPlugin.dylib, dli_fbase 0x3a7000, dli_sname _Z20func_hook_new_searchi, dli_saddr 0x3af4fd
Sep 12 17:06:54 iPad Clash of Clans[2372]: <cc> MSHookMessageEx: class AppController, selector application:didFinishLaunchingWithOptions:, new 0x3afdb5
Sep 12 17:06:54 iPad Clash of Clans[2372]: <cc> Resolved symbol at address 0x3afdb5: dli_fname /Library/MobileSubstrate/DynamicLibraries/xxCOCPlugin.dylib, dli_fbase 0x3a7000, dli_sname _Z60hook_AppController_application_didFinishLaunchingWithOptionsP11objc_objectP13objc_selectorS0_S0_, dli_saddr 0x3afdb5

通过首先在 IDA Pro 中对 _MSHookMes​​sageEx 进行交叉引用，您可以在调整中找到所有挂钩的 Objective C 方法。在调用 _MSHookMes​​sageEx 的函数中，可以看到方法名称已加载到 R1 中，就在调用 _MSHookMes​​sageEx 之前。

要使用 gdb 启动应用程序，请使用 debugserver。它充当 iOS 上远程 gdb 或 lldb 的端点。您可以在此页面上找到有关 debugserver 的更多信息 - http://iphonedevwiki.net/index.php/Debugserver

另外，我建议使用 Theos ( http://iphonedevwiki.net/index.php/Theos ) 来执行函数挂钩。它使 MobileSubtrate 调整的开发变得更加容易。

从你的问题来看，我似乎明白你正试图挂钩 MobileSubtrate 自己的功能，如 MSHookFunction。MobileSubstrate 仅设计用于挂钩其他功能而不是其本身。