steven-michaud / HookCase

Tool for reverse engineering macOS/OS X


which part of the key code to remove the signature restriction about DYLD_INSERT_LIBRARIES

ccp10841054 opened this issue

which part of the key code to remove the signature restriction about DYLD_INSERT_LIBRARIES

Your question is very unclear. For the sake of argument, though, I'll assume you're asking something like this:

Which part of HookCase's code removes Apple's restrictions on the use of DYLD_INSERT_LIBRARIES?

The answer is "none of it". HookCase doesn't remove Apple's restrictions on DYLD_INSERT_LIBRARIES. Instead, as the README file says, it "re-implements and extends Apple's DYLD_INSERT_LIBRARIES functionality". It comes at the problem from a completely different direction -- a kernel extension. This bypasses the code (mostly in /usr/lib/dyld) that Apple uses to implement DYLD_INSERT_LIBRARIES, and "re-implements" it, without using any of Apple's code. Because HookCase is built from scratch (from the ground up), it can bypass Apple's restrictions and add new functionality.

As extensive as it is, the code in HookCase is very parsimonious. Pretty much all of it is needed to accomplish its task (of re-implementing and extending Apple's DYLD_INSERT_LIBRARIES functionality). Remove almost any part of it and HookCase will no longer work at all. The only exception is the part that implements watchpoints. This can be disabled without affecting the rest of HookCase's functionality.

HookCase doesn't work like that.

HookCase is open-source, and well-documented (especially if you include the code comments). You clearly haven't read, or haven't understood, any of it. There's nothing I can do to help you.