Patch Hook for sub_123abc Not Working

[SamL98]

First of all, I'd like to say this is an impressive project (even though I don't understand half the code).

So I am trying to insert a hook into the Spotify app so I can keep track of what songs I skip. In IDA, I found the procedure that handles the media control keys. I found that the code is identical to that in https://github.com/nevyn/SPMediaKeyTap so I was able to obtain the function signature.

I basically copy and pasted your template library and added the following code to hook the desired, unnamed procedure:

#define PARAM_SIGNATURE CGEventTapProxy proxy, \
                        CGEventType type, \
                        CGEventRef event, \
                        void *refcon

int (*sub_10010C230_caller)(PARAM_SIGNATURE) = NULL;

static int Hooked_sub_10010C230(PARAM_SIGNATURE)
{
    LogWithFormat(true, "HERE!");
    int retval = sub_10010C230_caller(proxy, type, event, refcon);

    reset_hook(reinterpret_cast<void*>(Hooked_sub_10010C230));
    return retval;
}

However, when I run with HC_INSERT_LIBRARY=skiphook.dylib /Applications/Spotify.app/Contents/MacOS/Spotify, I get no output when using the media control keys.

The only thing I can think of is that this procedure is passed as a callback, so it presumably runs on not the main thread. Would this affect the hook?

[steven-michaud]

What did you add to the following structure?

    __attribute__((used)) static const hook_desc user_hooks[]
      __attribute__((section("__DATA, __hook"))) =
    {
    }

It should have been something like:

    PATCH_FUNCTION(sub_10010C230, /full/path/to/Spotify.app/Contents/MacOS/Spotify),

Otherwise your code looks fine, and should have worked. Your hook should work on any thread. Though it's conceivable that LogWithFormat() might not have worked, for some reason. Try putting in a NULL dereference and see what happens. Spotify should crash, of course.

[SamL98]

Thank you for the response. I wasn't quite sure what to do with the user_hooks. I added the PATCH_FUNCTION but now I am receiving errors that Hooked_sub_10010C230 and sub_10010C230_caller are undeclared when expanding the PATCH_FUNCTION macro. I feel like there is a simple reason behind this but I can't seem to track it down. I will let you know and close the issue once I do.

[steven-michaud]

One other thing I didn't notice before: HC_INSERT_LIBRARY needs to be a full path.

As for your compile problem ... I have no idea at all :-(

[steven-michaud]

Yet one more thing: The HookCase extension displays useful error messages in the Console app, if the Console app is running before you try to use HC_INSERT_LIBRARY. They all begin with "HookCase", so you can filter on that.

[SamL98]

So this is embarrassing but the compiler errors were because I accidentally put the hook in the #if(0) macro. I took it out and it compiled fine. I changed HC_INSERT_LIBRARY to the full path and added a null dereference in the hook but Spotify doesn't crash. I'll take a look the console to see if I see anything. Thanks again for your help.

[SamL98]

So it looks like the subroutine I was hooking isn't actually called? I hooked a subroutine that is always called in the entry point and I received the log message. It looks like the code was fine, my understanding of how Spotify deals with media control keys was the problem.

[steven-michaud]

Actually I've discovered a bug here -- just not the one you reported.

To work around it, use full paths both in HC_INSERT_LIBRARY and the executable. For example:

    HC_INSERT_LIBRARY=/full/path/to/hook.dylib /full/path/to/Spotify.app/Contents/MacOS/Spotify

I'll open an issue on it when I understand it more fully.