Interceptor on arm64 breaks functions with internal backward jumps to the middle of the trampoline (offset +4)

I encountered a crash when hooking CoreFoundation's `CFStringGetCharacterAtIndex` on iOS/arm64 using the latest release. It overwrites the first 8 bytes of the function to place the trampoline. However, this specific function contains internal backward branches that target offset +4.

# Original Disassembly

```assembly
CoreFoundation`CFStringGetCharacterAtIndex:
    0x194d61494 <+0>:   tbz    x0, #0x3f, 0x194d614a0     ; <+12>
    0x194d61498 <+4>:   mov    x2, x1
    0x194d6149c <+8>:   b      0x19508f340                ; objc_msgSend$characterAtIndex:
    ...
    0x194d614cc <+56>:  tbz    w8, #0x0, 0x194d61498      ; Jumps back to +4
```

# Hooked Disassembly

```assembly
CoreFoundation`CFStringGetCharacterAtIndex:
    0x194d61494 <+0>:   adrp   x16, -595979
    0x194d61498 <+4>:   br     x16
    0x194d6149c <+8>:   b      0x19508f340                ; objc_msgSend$characterAtIndex:
    ...
    0x194d614cc <+56>:  tbz    w8, #0x0, 0x194d61498      ; Jumps to +4 (now 'br x16')
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Interceptor on arm64 breaks functions with internal backward jumps to the middle of the trampoline (offset +4) #1083

Original Disassembly

Hooked Disassembly

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Interceptor on arm64 breaks functions with internal backward jumps to the middle of the trampoline (offset +4) #1083

Description

Original Disassembly

Hooked Disassembly

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions