
Re: Joker now does 64-bit dumps..

Posted: Mon Aug 31, 2015 7:22 pm
by backendbilly
hey J,

I'm running Joker to extract a kext that has a "/" in the name. It appears that kexts with "/" in the name won't get extracted. I'm running on x64 Linux.

Code:
joker -K "I/O Kit Driver for USB HID Devices" kernelcache.release.n42.d
This is a 32-bit kernel from iOS 9.x, or later (3216.0.0.1.15)
Found iOS 8+ sysent table @3f2684 (Addr: 0x803f3684)
Processing kexts
Attempting to kextract I/O Kit Driver for USB HID Devices
Found I/O Kit Driver for USB HID Devices at load address: 80ce3000, offset: c98000
Extracted I/O Kit Driver for USB HID Devices


Billy

Re: Joker now does 64-bit dumps..

Posted: Mon Aug 31, 2015 9:24 pm
by morpheus
Thanks Billy. That was a bug. Resolved, and I have now made -K work with bundle IDs (com.apple.whatever) instead of names - this will simplify things, since IDs contain neither spaces nor slashes.

http://NewOSXBook.com/tools/joker.html

Re: Joker now does 64-bit dumps..

Posted: Sat Jan 23, 2016 11:18 pm
by jni
I am using version 2.2.1 and I am trying to get the kexts from a dumped armv7 (4S) 9.0.2 kernelcache. I get a segfault:

Code:
$ joker -k kernelcache_armv7_4s_9_0_2_dumped
Segmentation fault: 11


From lldb the access violation is in function processLoadCommands:

Code:
joker`processLoadCommands:
0x100015cef <+319>: mov    edx, dword ptr [rax + 0x4]
Stop reason : EXC_BAD_ACCESS (code=1, address=0x1c2a24ec0)


This function isn't in the released joker.c file, so I guess it's in "machlib".

Let me know if you need more details for this. Also, are you planning to release the sources of "machlib"?

jeni
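
The thread does not establish the cause of the crash reported above, and machlib is closed source. As an added example (not joker's or machlib's code), this is a bounds-checked walk of 32-bit Mach-O load commands that returns an error when a size field in a dumped image points outside the buffer; the names `walk_load_commands` and `build_sample` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC_32   0xfeedfaceu /* magic of a 32-bit Mach-O header */
#define MH_HDR32_SIZE 28u         /* seven 32-bit fields precede the commands */

/* Read a host-endian u32 without assuming alignment (little-endian host assumed). */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Hypothetical helper: walk the load commands of the 32-bit image in buf[0..len).
 * Returns the number of commands, or -1 as soon as a size field would take the
 * walk outside the buffer. */
int walk_load_commands(const uint8_t *buf, size_t len)
{
    if (len < MH_HDR32_SIZE || rd32(buf) != MH_MAGIC_32) return -1;
    uint32_t ncmds = rd32(buf + 16), sizeofcmds = rd32(buf + 20);
    if (sizeofcmds > len - MH_HDR32_SIZE) return -1;  /* command area must fit */
    size_t off = MH_HDR32_SIZE, end = off + sizeofcmds;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (end - off < 8) return -1;                 /* no room for cmd + cmdsize */
        uint32_t cmdsize = rd32(buf + off + 4);       /* the field at offset 4 */
        if (cmdsize < 8 || (cmdsize & 3) || cmdsize > end - off) return -1;
        off += cmdsize;
    }
    return (int)ncmds;
}

/* Constructed sample: header plus two bare 8-byte commands (cmd ids arbitrary);
 * the second command's cmdsize is caller-supplied to model a damaged dump. */
size_t build_sample(uint8_t *out, uint32_t second_cmdsize)
{
    uint32_t w[11] = { MH_MAGIC_32, 12 /* CPU_TYPE_ARM */, 0, 2 /* MH_EXECUTE */,
                       2 /* ncmds */, 16 /* sizeofcmds */, 0 /* flags */,
                       0x1, 8, 0x2, second_cmdsize };
    memcpy(out, w, sizeof w);
    return sizeof w;
}

int main(void)
{
    uint8_t img[44];
    size_t n = build_sample(img, 8);
    printf("intact: %d\n", walk_load_commands(img, n));
    n = build_sample(img, 0x1000);
    printf("oversized cmdsize: %d\n", walk_load_commands(img, n));
    return 0;
}
```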

Re: Joker now does 64-bit dumps..

Posted: Fri Jan 29, 2016 3:03 am
by morpheus
Actually, I do need more details. The new version of joker uses mach lib to figure out the Mach-O bundle headers (rather than look at a decrypted cache's prelink info). I'd need more of a crash report, or a 32-bit dump (I use 64-bit ones myself).

Mach lib is my own, and sources are closed, since I implemented the whole thing from scratch rather than use libmacho.dylib - so I can use it on Linux as well (for JTool, originally). I could probably provide an API if you need one.