Joker segfault with -j option and disassembly ADDADDADD

Postby forestcorgi » Wed Jul 05, 2017 7:06 pm

When I run joker with -j on a decompressed iPhone6,1 10.2 or 10.2.1 kernelcache, it segfaults after the following output:

-many lines omitted for brevity-
fffffff007590210:buf headers zone
@TODO: STP (SIMD/FP,off)
@TODO: STP (SIMD/FP,off)
fffffff007596560:fs-event-buf zone
fffffff00759dcc8:rtentry zone


Debugging in GDB gave me the following:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a5bcc0 in _IO_vfprintf_internal (s=s@entry=0x7fffffffc970, format=<optimized out>,
    format@entry=0x440e4b "*%s", ap=ap@entry=0x7fffffffca98) at vfprintf.c:1632
1632   vfprintf.c: No such file or directory.


In addition to that crash, the disassembler portion in both joker and jtool seems to randomly output the string "ADD" thousands of times even when the disassembly is otherwise silent (e.g. when processing a 32-bit iOS 9 kernelcache in joker).

Thank you so much for your research and work on these tools. I bought *OS Internals Volume III a while back and it is fantastic.

Re: Joker segfault with -j option and disassembly ADDADDADD

Postby morpheus » Wed Jul 05, 2017 9:26 pm

Thanks for the kind words, first. And second, neither jtool nor joker officially supports 32-bit binaries any longer. I decided to retire that because as of iOS 11 all kernels are 64-bit anyway - leaving just WatchOS 4 as the last bastion of 32-bitness.

That said, it's a bug in MachLib, so I'll try fixing it.

Re: Joker segfault with -j option and disassembly ADDADDADD

Postby forestcorgi » Wed Jul 05, 2017 11:45 pm

Thank you so much!

Re: Joker segfault with -j option and disassembly ADDADDADD

Postby forestcorgi » Tue Jul 18, 2017 11:54 pm

Hi again -

About last time - the "ADD" thing happens for all disassembly operations, 32- and 64-bit.

I also got a new segfault while trying to disassemble the exec binary that's part of the iOS 9 jbme (https://jbme.qwertyoruiop.com/exec).

When I try it with debug output, it gives the following:

Disassembling from file offset 0x4d90, Address 0x100004d90
   100004d90   STP     X29, X30, [SP, #-16]!   //STP: -16 gets R29, -8 gets R30, OPC: 2   ; *(SP + 0xfffffffffffffff0) = 0x0
   100004d94   ADD     X29, SP, #0       RT: 29, Rn 31, IMM: 0
   ; ___R29 = R31 (0x100004d98) + 0x0 =
   100004d98   SUB     SP, SP, 64           ; SP -= 0x40 (stack frame)
   100004d9c   SUB     X1, X29, #16      ; X1 = 0xaabbcccfffffff0 -|
   100004da0   SUB     X2, X29, #20      ; X2 = 0xaabbcccffffffec -|
   100004da4   ADRP    X8, 120              ; ->R8 = 0x10007c000
   100004da8   LDR     X8, [X8, #72]     ; -R8 = *(R8 + 72) = .. *(0x10007c048, no sym) = -libSystem.B.dylib::_mach_task_self_-
   100004dac   MOVZ    X9, 0x0              ; ->R9 = 0x0
   100004db0   STUR    X31, X29, #-4        ; SP + 0xfffffffffffffffc = 0x0
   100004db4   STUR    X9, X29, #-16        ; SP + 0xfffffffffffffff0 = X9  0x0
   100004db8   STUR    X31, X29, #-20       ; SP + 0xffffffffffffffec = 0x0
   100004dbc   LDR     W0, [X8, #0]      ;;   R0 = *(libSystem.B.dylib::_mach_task_self_)
   100004dc0   BL      libSystem.B.dylib::_task_threads   ; 0x10007abb4
   100004dc4   STR     W0, [SP, #32]        ; *(SP + 0x20) = 0x0
   100004dc8   BL      libSystem.B.dylib::_mach_thread_self   ; 0x10007a9ec
   100004dcc   STUR    X0, X29, #-24        ; SP + 0xffffffffffffffe8 = X0  0x0
   100004dd0   STUR    X31, X29, #-28       ; SP + 0xffffffffffffffe4 = 0x0
Segmentation fault (core dumped)


NOOBJC does not solve the issue.

Thank you again.

Re: Joker segfault with -j option and disassembly ADDADDADD

Postby Siguza » Wed Jul 19, 2017 7:32 pm

Joker also segfaults once again on the 10.3.3/iPod7,1 kernel when trying to extract kexts.