obscurity in iOS91 kernel

PostPosted: Sat Mar 26, 2016 11:58 pm
by backendbilly
Hey J,

It appears (to me at least) that there is a big data section in the 9.1 kernel with very few cross-references (from/to strings, for example). In comparison to 8.4, it is very easy to cross-reference strings (especially in kexts) to code, but not so much in iOS 9.1. Do you have any idea why? Also, when loading the 9.1 dump into IDA, a warning comes up saying there are no prelinked kexts and that the format may have changed?

Billy

Re: obscurity in iOS91 kernel

PostPosted: Sun Mar 27, 2016 1:08 pm
by morpheus
Apple strips more and more with every version. Why IDA can't find kexts I can't tell you - I don't use it. How is Joker handling them? I know that it did well up to and including 9.2.1 (though I never actually did 9.1).

Re: obscurity in iOS91 kernel

PostPosted: Sun Mar 27, 2016 2:08 pm
by backendbilly
Unfortunately that's what I thought too. I was hoping the dumping process was screwed up rather than the stripped symbols.

Re: obscurity in iOS91 kernel

PostPosted: Sun Mar 27, 2016 6:01 pm
by morpheus
Wait for the next version of Joker... I am working on integrating jtool functionality into it so as to figure out internal function calls and symbolicate large parts. More to come soon.

Re: obscurity in iOS91 kernel

PostPosted: Mon Mar 28, 2016 2:15 am
by backendbilly
Looking forward to that, J. If you can symbolicate the stripped symbols back, that would be such an amazing addition to Joker.