Hi,
I’ve encountered a puzzling code (and behavior) in iOS’s mach_absolute_time. I’m looking at 32 bit. It starts from reading a byte from 0xffff4088+0x8. These addresses should be kernel addresses, no? mach_vm_region on this address fails. In your book you mention commpage, but at another address.
When I try to read it via lldb – it fails as well. I can read the same byte with the injected code though.
Do you know:
- What is there?
- How big is this region and where it starts?
P.S. I ran a quick disassembly of all functions in the same dylib and only this one starts with reading from this address
mach_absolute_time puzzling code
2 posts
• Page 1 of 1
mach_absolute_time puzzling code
by moshe » Mon Apr 04, 2016 7:03 pm
- moshe
- Posts: 3
- Joined: Mon Apr 04, 2016 6:58 pm
Re: mach_absolute_time puzzling code
by morpheus » Wed Apr 13, 2016 12:41 pm
That address is very likely the commpage after all. If you look at jlaunchctl source, this is a hard coded "magic" which changes in 32 or 64. You can see that in OS X's launchctl hostinfo (which displays "last known mach absolute time". Read the bytes (all 8 of them) several times - if they change, it's the right value.
- morpheus
- Site Admin
- Posts: 667
- Joined: Thu Apr 11, 2013 6:24 pm
2 posts
• Page 1 of 1
Return to Questions and Answers
Who is online
Users browsing this forum: No registered users and 4 guests