__DATA,__objc_stringobj ?

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby umbri » Thu May 26, 2016 7:14 pm

Hi,
Does someone know how to parse the "__DATA,__objc_stringobj" section?
Or maybe have some info about this?

Thank you.
umbri
 
Posts: 9
Joined: Thu May 26, 2016 7:17 am

Re: __DATA,__objc_stringobj ?

Postby morpheus » Thu May 26, 2016 8:57 pm

Post a binary and I'll see if I can help. It's not a section I've encountered, but I can make JTool parse it.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: __DATA,__objc_stringobj ?

Postby umbri » Tue May 31, 2016 2:01 pm

Thank you for the response.
I found the answer, and if you are interested I have attached the binary.
Sorry, I can't use the default upload; here is a link: https://mega.nz/#!l4UlQTaZ!xJ-zmB85BoDj ... uTSuLi8Oes
Here are the structs (I hope :)):

#include <stdint.h>

/* 64-bit record: sizeof is 24 because length is padded to 8-byte alignment */
struct objstring64_t {
    uint64_t isa;      /* pointer to the Objective-C class object */
    uint64_t str;      /* pointer to the NUL-terminated text in __TEXT,__cstring */
    uint32_t length;   /* byte length of the text, not counting the NUL */
};

/* 32-bit record: 12 bytes, same three fields with 32-bit pointers */
struct objstring_t {
    uint32_t isa;
    uint32_t str;
    uint32_t length;
};
umbri
 
Posts: 9
Joined: Thu May 26, 2016 7:17 am

Re: __DATA,__objc_stringobj ?

Postby morpheus » Tue May 31, 2016 7:49 pm

Turns out jtool already supports it!

jtool -d __DATA.__objc_stringobj ~/Downloads/arm64Unsigned  | more
Warning: companion file /Users/morpheus/Downloads/arm64Unsigned.ARM64.77720B72-8009-3533-95CC-54AC6432ECC1 not found
Dumping from address 0x100008198 (Segment: __DATA.__objc_stringobj)
0x100008198: 70 81 00 00 01 00 00 00  _OBJC_CLASS_$_VALERA
0x1000081a0: b8 7e 00 00 01 00 00 00  "mystringishere!!!" -
0x1000081a8: 11 00 00 00 00 00 00 00
0x1000081b0: 70 81 00 00 01 00 00 00  _OBJC_CLASS_$_VALERA
0x1000081b8: ca 7e 00 00 01 00 00 00  "111111111" -
0x1000081c0: 09 00 00 00 00 00 00 00
0x1000081c8: 70 81 00 00 01 00 00 00  _OBJC_CLASS_$_VALERA
0x1000081d0: d4 7e 00 00 01 00 00 00  "77777777777777777777" -
0x1000081d8: 14 00 00 00 00 00 00 00
0x1000081e0: 70 81 00 00 01 00 00 00  _OBJC_CLASS_$_VALERA
0x1000081e8: e9 7e 00 00 01 00 00 00  "%@" -
0x1000081f0: 02 00 00 00 00 00 00 00
0x1000081f8: 70 81 00 00 01 00 00 00  _OBJC_CLASS_$_VALERA
0x100008200: ec 7e 00 00 01 00 00 00  "XXXX" -
0x100008208: 04 00 00 00 00 00 00 00
0x100008210: 70 81 00 00 01 00 00 00  _OBJC_CLASS_$_VALERA
0x100008218: f1 7e 00 00 01 00 00 00  "YYYY" -
0x100008220: 04 00 00 00 00 00 00 00
0x100008228: 70 81 00 00 01 00 00 00  _OBJC_CLASS_$_VALERA
0x100008230: 21 7f 00 00 01 00 00 00  "russianдоступнее" -
0x100008238: 19 00 00 00 00 00 00 00


And the format is simple, yes. Class, text.__cstring pointer, and len.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
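A parser for the layout described above (the two structs umbri posted, and the class / __cstring pointer / length format the dump confirms), added here as an example and not code from the thread or from jtool. The section bytes are constructed inside the block, reusing the class and first-string addresses from the dump; the parser handles the 32-bit record as well and flags any record whose length field disagrees with the NUL-terminated data it points at.

```python
import struct

# Record layouts from the structs posted above: isa, str pointer, length.
# The 64-bit length is padded to 8 bytes, giving the 24-byte stride in the dump.
LAYOUT = {64: "<QQI4x", 32: "<III"}

def read_cstring(section, section_vmaddr, ptr):
    """Follow a str pointer into __TEXT,__cstring; return bytes up to the NUL."""
    off = ptr - section_vmaddr
    if not 0 <= off < len(section):
        raise ValueError(f"str pointer {ptr:#x} lies outside __cstring")
    end = section.find(b"\0", off)
    return section[off:] if end < 0 else section[off:end]

def parse_stringobj(objs, cstr, cstr_vmaddr, bits=64):
    """Return (isa, str_ptr, length, text, length_ok) for each record.
    length is a UTF-8 byte count, not a character count (the dump shows
    0x19 = 25 for "russianдоступнее", 16 characters); a record whose length
    disagrees with the NUL-terminated data is flagged rather than trusted.
    """
    fmt = LAYOUT[bits]
    size = struct.calcsize(fmt)
    rows = []
    for off in range(0, len(objs) - size + 1, size):
        isa, str_ptr, length = struct.unpack_from(fmt, objs, off)
        raw = read_cstring(cstr, cstr_vmaddr, str_ptr)
        text = raw.decode("utf-8", "replace")
        rows.append((isa, str_ptr, length, text, len(raw) == length))
    return rows

# Constructed sample: the class and first string address come from the jtool
# dump in the thread; the strings are laid out back to back from that address.
ISA = 0x100008170
CSTR_VMADDR = 0x100007EB8
TEXTS = ["mystringishere!!!", "111111111", "%@", "russianдоступнее"]

def build_sample(bits=64, isa=ISA, base=CSTR_VMADDR):
    """Pack TEXTS into a fake __cstring blob and matching __objc_stringobj records."""
    cstr, recs = b"", b""
    for t in TEXTS:
        recs += struct.pack(LAYOUT[bits], isa, base + len(cstr), len(t.encode()))
        cstr += t.encode() + b"\0"
    return recs, cstr

if __name__ == "__main__":
    recs, cstr = build_sample()
    for isa, p, n, text, ok in parse_stringobj(recs, cstr, CSTR_VMADDR):
        print(f"{isa:#x} -> {p:#x} len={n:<3} {'ok' if ok else 'BAD'} {text!r}")
```

On a real binary you would feed the raw bytes of the two sections and the vmaddr of __TEXT,__cstring from the section headers; the length check is what a patcher that rewrites strings (as discussed later in the thread) needs to keep consistent.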

Re: __DATA,__objc_stringobj ?

Postby umbri » Fri Jun 10, 2016 12:26 pm

Perfecto, ALL OK.

One more question:
how are SWIFT strings stored?

I suppose it is __TEXT,__cstring, as for a normal cstring class, but when looking more closely I can see some garbage with \0; I think there is another struct.
Any info about this?

Thank you.

UPDATE:
may be helpful: https://github.com/apple/swift/blob/mas ... ring.swift
umbri
 
Posts: 9
Joined: Thu May 26, 2016 7:17 am

Re: __DATA,__objc_stringobj ?

Postby umbri » Sat Jun 11, 2016 6:30 pm

I am trying to patch __cstring literals with my own strings.
Can you suggest something?

I am trying to create an obfuscator for Mach-O binaries; right now I am trying to encrypt the cstrings and then decrypt them at runtime, but I am not sure how all this stuff works!
I already patch them with the same length (trivial), but how do I load them before the app is started?
I am trying to figure out how the kernel indexes cstrings and how I can change them!

Any ideas ??

Thank you
umbri
 
Posts: 9
Joined: Thu May 26, 2016 7:17 am

Re: __DATA,__objc_stringobj ?

Postby morpheus » Sat Jun 11, 2016 9:53 pm

Should have separated that to another thread, but per both your questions:

- Swift Strings are either in __TEXT.__cstring or __TEXT.__ustring (unicode). To build them:

print ("Swift!!!\n");

becomes (along with a $%#$%$# ridiculous amount of Swift constructors):

...
00000001000014e2        leaq    0x2409(%rip), %rdi      ## literal pool for: "Swift!!!\n"
00000001000014e9        movl    $0x9, %esi
00000001000014ee        movl    $0x1, %r8d
00000001000014f4        movq    0x2b1d(%rip), %rcx      ## literal pool symbol address: _type metadata for Swift.String
00000001000014fb        movq    %rcx, 0x18(%rdx)
00000001000014ff        movq    %rdx, -0x10(%rbp)
0000000100001503        movl    %r8d, %edx
0000000100001506        movq    %rax, -0x18(%rbp)
000000010000150a        callq   0x1000036aa             ## symbol stub for: _Swift.String.init (_builtinStringLiteral : Builtin.RawPointer, byteSize : Builtin.Word, isASCII : Builtin.Int1) -> Swift.String


And the actual string is :

bash-3.2# jtool -d __TEXT.__cstring a | head -2
Dumping C-Strings from address 0x1000038f2 (Segment: __TEXT.__cstring)..
0x1000038f2: Swift!!!\r
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: __DATA,__objc_stringobj ?

Postby morpheus » Sat Jun 11, 2016 9:58 pm

Per the second question:

- You will have to patch the binary (__DATA.__mod_init_func) and create your own loader, or use INSERT_LIBRARIES, and then perform the decryption. But you will run into some serious problems:

- You'll have to use a stream cipher to decrypt in place and not change lengths. If you do, you will still leak string lengths. If you do change lengths, you will A) waste memory B) need to get into memory allocations by yourself.

- The TEXT is r-x so you can't patch in place. In OS X you can get around this with mprotect; on iOS, doing so will also violate the signature, and kill you.

- Anyone who can attach a debugger can see your decryption anyway.

I would suggest, however, not to spend TOO much effort on this. For one, iOS has built-in text encryption (LC_ENCRYPTION_INFO[_64]) which also covers __TEXT.__cstring until the binary is loaded into memory (and yes, at that point it is trivial to dump using procexp core, for example).
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: __DATA,__objc_stringobj ?

Postby umbri » Mon Jun 13, 2016 12:20 pm

1) Thank you for response.

2) Thank you for __DATA,__mod_init_func this was new for me. (nice)

3) About LC_ENCRYPTION_INFO[_64]: I am trying to prevent automatic tools from patching binaries; this will prevent piracy by "noob" hackers (as most of them are :]), and static patching as well.

4) I understand that everything can be patched and hooked, but I am trying to complicate life for these people, and extend the time they spend.

5) Right now I am doing well with static parsing of Mach-O binaries, but I am not sure: can I modify a Mach-O at runtime, before main() is called? (Please suggest something to read.)

UPDATE:
I think I can do something like this: get the address with "_dyld_get_image_vmaddr_slide" and then patch the in-memory address of the cstring! Will this work?
umbri
 
Posts: 9
Joined: Thu May 26, 2016 7:17 am

Re: __DATA,__objc_stringobj ?

Postby morpheus » Mon Jun 13, 2016 4:51 pm

On OS X that's not a problem, but on iOS you cannot patch text. The memory of all the __TEXT segment is r-x, and you won't be able to use mprotect(2) on it to make it writable without making the entire page non-executable (though on larger binaries it's doable). I still maintain it is a largely wasted effort, be warned.

Getting the address of Mach-O is actually easier than that using the APIs in <mach-o/dyld.h>. _dyld_get_image_header(...) will get you the header, irrespective of slide (since it's in your address space).
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm