JTool II: Testers wanted

Used for discussing the various tools in the book as well as encouraging members to share tools

Re: JTool II: Testers wanted

Post by morpheus » Mon Dec 31, 2018 11:13 am

Ok. Updated, jonios - the FAT bugs you found - fixed. Also, from ChangeLog

12/28/2018 (Vic Falls)
------------------
- -vv can now be used for "very verbose" (e.g. print page hashes with --sig, where just -v won't unless they mismatch)
- Fix for code signature page hashes in fat files (thanks, jonios)
- arm64e correctly identified in fat (now properly handling other various subtypes as well - went back to double check armv7/s/k as well)
- arm64_32 (Watch Series IV) now identified and disassembled as well (same as ARM64)

Many Jokerlib improvements: (2,260 symbols)
-------------------------------------------

- more joker symbols (for --analyze) including scheduler and some skywalk

- -d __DATA...* now automatically resolves tagged pointers when in a kernelcache!
Value is still displayed tagged, but resolved to untagged symbol

- "-dec" now available (like joker classic) to decompress compressed (lzvn/lzss) kernelcaches,
though you probably won't need it since now jtool2 handles compressed kernelcaches natively.

- integrated with Xn00p

- shows all zones (by tracking zinit, in case you IDA folk are wondering)
- reconstructs IOService object in __DATA_CONST.__const (the rest of the IO Objects will arrive soon)
(and just wait for Vol II coverage :-)

... And a New Year's update:

01/01/2019 (Chobe)
------------------

- Happy New 2019, people!
- Fixed -[lazy/]bind bug I had, especially with ARM64e bindings. Now tables are displayed correctly.
- Now resolving all stubs in arm64e binaries. -d works to resolve all functions.
morpheus
Site Admin
 
Posts: 728
Joined: Thu Apr 11, 2013 6:24 pm
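The -dec note above says jtool2 now decompresses lzvn/lzss kernelcaches itself. As an added example (not joker or jtool2 code), here is the lzss side of that: a decoder for the "complzss" container, with a small greedy encoder so a constructed sample can be round-tripped offline. The LZSS variant is the Okumura scheme used by Apple's BootX/kext tools (4 KiB ring buffer pre-filled with spaces, 3..18-byte matches, 12-bit offset plus 4-bit length pairs, one flag byte per eight items). The header layout (magic, big-endian adler32 of the plaintext, uncompressed size, compressed size, a version word, zero padding to 0x180) is assumed from how the format is commonly documented; the outer IM4P (ASN.1) wrapper of an iOS kernelcache and the lzvn variant are not handled here.

```python
# Added example (not jtool2/joker code): "complzss" container decoder plus a
# greedy encoder for constructing test input. Header layout and the 0x180 data
# offset are assumed from common documentation of the format.
import struct
import zlib

N, F, THRESHOLD = 4096, 18, 2      # ring size, longest match, (shortest match - 1)
HDR_LEN = 0x180                    # assumed: compressed stream starts here


def lzss_decompress(src: bytes, out_len=None) -> bytes:
    buf = bytearray(b" " * (N - F)) + bytearray(F)   # ring; the blank-filled part is what Apple's decoder initialises
    r = N - F                                        # write cursor into the ring
    out, pos, flags = bytearray(), 0, 0
    while pos < len(src):
        flags >>= 1
        if not flags & 0x100:                        # bit 8 clear: fetch the next flag byte
            flags = src[pos] | 0xFF00
            pos += 1
        if flags & 1:                                # literal byte
            if pos >= len(src):
                break
            c = src[pos]
            pos += 1
            out.append(c)
            buf[r] = c
            r = (r + 1) & (N - 1)
        else:                                        # (offset, length) pair
            if pos + 1 >= len(src):
                break
            i = src[pos] | ((src[pos + 1] & 0xF0) << 4)
            j = (src[pos + 1] & 0x0F) + THRESHOLD    # copies j + 1 bytes
            pos += 2
            for k in range(j + 1):
                c = buf[(i + k) & (N - 1)]           # may read bytes this very copy just wrote
                out.append(c)
                buf[r] = c
                r = (r + 1) & (N - 1)
    return bytes(out if out_len is None else out[:out_len])


def lzss_compress(data: bytes) -> bytes:
    """Greedy encoder producing a stream the decoder above (and Apple's) accepts. It never
    references ring positions the decoder has not written, nor sources the copy would
    overwrite while reading, so its window always equals the decoder's."""
    buf = bytearray(b" " * (N - F)) + bytearray(F)
    r, written, pos, out = N - F, 0, 0, bytearray()
    while pos < len(data):
        flag_idx = len(out)
        out.append(0)                                # placeholder for the flag byte
        flags = 0
        for bit in range(8):
            if pos >= len(data):
                break
            limit = N if written >= F else N - F + written   # ring positions that are defined so far
            best_len, best_off, max_len = 0, 0, min(F, len(data) - pos)
            for off in range(limit):
                if ((off - r) & (N - 1)) > N - F:    # source would collide with the copy's own writes
                    continue
                l = 0
                while (l < max_len and ((off + l) & (N - 1)) < limit
                       and buf[(off + l) & (N - 1)] == data[pos + l]):
                    l += 1
                if l > best_len:
                    best_len, best_off = l, off
            if best_len > THRESHOLD:
                out += bytes([best_off & 0xFF, ((best_off >> 8) << 4) | (best_len - THRESHOLD - 1)])
                n = best_len
            else:
                flags |= 1 << bit
                out.append(data[pos])
                n = 1
            for k in range(n):                       # keep the window in step with the decoder's
                buf[r] = data[pos + k]
                r = (r + 1) & (N - 1)
            pos += n
            written += n
        out[flag_idx] = flags
    return bytes(out)


def pack_complzss(raw: bytes, version: int = 1) -> bytes:
    comp = lzss_compress(raw)
    hdr = struct.pack(">8sIIII", b"complzss", zlib.adler32(raw) & 0xFFFFFFFF, len(raw), len(comp), version)
    return hdr.ljust(HDR_LEN, b"\0") + comp


def unpack_complzss(blob: bytes) -> bytes:
    """Verify magic, sizes and adler32 before trusting the payload."""
    if len(blob) < HDR_LEN:
        raise ValueError("short header")
    magic, adler, usize, csize, _version = struct.unpack_from(">8sIIII", blob, 0)
    if magic != b"complzss":
        raise ValueError("not a complzss container (still IM4P-wrapped, or lzvn?)")
    if HDR_LEN + csize > len(blob):
        raise ValueError("compressed size exceeds file: truncated")
    raw = lzss_decompress(blob[HDR_LEN:HDR_LEN + csize], usize)
    if len(raw) != usize or (zlib.adler32(raw) & 0xFFFFFFFF) != adler:
        raise ValueError("decompressed size or adler32 mismatch: corrupt kernelcache")
    return raw


SAMPLE_KERNEL = (b"Darwin Kernel Version 18.2.0: root:xnu-4903.232.2~1/RELEASE_ARM64_T8027\n" * 2
                 + bytes(range(32)))   # constructed stand-in for kernelcache contents


def roundtrip(raw: bytes = SAMPLE_KERNEL) -> bool:
    blob = pack_complzss(raw)
    return unpack_complzss(blob) == raw and len(blob) < HDR_LEN + len(raw)


if __name__ == "__main__":
    print("roundtrip ok:", roundtrip())
```

On a real file, feed `unpack_complzss` the bytes that follow the IM4P payload header; the adler32 check is what tells a truncated or patched kernelcache apart from a good one before anything downstream parses it.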

Re: JTool II: Testers wanted

Post by scknight » Wed Jan 02, 2019 9:29 pm

Just tried out the latest release of jtool2 and noticed some sections/commands not being listed properly. The output below is on 10.14.2:

$ jtool2
Welcome to JTool 2.0 (α 8, Chobe) compiled on Jan  1 2019 16:41:06. Try "--help" for help
$ jtool2 -l /bin/ls
LC 00: LC_SEGMENT_64             Mem: 0x000000000-0x100000000   __PAGEZERO
LC 01: LC_SEGMENT_64             Mem: 0x100000000-0x100005000   __TEXT
   Mem: 0x100000f0c-0x100004420      __TEXT.__text   (Normal)
   Mem: 0x100004420-0x1000045e8      __TEXT.__stubs   (Symbol Stubs)
   Mem: 0x1000045e8-0x1000048f0      __TEXT.__stub_helper   (Normal)
   Mem: 0x1000048f0-0x100004ae8      __TEXT.__const   
   Mem: 0x100004ae8-0x100004f67      __TEXT.__cstring   (C-String Literals)
   Mem: 0x100004f68-0x100004ff8      __TEXT.__unwind_info   
LC 02: LC_SEGMENT_64             Mem: 0x100005000-0x100006000   __DATA
   Mem: 0x100005000-0x100005010      __DATA.__nl_symbol_ptr   (Non-Lazy Symbol Ptrs)
   Mem: 0x100005010-0x100005038      __DATA.__got   (Non-Lazy Symbol Ptrs)
   Mem: 0x100005038-0x100005298      __DATA.__la_symbol_ptr   (Lazy Symbol Ptrs)
   Mem: 0x1000052a0-0x1000054c8      __DATA.__const   
   Mem: 0x1000054d0-0x1000054f8      __DATA.__data   
   Mem: 0x100005500-0x1000055e0      __DATA.__bss   (Zero Fill)
   Mem: 0x1000055e0-0x10000566c      __DATA.__common   (Zero Fill)
LC 03: LC_SEGMENT_64             Mem: 0x100006000-0x10000a000   __LINKEDIT
LC 04: LC_DYLD_INFO             
      Rebase info: 24    bytes at offset 24576 (0x6000-0x6018)
      Bind info:   120   bytes at offset 24600 (0x6018-0x6090)
   No Weak info
      Lazy info:   1376  bytes at offset 24720 (0x6090-0x65f0)
      Export info: 32    bytes at offset 26096 (0x65f0-0x6610)
LC 05: LC_SYMTAB                
LC 06: LC_DYSYMTAB              
       1 local symbols at index     0
       1 external symbols at index  1
      82 undefined symbols at index 2
      No TOC
      No modtab
     159 Indirect symbols at offset 0x6bb0
LC 07: LC_LOAD_DYLINKER         /usr/lib/dyld
LC 08: LC_UUID                  UUID: A488DD5D-6F9A-3917-8D69-B3A83409F9F4
LC 09: LC_BUILD_VERSION         Build Version:           Platform: MacOS 10.14.0 SDK: 10
LC 10: LC_SOURCE_VERSION        Source Version:          272.220.1.0.0
LC 11: LC_MAIN                  Entry Point:             0x11ec (Mem: 0x1000011ec)
LC 12: LC_LOAD_DYLIB            /usr/lib/libutil.dylib
LC 13: LC_LOAD_DYLIB            /usr/lib/libncurses.5.4.dylib
LC 14: LC_LOAD_DYLIB            /usr/lib/libSystem.B.dylib
LC 15: LC_FUNCTION_STARTS       Offset:     26128, Size:     56 (0x6610-0x6648)
LC 16: LC_DATA_IN_CODE          Offset:     26184, Size:     40 (0x6648-0x6670)
LC 17: LC_CODE_SIGNATURE        Offset:     29184, Size:   9520 (0x7200-0x9730)
0xbadbad: Tell J to fix: -   (N == 0 &&ImmS == 63 && ImmR == 40  && Immediate ==  1)
0xbadbad: Tell J to fix: -   (N == 0 &&ImmS == 63 && ImmR == 40  && Immediate ==  1)
0xbadbad: Tell J to fix: -   (N == 1 &&ImmS == 63 && ImmR == 40  && Immediate ==  1)
0xbadbad: Tell J to fix: -   (N == 1 &&ImmS == 63 && ImmR == 40  && Immediate ==  1)
0xbadbad: Tell J to fix: -   (N == 0 &&ImmS == 8 && ImmR == 51  && Immediate ==  1)
0xbadbad: Tell J to fix: -   (N == 0 &&ImmS == 27 && ImmR == 32  && Immediate ==  1)
0xbadbad: Tell J to fix: -   (N == 0 &&ImmS == 8 && ImmR == 51  && Immediate ==  1)
0xbadbad: Tell J to fix: -   (N == 0 &&ImmS == 12 && ImmR == 58  && Immediate ==  1)
0xbadbad: Tell J to fix: -   (N == 0 &&ImmS == 8 && ImmR == 51  && Immediate ==  1)
0xbadbad: Tell J to fix: -   (N == 0 &&ImmS == 12 && ImmR == 48  && Immediate ==  1)
0xbadbad: Tell J to fix: -   (N == 0 &&ImmS == 8 && ImmR == 51  && Immediate ==  1)
0xbadbad: Tell J to fix: -   (N == 0 &&ImmS == 14 && ImmR == 32  && Immediate ==  1)
0xbadbad: Tell J to fix: -   (N == 0 &&ImmS == 11 && ImmR == 50  && Immediate ==  1)

J says: Those actually are listed very properly. It's my fault - I accidentally left a wrong debug message in (oops), fixed in the tgz now.
scknight
 
Posts: 46
Joined: Thu Nov 10, 2016 1:01 pm

Re: JTool II: Testers wanted

Post by darkknight » Thu Jan 03, 2019 7:00 pm

So one feature I particularly liked in jtool was the -d objc for Mach-O 64-bit executable x86_64. And while you couldn't disassemble, I found it worked in instances where tools like class-dump failed. I noticed that feature is no longer in jtool2:
JCOLOR=1 jtool2 -v -d objc "/Applications/...."
'objc' is not an address, segment, section or symbol

Gone in jtool2 then?

J says: HECK, NO! That's MY favorite feature too! I just haven't gotten to it yet because I'm engrossed in Joker work. Speaking of... read further... :-)
darkknight
 
Posts: 92
Joined: Mon Apr 18, 2016 10:49 pm

JTool II now does IOKit Classes!

Post by morpheus » Tue Jan 15, 2019 4:28 am

After a bit of testing, I have found a way to reliably determine vtables of all IOKit classes - in 1469 (A12 - iPhone11, iPad8) kernels only:

root@Qilin (~) #jtool2 --analyze /NewOSXBook/OS/kernelcache.release.ipad8                                           
Analyzing kernelcache..
This is Darwin Kernel Version 18.2.0: Mon Nov 12 20:32:02 PST 2018; root:xnu-4903.232.2~1/RELEASE_ARM64_T8027
-- Processing __TEXT_EXEC.__text..
Disassembling 22550368 bytes from address 0xfffffff007a00000 (offset 0x9fc000):
Done disassembling
Analyzing __DATA_CONST..
processing flows...
Analyzing __DATA_DATA..
Analyzing __DATA.__sysctl_set..
Got 153 IOKit Classes
opened companion file ./kernelcache.release.ipad8.ARM64.743592A6-FD89-3E57-A16C-85224AA2C477
Dumping symbol cache to file
Symbolicated 2565 symbols to ./kernelcache.release.ipad8.ARM64.743592A6-FD89-3E57-A16C-85224AA2C477
root@Qilin (~) #grep TVN ./kernelcache.release.ipad8.ARM64.743592A6-FD89-3E57-A16C-85224AA2C477 | tail
0xfffffff0077ea290:__ZTVN24IOTimeSyncIntervalFilter9MetaClassE
0xfffffff0077ea3d8:__ZTVN27IOTimeSyncIntervalFilterIIR9MetaClassE
0xfffffff0077ea458:__ZTVN27IOTimeSyncIntervalFilter1289MetaClassE
0xfffffff0077ea5a0:__ZTVN30IOTimeSyncIntervalFilterIIR1289MetaClassE
0xfffffff0077eabc0:__ZTVN17IOTimeSyncService9MetaClassE
0xfffffff0077eacd0:__ZTVN18IOTimeSyncNotifier9MetaClassE
0xfffffff0077eb330:__ZTVN32IOTimeSyncClockManagerUserClient9MetaClassE
0xfffffff0077eb960:__ZTVN29IOTimeSyncUserFilteredService9MetaClassE
0xfffffff0077ebfc0:__ZTVN39IOTimeSyncUserFilteredServiceUserClient9MetaClassE
0xfffffff0077edac0:__ZTVN34AppleMobileFileIntegrityUserClient9MetaClassE

I'm generating the symbols as C++ mangled names - Darwin's c++filt handles them well - for some reason Linux doesn't.

Please help test this and let me know if something doesn't make sense. It might need a fix or two yet.
morpheus
Site Admin
 
Posts: 728
Joined: Thu Apr 11, 2013 6:24 pm
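The companion file shown above is one "0xADDRESS:SYMBOL" line per symbol, with the vtables named in Itanium C++ mangling. As an added example, not jtool2 code, here is a reader for that file that demangles the vtable symbols into readable names, plus the reverse mapping an analyzer needs when it labels a class's vtable. Only the mangling subset these symbols use is parsed: _ZTV (vtable for), N...E (nested name) and <length><identifier> source names. Darwin symbols carry one extra leading underscore, which GNU c++filt only strips when given -_ (--strip-underscore); it is stripped here before parsing. The first three sample lines are from the post; the IOService line and its address are constructed.

```python
# Added example (not jtool2 code): parse a --analyze symbol cache and demangle
# the vtable symbols; mangle_vtable() is the inverse for building expected names.

SAMPLE_SYMBOLS = """\
0xfffffff0077eabc0:__ZTVN17IOTimeSyncService9MetaClassE
0xfffffff0077eb330:__ZTVN32IOTimeSyncClockManagerUserClient9MetaClassE
0xfffffff0077edac0:__ZTVN34AppleMobileFileIntegrityUserClient9MetaClassE
0xfffffff007123456:__ZTV9IOService
"""   # first three lines from the post above; the IOService line is constructed


def _source_names(s: str, pos: int):
    """Parse consecutive <length><identifier> tokens starting at s[pos]."""
    parts = []
    while pos < len(s) and s[pos].isdigit():
        end = pos
        while end < len(s) and s[end].isdigit():
            end += 1
        n = int(s[pos:end])
        ident = s[end:end + n]
        if len(ident) != n:
            raise ValueError(f"truncated identifier in {s!r}")
        parts.append(ident)
        pos = end + n
    return parts, pos


def demangle_vtable(sym: str):
    """'__ZTVN17IOTimeSyncService9MetaClassE' -> 'vtable for IOTimeSyncService::MetaClass';
    None when the symbol is not a plain vtable symbol."""
    if sym.startswith("__Z"):
        sym = sym[1:]                       # Darwin's extra leading underscore
    if not sym.startswith("_ZTV"):
        return None
    body = sym[4:]
    if body.startswith("N"):
        parts, pos = _source_names(body, 1)
        if body[pos:pos + 1] != "E":
            raise ValueError(f"unterminated nested name in {sym!r}")
        pos += 1
    else:
        parts, pos = _source_names(body, 0)
    if not parts or pos != len(body):
        return None                         # templates, std:: abbreviations etc. are out of scope here
    return "vtable for " + "::".join(parts)


def mangle_vtable(*scopes: str) -> str:
    """('IOTimeSyncService', 'MetaClass') -> '__ZTVN17IOTimeSyncService9MetaClassE' (Darwin form)."""
    inner = "".join(f"{len(p)}{p}" for p in scopes)
    return "__ZTV" + (f"N{inner}E" if len(scopes) > 1 else inner)


def load_symbol_cache(text: str) -> dict:
    """address -> raw symbol name for every 'addr:name' line."""
    syms = {}
    for line in text.splitlines():
        addr, sep, name = line.partition(":")
        if sep and name:
            syms[int(addr, 16)] = name
    return syms


def vtables(text: str) -> dict:
    """address -> demangled name for every vtable symbol in a symbol cache."""
    out = {}
    for addr, name in load_symbol_cache(text).items():
        readable = demangle_vtable(name)
        if readable:
            out[addr] = readable
    return out


if __name__ == "__main__":
    for addr, name in sorted(vtables(SAMPLE_SYMBOLS).items()):
        print(f"{addr:#x}: {name}")
```

Because mangle_vtable() produces exactly the form in the cache, it can be used to look up where a given IOKit class's vtable (or its MetaClass vtable) landed without demangling the whole file.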
