Hi,
How do we know at which memory location the __text section of the __TEXT segment is loaded in memory for an app which is running? Is there any tool to know that? If yes, please let me know.
Thanks Nick
@MouthPutCleanDot FYI
Try to remove the Mach-O header flag PIE, or use the lldb command line "image lookup" on the __TEXT segment.
Hi,
Thanks for your reply. Will dig into it.
Already tried the vmmap utility for iOS but it gives an error. Tried procexp for iOS but could not make it out.
Currently reading the Mach-O file format & all the sections & segment stuff, load commands.
I think soon I'll figure out how all this is loaded.
Thanks once again. NickIN
What’re you doing this for?
For memory loading dylib?
Hi,
Need to patch a few locations & see what happens in the app.
Here is some code from IDA:
__text:001A8B92 SUBS R0, #1 ; switch 15 cases
__text:001A8B94 CMP R0, #0xE ; Set cond. codes on Op1 - Op2
__text:001A8B96 BHI.W def_1A8B9A ; jumptable 001A8B9A for all ERROR Need to NOP it.
__text:001A8B9A TBH.W [PC,R0,LSL#1] ; switch jump
__text:001A8B9A ; ---------------------------------------------------------------------------
I need to NOP the instruction at 001A8B96 & see the program behaviour, because that takes it to all the different error codes.
Thanks, NickIN
You can bp after CMP
and change the result dynamically in LLDB, then see what happens.
Hi,
Will try lldb soon. I'll be having my high-end Mac Mini soon.
So far I don't have any Mac. PuTTY, jailbroken iOS, IDA & the app.
GDB as debugger. In this struggle of patching I am learning the concept thoroughly.
The Mach-O file format will be like the back of my hand soon. I am digging into it thoroughly & I feel it's a must if you need to code your own tools for RE purposes in future.
LLDB is another tool that I need to learn. I have read about it in books only so far.
Thanks for your feedback as always. Appreciate it.
Regards, NickIN
Hi,
Just wanted to update what I have learnt so newbies don't struggle as much as I did.
How to get the PID of an app.
Method 1: First I struggled to get the PID of a running process, so I installed an app, DeviceStat, which gives the PID of the app.
Method 2: Kept learning & found a tool, procexp for iOS, which gives us many details of running processes.
I am still trying to understand the tool's output. Just search Google for "procexp iOS" to get the utility.
Method 3: GDB got installed once we jailbroke the device. Hope I am correct.
Run GDB & once you are at the GDB prompt type the command below.
info mach-tasks
Results from my iPhone. It has 76 processes running. The first digits are the PID.
76 processes:
pasteboardd is 304 has task 0x5903
ExampleAPP is 303 has task 0x5a03 <---- Interested in this APP
AppIndexer is 302 has task 0x5b03
(removed for clarity purposes)
kernel_task is 0 has task 0x5803
So far so good.
Now I'll try to answer my own question, where the __text section got loaded in memory. Here we go.
I was interested in
ExampleAPP is 303 has task 0x5a03 <---- Interested in this APP
So we will attach to it in gdb, giving the command below:
attach 303
Once gdb attaches to it, we will give the command below:
info mach-regions
Below is the result.
(gdb) info mach-regions
Region from 0xe5000 to 0x579000 (r-x, max r-x; copy, private, not-reserved) (2 sub-regions)
… from 0x579000 to 0x5d9000 (rw-, max rw-; copy, private, not-reserved) (3 sub-regions)
It's a long list but we are interested in the first 2 addresses for the time being.
Now if we dump the memory at address 0xe5000:
(gdb) x 0xe5000
0xe5000: 0xfeedface <----- Signature of 32 bit OS X native binary format
So, to find your routine for patching in the __text section: below is code from IDA of ExampleAPP.
__text:001A8B90 07 98 LDR R0, [SP,#0x6D8+var_6BC]
__text:001A8B92 01 38 SUBS R0, #1 ; switch 15 cases
__text:001A8B94 0E 28 CMP R0, #0xE
__text:001A8B96 00 F2 27 87 BHI.W def_1A8B9A ; jumptable 001A8B9A default case
__text:001A8B9A DF E8 10 F0 TBH.W [PC,R0,LSL#1] ; switch jump
The compare is at offset 0x1A8B94. To find the exact location in GDB we need to calculate the location in memory.
In IDA the header starts at 0x4000.
Our header starts at 0xe5000.
To get to the 1A8B94 location we have to subtract the IDA header start, which is 0x4000, & add our new header start, which is 0xE5000.
So 1A8B94 - 0x4000 + 0xE5000 = 0x289b94
So if we give the command below:
(gdb) x /10 0x289b94
0x289b94: 0xf200280e 0xe8df8727 0x000ff010 0x00e4007c
0x289ba4: 0x01db0173 0x02b2024d 0x0394031a 0x040803d9
0x289bb4: 0x04dc0472 0x05b00546
Check the byte ordering: IDA uses little-endian so we need to reverse it,
so 0x0e2800F2 0x2787dfe8 0x10f00f00
Hope it helps.
Now I need to patch this location, so will dig into it again & update you with results.
Regards, NickIN
Note: I don't have a Mac & do the study part with Windows only.
I’m too late I guess.
You can just use dyld_get_image_header(0), which returns a mach_header;
iterate the Mach-O from there.
Remember the in-memory Mach-O is single-arch only.
Iterate over the LCs whose type == LC_SEGMENT or LC_SEGMENT_64.
You'll get the VM address there;
add the ASLR offset to that address, which can also be obtained through the dyld API.
Cheers.
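Putting the manual calculation from the earlier post and the load-command walk from this reply together, as an added example that is not code from the thread: it parses a constructed 32-bit Mach-O header for the __TEXT/__text vmaddr, derives the ASLR slide from the header address gdb reported in `info mach-regions`, rebases the IDA address of the CMP, and re-packs gdb's dump words into the byte order IDA lists. The sample image bytes and the __text section address 0x5ae0 are assumptions; only 0x4000, 0xe5000, 0x1A8B94 and the dumped words come from the thread.

```python
import struct

MH_MAGIC = 0xfeedface   # 32-bit Mach-O magic, the value gdb showed at 0xe5000
LC_SEGMENT = 0x1        # 32-bit segment load command (64-bit images use LC_SEGMENT_64)
HDR_FMT, SEG_FMT, SECT_FMT = "<IIIIIII", "<II16sIIIIIIII", "<16s16sIIIIIIIII"

def build_sample_image():
    """Constructed minimal 32-bit Mach-O: one LC_SEGMENT (__TEXT linked at vmaddr 0x4000,
    as IDA shows for this app) with one __text section. Sample data, not the real app."""
    sect = struct.pack(SECT_FMT, b"__text", b"__TEXT",
                       0x5ae0, 0x1a3ff0, 0x1ae0, 2, 0, 0, 0x80000400, 0, 0)
    seg = struct.pack(SEG_FMT, LC_SEGMENT, struct.calcsize(SEG_FMT) + len(sect),
                      b"__TEXT", 0x4000, 0x494000, 0, 0x494000, 5, 5, 1, 0)
    hdr = struct.pack(HDR_FMT, MH_MAGIC, 12, 9, 2, 1, len(seg) + len(sect), 0x00200085)
    return hdr + seg + sect

def find_vmaddr(image, segname, sectname=None):
    """Walk the load commands of an in-memory (single-arch) Mach-O, as the dyld-based
    reply suggests; return the unslid vmaddr of a segment or one of its sections."""
    magic, _, _, _, ncmds, _, _ = struct.unpack_from(HDR_FMT, image, 0)
    if magic != MH_MAGIC:
        raise ValueError("only 32-bit little-endian Mach-O handled here")
    off = struct.calcsize(HDR_FMT)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmd == LC_SEGMENT:
            f = struct.unpack_from(SEG_FMT, image, off)  # f[2]=segname f[3]=vmaddr f[9]=nsects
            if f[2].rstrip(b"\0") == segname:
                if sectname is None:
                    return f[3]
                sect_off = off + struct.calcsize(SEG_FMT)
                for _ in range(f[9]):
                    s = struct.unpack_from(SECT_FMT, image, sect_off)  # s[0]=sectname s[2]=addr
                    if s[0].rstrip(b"\0") == sectname:
                        return s[2]
                    sect_off += struct.calcsize(SECT_FMT)
        off += cmdsize
    return None

def aslr_slide(image, runtime_header_addr):
    """Slide = where the header really sits (first r-x region in 'info mach-regions',
    0xe5000 in the thread) minus the __TEXT vmaddr it was linked at (0x4000)."""
    return runtime_header_addr - find_vmaddr(image, b"__TEXT")

def rebase(image, runtime_header_addr, ida_addr):
    """IDA address -> live address, i.e. the manual 0x1A8B94 - 0x4000 + 0xE5000 step."""
    return ida_addr + aslr_slide(image, runtime_header_addr)

def gdb_words_to_bytes(words):
    """gdb 'x' prints 32-bit little-endian words; re-packing them little-endian
    recovers the byte column IDA shows (0E 28 00 F2 27 87 ...)."""
    return b"".join(struct.pack("<I", w) for w in words)
```

On a real device the header bytes would come from the address the dyld API or `info mach-regions` gives, and `find_vmaddr(img, b"__TEXT", b"__text") + aslr_slide(...)` is the live address of __text that the original question asked for.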