Injected dylib crashes on iOS 14.6

My tweak dlopen()s a dylib. It worked fine on my earlier phones, but after switching to a 14.6 device it crashes.
In Xcode it looks like the crash is in the load method of some class inside the dynamic library.
Googling, it looks a bit like "If hooking in __DATA_CONST/__AUTH_CONST, promise writable before trying to write by maniackk · Pull Request #84 · facebook/fishhook · GitHub", but I have no idea what to do with that.
Newbie here asking the experts: what is going on? :joy:

1678815293.904 48f1442 INFO testApp(8112): startup
1678815293.920 48f1442 INFO testApp(8112): Injecting /Library/MobileSubstrate/DynamicLibraries/AppSyncUnified-FrontBoard.dylib
1678815293.922 48f1442 DEBUG testApp(8112): Injection of /Library/MobileSubstrate/DynamicLibraries/AppSyncUnified-FrontBoard.dylib completed in 2 ms
1678815293.922 48f1442 DEBUG testApp(8112): /Library/MobileSubstrate/DynamicLibraries/AppSyncUnified-FrontBoard.dylib used 80 kbytes of memory
1678815293.922 48f1442 INFO testApp(8112): Injecting /Library/MobileSubstrate/DynamicLibraries/FLEXTweak.dylib
1678815294.019 48f1442 DEBUG xpcproxy(8113): Only accepting explicit executable name for library insertion

{"app_name":"testApp","timestamp":"2023-03-15 01:28:04.00 +0800","app_version":"1.0","slice_uuid":"f04e884b-1cf6-39d7-bea7-cc368878f7fc","adam_id":0,"build_version":"1","platform":2,"bundleID":"com.FLEXProject","share_with_app_devs":0,"is_first_party":0,"bug_type":"109","os_version":"iPhone OS 14.6 (18F72)","incident_id":"93FF3669-C193-4ABD-9A3A-B02052350BA6","name":"testApp"}
Incident Identifier: 93FF3669-C193-4ABD-9A3A-B02052350BA6
CrashReporter Key: 0cb1388d2cb9e41bee96c79f8cf021854ffe1aa7
Hardware Model: iPhone11,8
Process: testApp [8047]
Path: /private/var/containers/Bundle/Application/6160F89B-92E2-4D6F-9A0A-D2592D9D4D82/testApp.app/testApp
Identifier: com.FLEXProject
Version: 1 (1.0)
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd [1]
Coalition: com.FLEXProject [1027]

Date/Time: 2023-03-15 01:28:03.9252 +0800
Launch Time: 2023-03-15 01:28:03.5390 +0800
OS Version: iPhone OS 14.6 (18F72)
Release Type: User
Baseband Version: 3.04.01
Report Version: 104

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Subtype: KERN_PROTECTION_FAILURE at 0x0000000102551aa4
VM Region Info: 0x102551aa4 is in 0x102544000-0x10255c000; bytes after start: 55972 bytes before end: 42331
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
mapped file 102538000-102544000 [ 48K] r--/r-- SM=COW ...t_id=f1a2365b
--> __TEXT 102544000-10255c000 [ 96K] r--/rw- SM=COW ...libFLEX.dylib
__DATA 10255c000-102564000 [ 32K] rw-/rw- SM=COW ...libFLEX.dylib

Termination Signal: Bus error: 10
Termination Reason: Namespace SIGNAL, Code 0xa
Terminating Process: exc handler [8047]
Triggered by Thread: 0

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libFLEX.dylib 0x0000000102551aa4 0x102544000 + 55972
1 libobjc.A.dylib 0x0000000195a2a660 0x195a19000 + 71264
2 dyld 0x00000001025ea480 0x1025e8000 + 9344
3 dyld 0x00000001025fda70 0x1025e8000 + 88688
4 dyld 0x00000001025fb960 0x1025e8000 + 80224
5 dyld 0x00000001025fba2c 0x1025e8000 + 80428
6 dyld 0x00000001025ee86c 0x1025e8000 + 26732
7 dyld 0x00000001025f6f70 0x1025e8000 + 61296
8 libdyld.dylib 0x0000000180baef60 0x180ba8000 + 28512
9 FLEXTweak.dylib 0x000000010252bdd4 0x102524000 + 32212
10 dyld 0x00000001026039fc 0x1025e8000 + 113148
11 dyld 0x0000000102603c84 0x1025e8000 + 113796
12 dyld 0x00000001025fda8c 0x1025e8000 + 88716
13 dyld 0x00000001025fb960 0x1025e8000 + 80224
14 dyld 0x00000001025fba2c 0x1025e8000 + 80428
15 dyld 0x00000001025ee86c 0x1025e8000 + 26732
16 dyld 0x00000001025f6f70 0x1025e8000 + 61296
17 libdyld.dylib 0x0000000180baef60 0x180ba8000 + 28512
18 substitute-loader.dylib 0x0000000102c27b2c 0x102b94000 + 604972
19 substitute-loader.dylib 0x0000000102df20c8 0x102b94000 + 2482376
20 substitute-loader.dylib 0x0000000102df20ec 0x102b94000 + 2482412
21 substitute-loader.dylib 0x0000000102df2110 0x102b94000 + 2482448
22 substitute-loader.dylib 0x0000000102dc2c78 0x102b94000 + 2288760
23 substitute-loader.dylib 0x0000000102d05448 0x102b94000 + 1512520
24 substitute-loader.dylib 0x0000000102d0479c 0x102b94000 + 1509276
25 substitute-loader.dylib 0x0000000102d24218 0x102b94000 + 1638936
26 substitute-loader.dylib 0x0000000102d0890c 0x102b94000 + 1526028
27 dyld 0x0000000102603880 0x1025e8000 + 112768
28 dyld 0x0000000102603c84 0x1025e8000 + 113796
29 dyld 0x00000001025fda8c 0x1025e8000 + 88716
30 dyld 0x00000001025fb960 0x1025e8000 + 80224
31 dyld 0x00000001025fba2c 0x1025e8000 + 80428
32 dyld 0x00000001025ee86c 0x1025e8000 + 26732
33 dyld 0x00000001025f6f70 0x1025e8000 + 61296
34 libdyld.dylib 0x0000000180baef60 0x180ba8000 + 28512
35 substitute-inserter.dylib 0x00000001027c923c 0x1026e0000 + 954940
36 substitute-inserter.dylib 0x0000000102b020a0 0x1026e0000 + 4333728
37 substitute-inserter.dylib 0x0000000102abd340 0x1026e0000 + 4051776
38 dyld 0x0000000102603880 0x1025e8000 + 112768
39 dyld 0x0000000102603c84 0x1025e8000 + 113796
40 dyld 0x00000001025fda8c 0x1025e8000 + 88716
41 dyld 0x00000001025fb960 0x1025e8000 + 80224
42 dyld 0x00000001025fba2c 0x1025e8000 + 80428
43 dyld 0x00000001025ea900 0x1025e8000 + 10496
44 dyld 0x00000001025f0550 0x1025e8000 + 34128
45 dyld 0x00000001025e9258 0x1025e8000 + 4696
46 dyld 0x00000001025e9038 0x1025e8000 + 4152

Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000102560248 x1: 0x00000001d020bfe4 x2: 0x000000000000000e x3: 0x0000000000000008
x4: 0x000000000000004c x5: 0x0000000000000044 x6: 0x0000000000000000 x7: 0x0000000000000120
x8: 0x0000000000000000 x9: 0x00000001d020b000 x10: 0x00000001e349f000 x11: 0x0000000005c00000
x12: 0x0000000000000004 x13: 0x0000000000000000 x14: 0x0000000000000004 x15: 0x000000000000000c
x16: 0x00000001ccad8c30 x17: 0x00000001ec0ac980 x18: 0x0000000000000000 x19: 0x0000000000000001
x20: 0x0000000280c2c408 x21: 0x0000000195a4c421 x22: 0x0000000102551aa4 x23: 0x00000001d78f2000
x24: 0x0000000280c2c400 x25: 0x00000001d020bfe4 x26: 0x0000000102560248 x27: 0x00000001e349f000
x28: 0x00000001d78f2000 fp: 0x000000016dad2a90 lr: 0x0000000195a2a660
sp: 0x000000016dad2a10 pc: 0x0000000102551aa4 cpsr: 0x60000000
esr: 0x82000007 (Instruction Abort) Translation fault

There is no symbol information, so let's treat this as tracking the bug down by addresses.
First, the top of the stack is `0 libFLEX.dylib 0x0000000102551aa4 0x102544000 + 55972`.
So clearly it crashed inside the libFLEX library.
Since the dylib is a dynamic library, we don't care what the base address is; only the offset matters. The offset is 55972, which is 0xDAA4 in hex, so load libFLEX into IDA, go to 0xDAA4 and see which function that is.
The libFLEX you load must be exactly the one that crashed on the phone, otherwise the offsets will differ.

Next, you can look at the registers.
For an ObjC method, x0 and x1 are always the self and selector addresses; after that, if there are fewer than 8 arguments, they map onto the eight registers x0-x7. Any beyond that go on the stack, and exactly which register holds which argument has to be worked out by reversing.

First, x0 is 0x0000000102560248; check where that address falls. Judging by the address range it is probably still inside libFLEX. Then x1 is 0x00000001d020bfe4; ignore that for now. x2 was passed the constant 0xe and x3 the constant 0x8; these are either enums or ints, and in any case not objects (because an object is always passed by address). So if an object was expected but an int came in, it may be a null pointer exception.

Generally, the registers at crash time fall into one of these patterns:

  1. First, if the address is a value like 0x1xxxxxxxx, that is a normal memory address, and most likely the memory being accessed has been freed.
  2. Second, if the address is a small value such as 0x4 or 0x8, the memory being accessed is most likely a null pointer; this usually happens when an assembly instruction applies an offset to a null pointer.
  3. Third, if the address is a very long, very large value like 0x3a321129b9a9008e, it is most likely a wild pointer, an address that has not been mapped by the system into the current process's memory space. Wild pointers are usually caused by multithreaded operations on an object.
3 likes
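An added example, not from this thread, that mechanises the steps in the answer above on lines copied from this crash report: it computes the slide-independent image offset, decodes the ObjC argument registers, applies the answer's three address heuristics, and additionally checks pc against the VM region table, where the __TEXT mapping of libFLEX is r-- (no execute), which matches the reported Instruction Abort. The sample lines and the triage rules are constructed from the post; nothing here is Apple tooling.

```python
import re
# Constructed sample: lines copied from the crash report in this thread (regions, frame 0, registers).
CRASH = """\
--> __TEXT 102544000-10255c000 [ 96K] r--/rw- SM=COW ...libFLEX.dylib
__DATA 10255c000-102564000 [ 32K] rw-/rw- SM=COW ...libFLEX.dylib
0 libFLEX.dylib 0x0000000102551aa4 0x102544000 + 55972
x0: 0x0000000102560248 x1: 0x00000001d020bfe4 x2: 0x000000000000000e x3: 0x0000000000000008
sp: 0x000000016dad2a10 pc: 0x0000000102551aa4 lr: 0x0000000195a2a660
"""

FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\s+\+\s+(\d+)$", re.M)
REGION_RE = re.compile(r"^(?:-->)?\s*(.+?)\s+([0-9a-f]+)-([0-9a-f]+)\s+\[[^\]]*\]\s+([rwx-]{3})/([rwx-]{3})", re.M)
REG_RE = re.compile(r"\b(x\d+|fp|lr|sp|pc):\s+0x([0-9a-f]+)")

def parse_frames(text):
    return [{"image": img, "addr": int(a, 16), "base": int(b, 16), "offset": int(off)}
            for _, img, a, b, off in FRAME_RE.findall(text)]

def parse_regions(text):
    return [{"name": n, "start": int(s, 16), "end": int(e, 16), "prot": p}
            for n, s, e, p, _ in REGION_RE.findall(text)]

def parse_registers(text):
    return {n: int(v, 16) for n, v in REG_RE.findall(text)}

def image_offset(frame):
    """Slide-independent offset to look up in IDA: addr - base, the same number as the '+ N' column."""
    return frame["addr"] - frame["base"]

def objc_args(regs):
    """arm64 ObjC convention as stated in the answer: x0 = self, x1 = _cmd, x2..x7 = first six args."""
    return {"self": regs["x0"], "_cmd": regs["x1"],
            "args": [regs[f"x{i}"] for i in range(2, 8) if f"x{i}" in regs]}

def classify(value):
    # The answer's three cases for a faulting address (heuristics, not a hard rule).
    if value < 0x1000:
        return "null pointer plus small field offset"
    if 0x100000000 <= value < 0x1000000000:
        return "ordinary process address; object probably freed or page unmapped"
    return "wild pointer; nothing mapped at that address"

def explain_pc(text):
    """Find pc in the VM region table and say whether that mapping is executable."""
    regs, regions = parse_registers(text), parse_regions(text)
    for r in regions:
        if r["start"] <= regs["pc"] < r["end"]:
            exe = "executable" if "x" in r["prot"] else "NOT executable (explains the Instruction Abort)"
            return f"pc 0x{regs['pc']:x} in {r['name']} mapped {r['prot']}: {exe}"
    return "pc not in any listed region: wild jump"
```

Run against the full report, the pc check is the quickest way to tell a bad-signature/non-executable mapping (what the poster eventually fixed by re-signing) from a genuine null or freed-object dereference.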

Re-signing the dynamic library fixed it. I feel dumb; why do I still need to sign it when AppSync is installed :joy:
Thanks for the reply.
