Soulghost
commented
2 years ago Sorry for the late reply.
- iblessing 1.0 was designed to do simple intraprocedure programming analysis such as cross reference analysis to assist iOS userland exploiting, using static analysis instead of real machine dynamic execute can improve analysis speed and cross between platforms.
- Currently, iblessing can only perform type and const propagation inside functions, methods and blocks, there is no real objc runtime, heap memory and syscalls, so result of the results may be false positive, and we may miss some results.
iblessing 2.0 is now WIP, it will have a dyld_shared_cache loader, objc runtime, syscall handlers, etc. Currently it can load a iOS 14.8 dyld_shared_cache without PAC and load dylibs, it can emulate objc runtime, posix api calls, GCD and XPC. But it is just a PoC, far from a complete solution.
VonLYC
Why not use the real machine to dynamically execute, it may be simpler and more accurate to implement.
How to trigger the methods of all classes when running the simulation, if you construct the class yourself, how to ensure that the member variables of the class are legal, and the external global state is also legal?