frida / frida-gum

Cross-platform instrumentation and introspection library written in C
https://frida.re

InterceptorBadSignature arm64 #677

Open aviramha opened 2 years ago

aviramha commented 2 years ago

Hi, we stumbled upon this error (InterceptorBadSignature) when trying to hook a function on macOS arm64. The assembly of the function we wanted to hook:


// Disassembly (as posted) of the AArch64 function that could not be hooked.
// From the tail-call at the end (`b _runtime.goenvs_unix`) this is presumably
// runtime.goenvs_unix in a Go binary; register and offset conventions below
// are therefore Go's internal ABI, not AAPCS64.
//
// Go stack-growth check: x28 = g, [g+0x10] = g.stackguard0.  If sp <= stackguard0
// (unsigned compare, b.ls) jump to the morestack stub at LAB_100044720, which
// grows the stack and re-enters this function from its first instruction.
// NOTE(review): these first four instructions (16 bytes) are what an inline
// hook at the entry would displace; the b.ls is PC-relative and the stub's
// final branch targets the function start — verify how the interceptor's
// relocator treats both before assuming the signature rejection comes from
// elsewhere.
ldr        x16,[x28, #0x10]
mov        x17,sp
cmp        x17,x16
b.ls       LAB_100044720
// Frame setup: push LR (pre-indexed, 0x40-byte frame), save FP just below it,
// x29 = sp - 8 (Go's frame-pointer layout).
str        x30,[sp, #local_40]!
stur       x29,[sp, #local_48]
sub        x29,sp,#0x8
// x0 = n = 0; first loop counts environment entries:
// walk argv[argc + 1 + n] until a NULL pointer is found.
mov        x0,#0x0
b          LAB_1000445a8
                             LAB_1000445a4                                   XREF[1]:     1000445d0(j)  
add        x0,x0,#0x1
                             LAB_1000445a8                                   XREF[1]:     1000445a0(j)  
adrp       x3,0x10066e000
add        x3=>_runtime.argv,x3,#0xaf0                      = ??
ldr        x4,[x3]=>_runtime.argv                           = ??
adrp       x5,0x1006a1000
add        x5=>_runtime.argc,x5,#0xd64                      = ??
ldrsw      x6,[x5]=>_runtime.argc                           = ??
add        x6,x0,x6
add        x6,x6,#0x1
// sbfiz #3,#32: sign-extend the 32-bit index and scale by 8 (pointer stride).
sbfiz      x6,x6,#0x3,#0x20
ldr        x4,[x4, x6, LSL #0x0]
cbnz       x4,LAB_1000445a4
// Loop done: spill n (32-bit) and its sign-extended copy, then
// makeslice(elemType, len=n, cap=n).  The element type's first word reads as
// 0x10 (size 16) — consistent with a string element, i.e. envs []string.
str        w0,[sp, #local_18]
sxtw       x2,w0
str        x2,[sp, #local_10]
mov        x1,x2
adrp       x0,0x1003c0000
add        x0=>DAT_1003c0c00,x0,#0xc00                      = 0000000000000010h
bl         _runtime.makeslice                               undefined _runtime.makeslice(und
// Store len and cap into the slice header following _runtime.envs
// (+0x8 and +0x10 of the same 0x4d0 base).
ldr        x3,[sp, #local_10]
adrp       x4,0x100671000
add        x4,x4,#0x4d8
str        x3,[x4]=>DAT_1006714d8                           = ??
adrp       x4,0x100671000
add        x4,x4,#0x4e0
str        x3,[x4]=>DAT_1006714e0                           = ??
// GC write barrier: if runtime.writeBarrier is enabled, store the backing
// pointer through gcWriteBarrier; otherwise a plain store into envs.ptr.
adrp       x3,0x1006a2000
add        x3,x3,#0x230
ldr        w4,[x3]=>_runtime.writeBarrier                   = ??
cbnz       w4,LAB_10004462c
adrp       x1,0x100671000
add        x1,x1,#0x4d0
str        x0,[x1]=>_runtime.envs                           = ??
b          LAB_10004464c
                             LAB_10004462c                                   XREF[1]:     100044618(j)  
adrp       x2,0x100671000
add        x2=>_runtime.envs,x2,#0x4d0                      = ??
mov        x3,x0
bl         _runtime.gcWriteBarrier                          undefined _runtime.gcWriteBarrie
adrp       x1,0x100671000
add        x1,x1,#0x4d0
adrp       x3,0x1006a2000
add        x3,x3,#0x230
                             LAB_10004464c                                   XREF[1]:     100044628(j)  
// Second loop: for i = 0; i < n; i++ { envs[i] = gostring(argv[argc+1+i]) }.
// i lives in w0; n is reloaded from local_18 each iteration.
mov        x0,#0x0
b          LAB_100044668
                             LAB_100044654                                   XREF[2]:     1000446e8(j), 100044700(j)  
add        x0,x5,#0x1
adrp       x1,0x100671000
add        x1,x1,#0x4d0
adrp       x3,0x1006a2000
add        x3,x3,#0x230
                             LAB_100044668                                   XREF[1]:     100044650(j)  
ldrsw      x2,[sp, #local_18]
cmp        w0,w2
b.ge       LAB_100044704
str        w0,[sp, #local_14]
adrp       x1,0x10066e000
add        x1=>_runtime.argv,x1,#0xaf0                      = ??
ldr        x2,[x1]=>_runtime.argv                           = ??
adrp       x3,0x1006a1000
add        x3=>_runtime.argc,x3,#0xd64                      = ??
ldrsw      x4,[x3]=>_runtime.argc                           = ??
add        x4,x0,x4
add        x4,x4,#0x1
sbfiz      x4,x4,#0x3,#0x20
ldr        x2,[x2, x4, LSL #0x0]
mov        x0,x2
bl         _runtime.gostring                                undefined _runtime.gostring()
// Reload envs.ptr (x3) and envs.len (x4) after the call, then the compiler's
// bounds check: unsigned i >= len -> panicIndex (b.cs).
adrp       x2,0x100671000
add        x2=>_runtime.envs,x2,#0x4d0                      = ??
ldr        x3,[x2]=>_runtime.envs                           = ??
ldr        x4,[x2, #0x8]=>DAT_1006714d8                     = ??
ldrsw      x5,[sp, #local_14]
mov        x6,x5
cmp        x6,x4
b.cs       LAB_100044710
// sbfiz #4,#32: index * 16 (string header stride); x6 = &envs[i].
// The string's len word is stored directly; its data pointer goes through
// the write barrier when enabled, matching the pattern above.
sbfiz      x4,x5,#0x4,#0x20
add        x6,x3,x4
str        x1=>_runtime.argv,[x6, #0x8]                     = ??
adrp       x1,0x1006a2000
add        x1=>_runtime.writeBarrier,x1,#0x230              = ??
ldr        w7,[x1]=>_runtime.writeBarrier                   = ??
cbnz       w7,LAB_1000446ec
str        x0,[x3, x4, LSL #0x0]
b          LAB_100044654
                             LAB_1000446ec                                   XREF[1]:     1000446e0(j)  
mov        x3,x0
mov        x2,x6
bl         _runtime.gcWriteBarrier                          undefined _runtime.gcWriteBarrie
adrp       x2,0x100671000
add        x2,x2,#0x4d0
b          LAB_100044654
                             LAB_100044704                                   XREF[1]:     100044670(j)  
// Epilogue: restore FP from below sp, pop LR and the 0x40-byte frame.
ldur       x29=>local_48,[sp, #-0x8]
ldr        x30,[sp], #0x40
ret
                             LAB_100044710                                   XREF[1]:     1000446c4(j)  
// Out-of-range index: panicIndex(i, len) does not return (hence the nop).
mov        x0,x6
mov        x1,x4
bl         _runtime.panicIndex                              undefined _runtime.panicIndex(un
nop
                             LAB_100044720                                   XREF[1]:     10004458c(j)  
// Stack-growth stub reached from the prologue's b.ls: x3 = return address for
// morestack_noctxt, then branch back to the function entry to retry.
mov        x3,x30
bl         _runtime.morestack_noctxt.abi0                   undefined _runtime.morestack_noc
b          _runtime.goenvs_unix                             undefined _runtime.goenvs_unix()
                             -- Flow Override: CALL_RETURN (CALL_TERMINATOR)

related issue: https://github.com/metalbear-co/mirrord/issues/373