jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0

x86_64(Simulator) EXC_BAD_ACCESS when call origin_call #149

Closed brendonjkding closed 3 years ago

brendonjkding commented 3 years ago

Before Hook (original prologue: `push` (1 byte), `mov` (3 bytes), the 8-byte RIP-relative `cmp`, then `jne` at +12 — the instructions the 6-byte hook jump overlaps and the relocator therefore has to copy)

libAccessibility.dylib`_AXSReduceMotionReduceSlideTransitionsEnabled:
    0x110180a5e <+0>:  push   rbp
    0x110180a5f <+1>:  mov    rbp, rsp
    0x110180a62 <+4>:  cmp    qword ptr [rip + 0x12aee], -0x1 ; _AXSReduceMotionAutoplayMessagesEffectsEnabled.onceToken + 7
    0x110180a6a <+12>: jne    0x110180a75               ; <+23>
    0x110180a6c <+14>: movzx  eax, byte ptr [rip + 0x12aed] ; _kAXSCacheReduceMotionReduceSlideTransitionsEnabled
    0x110180a73 <+21>: pop    rbp
    0x110180a74 <+22>: ret
    0x110180a75 <+23>: lea    rdi, [rip + 0x12adc]      ; _AXSReduceMotionReduceSlideTransitionsEnabled.onceToken
    0x110180a7c <+30>: lea    rsi, [rip + 0xb515]       ; __block_literal_global.1122
    0x110180a83 <+37>: call   0x11018422a               ; symbol stub for: dispatch_once
    0x110180a88 <+42>: jmp    0x110180a6c               ; <+14>

After Hook (the 6-byte `jmp qword ptr [rip+disp32]` replaced the first 6 bytes; the instructions shown at +6 and +11 are just the leftover tail bytes of the overwritten `cmp`/`jne` and are not meaningful)

libAccessibility.dylib`_AXSReduceMotionReduceSlideTransitionsEnabled:
    0x110180a5e <+0>:  jmp    qword ptr [rip + 0x3b0d059c]
    0x110180a64 <+6>:  cmp    eax, 0x12aee
    0x110180a69 <+11>: push   qword ptr [rbp + 0x9]
    0x110180a6c <+14>: movzx  eax, byte ptr [rip + 0x12aed] ; _kAXSCacheReduceMotionReduceSlideTransitionsEnabled
    0x110180a73 <+21>: pop    rbp
    0x110180a74 <+22>: ret
    0x110180a75 <+23>: lea    rdi, [rip + 0x12adc]      ; _AXSReduceMotionReduceSlideTransitionsEnabled.onceToken
    0x110180a7c <+30>: lea    rsi, [rip + 0xb515]       ; __block_literal_global.1122
    0x110180a83 <+37>: call   0x11018422a               ; symbol stub for: dispatch_once
    0x110180a88 <+42>: jmp    0x110180a6c               ; <+14>

origin_call (Dobby's relocated copy of the overwritten prologue: `push`/`mov` and the RIP-relative `cmp` are re-encoded correctly, but where a branch back to the original function at +12 would be expected, the following bytes decode as `and eax, 0x0; push 0xa; sbb byte ptr [rax], dl ...` — the relocator appears to have emitted an invalid continuation, so execution falls through into garbage)

    0x14e4c2000: push   rbp
    0x14e4c2001: mov    rbp, rsp
    0x14e4c2004: cmp    qword ptr [rip - 0x3e32eab4], -0x1 ; _AXSReduceMotionAutoplayMessagesEffectsEnabled.onceToken + 7
    0x14e4c200c: and    eax, 0x0
    0x14e4c2011: push   0xa
    0x14e4c2013: sbb    byte ptr [rax], dl
    0x14e4c2015: add    dword ptr [rax], eax
    0x14e4c2017: add    byte ptr [rax], al
    0x14e4c2019: add    byte ptr [rax], al
    0x14e4c201b: add    byte ptr [rax], al
    0x14e4c201d: add    byte ptr [rax], al

Crash at (the faulting `sbb byte ptr [rax], dl` writes through `rax`, which the preceding `and eax, 0x0` zeroed — hence the EXC_BAD_ACCESS at address 0x0)

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x000000014e4c2013
->  0x14e4c2013: sbb    byte ptr [rax], dl
    0x14e4c2015: add    dword ptr [rax], eax
    0x14e4c2017: add    byte ptr [rax], al
    0x14e4c2019: add    byte ptr [rax], al
jmpews commented 3 years ago

Can you share a minimal demo code snippet that reproduces this?

brendonjkding commented 3 years ago
%hookf(BOOL, _AXSReduceMotionReduceSlideTransitionsEnabled) {
    // Minimal pass-through hook: nothing is changed, the original
    // implementation is called via the trampoline and its result returned
    // unchanged. Its only purpose is to exercise origin_call.
    return %orig;
}
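    // Resolve the hook target at runtime. dlopen(RTLD_NOLOAD) returns NULL when
    // the library is not already loaded and dlsym returns NULL when the symbol
    // is absent; in either case the hook must NOT be installed, otherwise a
    // NULL target is handed to the hook framework and patched/relocated as if
    // it were code.
    void *libAccessibility = dlopen("/usr/lib/libAccessibility.dylib", RTLD_NOLOAD);
    void *_AXSReduceMotionReduceSlideTransitionsEnabled =
        libAccessibility ? dlsym(libAccessibility, "_AXSReduceMotionReduceSlideTransitionsEnabled") : NULL;
    if (_AXSReduceMotionReduceSlideTransitionsEnabled) {
        // Only register the %hookf target once it resolved to a real address.
        %init(_AXSReduceMotionReduceSlideTransitionsEnabled=_AXSReduceMotionReduceSlideTransitionsEnabled);
    }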
/*
 * Substrate-style MSHookFunction(symbol, replacement, result) shim on top of
 * DobbyHook. The near-branch trampoline is enabled only for the duration of
 * the DobbyHook call and disabled again right after, so the setting does not
 * leak into hooks installed later.
 *
 * NOTE(review): the enable/disable pair takes no handle, so it presumably
 * toggles process-wide state; installing hooks from several threads at once
 * would race on that toggle -- confirm before relying on concurrent use.
 * Any status DobbyHook reports is discarded here (the macro is a statement,
 * like Substrate's void MSHookFunction); callers that need failure reporting
 * should call DobbyHook directly.
 */
#define MSHookFunction(symbol, replacement, result)          \
    do {                                                     \
        dobby_enable_near_branch_trampoline();               \
        DobbyHook((symbol), (replacement), (result));        \
        dobby_disable_near_branch_trampoline();              \
    } while (0)
#endif
jmpews commented 3 years ago

Fixed