jmpews / Dobby

a lightweight, multi-platform, multi-architecture hook framework.
Apache License 2.0

EXC_BAD_ACCESS when calling origin_call on certain versions of iOS Simulator? #195

Closed brendonjkding closed 1 year ago

brendonjkding commented 1 year ago

Environment: macOS 10.15.7 (x64) and Simulator in Xcode 12.4

I am using the latest commit.

I have noticed the target address (0x10d8533ce) on 12.4 is similar to a real device's, whereas on 13.5 (and 14.4) it (0x7fff5d9e24f8) is not. Is this difference the culprit?

Info that might be useful

On iOS (Simulator) 12.4

It works without problems.

Before hook

```
    frame #0: 0x000000010d8533ce SpringBoard`___lldb_unnamed_symbol25661$$SpringBoard
SpringBoard`___lldb_unnamed_symbol25661$$SpringBoard:
->  0x10d8533ce <+0>: push   rbp
    0x10d8533cf <+1>: mov    rbp, rsp
    0x10d8533d2 <+4>: pop    rbp
    0x10d8533d3 <+5>: jmp    0x10d9a6844               ; symbol stub for: UIAccessibilityIsReduceMotionEnabled
```

After hook

```
    frame #0: 0x000000010b6f63ce SpringBoard`___lldb_unnamed_symbol25661$$SpringBoard
SpringBoard`___lldb_unnamed_symbol25661$$SpringBoard:
->  0x10b6f63ce <+0>: jmp    qword ptr [rip + 0x3083cc34]
    0x10b6f63d4 <+6>: insb   byte ptr es:[rdi], dx
    0x10b6f63d5 <+7>: xor    al, 0x15
    0x10b6f63d7 <+9>: add    byte ptr [rbp + 0x48], dl
```

orig

```
    frame #0: 0x000000013bf34020
->  0x13bf34020: push   rbp
    0x13bf34021: mov    rbp, rsp
    0x13bf34024: pop    rbp
    0x13bf34025: jmp    0x10b849844               ; symbol stub for: UIAccessibilityIsReduceMotionEnabled
    0x13bf3402a: jmp    qword ptr [rip]
    0x13bf34030: fsub   dword ptr [rbx + 0x6f]
    0x13bf34033: or     eax, dword ptr [rcx]
    0x13bf34035: add    byte ptr [rax], al
```

On iOS (Simulator) 13.5

Before hook

```
(lldb) dis -n SBReduceMotion
SpringBoard`SBReduceMotion:
    0x7fff5d9e24f8 <+0>: push   rbp
    0x7fff5d9e24f9 <+1>: mov    rbp, rsp
    0x7fff5d9e24fc <+4>: pop    rbp
    0x7fff5d9e24fd <+5>: jmp    0x7fff5db53dbc            ; symbol stub for: UIAccessibilityIsReduceMotionEnabled
```

After hook

```
(lldb) dis -n SBReduceMotion
SpringBoard`SBReduceMotion:
    0x7fff5d9e24f8 <+0>: push   rbp
    0x7fff5d9e24f9 <+1>: and    eax, 0x80000b02
```

orig

```
    frame #0: 0x000000010bde2040
->  0x10bde2040: int3
    0x10bde2041: mov    rbp, rsp
    0x10bde2044: pop    rbp
    0x10bde2045: jmp    0x15db53dbc
    0x10bde204a: jmp    qword ptr [rip]
    0x10bde2050: add    ah, byte ptr [rip + 0x7fff5d9e]
    0x10bde2056: add    byte ptr [rax], al
    0x10bde2058: add    byte ptr [rax], al
```

Result

```
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=EXC_I386_BPT, subcode=0x0)
    frame #0: 0x000000010bde2041
->  0x10bde2041: mov    rbp, rsp
    0x10bde2044: pop    rbp
    0x10bde2045: jmp    0x15db53dbc
    0x10bde204a: jmp    qword ptr [rip]
    0x10bde2050: add    ah, byte ptr [rip + 0x7fff5d9e]
    0x10bde2056: add    byte ptr [rax], al
    0x10bde2058: add    byte ptr [rax], al
    0x10bde205a: add    byte ptr [rax], al
Target 0: (SpringBoard) stopped.
(lldb) c
Process 27323 resuming
Process 27323 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x15db53dbc)
    frame #0: 0x000000015db53dbc
error: memory read failed for 0x15db53c00
Target 0: (SpringBoard) stopped.
```

Demo code snippet (iOS 13.5)

```
#import <dobby.h>
#import <substrate.h>
#import <dlfcn.h>

// Route Substrate-style MSHookFunction calls through Dobby, enabling the
// near-branch trampoline only while the hook is being installed.
#define MSHookFunction(_func, _new, _orig) \
    do {\
            dobby_enable_near_branch_trampoline();\
            DobbyHook(_func, _new, _orig);\
            dobby_disable_near_branch_trampoline();\
    } while (0)

%hookf(BOOL, SBReduceMotion) {
    return %orig;
}

%ctor {
    NSLog(@"ctor: testt");
    // SpringBoard is already loaded into this process; RTLD_NOLOAD only returns its handle.
    void *SpringBoard = dlopen("/System/Library/CoreServices/SpringBoard.app/SpringBoard", RTLD_NOLOAD);
    void *SBReduceMotion = dlsym(SpringBoard, "SBReduceMotion");
    %init(SBReduceMotion=SBReduceMotion);
}
```
jmpews commented 1 year ago

I haven't tested it on the simulator yet, so the 12.4 simulator works fine and the 13.5 simulator crashed?

brendonjkding commented 1 year ago

Right, 12.4 works fine, but 13.5 and 14.4 crashed.

jmpews commented 1 year ago

It's not Dobby's fault, as you set a breakpoint at SpringBoard`SBReduceMotion.

- Tip: the x86 software breakpoint implementation writes int3 at the address.

brendonjkding commented 1 year ago

Oh, I'm ashamed of my lack of knowledge. But it still crashed even if I haven't set a breakpoint at SBReduceMotion. The jump destination (0x145a9005e) seems incorrect. It should be the symbol stub for UIAccessibilityIsReduceMotionEnabled, shouldn't it?

orig

```
(lldb) p/x _logos_orig$_ungrouped$SBReduceMotion
(BOOL (*)(...)) $0 = 0x00000001077a5000 (0x00000001077a5000)
(lldb) dis -s 0x00000001077a5000 -e 0x00000001077a5000+0x30
    0x1077a5000: push   rbp
    0x1077a5001: mov    rbp, rsp
    0x1077a5004: pop    rbp
    0x1077a5005: jmp    0x145a9005e
    0x1077a500a: jmp    qword ptr [rip]
    0x1077a5010: movabs eax, dword ptr [0x7fff4594ad]
    0x1077a5019: add    byte ptr [rax], al
    0x1077a501b: add    byte ptr [rax], al
    0x1077a501d: add    byte ptr [rax], al
    0x1077a501f: add    byte ptr [rax], al
    0x1077a5021: add    byte ptr [rax], al
    0x1077a5023: add    byte ptr [rax], al
    0x1077a5025: add    byte ptr [rax], al
    0x1077a5027: add    byte ptr [rax], al
    0x1077a5029: add    byte ptr [rax], al
    0x1077a502b: add    byte ptr [rax], al
    0x1077a502d: add    byte ptr [rax], al
```

Result

```
(lldb) c
Process 2587 resuming
Process 2587 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x145a9005e)
    frame #0: 0x0000000145a9005e
error: memory read failed for 0x145a90000
Target 0: (SpringBoard) stopped.
```
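The two dumps above show the same mechanism from both sides: the first bytes of the hooked function are copied into a trampoline (`orig`), and any instruction in that copy whose encoding is relative to its own address, such as the `jmp` at `<+5>` to the UIAccessibilityIsReduceMotionEnabled stub, has to be re-encoded for the new location. The `int3` at `orig+0` in the 13.5 dump is the breakpoint byte mentioned in the maintainer's tip, copied along with the prologue. The following is an added example, not Dobby's code, that walks such a prologue and relocates it. The prologue bytes are reconstructed from the disassembly in this thread (standard encodings of `push rbp`, `mov rbp, rsp`, `pop rbp`, `jmp rel32`, with the rel32 computed from the 13.5 addresses), and the `truncated_jmp_target` helper is my inference about the failure mode: re-using the 32-bit displacement after the trampoline has moved out of ±2 GiB range lands exactly on the 0x15db53dbc seen in the 13.5 dump.

```python
"""Added example (not Dobby's code): relocate a hooked x86-64 prologue into a
far-away trampoline and flag a copied int3 breakpoint byte.

Assumptions: PROLOGUE is reconstructed from the lldb disassembly in this
issue; the addresses are the ones shown for iOS 13.5; truncated_jmp_target
models one plausible relocation bug (my inference, not the maintainer's
statement).
"""
import struct

INT3 = 0xCC
JMP_REL32 = 0xE9
MASK64 = (1 << 64) - 1
# jmp qword ptr [rip+0]; the 8-byte absolute target follows the instruction
# (the same pattern lldb shows at the end of the orig trampolines above).
JMP_RIP_INDIRECT = b"\xff\x25\x00\x00\x00\x00"

# Addresses from the 13.5 dumps in the issue.
SB_REDUCE_MOTION = 0x7FFF5D9E24F8   # hooked function
UIA_STUB = 0x7FFF5DB53DBC           # symbol stub jumped to at <+5>
TRAMPOLINE = 0x10BDE2040            # where `orig` was placed


def encode_jmp_rel32(insn_addr, target):
    """Encode `jmp rel32` at insn_addr reaching target, or None if out of range."""
    disp = target - (insn_addr + 5)
    if not -(1 << 31) <= disp <= (1 << 31) - 1:
        return None
    return bytes([JMP_REL32]) + struct.pack("<i", disp)


# Constructed prologue: 55 | 48 89 e5 | 5d | e9 <rel32 to UIA_STUB>
PROLOGUE = bytes.fromhex("554889e55d") + encode_jmp_rel32(SB_REDUCE_MOTION + 5, UIA_STUB)


def jmp_rel32_target(insn_addr, insn):
    """Absolute target of a `jmp rel32` located at insn_addr."""
    assert len(insn) == 5 and insn[0] == JMP_REL32
    return (insn_addr + 5 + struct.unpack("<i", insn[1:])[0]) & MASK64


def truncated_jmp_target(src_addr, insn, dst_addr):
    """Where the copied jmp lands if the new displacement is truncated to 32
    bits instead of being checked for range (assumed failure mode)."""
    target = jmp_rel32_target(src_addr, insn)
    low32 = (target - (dst_addr + 5)) & 0xFFFFFFFF
    disp32 = struct.unpack("<i", struct.pack("<I", low32))[0]
    return (dst_addr + 5 + disp32) & MASK64


def decode(code, off):
    """Tiny decoder for the opcodes that occur in this prologue: (length, kind)."""
    b = code[off]
    if b == INT3:
        return 1, "int3"
    if b in (0x55, 0x5D):                      # push rbp / pop rbp
        return 1, "pic"
    if code[off:off + 3] == b"\x48\x89\xe5":   # mov rbp, rsp
        return 3, "pic"
    if b == JMP_REL32:
        return 5, "jmp_rel32"
    raise ValueError(f"unsupported opcode 0x{b:02x} at +{off}")


def relocate_prologue(src_addr, code, dst_addr):
    """Copy `code` (read from src_addr) so it behaves the same at dst_addr.
    Position-independent instructions are copied verbatim; a jmp rel32 is
    re-encoded, falling back to an absolute indirect jump when the new
    displacement does not fit in 32 bits. Returns (bytes, warnings)."""
    out = bytearray()
    warnings = []
    off = 0
    while off < len(code):
        length, kind = decode(code, off)
        insn = code[off:off + length]
        if kind == "int3":
            # A software breakpoint patches 0xCC over the first byte; copying
            # the prologue while it is set copies the breakpoint too, which is
            # what the `int3` at orig+0 in the 13.5 dump shows.
            warnings.append(f"int3 copied from 0x{src_addr + off:x}")
            out += insn
        elif kind == "pic":
            out += insn
        else:
            target = jmp_rel32_target(src_addr + off, insn)
            near = encode_jmp_rel32(dst_addr + len(out), target)
            out += near if near is not None else JMP_RIP_INDIRECT + struct.pack("<Q", target)
        off += length
    return bytes(out), warnings


if __name__ == "__main__":
    bad = truncated_jmp_target(SB_REDUCE_MOTION + 5, PROLOGUE[5:], TRAMPOLINE + 5)
    print(f"truncated relocation would jump to 0x{bad:x}")
    relocated, warns = relocate_prologue(SB_REDUCE_MOTION, PROLOGUE, TRAMPOLINE)
    print("relocated bytes:", relocated.hex(), "warnings:", warns)
```

Run stand-alone it prints the 0x15db53dbc target for the truncated case and a 19-byte relocation (five prologue bytes, then `ff 25 00 00 00 00` followed by the 8-byte stub address) for the correct one. The range check in `encode_jmp_rel32` is the whole point: a trampoline page allocated far from the hooked image, as on the 13.5 simulator where SpringBoard sits at 0x7fff..., cannot reach the stub with a rel32 and needs the indirect form.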
jmpews commented 1 year ago

Have you tried again with the latest commit?

brendonjkding commented 1 year ago

Before I post the results, I want to say sorry first. It seems I somehow wasn't using the latest commit when I opened this issue.

With the real latest commit, it no longer crashes at orig_SBReduceMotion. However, I am seeing some additional weird crashes.

First, on 12.4, the pointer in the jmp instruction of the replaced function (sorry, I don't know the term for it) was somehow overwritten.

Details

```
Process 33917 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = step over
    frame #0: 0x0000000131eee8f7 CustomReduceMotion.dylib`_logosLocalCtor_a50b3343(argc=1, argv=0x00007ffeecad49a0, envp=0x00007ffeecad49b0) at Tweak.xm:270:15
   267      }
   268      %init(SpringBoard,SBReduceMotion=SBReduceMotion);
   269
-> 270      Class CSCoverSheetTransitionSettings_Class;
   271      if(@available(iOS 13.0,*)){
   272          CSCoverSheetTransitionSettings_Class=%c(CSCoverSheetTransitionSettings);
   273      }
Target 0: (SpringBoard) stopped.
(lldb) dis -a 0x00000001036193ce
SpringBoard`___lldb_unnamed_symbol25661$$SpringBoard:
    0x1036193ce <+0>: jmp    qword ptr [rip + 0x2e97ac34]
    0x1036193d4 <+6>: insb   byte ptr es:[rdi], dx
    0x1036193d5 <+7>: xor    al, 0x15
(lldb) p/x *(long*)(0x1036193d4+0x2e97ac34)
(long) $15 = 0x0000000131eeff30
(lldb) dis -s 0x0000000131eeff30 -e 0x0000000131eeff30+50
CustomReduceMotion.dylib`_logos_function$SpringBoard$SBReduceMotion:
    0x131eeff30 <+0>:  push   rbp
    0x131eeff31 <+1>:  mov    rbp, rsp
    0x131eeff34 <+4>:  sub    rsp, 0x10
    0x131eeff38 <+8>:  cmp    qword ptr [rip + 0x6498], 0x0 ; bottomBarEnabled + 7
    0x131eeff40 <+16>: je     0x131eeff65               ; <+53> at Tweak.xm:121:12
    0x131eeff46 <+22>: mov    rax, qword ptr [rip + 0x648b] ; switcherEnabled
    0x131eeff4d <+29>: sub    rax, 0x1
    0x131eeff53 <+35>: cmp    rax, 0x0
    0x131eeff57 <+39>: setne  cl
    0x131eeff5a <+42>: and    cl, 0x1
    0x131eeff5d <+45>: mov    byte ptr [rbp - 0x1], cl
(lldb) wa se e 0x1036193d4+0x2e97ac34
Watchpoint created: Watchpoint 4: addr = 0x131f94008 size = 8 state = enabled type = w
    new value: 5132713776
(lldb) c
Process 33917 resuming

Watchpoint 4 hit:
old value: 5132713776
new value: 5133385776
Process 33917 stopped
* thread #9, queue = 'com.apple.root.utility-qos', stop reason = watchpoint 4
    frame #0: 0x00000001368880f0 libGLProgrammability.dylib`mem_CreatePool + 106
libGLProgrammability.dylib`mem_CreatePool:
->  0x1368880f0 <+106>: add    rbx, rax
    0x1368880f3 <+109>: mov    qword ptr [rax + 0x10], rbx
    0x1368880f7 <+113>: mov    qword ptr [rax + 0x28], rcx
    0x1368880fb <+117>: pop    rbx
    0x1368880fc <+118>: pop    r14
    0x1368880fe <+120>: pop    rbp
    0x1368880ff <+121>: ret
    0x136888100 <+122>: call   0x1368fbda4               ; symbol stub for: abort
Target 0: (SpringBoard) stopped.
(lldb) c
Process 33917 resuming

Watchpoint 4 hit:
old value: 5133385776
new value: 5133385848
Process 33917 stopped
* thread #9, queue = 'com.apple.root.utility-qos', stop reason = watchpoint 4
    frame #0: 0x0000000136888182 libGLProgrammability.dylib`mem_Alloc + 62
libGLProgrammability.dylib`mem_Alloc:
->  0x136888182 <+62>: cmp    rsi, qword ptr [rdi + 0x10]
    0x136888186 <+66>: ja     0x13688818c               ; <+72>
    0x136888188 <+68>: test   dl, dl
    0x13688818a <+70>: je     0x1368881dc               ; <+152>
    0x13688818c <+72>: lea    r14, [r12 + rcx + 0x8]
    0x136888191 <+77>: and    r14, r13
    0x136888194 <+80>: mov    qword ptr [rbx + 0x8], rax
    0x136888198 <+84>: mov    r15, qword ptr [rbx + 0x18]
Target 0: (SpringBoard) stopped.
(lldb) bt
* thread #9, queue = 'com.apple.root.utility-qos', stop reason = watchpoint 4
  * frame #0: 0x0000000136888182 libGLProgrammability.dylib`mem_Alloc + 62
    frame #1: 0x0000000136889f46 libGLProgrammability.dylib`NewScopeInPool + 29
    frame #2: 0x0000000136885ac4 libGLProgrammability.dylib`InitCPP + 457
    frame #3: 0x000000013688825a libGLProgrammability.dylib`InitScanner + 14
    frame #4: 0x0000000136888057 libGLProgrammability.dylib`glpInitPreprocessor + 104
    frame #5: 0x000000013685bacb libGLProgrammability.dylib`glpCompileShader + 71
    frame #6: 0x000000013687b7fd libGLProgrammability.dylib`ShCompile + 151
    frame #7: 0x000000013672cf8b GLEngine`gleShaderParse + 393
    frame #8: 0x00000001366c5451 GLEngine`glCompileShaderIncludeARB_Exec + 484
    frame #9: 0x0000000106c070a6 SiriUICore`-[SUICFlamesView _setupShaders] + 334
    frame #10: 0x0000000106c087eb SiriUICore`-[SUICFlamesView _initGLAndSetupDisplayLink:] + 161
    frame #11: 0x0000000106c068ca SiriUICore`-[SUICFlamesView _prewarmShaders] + 29
    frame #12: 0x0000000106c067c0 SiriUICore`+[SUICFlamesView prewarmShadersForScreen:initialFrame:activeFrame:fidelity:prewarmInBackground:] + 192
    frame #13: 0x0000000106c066e4 SiriUICore`+[SUICFlamesView prewarmShadersForScreen:activeFrame:fidelity:] + 156
    frame #14: 0x00000001353cf211 Assistant`__92-[ACSpringBoardPluginController _prewarmFlamesViewShadersInBackgroundForScreen:activeFrame:]_block_invoke + 287
    frame #15: 0x0000000110da6ccf libdispatch.dylib`_dispatch_call_block_and_release + 12
    frame #16: 0x0000000110da7d02 libdispatch.dylib`_dispatch_client_callout + 8
    frame #17: 0x0000000110db6c5f libdispatch.dylib`_dispatch_root_queue_drain + 751
    frame #18: 0x0000000110db7330 libdispatch.dylib`_dispatch_worker_thread2 + 97
    frame #19: 0x00000001111929f7 libsystem_pthread.dylib`_pthread_wqthread + 220
    frame #20: 0x0000000111191b77 libsystem_pthread.dylib`start_wqthread + 15
```

Second, on 13.5, it crashes at orig__AXSReduceMotionReduceSlideTransitionsEnabled, which should work after #149 was fixed.

Details

```
0   ???                                 0x00007ffece376000 0 + 140732358156288
1   CustomReduceMotion.dylib            0x0000000105331454 _logos_function$AXS$_AXSReduceMotionReduceSlideTransitionsEnabled() + 132 (Tweak.xm:111)
2   com.apple.UIKitCore                 0x00007fff485eda37 -[UIViewController _transitionForModalTransitionStyle:appearing:] + 18
```

I think these crashes are beyond this issue. In addition, instead of continuously bothering you, maybe I should do some research myself. So I'm closing this issue. But please let me know if you need any additional info or the full original project (CustomReduceMotion) that hits these crashes. Thank you very much for your help!

jmpews commented 1 year ago

If you could send CustomReduceMotion, I'll try to reproduce the crash and fix it.

brendonjkding commented 1 year ago

Thank you, I have sent you an invite link.

jmpews commented 1 year ago

could you send me a message with telegram https://t.me/IOFramebuffer ?

brendonjkding commented 1 year ago

Sure, I'm https://t.me/brendonjkding