mandiant / flare-ida

IDA Pro utilities from FLARE team
Apache License 2.0

objc2_xrefs_helper erroneous selector replacement #46

Open strictlymike opened 7 years ago

strictlymike commented 7 years ago

Note to self for later...

python/flare/objc2_xrefs_helper.py can replace selectors erroneously.

Example: 4fe4b9560e99e33dabca553e2eeee510 (OSX XAgent), virtual addresses 0x100014F61 and 0x100014FA5

ID for each is an NSThread object held in r12 and later r13, and SEL is start, but objc2_xrefs_helper.py replaces this with __Keylogger_start (-[Keylogger start]). Here is the first case:

```asm
100014F58 call    cs:_objc_msgSend_ptr ; [NSThread initWithTarget:selector:object]
100014F58                         ; Creates NSThread targeting [BootXLoader postThread]
100014F5E mov     r12, rax
100014F61 mov     rsi, qword ptr cs:__Keylogger_start_ ; Keylogger - (void)start
100014F68 mov     rdi, r12
100014F6B call    cs:_objc_msgSend_ptr ; [r12 start]
```

Perhaps objc2_xrefs_helper.py doesn't realize this selector is only unique within this binary but also pertains to objects whose interfaces are not implemented in this binary?
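The ambiguity described above can be modelled with a small resolver that only rewrites a selector reference when the selector has exactly one implementation in the binary and is not also a method of an imported framework class. This is an added example, not code from flare-ida or from the issue author; the selector tables, the `NSThread` entry and the call-site list are constructed sample data, and `resolve_selector` / `annotate_call_sites` are hypothetical helper names.

```python
# Added example: models the selector-resolution check the issue suggests.
# Not part of objc2_xrefs_helper.py; all data below is constructed.
from typing import Dict, List, Optional, Tuple

# Constructed: selector name -> Objective-C method implementations found
# inside the analysed binary (what a helper would harvest from __objc_data).
LOCAL_IMPLS: Dict[str, List[str]] = {
    "start": ["-[Keylogger start]"],
    "postThread": ["-[BootXLoader postThread]"],
    "sendReport:": ["-[Reporter sendReport:]"],
}

# Constructed: selectors also answered by framework classes the binary
# imports but does not implement (e.g. NSThread's -start). A real tool would
# derive this from the imported class references and framework headers.
EXTERNAL_SELECTORS: Dict[str, List[str]] = {
    "start": ["NSThread"],
    "initWithTarget:selector:object:": ["NSThread"],
}


def resolve_selector(sel: str) -> Optional[str]:
    """Return the unique local implementation for `sel`, or None when
    rewriting the selector reference would be unsafe (no implementation,
    several candidates, or an imported class also responds to it)."""
    impls = LOCAL_IMPLS.get(sel, [])
    if len(impls) != 1:
        return None
    if sel in EXTERNAL_SELECTORS:
        return None  # unique in this binary, but not unique for the receiver
    return impls[0]


def annotate_call_sites(sites: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """For each (address, selector) call site, produce the comment a cautious
    helper would attach: the resolved method, or an 'ambiguous' note listing
    the external classes that also implement the selector."""
    out: List[Tuple[int, str]] = []
    for addr, sel in sites:
        target = resolve_selector(sel)
        if target is not None:
            out.append((addr, target))
        else:
            externals = ", ".join(EXTERNAL_SELECTORS.get(sel, []))
            locals_ = ", ".join(LOCAL_IMPLS.get(sel, [])) or "none"
            out.append((addr, f"ambiguous selector '{sel}': local {locals_}; "
                              f"external {externals or 'none'}"))
    return out


if __name__ == "__main__":
    # Constructed call sites mirroring the two addresses from the issue.
    sample = [(0x100014F61, "start"), (0x100014FA5, "start"),
              (0x100014F30, "postThread")]
    for addr, comment in annotate_call_sites(sample):
        print(f"{addr:X}: {comment}")
```

With this rule the two `start` sites keep an "ambiguous" comment instead of being rewritten to `__Keylogger_start`, while `postThread`, which only `BootXLoader` implements and no imported class declares, is still resolved.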

strictlymike commented 7 years ago

Workaround is to locate the fix in Patched Bytes (Ctrl+Alt+P or Edit -> Patch program -> Patched bytes) and revert the patch.