joker.ELF64 SEGFAULT with -j option


Postby littlelailo » Fri Feb 23, 2018 6:17 pm

When running joker.ELF64 on any kernelcache using the -j option to get Jtool compatible output, it will SEGFAULT.
joker without any arguments:
Usage: joker [-j] [-MmaSsKk] _filename_
 _filename_ should be a decrypted iOS kernelcache, or kernel dump. Tested on ARMv7/s 3.x-9.3, and ARM64 through 11.0

 -m: dump Mach Traps and MIG tables (NEW)
 -a: dump everything
 -k: dump kexts
 -K: kextract [kext_bundle_id_or_name_shown_in_-k|all] to JOKER_DIR or /tmp
 -S: dump sysctls
 -s: dump UNIX syscalls
 -j: Jtool compatible output (to companion file) - 64bit kernels only

-dec: Decompress kernelcache to /tmp/kernel (complzss only at this stage)

Kernels not included. Get your own dump or decrypted kernel from iPhoneWiki, or Apple itself (as of iOS 10b1! Thanks, guys!)

4.0b with MACF Policies, stub symbolication, SPLIT KEXTS, no Sandbox Profiles (still beta, and AAPL enlarged profile again in 11..) , kpp kernel zones(!) - and - IOUserClient methods!!
Compiled on Sep 10 2017

Contains code from Haruhiko Okumura (CompuServe 74050,1022) from BootX-81//bootx.tproj/sl.subproj/lzss.c


Joker when running with the -j option:
mmapped: 0x7fb65f366000
still HERE
Feeding me a compressed kernelcache, eh? That's fine, now. I can decompress! (Type -dec _file_ if you want to save to file)!
Compressed Size: 13378574, Uncompressed: 26394624. Unknown (CRC?): 0xc62367ad, Unknown 1: 0x1
btw, KPP is at 13379010 (0xcc25c2)..And I saved it for you in /tmp/kpp
Got kernel at 437
got mem 0x7fb65da30010
mmapped: 0x7fb65da30010
This is a 64-bit kernel from iOS 11.x (b1+), or later (4570.40.9.0.0)
Opened companion File: kernelcache.release.ipad4bm.ARM64.B6DFE92C-7465-3A4F-A8F7-2AC46F9D6780
Opening companion file
Found _secure_monitor at offset 0xbc4c, Addr: 0xfffffff007093c4c
Found _start_cpu at offset 0xb018, Addr: 0xfffffff007093018
Auto-Disassembling __TEXT_EXEC.__text from 0xfffffff007088000 to find rest..
This may take a little while, but you only need to do this once
Disassembling from file offset 0x84000, Address 0xfffffff007088000 , mmapped 0x7fb65da30010
kdb_printf:0xfffffff0070c81d0
Got zone_array: 0xfffffff0075d5e70!
GOT zinit: 0xfffffff0070f5ae0
fffffff0075d5d60:waitq sets zone
(It SEGFAULTS here)


GDB log:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000402b8a in function_identifier (Symbol=0xa6f4f0 <jtool_symbol_cache+2898288> "_zinit", Regs=0x1d1105c0 <Regs>, Call=1) at joker.c:991

Register state:
rax            0x77     119
rbx            0x0      0
rcx            0x0      0
rdx            0x0      0
rsi            0x20000  131072
rdi            0x7ffffca4fdac   140737432059308
rbp            0x7ffffffdcd70   0x7ffffffdcd70
rsp            0x7ffffffdcaf0   0x7ffffffdcaf0
r8             0x0      0
r9             0x21000  135168
r10            0x22     34
r11            0x4001   16385
r12            0xd0bd0  854992
r13            0x7ffffffde150   140737488216400
r14            0x0      0
r15            0x0      0
rip            0x402b8a 0x402b8a <function_identifier+1032>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0


Code at that address:
=> 0x402b8a <function_identifier+1032>: mov    %al,(%rdx)


backtrace:
#0  0x0000000000402b8a in function_identifier (Symbol=0xa6f4f0 <jtool_symbol_cache+2898288> "_zinit", Regs=0x1d1105c0 <Regs>, Call=1) at joker.c:991
#1  0x000000000041b7af in doInstr (Instr=0x7ffffffdd860, Print=0) at disass.c:2751
#2  0x000000000041c671 in disassembleARMCommon (File=0x7ffffca30010 "\317\372\355\376\f", Address=18446744005108072448, Sections=0x1d0e9a40 <Segments>, opts=36, len=-1) at disass.c:3186
#3  0x000000000041c75f in disassembleARM64 (File=0x7ffffca30010 "\317\372\355\376\f", Address=18446744005108072448, Sections=0x1d0e9a40 <Segments>, opts=32, len=-1) at disass.c:3225
#4  0x000000000041c8ed in disassemble (File=0x7ffffca30010 "\317\372\355\376\f", Address=18446744005108072448, Sections=0x1d0e9a40 <Segments>, opts=32, len=-1) at disass.c:3307
#5  0x0000000000408830 in main (argc=3, argv=0x7ffffffde158) at joker.c:3663


kernelcache used: 4bm out of http://appldnld.apple.com/ios11.2.6/091 ... store.ipsw
(I've also tested it against others)

Steps to reproduce:
1. download the zip from above
2. extract the zip
3. run joker.ELF64 -j kernelcache.release.4bm
4. wait till it segfaults


Because the .universal version works perfectly on my mac, I will use that one till this bug is fixed.

Thank you in advance,
littlelailo
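As an added illustration that is not part of the post and not joker's own code: the register state and faulting instruction quoted above already explain the crash. The store `mov %al,(%rdx)` writes one byte through rdx, and rdx is 0, so `function_identifier` is dereferencing a NULL pointer while symbolicating `_zinit`. The script below (names are assumed, input is the constructed excerpt copied from the post) parses the GDB register dump and the `x/i $pc` line and classifies the access the same way an analyst would by hand.

```python
import re

# Constructed sample input: the GDB register dump and faulting instruction
# quoted in the post above (only the registers the instruction needs).
REGISTER_DUMP = """\
rax            0x77     119
rdx            0x0      0
rsi            0x20000  131072
rdi            0x7ffffca4fdac   140737432059308
rip            0x402b8a 0x402b8a <function_identifier+1032>
"""
FAULTING_INSN = "=> 0x402b8a <function_identifier+1032>: mov    %al,(%rdx)"

REG_RE = re.compile(r"^(\w+)\s+(0x[0-9a-fA-F]+)")
# AT&T memory operand: [disp](%base[,%index[,scale]])
MEM_RE = re.compile(r"(-?(?:0x[0-9a-fA-F]+|\d+))?\(%(\w+)(?:,%(\w+)(?:,(\d))?)?\)")

def parse_registers(dump):
    """Map register name -> value from a 'gdb info registers' dump."""
    regs = {}
    for line in dump.splitlines():
        m = REG_RE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs

def triage(insn_line, regs, guard_page=0x1000):
    """Classify the faulting memory access of one 'x/i $pc' line."""
    text = insn_line.split(":", 1)[1].strip()       # "mov    %al,(%rdx)"
    mnemonic, operands = text.split(None, 1)
    m = MEM_RE.search(operands)
    if m is None:
        return {"kind": "none", "verdict": "no memory operand; not a data fault"}
    disp, base, index, scale = m.groups()
    ea = int(disp, 0) if disp else 0
    ea += regs.get(base, 0)
    if index:
        ea += regs.get(index, 0) * int(scale or "1")
    # AT&T syntax: the last operand is the destination, so a memory operand
    # there means the instruction stores; anywhere else it loads.
    kind = "write" if m.end() == len(operands) else "read"
    if ea < guard_page:
        verdict = f"NULL pointer {kind} via %{base} (unmapped first page)"
    else:
        verdict = f"{kind} to {ea:#x}: check mapping and object bounds"
    return {"kind": kind, "base": base, "ea": ea, "mnemonic": mnemonic, "verdict": verdict}

if __name__ == "__main__":
    print(triage(FAULTING_INSN, parse_registers(REGISTER_DUMP)))
```

Run as-is it reports a NULL pointer write via %rdx at effective address 0; feeding it a different `info registers` dump and `x/i $pc` line from another crash gives the same first-pass classification.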