XPoCe 2.5 Illegal instruction

Used for discussing the various tools in the book as well as encouraging members to share tools

Post by reggi » Wed Oct 23, 2019 10:45 pm

Hey,

Whenever I trace non-Apple apps that use NSXPC, XPoCe 2.5 crashes:

VM-macOS:~ user$ sudo lldb ./XPoCe 607
(lldb) target create "./XPoCe"
Current executable set to './XPoCe' (x86_64).
(lldb) settings set -- target.run-args  "607"
(lldb) r
Process 616 launched: '/Users/user/XPoCe' (x86_64)
xpc_dictionary_get_uint64 ( dictionary@0x7fc9e157f990,"f")
 = "<dictionary: 0x7fc9e157f990> { count = 5, transaction: 1, voucher = 0x7fc9e15742d0, contents =
   "f" => <uint64: 0xc5d7f0a2dafee1b1>: 33
   "root" => <data: 0x7fc9e1438110>: { length = 57 bytes, contents = 0x62706c6973743136a038000000000000007f111470696e67... }
   "proxynum" => <uint64: 0xc5d7f0a2dafce1b1>: 1
   "replysig" => <string: 0x7fc9e158e240> { length = 18, contents = "v16@?0@"NSString"8" }
   "sequence" => <uint64: 0xc5d7f0a2dae6b1b1>: 420
}"
NSXPC: BUF@0x7fc9e1438800, 140505044453440 bytes - SimPLISTic® format follows:
Process 616 stopped
* thread #2, stop reason = EXC_BAD_ACCESS (code=1, address=0xfffff03620f4df78)
    frame #0: 0x00000001000025d2 XPoCe`___lldb_unnamed_symbol26$$XPoCe + 1106
XPoCe`___lldb_unnamed_symbol26$$XPoCe:
->  0x1000025d2 <+1106>: callq  0x10001a670               ; symbol stub for: mach_vm_read_overwrite
    0x1000025d7 <+1111>: movq   -0x11b8(%rbp), %rcx
    0x1000025de <+1118>: movq   (%rcx), %rcx
    0x1000025e1 <+1121>: movabsq $0x36317473696c7062, %rdx ; imm = 0x36317473696C7062
Target 0: (XPoCe) stopped.


I'm using macOS 10.14.6 with SIP disabled.
reggi
 

Re: XPoCe 2.5 Illegal instruction

Post by morpheus » Thu Oct 24, 2019 9:54 am

Definitely a bug. Thanks for letting me know. I do some pretty sick hacks to get that working, and sometimes they're not robust enough in all cases. I'll get on it.
morpheus
Site Admin
 

