InterceptorBadSignature arm64 #677

Open
aviramha opened this issue Sep 8, 2022 · 0 comments

aviramha commented Sep 8, 2022

Hi,
we stumbled upon this error (InterceptorBadSignature) when trying to hook a function on macOS arm64.
The assembly of the function we wanted to hook:

// Ghidra listing (AArch64) of the function the reporter tried to hook.
// The tail at LAB_100044720 branches to _runtime.goenvs_unix after the morestack call,
// so this is presumably the body of _runtime.goenvs_unix (confirm against the symbol table).
// Shape: stack-bound check, a loop counting the non-NULL pointers that follow argv[argc],
// a makeslice call, then a per-entry gostring copy into _runtime.envs.
//
// NOTE(review): the first two instructions write x16 and x17. These are the AAPCS64
// IP0/IP1 intra-procedure-call scratch registers, which inline-hook redirects commonly
// use as well. A prologue that already occupies both may be what the interceptor rejects
// with InterceptorBadSignature; confirm against the hooking library's relocator.

// Stack-bound check: load a limit from [x28 + 0x10] and compare it with sp.
// An unsigned sp <= limit takes the stack-growth path at LAB_100044720.
// (x28 presumably holds Go's g pointer and +0x10 its stack guard; confirm.)
ldr        x16,[x28, #0x10]
mov        x17,sp
cmp        x17,x16
b.ls       LAB_100044720
// Frame setup: store x30 with pre-indexed writeback, save x29 in the slot below,
// then point x29 at sp - 8. The epilogue at LAB_100044704 undoes this.
str        x30,[sp, #local_40]!
stur       x29,[sp, #local_48]
sub        x29,sp,#0x8
// x0 = 0: entry counter for the counting loop.
mov        x0,#0x0
b          LAB_1000445a8
                             LAB_1000445a4                                   XREF[1]:     1000445d0(j)  
add        x0,x0,#0x1
                             LAB_1000445a8                                   XREF[1]:     1000445a0(j)  
// Load the argv pointer and the sign-extended 32-bit argc, then read the pointer at
// index (x0 + argc + 1); sbfiz scales the sign-extended 32-bit index by 8.
// The loop continues while the loaded pointer is non-zero.
// NOTE(review): termination depends on a NULL entry following the last pointer;
// nothing here bounds the walk otherwise.
adrp       x3,0x10066e000
add        x3=>_runtime.argv,x3,#0xaf0                      = ??
ldr        x4,[x3]=>_runtime.argv                           = ??
adrp       x5,0x1006a1000
add        x5=>_runtime.argc,x5,#0xd64                      = ??
ldrsw      x6,[x5]=>_runtime.argc                           = ??
add        x6,x0,x6
add        x6,x6,#0x1
sbfiz      x6,x6,#0x3,#0x20
ldr        x4,[x4, x6, LSL #0x0]
cbnz       x4,LAB_1000445a4
// Save the count (32-bit at local_18, sign-extended at local_10) and call makeslice with
// x0 = address of DAT_1003c0c00 and x1 = x2 = count.
// (Presumably element type, len and cap; confirm against the runtime signature.)
str        w0,[sp, #local_18]
sxtw       x2,w0
str        x2,[sp, #local_10]
mov        x1,x2
adrp       x0,0x1003c0000
add        x0=>DAT_1003c0c00,x0,#0xc00                      = 0000000000000010h
bl         _runtime.makeslice                               undefined _runtime.makeslice(und
// Write the saved count to 0x1006714d8 and 0x1006714e0, i.e. _runtime.envs + 0x8 and
// + 0x10 (_runtime.envs itself is at 0x1006714d0); presumably the slice len and cap.
ldr        x3,[sp, #local_10]
adrp       x4,0x100671000
add        x4,x4,#0x4d8
str        x3,[x4]=>DAT_1006714d8                           = ??
adrp       x4,0x100671000
add        x4,x4,#0x4e0
str        x3,[x4]=>DAT_1006714e0                           = ??
// If _runtime.writeBarrier reads as zero, store the makeslice result (x0) directly into
// _runtime.envs; otherwise take the gcWriteBarrier path at LAB_10004462c.
adrp       x3,0x1006a2000
add        x3,x3,#0x230
ldr        w4,[x3]=>_runtime.writeBarrier                   = ??
cbnz       w4,LAB_10004462c
adrp       x1,0x100671000
add        x1,x1,#0x4d0
str        x0,[x1]=>_runtime.envs                           = ??
b          LAB_10004464c
                             LAB_10004462c                                   XREF[1]:     100044618(j)  
// Write-barrier path: x2 = &_runtime.envs, x3 = the makeslice result, then call
// gcWriteBarrier. The address registers are rebuilt after the call.
adrp       x2,0x100671000
add        x2=>_runtime.envs,x2,#0x4d0                      = ??
mov        x3,x0
bl         _runtime.gcWriteBarrier                          undefined _runtime.gcWriteBarrie
adrp       x1,0x100671000
add        x1,x1,#0x4d0
adrp       x3,0x1006a2000
add        x3,x3,#0x230
                             LAB_10004464c                                   XREF[1]:     100044628(j)  
// x0 = 0: index for the copy loop.
mov        x0,#0x0
b          LAB_100044668
                             LAB_100044654                                   XREF[2]:     1000446e8(j), 100044700(j)  
// Loop continuation: x0 = x5 + 1, where x5 is the index reloaded from local_14 below.
add        x0,x5,#0x1
adrp       x1,0x100671000
add        x1,x1,#0x4d0
adrp       x3,0x1006a2000
add        x3,x3,#0x230
                             LAB_100044668                                   XREF[1]:     100044650(j)  
// Loop test: a signed compare of the 32-bit index against the saved count (local_18);
// index >= count leaves through the epilogue.
ldrsw      x2,[sp, #local_18]
cmp        w0,w2
b.ge       LAB_100044704
// Save the index to local_14, load the pointer at argv[index + argc + 1] and pass it
// to gostring in x0.
str        w0,[sp, #local_14]
adrp       x1,0x10066e000
add        x1=>_runtime.argv,x1,#0xaf0                      = ??
ldr        x2,[x1]=>_runtime.argv                           = ??
adrp       x3,0x1006a1000
add        x3=>_runtime.argc,x3,#0xd64                      = ??
ldrsw      x4,[x3]=>_runtime.argc                           = ??
add        x4,x0,x4
add        x4,x4,#0x1
sbfiz      x4,x4,#0x3,#0x20
ldr        x2,[x2, x4, LSL #0x0]
mov        x0,x2
bl         _runtime.gostring                                undefined _runtime.gostring()
// Bounds check before the store: x3 = word at _runtime.envs, x4 = word at
// _runtime.envs + 8, x5/x6 = saved index. An unsigned index >= x4 goes to panicIndex.
adrp       x2,0x100671000
add        x2=>_runtime.envs,x2,#0x4d0                      = ??
ldr        x3,[x2]=>_runtime.envs                           = ??
ldr        x4,[x2, #0x8]=>DAT_1006714d8                     = ??
ldrsw      x5,[sp, #local_14]
mov        x6,x5
cmp        x6,x4
b.cs       LAB_100044710
// Element offset = index * 16 (sbfiz by 4). x1 is stored at element + 8 and x0 at
// element + 0; presumably the length and data pointer returned by gostring (confirm).
// NOTE(review): the "=>_runtime.argv" annotation on the str below looks stale, since x1
// was last set to that address before the gostring call; verify in the decompiler.
sbfiz      x4,x5,#0x4,#0x20
add        x6,x3,x4
str        x1=>_runtime.argv,[x6, #0x8]                     = ??
adrp       x1,0x1006a2000
add        x1=>_runtime.writeBarrier,x1,#0x230              = ??
ldr        w7,[x1]=>_runtime.writeBarrier                   = ??
cbnz       w7,LAB_1000446ec
str        x0,[x3, x4, LSL #0x0]
b          LAB_100044654
                             LAB_1000446ec                                   XREF[1]:     1000446e0(j)  
// Write-barrier variant of the element store: x2 = element address, x3 = value.
mov        x3,x0
mov        x2,x6
bl         _runtime.gcWriteBarrier                          undefined _runtime.gcWriteBarrie
adrp       x2,0x100671000
add        x2,x2,#0x4d0
b          LAB_100044654
                             LAB_100044704                                   XREF[1]:     100044670(j)  
// Epilogue: restore x29 from [sp - 8], pop x30 with a post-indexed sp += 0x40, return.
ldur       x29=>local_48,[sp, #-0x8]
ldr        x30,[sp], #0x40
ret
                             LAB_100044710                                   XREF[1]:     1000446c4(j)  
// Bounds failure: call panicIndex with x0 = index and x1 = the limit it was compared to.
mov        x0,x6
mov        x1,x4
bl         _runtime.panicIndex                              undefined _runtime.panicIndex(un
nop
                             LAB_100044720                                   XREF[1]:     10004458c(j)  
// Stack-growth path from the entry check: copy x30 into x3, call morestack_noctxt, then
// branch to _runtime.goenvs_unix (presumably a retry from the function entry).
mov        x3,x30
bl         _runtime.morestack_noctxt.abi0                   undefined _runtime.morestack_noc
b          _runtime.goenvs_unix                             undefined _runtime.goenvs_unix()
                             -- Flow Override: CALL_RETURN (CALL_TERMINATOR)

related issue:
metalbear-co/mirrord#373
