diff --git a/macho-go/pkg/ios/macho/edit.go b/macho-go/pkg/ios/macho/edit.go
index 5affe01..dc7a672 100644
--- a/macho-go/pkg/ios/macho/edit.go
+++ b/macho-go/pkg/ios/macho/edit.go
@@ -472,7 +472,7 @@ func (mc *MachoContext) ReworkForObjc() {
 main_offset := int(mc.entryoff)
 var shellcode_offset int
- if (mc.header.cputype & 0xff) == 12{
+ if (mc.header.cputype & 0xff) == 12 {
 shellcode = []uint32{
 0x10000008,
 0, // x9 = (offset end of __DATA) - (offset shellcode)
@@ -488,22 +488,22 @@ func (mc *MachoContext) ReworkForObjc() {
 0xF9400509,
 0xD61F0120,
 }
-
+
 shellcode_offset = text_start - (ins_size_byte * len(shellcode))
-
+
 encode_movz := func(v int) uint32 {
 return uint32(uint32(v)<<5 | uint32(0x694)<<21 | uint32(0x09))
 }
-
+
 // movz_shellcode_offset := encode_movz(shellcode_offset)
 // movz_main_offset := encode_movz(main_offset)
 // movz_data_end_offset := encode_movz(data_end)
 movz_calculate_offset := encode_movz(data_end - shellcode_offset)
-
+
 shellcode[1] = movz_calculate_offset
 // shellcode[10] = movz_data_end_offset
 // shellcode[19] = movz_main_offset
-
+
 fmt.Printf("// shellcode_offset=%x\n", shellcode_offset)
 fmt.Printf("// main_offset=%x\n", main_offset)
 fmt.Printf("// data_end=%x\n", data_end)
@@ -514,31 +514,69 @@ func (mc *MachoContext) ReworkForObjc() {
 fmt.Printf("// lc_main_offset=%x\n", lc_main_offset)
 } else {
 // TODO: fix to work with offset larger than 0xffff
- shellcode = []uint32{
- 0x00058d4c,
- 0x66000000,
- 0, // offset
- 0x57c8014d,
- 0x41515256,
- 0x088b4d50,
- 0x41d1ff41,
- 0x5e5a5958,
- 0x488b4d5f,
- 0xe1ff4108,
+ // shellcode = []uint32{
+ // 0x00058d4c,
+ // 0x66000000,
+ // 0, // offset
+ // 0x57c8014d,
+ // 0x41515256,
+ // 0x088b4d50,
+ // 0x41d1ff41,
+ // 0x5e5a5958,
+ // 0x488b4d5f,
+ // 0xe1ff4108,
+ // }
+
+ shellcode_x := []uint8{
+ 0x4c, 0x8d, 0x05, 0x00, 0x00, 0x00, 0x00,
+ 0x49, 0xC7, 0xC1,
 }
- shellcode_offset = text_start - (ins_size_byte * len(shellcode))
-
- encode_movz := func(v int) uint32 {
- return uint32(uint32(v-7)<<16 | uint32(0xb941))
+ offset := []uint8{0x00, 0x00, 0x00, 0x00} // offset
+ shellcode_offset = text_start - 44
+
+ encode_movz := func(v int) {
+ for i := 0; i < 4; i++ {
+ offset[i] = uint8(v >> (i * 8))
+ }
 }
- // movz_shellcode_offset := encode_movz(shellcode_offset)
- // movz_main_offset := encode_movz(main_offset)
- // movz_data_end_offset := encode_movz(data_end)
- movz_calculate_offset := encode_movz(data_end - shellcode_offset)
+ // 7 is shellcode size to get RIP
+ encode_movz((data_end - text_start) + (44 - 7))
+
+ shellcode_end := []uint8{
+ 0x4d, 0x01, 0xc8,
+ 0x57,
+ 0x56,
+ 0x52,
+ 0x51,
+ 0x41, 0x50,
+ 0x4d, 0x8b, 0x08,
+ 0x41, 0xff, 0xd1,
+ 0x41,
+ 0x58,
+ 0x59,
+ 0x5a,
+ 0x5e,
+ 0x5f, 0x4d, 0x8b, 0x48, 0x08,
+ 0x41, 0xff, 0xe1,
+ }
+
+ shellcode_x = append(shellcode_x, offset...)
+ shellcode_x = append(shellcode_x, shellcode_end...)
+
+ for i := 0; i < len(shellcode_x)-2; i += 4 {
+ val := 0
+ // little endian
+ val |= int(shellcode_x[i+0]) << 0
+ val |= int(shellcode_x[i+1]) << 8
+ val |= int(shellcode_x[i+2]) << 16
+ val |= int(shellcode_x[i+3]) << 24
+ shellcode = append(shellcode, uint32(val))
+ }
+
+ shellcode = append(shellcode, 0x0000e1ff)
- shellcode[2] = movz_calculate_offset
 // shellcode[10] = movz_data_end_offset
 // shellcode[19] = movz_main_offset
@@ -580,6 +618,15 @@ func (mc *MachoContext) RewriteImportsTable(keepSymbols []string) {
 // but because we keep a few symbols, we need to rewrite the pointers
 // as well as rebuild the import table and strings table, and bind values
+ // we keep all symbols that are referenced by libintl.8.dylib
+ intlSymbols := []string{}
+ for _, symbol := range allSymbols {
+ if symbol.Dylib() == "/usr/local/opt/gettext/lib/libintl.8.dylib" {
+ intlSymbols = append(intlSymbols, symbol.Name())
+ }
+ }
+ keepSymbols = append(keepSymbols, intlSymbols...)
+
 keepCount := uint32(0)
 for _, symbol := range keepSymbols {
 name := symbol
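Review bot: The word-packing loop at the end of the new x86 branch is coupled to the exact length of the hand-written byte table: from the visible literals `shellcode_x` is 42 bytes, so `i < len(shellcode_x)-2` stops after index 39, the trailing `0xff, 0xe1` are dropped, and the separately appended `0x0000e1ff` (little-endian ff e1 00 00) re-creates them plus two zero bytes, while `text_start - 44` and `44 - 7` hard-code the padded size elsewhere. A table edit breaks this silently, and an odd length such as 43 makes `shellcode_x[i+3]` index out of range. Declaring the size once (`const x86ShellcodeSize = 44`) for `shellcode_offset` and the displacement term, padding to it and packing with `binary.LittleEndian.Uint32` (with `encoding/binary` imported) removes the coupling; the rewritten tail is below. `encode_movz` now stores a 4-byte little-endian displacement rather than a MOVZ immediate, so a name like `putDisp32` and a refresh of the `// TODO: fix to work with offset larger than 0xffff` context comment, which the 32-bit field appears to address, would help the next reader. ReworkForObjc starts outside the hunk.
```go
shellcode_x = append(shellcode_x, offset...)
shellcode_x = append(shellcode_x, shellcode_end...)
// Pad to the stub size the offset math above assumes; the zero bytes are
// the filler the previously hand-appended 0x0000e1ff tail word carried.
for len(shellcode_x) < x86ShellcodeSize {
	shellcode_x = append(shellcode_x, 0x00)
}
// Pack whole 32-bit words only, so a table edit can never index past the end.
for i := 0; i+4 <= len(shellcode_x); i += 4 {
	shellcode = append(shellcode, binary.LittleEndian.Uint32(shellcode_x[i:i+4]))
}
```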
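Review bot: The new filter in RewriteImportsTable compares `symbol.Dylib()` against the full path `/usr/local/opt/gettext/lib/libintl.8.dylib`, so a binary linking the same library from another prefix keeps nothing and the stated intent ("all symbols that are referenced by libintl.8.dylib") silently fails; matching on the name, e.g. `if path.Base(symbol.Dylib()) == "libintl.8.dylib" {` with `path` imported, is closer to the comment, and a line explaining why this one library is exempt from the rewrite would help. `keepSymbols = append(keepSymbols, intlSymbols...)` can also write into the caller's backing array when it has spare capacity, so appending to a copy (`keepSymbols = append(append([]string(nil), keepSymbols...), intlSymbols...)`) keeps the caller's slice untouched. Whether a name supplied by the caller that is also a libintl import is tolerated twice in keepSymbols cannot be seen from here. allSymbols and the rest of RewriteImportsTable are outside the hunk.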