dot/macho
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
c241e78cd8
macho/macho-go/pkg/ios/macho/edit.go

1005 lines
30 KiB
Go
Raw Blame History

package macho
import (
"bytes"
"encoding/binary"
"fmt"
"io"
"os"
"math/rand"
"strings"
"time"
"unsafe"
log "github.com/sirupsen/logrus"
. "ios-wrapper/pkg/ios"
"ios-wrapper/pkg/protomodel"
)
// #include "fixups.h"
// #include "arm.h"
import "C"
func rewriteLoadcommandsWithoutCodesignature(mc *MachoContext) {
if mc.Is64bit() {
mc.file.Seek(int64(Header_size_64), io.SeekStart)
} else {
mc.file.Seek(int64(Header_size), io.SeekStart)
}
for _, cmd := range mc.commands {
if cmd.Cmd() == LC_CODE_SIGNATURE {
continue
}
log.WithFields(log.Fields{
"cmd": cmd.Cmd(),
"cmdsize": cmd.Cmdsize(),
"name": cmd.Cmdname(),
}).Trace("Rewrite Load command")
mc.file.Write(cmd.Serialize(mc))
}
}
// Remove Codesign data from Mach-O binary
// There are many caveats to this problem.
// Mostly related to how codesign-allocate works.
// Removing codesign data at the end of __LINKEDIT sement
// is probably easier than removing them at an abitrary location.
//
// Assuming the codesign data is at the end of __LINKEDIT segment.
// The binary is probably signed at the last step, which is common.
//
// CODE_SIGNATURE load commands points to the codesign data offset and size.
// __LINKEDIT section points to data offset and size.
// We have:
//
// linkedit = (section*) LC_SEGMENT.section[0] // name="__LINKEDIT"
// codesign = (linkedit_data_command*) LC_CODE_SIGNATURE
// BinarySize = { f.seek(0, SEEKEND); return f.tell() }
//
// linkedit->fileoff + linkedit->filesize == codesign->dataOff + codesign->dataSize
// linkedit->fileoff + linkedit->filesize == BinarySize
//
// To remove the codesign data, we truncate the file to remove the codesign data.
// Then we update the linkedit->filesize to linkedit->filesize - codesign->dataSize
// We also fix the header to not read the LC_CODE_SIGNATURE,
// because codesign is the last step, the last load command is LC_CODE_SIGNATURE.
// Fix header->ncmds -= 1, header->sizeofcmds -= sizeof(linkedit_data_command)
//
// There's one more caveat, as mentioned by `insert_dylib`. Codesign data is aligned
// by 0x10. So it would have some padding before codesign data. Now that we have
// removed the data, but the padding still exists and is not prefered by codesign-allocate.
// To fix this issue, **again** we assume that the previous section is the String table
// (referenced by symtab) and increase the size of the string table to the end of data.
//
// A better approach could be an extended search for section pointing to the previous data.
// But general cases are String table.
//
// Implementation warnings:
// We have two implementation designs.
// - Re-parse the load commands and edit the value at offset
// - Use parsed load commands data, edit the values, and rewrite header + load commands
func (mc *MachoContext) RemoveCodesign() bool {
if !mc.WriteEnabled() {
return false
}
linkedit := mc.FindSegment("__LINKEDIT")
if linkedit == nil {
log.Warn("The binary has no __LINKEDIT Segment")
return false
}
var codesign *LinkEdit
for _, cmd := range mc.Linkedits() {
if cmd.Cmd() == LC_CODE_SIGNATURE {
codesign = cmd
break
}
}
if codesign == nil {
log.Warn("The binary is not signed, no LC_CODE_SIGNATURE found")
return false
}
filesize := uint64(len(mc.buf))
linkedit_end := uint64(linkedit.Fileoff()) + linkedit.Filesize()
codesign_end := uint64(codesign.Dataoff() + codesign.Datasize())
// linkedit is the last item in Mach-O binary
if linkedit_end != filesize {
log.Panic("Link edit is not the last item")
return false
}
// codesign is the last in linkedit
if linkedit_end != codesign_end {
log.Panic("Code sign data is not the last item in link edit segment")
return false
}
linkedit_newsize := linkedit.Filesize() - uint64(codesign.Datasize())
if (mc.symtab.stroff+mc.symtab.strsize)%0x10 == 0 {
// codesign requires padding of 0x10
// if strtab+strsize & 0xff < 0x8, it will pad til 0x10
// when removed codesign, we truncate the file to offset at 0x8 rather at 0x10
} else {
linkedit_newsize -= 8
}
mc.file.Truncate(int64(uint64(linkedit.Fileoff()) + linkedit_newsize))
mc.symtab.strsize = uint32(linkedit.Fileoff()+linkedit_newsize) - mc.symtab.stroff
// fix linkedit section
if mc.Is64bit() {
linkedit.(*Segment64).filesize = linkedit_newsize
} else {
linkedit.(*Segment32).filesize = uint32(linkedit_newsize)
}
// rewrite load commands
mc.UpdateHeaderRemoveLcmd(codesign.Cmdsize())
rewriteLoadcommandsWithoutCodesignature(mc)
// erase old LC_CODE_SIGNATURE data
old_codesign_lcmd_offset := func() uint64 {
loadcmd_size := int64(mc.Header().sizeofcmds)
if mc.Is64bit() {
return uint64(loadcmd_size) + Header_size_64
} else {
return uint64(loadcmd_size) + Header_size
}
}()
// size of codesign = sizeof linkedit_data_command = 4 * 4
mc.file.WriteAt(make([]byte, 4*4), int64(old_codesign_lcmd_offset))
// mc.file.Seek(old_codesign_lcmd_offset, io.SeekStart)
// mc.file.Write(make([]byte, 4*4))
return true
}
func (mc *MachoContext) RemoveInitFunctions() bool {
if mc.WriteEnabled() {
for _, ptr := range mc.InitFunctions() {
if mc.Is64bit() {
mc.file.WriteAt([]byte{0, 0, 0, 0, 0, 0, 0, 0}, int64(ptr.offset))
} else {
mc.file.WriteAt([]byte{0, 0, 0, 0}, int64(ptr.offset))
}
log.WithFields(log.Fields{
"offset": fmt.Sprintf("0x%x", ptr.Offset()),
"value": fmt.Sprintf("0x%x", ptr.Value()),
}).Debug("Remove init pointer")
}
return true
}
return false
}
func (mc *MachoContext) RemoveUnnecessaryInfo() bool {
for _, command := range mc.commands {
switch command.(type) {
case *LinkEdit:
var le = command.(*LinkEdit)
if le.Cmdname() != "LC_FUNCTION_STARTS" && le.Cmdname() != "LC_DATA_IN_CODE" {
continue
}
var start int64 = int64(le.dataoff)
var end int64 = start + int64(le.datasize)
for i := start; i < end; i++ {
mc.file.WriteAt([]byte{0}, i)
}
continue
default:
continue
}
}
return false
}
func (mc *MachoContext) RewriteHeader() {
var offset uint64
var start uint64
if mc.Is64bit() {
start = Header_size_64
} else {
start = Header_size
}
mc.file.Seek(0, io.SeekStart)
offset = start
for _, cmd := range mc.commands {
nwrite, _ := mc.file.WriteAt(cmd.Serialize(mc), int64(offset))
offset += uint64(nwrite)
}
mc.header.ncmds = uint32(len(mc.commands))
mc.header.sizeofcmds = uint32(offset - start)
mc.file.WriteAt(mc.header.Serialize(mc), 0)
}
func (mc *MachoContext) AddLoadCmd(lcmd LoadCommand) {
var offset uint64
payload := lcmd.Serialize(mc)
if uint64(len(payload)) > mc.PaddingSize() {
log.WithFields(log.Fields{
"cmd": lcmd,
"len(cmd)": len(payload),
"available": mc.PaddingSize(),
}).Panic("Not enough space to add load command")
}
if mc.Is64bit() {
offset = Header_size_64 + uint64(mc.header.sizeofcmds)
} else {
offset = Header_size + uint64(mc.header.sizeofcmds)
}
log.WithFields(log.Fields{
"cmd": lcmd.Cmdname(),
"size": len(payload),
"offset": offset,
}).Debug("Adding Load Command")
mc.file.WriteAt(payload, int64(offset))
mc.UpdateHeaderAddLcmd(uint32(len(payload)))
}
func (mc *MachoContext) AddDylib(dylib string) {
if mc.DylibExisted(dylib) {
log.WithFields(log.Fields{
"dylib": dylib,
}).Debug("Adding dylib but existed")
return
}
name := []byte(dylib)
name = append(name, 0)
dylib_lcmd := Dylib{
c: LoadCmd{cmd: LC_LOAD_DYLIB, cmdsize: 0},
name: name,
nameoff: 24,
timestamp: 0,
current_version: 0,
compatibility_version: 0,
}
mc.AddLoadCmd(&dylib_lcmd)
}
func (mc *MachoContext) AddRPath(rpath string) {
if mc.RPathExisted(rpath) {
log.WithFields(log.Fields{
"rpath": rpath,
}).Debug("Adding rpath but existed")
return
}
path := []byte(rpath)
path = append(path, 0)
rpath_lcmd := RPath{
c: LoadCmd{cmd: LC_RPATH, cmdsize: 0},
offset: 12,
path: path,
}
mc.AddLoadCmd(&rpath_lcmd)
}
func (mc *MachoContext) UpdateHeaderAddLcmd(size uint32) {
if mc.WriteEnabled() {
mc.header.ncmds += 1
mc.header.sizeofcmds += size
mc.file.WriteAt(mc.header.Serialize(mc), 0)
}
}
func (mc *MachoContext) UpdateHeaderRemoveLcmd(size uint32) {
if mc.WriteEnabled() {
mc.header.ncmds -= 1
mc.header.sizeofcmds -= size
mc.file.WriteAt(mc.header.Serialize(mc), 0)
}
}
func (mc *MachoContext) RemoveBindSymbols() {
if !mc.WriteEnabled() {
return
}
rand.Seed(time.Now().UnixNano())
isModernSymbol := mc.dyldinfo == nil
isLegacySymbol := !isModernSymbol
if isModernSymbol {
mc.removeBindSymbolsModern()
} else {
mc.removeBindSymbolsLegacy()
}
// Objective-C stub replaces main which can only appears in executable
if mc.Header().IsExecutable() {
mc.ReworkForObjc()
}
for _, symbol := range mc.CollectBindSymbols() {
if !symbol.SafeForRemoval() {
continue
}
if isLegacySymbol {
// for legacy resolve the opcodes can be rewritten as 0x00
mc.file.WriteAt(make([]byte, 8), int64(symbol.file_address))
} else {
// for modern resolve the opcodes must not be rewritten as 0x00
// because it contains 2 types of opcodes, BIND and REBASE
// we only fix BIND and leave REBASE intact
// However, each opcodes has a *next* field to the next opcode
// So if we want to leave the header intact (contains pointers, size)
// We should rewrite this as REBASE opcode (so no symbol lookup happens)
// and it can continue
// we can write random values, because the loader just do
// (high8 << 56 | target) - mach_header
// or something, so no symbol lookup and no error at runtime
target := rand.Int()
high8 := rand.Int()
value := C.MakeRebaseFixupOpcode(C.int(symbol.next), C.ulonglong(target), C.ulonglong(high8))
v := make([]byte, 8)
mc.byteorder.PutUint64(v, uint64(value))
fmt.Printf("change to rebase at %x\n", symbol.file_address)
mc.file.WriteAt(v, int64(symbol.file_address))
}
}
}
func (mc *MachoContext) removeBindSymbolsModern() {
// we don't mess up the chain
// we clear the imports table, and the raw opcodes
// clearing imports table disables static analysis
// clearing opcodes forces runtime manual mapping
// imports item are defined by mc.fixups.imports_format
// basic case is dyld_chained_import, 4 bytes
start := mc.fixups.dataoff
size := mc.fixups.datasize
fixups := new(Fixups)
fixups.Deserialize(mc, mc.buf[start:start+size])
start = mc.fixups.dataoff + fixups.imports_offset
size = fixups.imports_count * 4
fmt.Printf("// Erase at=0x%x size=0x%x\n", start, size)
mc.file.WriteAt(make([]byte, size), int64(start))
// string reference are at the end of this section
start = mc.fixups.dataoff + fixups.symbols_offset
size = mc.fixups.Datasize() - fixups.symbols_offset
fmt.Printf("// Erase at=0x%x size=0x%x\n", start, size)
mc.file.WriteAt(make([]byte, size), int64(start))
fixups.imports_count = 0
mc.file.WriteAt(fixups.Serialize(mc), int64(mc.fixups.dataoff))
}
func (mc *MachoContext) removeBindSymbolsLegacy() {
start := mc.dyldinfo.lazy_bind_off
size := mc.dyldinfo.lazy_bind_size
// set lazy opcodes to 0x00 == DO_BIND
// but no symbol state to bind
mc.file.WriteAt(make([]byte, size), int64(start))
}
func (mc *MachoContext) RewriteImportsTable(keepSymbols []string) {
allSymbols := mc.CollectBindSymbols()
fixups, fixupsOffset := mc.Fixups()
importTable := fixups.ImportsOffset(uint32(fixupsOffset))
symbolTable := fixups.SymbolsOffset(uint32(fixupsOffset))
symbolTablePtr := symbolTable
// in removeBindSymbolsModern, we erase these pointers in file
// but because we keep a few symbols, we need to rewrite the pointers
// as well as rebuild the import table and strings table, and bind values
// some symbols are annoyingly distributed by another library
// dispite the name asking for X, the dyld loads a Y library
// LC_DYLD_ID of Y is equal to X and dyld can resolve these symbols
// because we do not search for library using LC_DYLD_ID,
// paths are mistaken and will not resolve symbols
//
// the most common library that has this behavior is libintl
// and fixing the resolver takes time, we temporarily ignore this library
// and so we keep symbols referenced by libintl
intlSymbols := []string{}
for _, symbol := range allSymbols {
if symbol.Dylib() == "/usr/local/opt/gettext/lib/libintl.8.dylib" {
intlSymbols = append(intlSymbols, symbol.Name())
}
}
keepSymbols = append(keepSymbols, intlSymbols...)
keepCount := uint32(0)
for _, symbol := range keepSymbols {
name := symbol
lib := ""
parts := strings.Split(symbol, ",")
if len(parts) == 2 {
name = parts[0]
lib = parts[1]
}
symbolInfo := (*ImportSymbol)(nil)
for _, s := range allSymbols {
if s.Name() != name {
continue
}
if lib == "" || lib == s.Dylib() {
symbolInfo = s
break
}
}
if symbolInfo == nil {
// symbol not found
continue
}
fmt.Printf("keep symbol %s\n", name)
fmt.Printf("importTable at 0x%x; stringTable at 0x%x\n", importTable, symbolTablePtr)
fmt.Printf("bind value at 0x%x\n", symbolInfo.file_address)
// write string to string table
mc.file.WriteAt([]byte(name), int64(symbolTablePtr))
// fix bind value
rebaseOpcodeBytes := make([]byte, 8)
mc.file.ReadAt(rebaseOpcodeBytes, int64(symbolInfo.file_address))
rebaseOpcode := mc.byteorder.Uint64(rebaseOpcodeBytes)
bindOpcode := C.MakeBindFixupOpcodeFromRebase(C.uint64_t(rebaseOpcode), C.uint(keepCount))
{
v := make([]byte, 8)
mc.byteorder.PutUint64(v, uint64(bindOpcode))
mc.file.WriteAt(v, int64(symbolInfo.file_address))
}
// write import data to import table
entry := C.MakeImportTableEntry(C.uint(symbolInfo.LibOrdinal()), C.uint(symbolTablePtr-symbolTable))
{
v := make([]byte, 4)
mc.byteorder.PutUint32(v, uint32(entry))
mc.file.WriteAt(v, int64(importTable))
}
keepCount += 1
importTable += 4
symbolTablePtr += uint32(len(name)) + 1
}
fixups.imports_count = keepCount
mc.file.WriteAt(fixups.Serialize(mc), int64(mc.fixups.dataoff))
}
func (mc *MachoContext) RemoveSymbolTable() {
// try to remove symtab and dysymtab
mc.removeSymtabCommand()
mc.removeDySymtabCommand()
}
func (mc *MachoContext) removeSymtabCommand() {
ptr := int64(0)
if mc.Is64bit() {
ptr, _ = mc.file.Seek(int64(Header_size_64), io.SeekStart)
} else {
ptr, _ = mc.file.Seek(int64(Header_size), io.SeekStart)
}
var symtab_fix *Symtab
for _, cmd := range mc.commands {
if cmd.Cmd() != LC_SYMTAB {
ptr += int64(cmd.Cmdsize())
continue
}
var symtab = cmd.(*Symtab)
symtab_fix = symtab
// erase strings referenced
start := int64(symtab_fix.stroff)
size := symtab_fix.strsize
fmt.Printf("// Erase at=0x%x size=0x%x\n", start, size)
mc.file.WriteAt(make([]byte, size), start)
// erase nlist64 symbol items
start = int64(symtab_fix.symoff)
size = symtab_fix.nsyms * 16
fmt.Printf("// Erase at=0x%x size=0x%x\n", start, size)
mc.file.WriteAt(make([]byte, size), start)
symtab_fix.symoff = 0
symtab_fix.nsyms = 0
symtab_fix.stroff = 0
symtab_fix.strsize = 0
mc.file.Seek(ptr, io.SeekStart)
mc.file.Write(symtab_fix.Serialize(mc))
break
}
mc.file.Seek(0, io.SeekStart)
}
func (mc *MachoContext) removeDySymtabCommand() {
ptr := int64(0)
if mc.Is64bit() {
ptr, _ = mc.file.Seek(int64(Header_size_64), io.SeekStart)
} else {
ptr, _ = mc.file.Seek(int64(Header_size), io.SeekStart)
}
for _, cmd := range mc.commands {
if cmd.Cmd() != LC_DYSYMTAB {
ptr += int64(cmd.Cmdsize())
continue
}
var dysymtab = cmd.(*DySymtab)
dysymtab_fix := dysymtab
dysymtab_fix.indirectsymoff = 0
dysymtab_fix.nindirectsyms = 0
mc.file.Seek(ptr, io.SeekStart)
mc.file.Write(dysymtab_fix.Serialize(mc))
}
}
func (mc *MachoContext) RemoveExportTrie() {
var start int64
var size int
if mc.dyldinfo != nil {
// legacy export trie
start = int64(mc.dyldinfo.export_off)
size = int(mc.dyldinfo.export_size)
mc.file.WriteAt(make([]byte, size), start)
} else if mc.exports != nil {
// modern export trie
start = int64(mc.exports.dataoff)
size = int(mc.exports.datasize)
mc.file.WriteAt(make([]byte, size), start)
} else {
// no export trie (??)
// should never occur unless this binary is modified
}
}
// this function breaks the file by adding another segment at
// the end of the file
func (mc *MachoContext) RemoveStrings() {
// add a new writable segment with a section
// loop over the instructions for adrp,add instructions
// if the access points to old cstring section, update
// with new values from the new segment and section.
// data references, e.g., pointer to string, are compiled
// into Rebase symbol, so actively check for rebase and
// rewrite the rebase value to new segment, section offset.
// save the strings into a file for recovery. should keep linear
// format as before, or customized order, if want complex.
// __LINKEDIT must be at the end of the section for the binary
// to be able to resign, so we have to move __LINKEDIT down
// by how much? by the page aligned size of the added segment
// but __LINKEDIT also contains data for link time data
// (fixed ups and bytecode chain) so have to modify
// their reference down too,
// symtab and dysymtab can be ignored, by removing them lmao
var cstring *Section64;
for _, command := range mc.commands {
switch command.(type) {
case *Segment64:
var segment = command.(*Segment64)
if bytes.Compare(bytes.Trim(segment.SegName(), "\x00"), []byte("__TEXT")) == 0 {
for _, section := range segment.Sections() {
if bytes.Compare(bytes.Trim(section.SectName(), "\x00"), []byte("__cstring")) == 0 {
cstring = section.(*Section64)
}
}
}
continue
default:
continue
}
}
if cstring == nil {
return
}
// get last segment, as the start point we extend from
// this assumes that the segment are ordered correctly,
// first segment offset is lower then second segment offset,
// and so on, yielding last segment is the last part of the
// binary. Our new segment add another part to the binary
// at the end.
// last segment is always the linkedits
last_segment := mc.Segments()[len(mc.Segments()) - 1]
fmt.Printf("last segment %v %s\n", last_segment, string(last_segment.SegName()))
// all data must be inside the segment (or in header)
// occupy the segment of linkedit and move linkedit down
segstart := last_segment.Vmaddr()
// segment must be page aligned, and the size is based on
// the section size
secstart := segstart
secsize := cstring.Size()
filestart := last_segment.Fileoff()
// align to page address, not sure if neccessary, because the
// loader can pick up from anywhere and load in memory (mmap)
if filestart % 0x4000 != 0 {
filestart += 0x4000 - (filestart % 0x4000)
}
fmt.Printf("section size %x\n", secsize)
secsize_aligned := uint64(0)
if secsize % 0x4000 == 0 {
// very rare, but possible, it occupies whole pages
secsize_aligned = secsize
} else {
secsize_aligned = secsize + (0x4000 - (secsize % 0x4000))
}
filesize := secsize_aligned
segname := make([]byte, 16)
copy(segname, []byte("__BSHIELD"))
secname := make([]byte, 16)
copy(secname, []byte("__secrets"))
fmt.Printf("segstart %x\n", segstart)
fmt.Printf("file_start %x\n", filestart)
// size of the section and segment is defined by the total
// space for strings required
new_cstring_section := Section64{
sectname: secname,
segname: segname,
addr: secstart,
size: secsize,
offset: uint32(filestart),
align: 3, // idk, see AddSection
reloff: 0,
nreloc: 0,
flags: 0,
reserved1: 0,
reserved2: 0,
reserved3: 0,
}
string_segment := Segment64{
c: LoadCmd{cmd: LC_SEGMENT_64, cmdsize: 0},
segname: segname,
vmaddr: segstart,
vmsize: secsize_aligned,
fileoff: filestart,
filesize: filesize,
maxprot: 3, // read/write
initprot: 3, // read/write
nsects: 1,
flags: 0,
sections: []*Section64{&new_cstring_section},
}
// rewrite the header to be correct
// mc.AddLoadCmd(&string_segment)
edit_segname := make([]byte, 16)
copy(edit_segname, []byte("__LINKEDIT"))
edit_segment := Segment64{
c: LoadCmd{cmd: LC_SEGMENT_64, cmdsize: 0},
segname: edit_segname,
vmaddr: segstart + secsize_aligned, // move down
vmsize: last_segment.Vmsize(),
fileoff: filestart + filesize,
filesize: last_segment.Filesize(),
maxprot: 1, // read/write
initprot: 1, // read/write
nsects: 0,
flags: 0,
sections: []*Section64{},
}
// modify the segment list
mc.segments[len(mc.segments) - 1] = &string_segment
mc.segments = append(mc.segments, &edit_segment)
// modify the command list
for i, cmd := range mc.commands {
if cmd.(*Segment64) == last_segment.(*Segment64) {
mc.commands = append(mc.commands[:i + 1], mc.commands[i:]...)
mc.commands[i] = &string_segment
mc.commands[i + 1] = &edit_segment
break
}
}
// modify offset in other commands to use new link edit offset
edit_offset_migrate := func (file_offset uint64) uint64 {
// they should keep the old offset,
// but the base related to linkedit is modified
relative_offset := file_offset - last_segment.Fileoff()
return relative_offset + edit_segment.Fileoff()
}
for _, cmd := range mc.commands {
if lcmd, ok := cmd.(*LinkEdit); ok {
lcmd.dataoff = uint32(edit_offset_migrate(uint64(lcmd.dataoff)))
}
if lcmd, ok := cmd.(*Symtab); ok {
lcmd.stroff = uint32(edit_offset_migrate(uint64(lcmd.stroff)))
lcmd.symoff = uint32(edit_offset_migrate(uint64(lcmd.symoff)))
}
if lcmd, ok := cmd.(*DySymtab); ok {
lcmd.indirectsymoff = uint32(edit_offset_migrate(uint64(lcmd.indirectsymoff)))
}
}
mc.RewriteHeader()
tmp_file := mc.file.Name()
// has to reopen file as append
mc.file.Close()
mc.file, _ = os.OpenFile(tmp_file, os.O_RDWR | os.O_APPEND, 0644)
// make extra space
expected_end := edit_segment.Fileoff() + edit_segment.Filesize()
end, _ := mc.file.Seek(0, io.SeekEnd)
if end < int64(expected_end) {
mc.file.WriteAt(make([]byte, expected_end - uint64(end)), end)
}
// close and reopen as read/write, the buffer at the end is now empty
mc.file.Close()
mc.file, _ = os.OpenFile(tmp_file, os.O_RDWR, 0644)
// peek at old link edit and move down
old_linkedit := make([]byte, last_segment.Filesize())
mc.file.ReadAt(old_linkedit, int64(last_segment.Fileoff()))
mc.file.WriteAt(old_linkedit, int64(edit_segment.Fileoff()))
// prepare dummy bytes into new string segment, 0 for now
dummy := make([]byte, edit_segment.Fileoff() - string_segment.Fileoff())
copy(dummy, []byte("We R BShield\n"))
mc.file.WriteAt(dummy, int64(string_segment.Fileoff()))
// TODO: erase old strings
// re-read internal buffer
last, _ := mc.file.Seek(0, io.SeekEnd)
mc.buf = make([]byte, last)
mc.file.Seek(0, io.SeekStart)
if _, err := io.ReadFull(mc.file, mc.buf); err != nil {
// panic?
}
// loop over __TEXT,__text and find all occurances of (adrp, add)
// edit the offset to points to new region
// because adrp sets the register to the address page at its address
// (for page align 0x4000), e.g.,
// `adrp x0` instruction at 0x100003f70, yields x0 = 0x100003000
// technically, adrp can offset as far as 33-bit, roughly 4GB memory
// so we should be very free, because very few program goes this far
// but if this happens, god bless you
// encoding ADRP is actually hard hmmge?
// this part uses file offsets for calculations
in_cstring := func (offset uint64) bool {
cstring_start := uint64(cstring.Offset())
cstring_end := cstring_start + cstring.Size()
return (offset >= cstring_start) && (offset < cstring_end)
}
text := mc.segments[1]
text_start := text.Fileoff()
text_end := text_start + text.Filesize()
inst := make([]byte, 4)
for addr := text_start; addr < text_end; addr = addr + 4 {
mc.file.ReadAt(inst, int64(addr))
inst_adrp := binary.LittleEndian.Uint32(inst)
mc.file.ReadAt(inst, int64(addr + 4))
inst_add := binary.LittleEndian.Uint32(inst)
if !(C.is_adrp(C.uint(inst_adrp)) != 0 && C.is_add(C.uint(inst_add)) != 0) {
continue
}
base := (addr >> 12) << 12
// calculate the old string reference
ref_base := C.adrp_imm_get(C.uint(inst_adrp))
ref_offset := C.add_imm_get(C.uint(inst_add))
ref := base + uint64(ref_base + ref_offset)
if (!in_cstring(ref)) {
continue
}
oldstr := uint64(ref)
oldstr_relative := oldstr - uint64(cstring.Offset())
// find the new string address
// using oldstr relative address to cstring section
newstr := uint64(new_cstring_section.Offset()) + oldstr_relative
newstr_base := (newstr >> 12) << 12 // to calculate new offset in adrp
newstr_offset := newstr - newstr_base // to calculate new offset in add
C.adrp_imm_set((*C.uint32_t)(unsafe.Pointer(&inst_adrp)), C.uint(newstr_base - base))
C.add_imm_set((*C.uint32_t)(unsafe.Pointer(&inst_add)), C.uint(newstr_offset))
binary.LittleEndian.PutUint32(inst, inst_adrp)
mc.file.WriteAt(inst, int64(addr))
binary.LittleEndian.PutUint32(inst, inst_add)
mc.file.WriteAt(inst, int64(addr + 4))
}
// modify the rebase table (for both opcode and fixups chain versions)
// this is for pointer references
isModernSymbol := mc.dyldinfo == nil
isLegacySymbol := !isModernSymbol
for _, symbol := range mc.CollectBindSymbols() {
if isLegacySymbol {
} else {
// (high8 << 56 | target) - mach_header
ref := uint64(symbol.high8 << 56 | symbol.target)
if (!in_cstring(ref)) {
continue
}
oldstr := ref
oldstr_relative := oldstr - uint64(cstring.Offset())
newstr := uint64(new_cstring_section.Offset()) + oldstr_relative
target := newstr & 0x00FFFFFFFFFFFFFF
high8 := newstr >> 56
value := C.MakeRebaseFixupOpcode(C.int(symbol.next), C.ulonglong(target), C.ulonglong(high8))
v := make([]byte, 8)
mc.byteorder.PutUint64(v, uint64(value))
fmt.Printf("change to rebase at %x\n", symbol.file_address)
mc.file.WriteAt(v, int64(symbol.file_address))
}
}
}
func (mc *MachoContext) AddSection(segname string, name string, size int) Section {
// mc.file.WriteAt(mc.header.Serialize(mc), 0)
var ret Section
var buffer bytes.Buffer
for _, command := range mc.commands {
switch command.(type) {
case *Segment64:
var virtualAddr uint64
var fileOffset uint64
var segment = command.(*Segment64)
if bytes.Compare(bytes.Trim(segment.SegName(), "\x00"), []byte(segname)) != 0 {
buffer.Write(segment.Serialize(mc))
continue
} else {
virtualAddr = segment.Vmaddr()
fileOffset = segment.Fileoff()
for _, section := range segment.Sections() {
virtualAddr += section.Size()
// if section.Offset() != 0 {
fileOffset += section.Size()
// }
}
align := uint64(4)
alignment := align - (fileOffset % align)
fileOffset += alignment
virtualAddr += alignment
enoughSpace := segment.Fileoff()+segment.Filesize() >= fileOffset+uint64(size)
if !enoughSpace {
fmt.Println("Not enough space to store saved info in __DATA segment, need resize (not supported now)")
panic("Not enough space to store saved info in __DATA segment, need resize (not supported now)")
}
}
var section Section64
section.sectname = make([]byte, 16)
copy(section.sectname, name)
section.segname = make([]byte, 16)
copy(section.segname, segname)
section.size = uint64(size)
section.reloff = 0
section.nreloc = 0
section.flags = 0
section.align = 3
section.reserved1 = 0
section.reserved2 = 0
section.reserved3 = 0
// addr will increment from the last section
// offset will increment from the last section + size
// be careful of Virtual section (bss)
section.addr = virtualAddr
section.offset = uint32(fileOffset)
segment.nsects += 1
buffer.Write(segment.Serialize(mc))
buffer.Write(section.Serialize(mc))
fmt.Printf("Add a new section with addr=0x%x, fileoffset=0x%x\n", section.addr, section.offset)
ret = &section
continue
default:
buffer.Write(command.Serialize(mc))
continue
}
}
mc.header.sizeofcmds = uint32(buffer.Len())
header := mc.header.Serialize(mc)
mc.file.WriteAt(header, 0)
mc.file.WriteAt(buffer.Bytes(), int64(len(header)))
return ret
}
func (mc *MachoContext) WriteInfoToData(info *protomodel.MachoInfo) {
encode := func() []byte {
buffer := new(bytes.Buffer)
for _, table := range info.Symbols.Tables {
binary.Write(buffer, mc.byteorder, table.LibIndex)
binary.Write(buffer, mc.byteorder, table.Nsymbols)
for _, symbol := range table.Symbols {
binary.Write(buffer, mc.byteorder, (symbol.SymbolIndex<<8)|symbol.SegmentIndex)
binary.Write(buffer, mc.byteorder, symbol.Offset)
}
}
instructions := buffer.Bytes()
buffer = new(bytes.Buffer)
for _, lib := range info.Symbols.Libs {
buffer.WriteString(lib)
buffer.WriteByte(0)
}
liblist := buffer.Bytes()
buffer = new(bytes.Buffer)
for _, symbol := range info.Symbols.Symbols {
buffer.WriteString(symbol)
buffer.WriteByte(0)
}
symbollist := buffer.Bytes()
buffer = new(bytes.Buffer)
// offset to liblist
binary.Write(buffer, mc.byteorder, uint32(len(instructions)))
// offset to symbollist
binary.Write(buffer, mc.byteorder, uint32(len(instructions)+len(liblist)))
buffer.Write(instructions)
buffer.Write(liblist)
buffer.Write(symbollist)
return buffer.Bytes()
}
encoded := encode()
// encoded := []byte{0x11,0x22,0x33, 0x44}
section := mc.AddSection("__DATA", "selfbind", len(encoded))
if mc.Is64bit() {
var s *Section64 = section.(*Section64)
mc.file.WriteAt(encoded, int64(s.Offset()))
} else {
var s *Section32 = section.(*Section32)
mc.file.WriteAt(encoded, int64(s.Offset()))
}
}
Reference in New Issue View Git Blame Copy Permalink