
-irobf-icall crashes reliably on arm64e, iOS 13.1.3 #33

@WYK15

Description

With -irobf-icall enabled, the app crashes reliably on an iPhone 11 running iOS 13.1.3.
The relevant crash log is below. Looking at the address, the X9 register holds an out-of-range address; it differs from the original address by 0x4000000000000000, and a SIGSEGV is raised:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x40000001a5284998 -> 0x00000001a5284998 (possible pointer authentication failure)
VM Region Info: 0x1a5284998 is in 0x1a526a000-0x1a529b000;  bytes after start: 108952  bytes before end: 91751
      REGION TYPE                      START - END             [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      __TEXT                 00000001a525f000-00000001a526a000 [   44K] r-x/r-x SM=COW  ...pthread.dylib
--->  __TEXT                 00000001a526a000-00000001a529b000 [  196K] r-x/r-x SM=COW  ...bobjc.A.dylib
      __TEXT                 00000001a529b000-00000001a5307000 [  432K] r-x/r-x SM=COW  ...ecrypto.dylib

Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [838]
Triggered by Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libobjc.A.dylib               	0x00000001a5284998 0x1a526a000 + 108952
1   TestTant                             0x00000001022407bc 0x10223c000 + 18364
2   UIKitCore                     	0x00000001a8fb0364 0x1a8bbb000 + 4150116
3   UIKitCore                     	0x00000001a8fb4f98 0x1a8bbb000 + 4169624
4   UIKitCore                     	0x00000001a8fb5384 0x1a8bbb000 + 4170628
5   UIKitCore                     	0x00000001a962394c 0x1a8bbb000 + 10914124
6   UIKitCore                     	0x00000001a9623048 0x1a8bbb000 + 10911816
7   UIKitCore                     	0x00000001a9623fe4 0x1a8bbb000 + 10915812
8   UIKitCore                     	0x00000001a96351c8 0x1a8bbb000 + 10985928
9   UIKitCore                     	0x00000001a982171c 0x1a8bbb000 + 13002524
10  UIKitCore                     	0x00000001a8bfdd24 0x1a8bbb000 + 273700
11  UIKitCore                     	0x00000001a95e74ac 0x1a8bbb000 + 10667180
12  UIKitCore                     	0x00000001a95e783c 0x1a8bbb000 + 10668092
13  UIKitCore                     	0x00000001a918cd7c 0x1a8bbb000 + 6102396
14  FrontBoardServices            	0x00000001aa6bf014 0x1aa6b2000 + 53268
15  FrontBoardServices            	0x00000001aa6e5bd0 0x1aa6b2000 + 211920
16  FrontBoardServices            	0x00000001aa6ca0f8 0x1aa6b2000 + 98552
17  FrontBoardServices            	0x00000001aa6e5864 0x1aa6b2000 + 211044
18  libdispatch.dylib             	0x00000001a51fd00c 0x1a51fa000 + 12300
19  libdispatch.dylib             	0x00000001a51ffd50 0x1a51fa000 + 23888
20  FrontBoardServices            	0x00000001aa70c384 0x1aa6b2000 + 369540
21  FrontBoardServices            	0x00000001aa70c030 0x1aa6b2000 + 368688
22  FrontBoardServices            	0x00000001aa70c59c 0x1aa6b2000 + 370076
23  CoreFoundation                	0x00000001a54d1260 0x1a5423000 + 713312
24  CoreFoundation                	0x00000001a54d11b4 0x1a5423000 + 713140
25  CoreFoundation                	0x00000001a54d0970 0x1a5423000 + 711024
26  CoreFoundation                	0x00000001a54cb7ec 0x1a5423000 + 690156
27  CoreFoundation                	0x00000001a54cb098 0x1a5423000 + 688280
28  GraphicsServices              	0x00000001af635534 0x1af632000 + 13620

Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000280f05480 x1: 0x00000001dd40a328 x2: 0x000000010232c4f0 x3: 0x0000000000000008
x4: 0x0000000280f05500 x5: 0x0000000000000000 x6: 0x0000000000000000 x7: 0x0000000000000000
x8: 0x0000000013ee49e4 x9: 0x40000001a5284998 x10: 0x00000000ab39e4f6 x11: 0x0000000000000008
x12: 0x0000000000000008 x13: 0x0000000000000000 x14: 0x0000000000000001 x15: 0x0000000000000019
x16: 0x5d792401022c7cac x17: 0x00000001022c7cac x18: 0x0000000000000000 x19: 0x0000000000000000
x20: 0x000000014c206300 x21: 0x00000001eb2d2000 x22: 0x00000001dd384784 x23: 0x0000000000000001
x24: 0x0000000000000001 x25: 0x00000001e294b888 x26: 0x000000014c205030 x27: 0x00000001eb253000
x28: 0x00000001dd38dda7 fp: 0x000000016dbc1e30 lr: 0x00000001022c7d0c
sp: 0x000000016dbc1e00 pc: 0x40000001a5284998 cpsr: 0x20000000
esr: 0x82000004 (Instruction Abort) Translation fault

After disassembling in IDA, the code that computes the X9 address is:

; __unwind {
__text:000000000000077C                 SUB             SP, SP, #0x40
__text:0000000000000780                 STP             X29, X30, [SP,#0x30+var_s0]
__text:0000000000000784                 ADD             X29, SP, #0x30
__text:0000000000000788                 MOV             W8, #0x7B65
__text:000000000000078C                 MOVK            W8, #0xA0CA,LSL#16
__text:0000000000000790                 STUR            W8, [X29,#var_4]
__text:0000000000000794                 MOV             W8, #0x9B12
__text:0000000000000798                 MOVK            W8, #0x974B,LSL#16
__text:000000000000079C                 STUR            W8, [X29,#var_C]
__text:00000000000007A0                 LDUR            W8, [X29,#var_C]
__text:00000000000007A4                 STR             X0, [SP,#0x30+var_18]
__text:00000000000007A8                 STR             X1, [SP,#0x30+var_20]
__text:00000000000007AC                 STR             X2, [SP,#0x30+var_28]
__text:00000000000007B0                 LDR             X1, [SP,#0x30+var_20]
__text:00000000000007B4                 LDR             X0, [SP,#0x30+var_18]
__text:00000000000007B8                 LDR             X2, [SP,#0x30+var_28]
__text:00000000000007BC                 ADRP            X9, #__option_setOname___IndirectCallees@PAGE ; -[SmOption setOrganization:]_IndirectCallees
__text:00000000000007C0                 LDR             X9, [X9,#__option_setOname___IndirectCallees@PAGEOFF] ; -[SmOption setOrganization:]_IndirectCallees
__text:00000000000007C4                 MOV             W10, #0xE4F6
__text:00000000000007C8                 MOVK            W10, #0xAB39,LSL#16
__text:00000000000007CC                 SUBS            W8, W10, W8
__text:00000000000007D0                 ADD             X9, X9, W8,SXTW
__text:00000000000007D4                 MOV             X3, #8
__text:00000000000007D8                 BLR             X9
__text:00000000000007DC                 LDP             X29, X30, [SP,#0x30+var_s0]
__text:00000000000007E0                 ADD             SP, SP, #0x40
__text:00000000000007E4                 RET
__text:00000000000007E4 ; } // starts at 77C
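The following is an added example, not code from the issue or from the obfuscator project. It reconstructs in C the call-site pattern visible in the listing: a table entry holding the callee address minus a delta, and a call site that rebuilds the delta from two immediates (W10 - W8 = 0xAB39E4F6 - 0x974B9B12 = 0x13EE49E4, which is exactly the x8 value in the register dump) and adds it before branching. The two immediates are taken from the disassembly; the function names, table layout, the `looks_like_pac_failure` triage helper and the arm64e branch that strips and re-signs the pointer with `<ptrauth.h>` are assumptions for illustration. On a non-arm64e host the ptrauth branch compiles out and the plain table arithmetic runs.

```c
#include <stdint.h>
#include <stdio.h>

#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if __has_feature(ptrauth_calls)
#include <ptrauth.h>   /* arm64e only: ptrauth_strip / ptrauth_sign_unauthenticated */
#endif

typedef int (*op_fn)(int, int);

/* Hypothetical callees standing in for the obfuscated -[SmOption setOrganization:] target. */
static int add_op(int a, int b) { return a + b; }
static int mul_op(int a, int b) { return a * b; }

/* Immediates copied from the listing: W8 is built with MOV/MOVK as 0x974B9B12,
 * W10 as 0xAB39E4F6, and the call site executes SUBS W8, W10, W8. */
#define KEY_W8  0x974B9B12u
#define KEY_W10 0xAB39E4F6u

/* The 32-bit delta added to the table entry; equals x8 (0x13ee49e4) in the crash dump. */
uint32_t callee_delta(void) {
    return KEY_W10 - KEY_W8;
}

/* Encode one _IndirectCallees entry: real address minus the delta.
 * On arm64e a C function pointer carries a PAC signature in its high bits, so the
 * signature must be stripped before any arithmetic; adding a delta to the signed
 * value yields a value that is neither a valid signed pointer nor a valid address. */
uintptr_t encode_entry(op_fn f) {
    uintptr_t raw = (uintptr_t)f;
#if __has_feature(ptrauth_calls)
    raw = (uintptr_t)ptrauth_strip(f, ptrauth_key_function_pointer);
#endif
    return raw - (uintptr_t)(int64_t)(int32_t)callee_delta();
}

/* Decode mirrors ADD X9, X9, W8, SXTW: the delta is sign-extended to 64 bits.
 * On arm64e the raw address has to be re-signed before it is used as a function
 * pointer, otherwise the authenticated call the compiler emits for it fails. */
op_fn decode_entry(uintptr_t entry) {
    uintptr_t raw = entry + (uintptr_t)(int64_t)(int32_t)callee_delta();
#if __has_feature(ptrauth_calls)
    return ptrauth_sign_unauthenticated((op_fn)raw, ptrauth_key_function_pointer, 0);
#else
    return (op_fn)raw;
#endif
}

/* Obfuscated dispatch: build the encoded table and call through it (the BLR X9 step). */
int obf_call(int which, int a, int b) {
    static const op_fn callees[] = { add_op, mul_op };
    uintptr_t table[2];
    for (int i = 0; i < 2; i++) table[i] = encode_entry(callees[i]);
    return decode_entry(table[which])(a, b);
}

/* Triage helper for the log: pc 0x40000001a5284998 was reported as
 * 0x00000001a5284998 "(possible pointer authentication failure)". User-space code
 * addresses on 64-bit iOS fit in the low 48 bits, so set bits above them are
 * PAC or PAC-error bits rather than part of the address. */
int looks_like_pac_failure(uint64_t pc) {
    return (pc >> 48) != 0;
}

uint64_t strip_high_bits(uint64_t pc) {
    return pc & 0x0000FFFFFFFFFFFFull;
}

int main(void) {
    uint64_t pc = 0x40000001a5284998ull;
    printf("delta = 0x%08x\n", callee_delta());
    printf("obf_call(0,3,4) = %d, obf_call(1,3,4) = %d\n", obf_call(0, 3, 4), obf_call(1, 3, 4));
    printf("pc %#llx -> %#llx pac_failure=%d\n", (unsigned long long)pc,
           (unsigned long long)strip_high_bits(pc), looks_like_pac_failure(pc));
    return 0;
}
```

Two caveats follow from the arm64e branch. First, `ptrauth_sign_unauthenticated` on an address computed from data is a signing gadget: whoever controls the table entry or the delta obtains a correctly signed function pointer, so pointer authentication no longer protects this call site, which is the trade-off any software-decoded indirect-call obfuscation makes on arm64e. Second, the crash log alone shows only that the value in X9 had a high bit set when the branch executed; whether the table entry was signed, rebased, or mis-relocated has to be confirmed by dumping the `_IndirectCallees` entry on the device.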
