How to know the memory location where the __text section is loaded

Hi,

How do we know at which memory location the __text section of the __TEXT segment is loaded in memory for an app which is running? Is there any tool to find that out? If yes, please let me know.

Thanks Nick

@MouthPutCleanDot FYI

Try to remove the Mach-O header PIE flag, or use the lldb command line "image lookup" on the __TEXT segment.

Hi,
Thanks for your reply. I will dig into it.

I already tried the vmmap utility for iOS, but it gives an error. I tried procexp for iOS but could not make it out.

Currently reading about the Mach-O file format and all the sections and segment stuff, load commands.
I think I'll soon figure out how all this is loaded.

Thanks once again. NickIN

What’re you doing this for?

For memory-loading a dylib?

Hi,

I need to patch a few locations and see what happens in the app.

Here is a small piece of code from IDA

__text:001A8B92                 SUBS            R0, #1  ; switch 15 cases
__text:001A8B94                 CMP             R0, #0xE ; Set cond. codes on Op1 - Op2
__text:001A8B96                 BHI.W           def_1A8B9A ; jumptable 001A8B9A for all ERROR Need to NOP it.
__text:001A8B9A                 TBH.W           [PC,R0,LSL#1] ; switch jump
__text:001A8B9A ; ---------------------------------------------------------------------------

I need to NOP the instruction at 001A8B96 and see the program behaviour, because that leads to all the different error codes.

Thanks, NickIN

You can set a breakpoint after the CMP and change the result dynamically in LLDB, then see what happens.

Hi,

I will try lldb soon. I'll be getting my high-end Mac Mini soon.

So far I don't have any Mac. PuTTY, a jailbroken iOS device, IDA and the app.
GDB as the debugger. In this struggle of patching I am learning the concepts thoroughly.

The Mach-O file format will be in the back of my head soon. I am digging into it thoroughly, and I feel it's a must if you need to code your own tools for RE purposes in the future.

LLDB is another tool that I need to learn. I have only read about it in books so far.

Thanks for your feedback as always. Appreciate it.

Regards, NickIN

Hi,

Just wanted to update you on what I have learnt, so newbies don't struggle as much as I did.

How to get the PID of an app.

Method 1: At first I struggled to get the PID of a running process. So I installed an app, DeviceStat, which gives the PID of the app.

Method 2: I kept learning and found a tool, procexp for iOS, which gives us many details of running processes.
I am still trying to understand the tool's output. Just search Google for "procexp iOS" to get the utility.

Method 3: GDB gets installed once we jailbreak. I hope I am correct.

Run GDB, and once you are at the GDB prompt type the command below.

info mach-tasks

Results from my iPhone. It has 76 processes running. The first digits are the PID.

76 processes:
pasteboardd is 304 has task 0x5903
ExampleAPP is 303 has task 0x5a03 <---- Interested in this APP
AppIndexer is 302 has task 0x5b03

(removed for clarity)

kernel_task is 0 has task 0x5803

So far so good.

Now I'll try to answer my own question, where the __text section got loaded in memory. Here we go.

I was interested in
ExampleAPP is 303 has task 0x5a03 <---- Interested in this APP

So we will attach to it in gdb with the command below

attach 303

Once gdb has attached to it, we give the command below

info mach-regions

Below is the result.

(gdb) info mach-regions
Region from 0xe5000 to 0x579000 (r-x, max r-x; copy, private, not-reserved) (2 sub-regions)
… from 0x579000 to 0x5d9000 (rw-, max rw-; copy, private, not-reserved) (3 sub-regions)

It's a long list, but we are only interested in the first 2 addresses for the time being.

Now if we dump the memory at address 0xe5000
(gdb) x 0xe5000
0xe5000: 0xfeedface <----- Signature of the 32-bit OS X native binary format

So, to find your routine for patching in the __text section. Below is code from IDA for ExampleAPP

__text:001A8B90 07 98                  LDR             R0, [SP,#0x6D8+var_6BC]
__text:001A8B92 01 38                  SUBS            R0, #1  ; switch 15 cases
__text:001A8B94 0E 28                  CMP             R0, #0xE
__text:001A8B96 00 F2 27 87            BHI.W           def_1A8B9A ; jumptable 001A8B9A default case
__text:001A8B9A DF E8 10 F0            TBH.W           [PC,R0,LSL#1] ; switch jump

The compare is at offset 0x1A8B94; to find the exact location in GDB we need to calculate the memory location.

In IDA the Header starts at 0x4000.
Our Header starts at 0xe5000

To get to the 0x1A8B94 location we have to subtract the IDA header start, which is 0x4000, and add our new header start, which is 0xE5000

So 0x1A8B94 - 0x4000 + 0xE5000 = 0x289b94

So if we give the command below

(gdb) x /10 0x289b94
0x289b94: 0xf200280e 0xe8df8727 0x000ff010 0x00e4007c
0x289ba4: 0x01db0173 0x02b2024d 0x0394031a 0x040803d9
0x289bb4: 0x04dc0472 0x05b00546

Check the byte ordering: IDA uses little-endian, so we need to reverse it,
so 0x0e2800F2 0x2787dfe8 0x10f00f00

Hope it helps.

Now I need to patch this location, so I will dig into it again and update you with the results.

Regards, NickIN

Note: I don't have a Mac and do the study part with Windows only.
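The address translation and byte-order remarks in this post, put into code as an added example (written for this page, not by NickIN or any of the other posters): it recomputes 0x289b94 from the IDA address, re-reads the gdb word dump as little-endian Thumb halfwords so the 2-byte CMP can be told apart from the 4-byte BHI.W and TBH.W, and then overwrites the BHI.W with two 16-bit Thumb NOPs in a copy of the bytes. The ten sample bytes are the ones gdb printed above; writing the patched bytes back into the live process (gdb's set command, or a file patch) is deliberately not done here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IDA address -> live address in the attached process: replace IDA's image
 * base (0x4000 here) with the base gdb reported in "info mach-regions"
 * (0xe5000). This is the post's subtraction and addition in one place. */
static uint32_t ida_to_runtime(uint32_t ida_addr, uint32_t ida_base, uint32_t runtime_base)
{
    return ida_addr - ida_base + runtime_base;
}

/* Thumb code is a stream of little-endian 16-bit halfwords. gdb's "x" prints
 * 32-bit words, so the FIRST halfword is the LOW 16 bits of each word:
 * 0xf200280e at 0x289b94 is really 0e 28 | 00 f2 in memory. */
static uint16_t read_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void write_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Thumb-2 length rule: if bits[15:11] of the first halfword are 0b11101,
 * 0b11110 or 0b11111 the instruction is 32-bit, otherwise 16-bit. */
static size_t thumb_insn_len(uint16_t hw1)
{
    unsigned top5 = hw1 >> 11;
    return (top5 == 0x1d || top5 == 0x1e || top5 == 0x1f) ? 4 : 2;
}

/* Walk the buffer instruction by instruction, recording each start offset.
 * Stops at a halfword that would begin a truncated 32-bit instruction. */
static size_t thumb_walk(const uint8_t *code, size_t len, size_t *offs, size_t max)
{
    size_t n = 0, off = 0;
    while (n < max && off + 2 <= len) {
        size_t l = thumb_insn_len(read_le16(code + off));
        if (off + l > len) break;
        offs[n++] = off;
        off += l;
    }
    return n;
}

/* Overwrite the instruction at 'off' with 16-bit Thumb NOPs (encoding 0xBF00),
 * keeping its size so the TBH.W and the jump table that follow stay where the
 * PC-relative addressing expects them. Returns bytes patched, 0 on failure. */
static size_t nop_thumb_at(uint8_t *code, size_t len, size_t off)
{
    if (off + 2 > len) return 0;
    size_t l = thumb_insn_len(read_le16(code + off));
    if (off + l > len) return 0;
    for (size_t i = 0; i < l; i += 2) write_le16(code + off + i, 0xBF00);
    return l;
}

/* The 10 code bytes gdb showed at 0x289b94 (words 0xf200280e 0xe8df8727
 * 0x000ff010, low halfword first): CMP R0,#0xE / BHI.W / TBH.W. The jump
 * table that starts right after is deliberately left out of the buffer. */
static const uint8_t SAMPLE_DUMP[10] = { 0x0e,0x28, 0x00,0xf2,0x27,0x87, 0xdf,0xe8,0x10,0xf0 };
static uint8_t g_patched[sizeof SAMPLE_DUMP];

static size_t sample_insn_count(void)
{
    size_t offs[8];
    return thumb_walk(SAMPLE_DUMP, sizeof SAMPLE_DUMP, offs, 8);
}

/* The post's plan: locate the BHI.W at IDA address 0x1A8B96 inside the dump
 * and NOP it. Returns the number of bytes replaced (4 for a BHI.W). */
static size_t patch_sample(void)
{
    uint32_t dump_base = ida_to_runtime(0x1A8B94, 0x4000, 0xE5000);   /* 0x289b94 */
    uint32_t target    = ida_to_runtime(0x1A8B96, 0x4000, 0xE5000);   /* 0x289b96 */
    memcpy(g_patched, SAMPLE_DUMP, sizeof g_patched);
    return nop_thumb_at(g_patched, sizeof g_patched, target - dump_base);
}

int main(void)
{
    size_t offs[8], n = thumb_walk(SAMPLE_DUMP, sizeof SAMPLE_DUMP, offs, 8);
    for (size_t i = 0; i < n; i++)
        printf("0x%08x: %zu-byte instruction\n",
               ida_to_runtime(0x1A8B94, 0x4000, 0xE5000) + (unsigned)offs[i],
               thumb_insn_len(read_le16(SAMPLE_DUMP + offs[i])));
    printf("patched %zu bytes:", patch_sample());
    for (size_t i = 0; i < sizeof g_patched; i++) printf(" %02x", g_patched[i]);
    printf("\n");
    return 0;
}
```

The length rule is what keeps the patch safe: a 4-byte BHI.W replaced by a single 2-byte NOP would shift the TBH.W and its PC-relative table by two bytes and break every case of the switch, so the patch writes as many NOPs as the instruction it removes.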

I'm too late, I guess.
You can just call dyld_get_image_header(0), which returns a mach_header.
Iterate the Mach-O from there.
Remember the in-memory Mach-O is single-arch only.
Iterate the LCs whose type == LC_SEGMENT or LC_SEGMENT_64.
You'll get the VM address there;
add the ASLR offset to that address, which can also be obtained through the dyld API.
Cheers.
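The walk described in this last reply, as an added example that is not taken from the thread: it iterates the load commands of a Mach-O header, finds __TEXT and its __text section, and derives the ASLR slide as the address the header was actually found at (0xe5000 in the gdb output above) minus the vmaddr __TEXT was linked at (0x4000 in IDA). The constants and struct layouts are copied from <mach-o/loader.h> so it builds on any host; the image it parses is a constructed 32-bit ARM one whose __text address of 0x5a00 is a made-up value. On the device itself the header comes from _dyld_get_image_header(0) and _dyld_get_image_vmaddr_slide(0) returns the slide directly (both in <mach-o/dyld.h>); the walker below handles 64-bit headers by offset as well, though only the 32-bit sample is exercised.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants and struct layouts copied from Apple's <mach-o/loader.h> so the
 * walker also builds on a non-Apple host. */
#define MH_MAGIC      0xfeedfaceu
#define MH_MAGIC_64   0xfeedfacfu
#define LC_SEGMENT    0x1u
#define LC_SEGMENT_64 0x19u

struct mach_header     { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct segment_command { uint32_t cmd, cmdsize; char segname[16];
                         uint32_t vmaddr, vmsize, fileoff, filesize;
                         int32_t maxprot, initprot; uint32_t nsects, flags; };
struct section         { char sectname[16], segname[16];
                         uint32_t addr, size, offset, align, reloff, nreloc,
                                  flags, reserved1, reserved2; };

/* Unaligned little-endian read of 4 or 8 bytes (ARM and x86 hosts assumed). */
static uint64_t rd(const uint8_t *p, size_t off, int wide)
{
    uint64_t v = 0;
    memcpy(&v, p + off, wide ? 8 : 4);
    return v;
}

/* Walk the load commands of an in-memory Mach-O (one architecture only, as
 * the reply notes), find segment 'seg' and optionally its section 'sect',
 * and return their link-time addresses. 32- and 64-bit headers are handled
 * by offset: header 28/32, segment command 56/72, section 68/80 bytes.
 * Returns 0 on success, -1 for a bad magic, a bad cmdsize or an unknown name. */
static int find_mach_section(const uint8_t *img, const char *seg, const char *sect,
                             uint64_t *seg_vmaddr, uint64_t *sect_addr)
{
    uint32_t magic = (uint32_t)rd(img, 0, 0);
    int wide;
    if (magic == MH_MAGIC) wide = 0;
    else if (magic == MH_MAGIC_64) wide = 1;
    else return -1;

    uint32_t ncmds = (uint32_t)rd(img, 16, 0);
    size_t off = wide ? 32 : 28;
    const uint32_t want = wide ? LC_SEGMENT_64 : LC_SEGMENT;
    const size_t seg_hdr = wide ? 72 : 56, sect_sz = wide ? 80 : 68;

    for (uint32_t i = 0; i < ncmds; i++) {
        uint32_t cmd = (uint32_t)rd(img, off, 0), cmdsize = (uint32_t)rd(img, off + 4, 0);
        if (cmdsize < 8) return -1;                 /* malformed: do not loop forever */
        if (cmd == want && strncmp((const char *)img + off + 8, seg, 16) == 0) {
            if (seg_vmaddr) *seg_vmaddr = rd(img, off + 24, wide);
            if (!sect) return 0;
            uint32_t nsects = (uint32_t)rd(img, off + (wide ? 64 : 48), 0);
            for (uint32_t s = 0; s < nsects; s++) {
                size_t so = off + seg_hdr + s * sect_sz;
                if (strncmp((const char *)img + so, sect, 16) == 0) {
                    if (sect_addr) *sect_addr = rd(img, so + 32, wide);
                    return 0;
                }
            }
            return -1;
        }
        off += cmdsize;
    }
    return -1;
}

/* Constructed 32-bit ARM image: one LC_SEGMENT "__TEXT" linked at 0x4000 with
 * the size of the r-x region in the post (0x579000 - 0xe5000 = 0x494000) and a
 * single "__text" section. The section address 0x5a00 is a made-up value. */
static uint8_t g_img[256];
static size_t build_sample_image(void)
{
    uint32_t cmds = sizeof(struct segment_command) + sizeof(struct section);
    struct mach_header mh = { MH_MAGIC, 12 /*CPU_TYPE_ARM*/, 9 /*ARM_V7*/, 2 /*MH_EXECUTE*/, 1, cmds, 0 };
    struct segment_command text = { LC_SEGMENT, cmds, "__TEXT", 0x4000, 0x494000, 0, 0x494000, 5, 5, 1, 0 };
    struct section stext = { "__text", "__TEXT", 0x5a00, 0x1c0000, 0x1a00, 2, 0, 0, 0x80000400, 0, 0 };
    memcpy(g_img, &mh, sizeof mh);
    memcpy(g_img + sizeof mh, &text, sizeof text);
    memcpy(g_img + sizeof mh + sizeof text, &stext, sizeof stext);
    return sizeof mh + sizeof text + sizeof stext;     /* 152 */
}

/* ASLR slide = where the header was found (0xe5000 in the post) minus the
 * vmaddr of __TEXT. Returns UINT64_MAX if the image cannot be parsed. */
static uint64_t sample_slide(uint64_t loaded_header)
{
    uint64_t text_vmaddr;
    build_sample_image();
    if (find_mach_section(g_img, "__TEXT", NULL, &text_vmaddr, NULL) != 0) return UINT64_MAX;
    return loaded_header - text_vmaddr;
}

/* Runtime address of the __text section: link-time address plus the slide. */
static uint64_t sample_text_runtime(uint64_t loaded_header)
{
    uint64_t addr, slide = sample_slide(loaded_header);
    if (slide == UINT64_MAX) return UINT64_MAX;
    if (find_mach_section(g_img, "__TEXT", "__text", NULL, &addr) != 0) return UINT64_MAX;
    return addr + slide;
}

int main(void)
{
    printf("slide  = 0x%llx\n", (unsigned long long)sample_slide(0xe5000));
    printf("__text = 0x%llx\n", (unsigned long long)sample_text_runtime(0xe5000));
    printf("CMP    = 0x%llx\n", (unsigned long long)(0x1A8B94 + sample_slide(0xe5000)));
    return 0;
}
```

With the header at 0xe5000 the slide comes out as 0xe1000, and adding it to the IDA address 0x1A8B94 gives the same 0x289b94 the earlier post reached by hand; the difference is that the slide is read from the binary's own load commands rather than assumed from IDA's display base.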