用IDA pro打开的时候弹出对话框
The input file has invalid section file offsets.
Usually it means that it has been modified to hide its contents.
IDA pro加载后很多解析错误,比如obj_msgSend解析不出来,尤其是64bit的,我用的是6.8版本Windows泄露版。不知道有没新的泄露版,是否解决了这个问题了。
修改过段偏移? 文件哪来的
dyld cache的话非常正常。具体bug起因因为他这部分代码Apple没开源我也无从得知
dylb_decache得到的32bit及dsc_extractor得到的64bit的,64bit识别率更糟糕,从933的5S机器中复制出的二进制文件
decache的vmaddr是错的。文件偏移好像也是错的。SYMTAB也是错的
那怎么解决,dsc可以操作32bit吗?没试过,不清楚
没dsc源码我也不知道bug在哪无法解决。可以确定的是cache里这些值是内存chunk里的偏移,没有被正确还原
那对于iOS933,你是怎么解压binary的?求教下,先谢了。不管32bit还是64bit
我并没有解压,因为我没有分析系统库的需要
你有兴趣的话可以根据我的错误分析自己修复
好的,谢谢,有时间了我试试。
我的iPhone SE是9.3.3,没碰到啥问题
步骤上应该不会有问题,我是这样做的。
使用iFunBox1.8复制decache文件,32位和64位,然后使用dyld_decache解压32,使用你推荐的dsc解压64bit,然后拖随便一个framework二进制文件到IDA Pro 6.8(Kingsoft泄露Windows版),就会出现上面的提示。你是怎么做的呢,大概说说我参考一下呗
我用的是hopper,不是IDA,感觉区别可能在这个上面
如果方便的话,能不能帮忙看一下这个函数是否和你的版本一样Hopper出来的结果,32bit的
/System/Library/PrivateFrameworks/StoreKitUI.framework/StoreKitUI,因为里面没有objc_msgSend和之前的版本解析出来的相差太远了。blx执行的很奇怪的函数。或许我dyld的cache文件本身复制就有问题。
+[SKUIClientContext defaultContext]:
2b0fbff8 push {r4, r5, r6, r7, lr}
2b0fbffa add r7, sp, #0xc
2b0fbffc push.w {r8, sl, fp}
2b0fc000 sub sp, #0x14
2b0fc002 mov r8, r0
2b0fc004 movw r0, #0xeb2c ; :lower16:(0x36feab44 - 0x2b0fc018)
2b0fc008 movt r0, #0xbee ; :upper16:(0x36feab44 - 0x2b0fc018)
2b0fc00c movw r2, #0x5632 ; :lower16:(0x36ff164c - 0x2b0fc01a)
2b0fc010 movt r2, #0xbef ; :upper16:(0x36ff164c - 0x2b0fc01a)
2b0fc014 add r0, pc ; 0x36feab44
2b0fc016 add r2, pc ; 0x36ff164c
2b0fc018 ldr r1, [r0] ; 0x36feab44
2b0fc01a ldr r0, [r2] ; 0x36ff164c
2b0fc01c blx imp___picsymbolstub4__SUNavigationBarApplyStyling$shim
2b0fc020 mov r7, r7
2b0fc022 blx imp___picsymbolstub4__objc_getAssociatedObject$shim
2b0fc026 mov r5, r0
2b0fc028 movw r0, #0xeb14 ; :lower16:(0x36feab48 - 0x2b0fc034)
2b0fc02c movt r0, #0xbee ; :upper16:(0x36feab48 - 0x2b0fc034)
2b0fc030 add r0, pc ; 0x36feab48
2b0fc032 ldr r1, [r0] ; 0x36feab48
2b0fc034 mov r0, r5
2b0fc036 blx imp___picsymbolstub4__SUNavigationBarApplyStyling$shim
2b0fc03a mov r7, r7
2b0fc03c blx imp___picsymbolstub4__objc_getAssociatedObject$shim
2b0fc040 mov sl, r0
2b0fc042 mov r0, r5
2b0fc044 blx imp___picsymbolstub4__floorf$shim
2b0fc048 mov r0, sl
2b0fc04a blx imp___picsymbolstub4____40-[SKUIReloadConfigurationOperation main]_block_invoke
2b0fc04e mov r7, r7
2b0fc050 blx imp___picsymbolstub4__objc_getAssociatedObject$shim
2b0fc054 mov r4, r0
2b0fc056 cmp r4, #0x0
2b0fc058 beq.w 0x2b0fc200也可能是aslr摧毁了cache?
汇编肯定是对的,这就是我说的LC SYMTAB偏移错误导致ida无法正确从地址定位外部符号
理论上你可以手动修复 : )
所以就是说,要么是iFunBox复制的时候ASLR影响了decache文件,要么就是解压的工具不能很好的work,对吧?
__text:000000018C75A63C ; id __cdecl +[SKUIClientContext defaultContext](struct SKUIClientContext_meta *self, SEL)
__text:000000018C75A63C __SKUIClientContext_defaultContext_ ; DATA XREF: __objc_const:000000019C758EE8o
__text:000000018C75A63C
__text:000000018C75A63C var_50 = -0x50
__text:000000018C75A63C var_40 = -0x40
__text:000000018C75A63C var_30 = -0x30
__text:000000018C75A63C var_20 = -0x20
__text:000000018C75A63C var_10 = -0x10
__text:000000018C75A63C var_s0 = 0
__text:000000018C75A63C
__text:000000018C75A63C FC 6F BA A9 STP X28, X27, [SP,#-0x10+var_50]!
__text:000000018C75A640 FA 67 01 A9 STP X26, X25, [SP,#0x50+var_40]
__text:000000018C75A644 F8 5F 02 A9 STP X24, X23, [SP,#0x50+var_30]
__text:000000018C75A648 F6 57 03 A9 STP X22, X21, [SP,#0x50+var_20]
__text:000000018C75A64C F4 4F 04 A9 STP X20, X19, [SP,#0x50+var_10]
__text:000000018C75A650 FD 7B 05 A9 STP X29, X30, [SP,#0x50+var_s0]
__text:000000018C75A654 FD 43 01 91 ADD X29, SP, #0x50
__text:000000018C75A658 F5 03 00 AA MOV X21, X0
__text:000000018C75A65C 08 23 09 F0 ADRP X8, #classRef_SSAccountStore_8@PAGE
__text:000000018C75A660 00 55 46 F9 LDR X0, [X8,#classRef_SSAccountStore_8@PAGEOFF]
__text:000000018C75A664 A8 22 09 D0 ADRP X8, #selRef_defaultStore_14@PAGE
__text:000000018C75A668 01 45 43 F9 LDR X1, [X8,#selRef_defaultStore_14@PAGEOFF]
__text:000000018C75A66C 14 0F E2 96 BL objc_msgSend
__text:000000018C75A670 FD 03 1D AA MOV X29, X29
__text:000000018C75A674 18 0F E2 96 BL objc_retainAutoreleasedReturnValue
__text:000000018C75A678 F4 03 00 AA MOV X20, X0
__text:000000018C75A67C A8 22 09 D0 ADRP X8, #selRef_activeAccount_9@PAGE
__text:000000018C75A680 01 49 43 F9 LDR X1, [X8,#selRef_activeAccount_9@PAGEOFF]
__text:000000018C75A684 0E 0F E2 96 BL objc_msgSend
__text:000000018C75A688 FD 03 1D AA MOV X29, X29
__text:000000018C75A68C 12 0F E2 96 BL objc_retainAutoreleasedReturnValue
__text:000000018C75A690 F3 03 00 AA MOV X19, X0
__text:000000018C75A694 E0 03 14 AA MOV X0, X20
__text:000000018C75A698 0B 0F E2 96 BL objc_release
__text:000000018C75A69C E0 03 13 AA MOV X0, X19
__text:000000018C75A6A0 6A 1B E2 96 BL j__SSVStoreFrontIdentifierForAccount_4
__text:000000018C75A6A4 FD 03 1D AA MOV X29, X29
__text:000000018C75A6A8 0B 0F E2 96 BL objc_retainAutoreleasedReturnValue
__text:000000018C75A6AC F4 03 00 AA MOV X20, X0
__text:000000018C75A6B0 B4 0C 00 B4 CBZ X20, loc_18C75A844
__text:000000018C75A6B4 08 23 09 90 ADRP X8, #selRef__cachePathForStoreFrontIdentifier_@PAGE
__text:000000018C75A6B8 01 19 44 F9 LDR X1, [X8,#selRef__cachePathForStoreFrontIdentifier_@PAGEOFF]
__text:000000018C75A6BC E0 03 15 AA MOV X0, X21
__text:000000018C75A6C0 E2 03 14 AA MOV X2, X20
__text:000000018C75A6C4 FE 0E E2 96 BL objc_msgSend
__text:000000018C75A6C8 FD 03 1D AA MOV X29, X29
__text:000000018C75A6CC 02 0F E2 96 BL objc_retainAutoreleasedReturnValue
__text:000000018C75A6D0 F6 03 00 AA MOV X22, X0
__text:000000018C75A6D4 76 01 00 B4 CBZ X22, loc_18C75A700
__text:000000018C75A6D8 08 23 09 F0 ADRP X8, #off_19EBBDA28@PAGE
__text:000000018C75A6DC 00 15 45 F9 LDR X0, [X8,#off_19EBBDA28@PAGEOFF]
__text:000000018C75A6E0 08 23 09 D0 ADRP X8, #selRef_dictionaryWithContentsOfFile__55@PAGE
__text:000000018C75A6E4 01 19 47 F9 LDR X1, [X8,#selRef_dictionaryWithContentsOfFile__55@PAGEOFF]
__text:000000018C75A6E8 E2 03 16 AA MOV X2, X22
__text:000000018C75A6EC F4 0E E2 96 BL objc_msgSend
__text:000000018C75A6F0 FD 03 1D AA MOV X29, X29
__text:000000018C75A6F4 F8 0E E2 96 BL objc_retainAutoreleasedReturnValue
__text:000000018C75A6F8 F9 03 00 AA MOV X25, X0
__text:000000018C75A6FC F9 0B 00 B5 CBNZ X25, loc_18C75A878
__text:000000018C75A700
__text:000000018C75A700 loc_18C75A700 ; CODE XREF: +[SKUIClientContext defaultContext]+98j
__text:000000018C75A700 08 23 09 F0 ADRP X8, #off_19EBBDA20@PAGE
__text:000000018C75A704 00 11 45 F9 LDR X0, [X8,#off_19EBBDA20@PAGEOFF]
__text:000000018C75A708 A8 22 09 B0 ADRP X8, #off_19EBAF478@PAGE
__text:000000018C75A70C 01 3D 42 F9 LDR X1, [X8,#off_19EBAF478@PAGEOFF]
__text:000000018C75A710 EB 0E E2 96 BL objc_msgSend
__text:000000018C75A714 FD 03 1D AA MOV X29, X29
__text:000000018C75A718 EF 0E E2 96 BL objc_retainAutoreleasedReturnValue
__text:000000018C75A71C F8 03 00 AA MOV X24, X0
__text:000000018C75A720 08 23 09 D0 ADRP X8, #selRef_pathForResource_ofType__52@PAGE
__text:000000018C75A724 01 1D 47 F9 LDR X1, [X8,#selRef_pathForResource_ofType__52@PAGEOFF]
__text:000000018C75A728 62 F8 07 F0 ADRP X2, #cfstr_Skuistoreconfi@PAGE ; "SKUIStoreConfigurations"
__text:000000018C75A72C 42 40 39 91 ADD X2, X2, #cfstr_Skuistoreconfi@PAGEOFF ; "SKUIStoreConfigurations"
__text:000000018C75A730 43 F8 07 F0 ADRP X3, #cfstr_Plist_56@PAGE ; "plist"
__text:000000018C75A734 63 40 34 91 ADD X3, X3, #cfstr_Plist_56@PAGEOFF ; "plist"
__text:000000018C75A738 E1 0E E2 96 BL objc_msgSend
__text:000000018C75A73C FD 03 1D AA MOV X29, X29
__text:000000018C75A740 E5 0E E2 96 BL objc_retainAutoreleasedReturnValue
__text:000000018C75A744 F7 03 00 AA MOV X23, X0
__text:000000018C75A748 E0 03 18 AA MOV X0, X24
__text:000000018C75A74C DE 0E E2 96 BL objc_release
__text:000000018C75A750 F7 07 00 B4 CBZ X23, loc_18C75A84C
__text:000000018C75A754 1C 23 09 F0 ADRP X28, #off_19EBBDA28@PAGE
__text:000000018C75A758 80 17 45 F9 LDR X0, [X28,#off_19EBBDA28@PAGEOFF]
__text:000000018C75A75C A8 22 09 B0 ADRP X8, #off_19EBAF018@PAGE
__text:000000018C75A760 01 0D 40 F9 LDR X1, [X8,#off_19EBAF018@PAGEOFF]
__text:000000018C75A764 D6 0E E2 96 BL objc_msgSend
__text:000000018C75A768 C8 22 09 90 ADRP X8, #selRef_initWithContentsOfFile__48@PAGE
__text:000000018C75A76C 01 0D 41 F9 LDR X1, [X8,#selRef_initWithContentsOfFile__48@PAGEOFF]
__text:000000018C75A770 E2 03 17 AA MOV X2, X23
__text:000000018C75A774 D2 0E E2 96 BL objc_msgSend
__text:000000018C75A778 F8 03 00 AA MOV X24, X0
__text:000000018C75A77C A8 22 09 B0 ADRP X8, #off_19EBAF3C0@PAGE
__text:000000018C75A780 19 E1 41 F9 LDR X25, [X8,#off_19EBAF3C0@PAGEOFF]
__text:000000018C75A784 E1 03 19 AA MOV X1, X25
__text:000000018C75A788 E2 03 14 AA MOV X2, X20
__text:000000018C75A78C CC 0E E2 96 BL objc_msgSend
__text:000000018C75A790 FD 03 1D AA MOV X29, X29
__text:000000018C75A794 D0 0E E2 96 BL objc_retainAutoreleasedReturnValue
__text:000000018C75A798 FA 03 00 AA MOV X26, X0
__text:000000018C75A79C 9A 03 00 B5 CBNZ X26, loc_18C75A80C
__text:000000018C75A7A0 A8 22 09 D0 ADRP X8, #selRef_rangeOfString__95@PAGE
__text:000000018C75A7A4 01 25 41 F9 LDR X1, [X8,#selRef_rangeOfString__95@PAGEOFF]
__text:000000018C75A7A8 02 F8 07 B0 ADRP X2, #stru_19C65BD30@PAGE ; ","
__text:000000018C75A7AC 42 C0 34 91 ADD X2, X2, #stru_19C65BD30@PAGEOFF ; ","
__text:000000018C75A7B0 E0 03 14 AA MOV X0, X20
__text:000000018C75A7B4 C2 0E E2 96 BL objc_msgSend
__text:000000018C75A7B8 E8 03 00 AA MOV X8, X0
__text:000000018C75A7BC E9 FB 40 B2 MOV X9, #0x7FFFFFFFFFFFFFFF
__text:000000018C75A7C0 1F 01 09 EB CMP X8, X9
__text:000000018C75A7C4 40 02 00 54 B.EQ loc_18C75A80C
__text:000000018C75A7C8 A9 22 09 D0 ADRP X9, #selRef_substringToIndex__80@PAGE
__text:000000018C75A7CC 21 7D 44 F9 LDR X1, [X9,#selRef_substringToIndex__80@PAGEOFF]
__text:000000018C75A7D0 E0 03 14 AA MOV X0, X20
__text:000000018C75A7D4 E2 03 08 AA MOV X2, X8
__text:000000018C75A7D8 B9 0E E2 96 BL objc_msgSend
__text:000000018C75A7DC FD 03 1D AA MOV X29, X29
__text:000000018C75A7E0 BD 0E E2 96 BL objc_retainAutoreleasedReturnValue
__text:000000018C75A7E4 FB 03 00 AA MOV X27, X0
__text:000000018C75A7E8 E0 03 18 AA MOV X0, X24
__text:000000018C75A7EC E1 03 19 AA MOV X1, X25
__text:000000018C75A7F0 E2 03 1B AA MOV X2, X27
__text:000000018C75A7F4 B2 0E E2 96 BL objc_msgSend
__text:000000018C75A7F8 FD 03 1D AA MOV X29, X29
__text:000000018C75A7FC B6 0E E2 96 BL objc_retainAutoreleasedReturnValue
__text:000000018C75A800 FA 03 00 AA MOV X26, X0
__text:000000018C75A804 E0 03 1B AA MOV X0, X27
__text:000000018C75A808 AF 0E E2 96 BL objc_release
__text:000000018C75A80C
__text:000000018C75A80C loc_18C75A80C ; CODE XREF: +[SKUIClientContext defaultContext]+160j
__text:000000018C75A80C ; +[SKUIClientContext defaultContext]+188j
__text:000000018C75A80C 80 17 45 F9 LDR X0, [X28,#off_19EBBDA28@PAGEOFF]
__text:000000018C75A810 A8 22 09 B0 ADRP X8, #off_19EBAF030@PAGE
__text:000000018C75A814 01 19 40 F9 LDR X1, [X8,#off_19EBAF030@PAGEOFF]
__text:000000018C75A818 A9 0E E2 96 BL objc_msgSend
__text:000000018C75A81C E2 03 00 AA MOV X2, X0
__text:000000018C75A820 A8 22 09 B0 ADRP X8, #off_19EBAF358@PAGE
__text:000000018C75A824 01 AD 41 F9 LDR X1, [X8,#off_19EBAF358@PAGEOFF]
__text:000000018C75A828 E0 03 1A AA MOV X0, X26
__text:000000018C75A82C A4 0E E2 96 BL objc_msgSend
__text:000000018C75A830 40 01 00 34 CBZ W0, loc_18C75A858
__text:000000018C75A834 E0 03 1A AA MOV X0, X26
__text:000000018C75A838 A4 0E E2 96 BL __CalLogMaster_copyWithZone___0 ; -[CalLogMaster copyWithZone:]_0
__text:000000018C75A83C F9 03 00 AA MOV X25, X0
__text:000000018C75A840 07 00 00 14 B loc_18C75A85C
__text:000000018C75A844 ; ---------------------------------------------------------------------------
__text:000000018C75A844
__text:000000018C75A844 loc_18C75A844 ; CODE XREF: +[SKUIClientContext defaultContext]+74j
__text:000000018C75A844 15 00 80 D2 MOV X21, #0
__text:000000018C75A848 27 00 00 14 B loc_18C75A8E4
__text:000000018C75A84C ; ---------------------------------------------------------------------------
__text:000000018C75A84C
__text:000000018C75A84C loc_18C75A84C ; CODE XREF: +[SKUIClientContext defaultContext]+114j
__text:000000018C75A84C E0 03 17 AA MOV X0, X23
__text:000000018C75A850 9D 0E E2 96 BL objc_release
__text:000000018C75A854 1E 00 00 14 B loc_18C75A8CC
__text:000000018C75A858 ; ---------------------------------------------------------------------------
__text:000000018C75A858
__text:000000018C75A858 loc_18C75A858 ; CODE XREF: +[SKUIClientContext defaultContext]+1F4j
__text:000000018C75A858 19 00 80 D2 MOV X25, #0
__text:000000018C75A85C
__text:000000018C75A85C loc_18C75A85C ; CODE XREF: +[SKUIClientContext defaultContext]+204j
__text:000000018C75A85C E0 03 1A AA MOV X0, X26
__text:000000018C75A860 99 0E E2 96 BL objc_release
__text:000000018C75A864 E0 03 18 AA MOV X0, X24
__text:000000018C75A868 97 0E E2 96 BL objc_release
__text:000000018C75A86C E0 03 17 AA MOV X0, X23
__text:000000018C75A870 95 0E E2 96 BL objc_release
__text:000000018C75A874 D9 02 00 B4 CBZ X25, loc_18C75A8CC
__text:000000018C75A878
__text:000000018C75A878 loc_18C75A878 ; CODE XREF: +[SKUIClientContext defaultContext]+C0j
__text:000000018C75A878 A8 22 09 B0 ADRP X8, #off_19EBAF018@PAGE
__text:000000018C75A87C 01 0D 40 F9 LDR X1, [X8,#off_19EBAF018@PAGEOFF]
__text:000000018C75A880 E0 03 15 AA MOV X0, X21
__text:000000018C75A884 8E 0E E2 96 BL objc_msgSend
__text:000000018C75A888 A8 22 09 B0 ADRP X8, #selRef_initWithConfigurationDictionary__0@PAGE
__text:000000018C75A88C 01 79 42 F9 LDR X1, [X8,#selRef_initWithConfigurationDictionary__0@PAGEOFF]
__text:000000018C75A890 E2 03 19 AA MOV X2, X25
__text:000000018C75A894 8A 0E E2 96 BL objc_msgSend
__text:000000018C75A898 F5 03 00 AA MOV X21, X0
__text:000000018C75A89C D5 01 00 B4 CBZ X21, loc_18C75A8D4
__text:000000018C75A8A0 A8 22 09 B0 ADRP X8, #off_19EBAF188@PAGE
__text:000000018C75A8A4 01 C5 40 F9 LDR X1, [X8,#off_19EBAF188@PAGEOFF]
__text:000000018C75A8A8 E0 03 14 AA MOV X0, X20
__text:000000018C75A8AC 84 0E E2 96 BL objc_msgSend
__text:000000018C75A8B0 48 23 09 F0 ADRP X8, #_OBJC_IVAR_$_SKUIClientContext._storeFrontIdentifier@PAGE ; NSString *_storeFrontIdentifier;
__text:000000018C75A8B4 09 95 84 B9 LDRSW X9, [X8,#_OBJC_IVAR_$_SKUIClientContext._storeFrontIdentifier@PAGEOFF] ; NSString *_storeFrontIdentifier;
__text:000000018C75A8B8 A8 6A 69 F8 LDR X8, [X21,X9]
__text:000000018C75A8BC A0 6A 29 F8 STR X0, [X21,X9]
__text:000000018C75A8C0 E0 03 08 AA MOV X0, X8
__text:000000018C75A8C4 80 0E E2 96 BL objc_release
__text:000000018C75A8C8 03 00 00 14 B loc_18C75A8D4
__text:000000018C75A8CC ; ---------------------------------------------------------------------------
__text:000000018C75A8CC
__text:000000018C75A8CC loc_18C75A8CC ; CODE XREF: +[SKUIClientContext defaultContext]+218j
__text:000000018C75A8CC ; +[SKUIClientContext defaultContext]+238j
__text:000000018C75A8CC 19 00 80 D2 MOV X25, #0
__text:000000018C75A8D0 15 00 80 D2 MOV X21, #0
__text:000000018C75A8D4
__text:000000018C75A8D4 loc_18C75A8D4 ; CODE XREF: +[SKUIClientContext defaultContext]+260j
__text:000000018C75A8D4 ; +[SKUIClientContext defaultContext]+28Cj
__text:000000018C75A8D4 E0 03 16 AA MOV X0, X22
__text:000000018C75A8D8 7B 0E E2 96 BL objc_release
__text:000000018C75A8DC E0 03 19 AA MOV X0, X25
__text:000000018C75A8E0 79 0E E2 96 BL objc_release
__text:000000018C75A8E4
__text:000000018C75A8E4 loc_18C75A8E4 ; CODE XREF: +[SKUIClientContext defaultContext]+20Cj
__text:000000018C75A8E4 E0 03 14 AA MOV X0, X20
__text:000000018C75A8E8 77 0E E2 96 BL objc_release
__text:000000018C75A8EC E0 03 13 AA MOV X0, X19
__text:000000018C75A8F0 75 0E E2 96 BL objc_release
__text:000000018C75A8F4 E0 03 15 AA MOV X0, X21
__text:000000018C75A8F8 FD 7B 45 A9 LDP X29, X30, [SP,#0x50+var_s0]
__text:000000018C75A8FC F4 4F 44 A9 LDP X20, X19, [SP,#0x50+var_10]
__text:000000018C75A900 F6 57 43 A9 LDP X22, X21, [SP,#0x50+var_20]
__text:000000018C75A904 F8 5F 42 A9 LDP X24, X23, [SP,#0x50+var_30]
__text:000000018C75A908 FA 67 41 A9 LDP X26, X25, [SP,#0x50+var_40]
__text:000000018C75A90C FC 6F C6 A8 LDP X28, X27, [SP+0x50+var_50],#0x60
__text:000000018C75A910 60 0E E2 16 B objc_autoreleaseReturnValue
对的,你的汇编是正确的,是iOS9.3.3里的吧,你是怎么复制decache文件及用什么工具解压decache的?
手动改了下符号, BL里面是个跳板, IDA没有正确识别
直接复制, 没有解压