objc2_xrefs_helper erroneous selector replacement #46

Open
strictlymike opened this issue Mar 27, 2017 · 1 comment

@strictlymike
Contributor

Note to self for later...

python/flare/objc2_xrefs_helper.py can replace selectors erroneously.

Example: 4fe4b9560e99e33dabca553e2eeee510 (OSX XAgent), virtual addresses 0x100014F61 and 0x100014FA5

ID for each is an NSThread object held in r12 and later r13, and SEL is start, but objc2_xrefs_helper.py replaces this with __Keylogger_start (-[Keylogger start]). Here is the first case:

```
100014F58 call    cs:_objc_msgSend_ptr ; [NSThread initWithTarget:selector:object]
100014F58                         ; Creates NSThread targeting [BootXLoader postThread]
100014F5E mov     r12, rax
100014F61 mov     rsi, qword ptr cs:__Keylogger_start_ ; Keylogger - (void)start
100014F68 mov     rdi, r12
100014F6B call    cs:_objc_msgSend_ptr ; [r12 start]
```

Perhaps objc2_xrefs_helper.py doesn't realize this selector is only unique within this binary but also pertains to objects whose interfaces are not implemented in this binary?

@strictlymike
Contributor Author

Workaround is to locate the fix in Patched Bytes (Ctrl+Alt+P or Edit -> Patch program -> Patched bytes) and revert the patch.
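
Added example, not part of the issue and not code from objc2_xrefs_helper.py: a sketch of a replacement policy that follows the hypothesis in the first comment, rewriting a selector reference only when the receiver is known to be a class implemented in the binary. The function names, the `patch`/`keep`/`comment` actions and the class metadata are assumptions constructed for illustration.

```python
# Hypothetical policy sketch; does not reflect how objc2_xrefs_helper.py works.
from collections import defaultdict

def index_local_impls(local_classes):
    """Map selector name -> list of '-[Class sel]' implemented in this binary."""
    impls = defaultdict(list)
    for cls, selectors in local_classes.items():
        for sel in sorted(selectors):
            impls[sel].append("-[%s %s]" % (cls, sel))
    return impls

def decide(sel, receiver, local_classes, imported_classes, impls):
    """Return (action, target) for one objc_msgSend call site.

    receiver is the class recovered for the id argument, or None when the
    analysis could not recover it.
    """
    candidates = impls.get(sel, [])
    if receiver in local_classes:
        # Receiver is defined here: rewrite only if that class has the method.
        if sel in local_classes[receiver]:
            return ("patch", "-[%s %s]" % (receiver, sel))
        return ("keep", None)  # not defined on that class here (may be inherited)
    if receiver in imported_classes:
        # e.g. NSThread: the implementation lives outside this binary.
        return ("keep", None)
    if len(candidates) == 1 and not imported_classes:
        # Unknown receiver, but no external class could answer the selector.
        return ("patch", candidates[0])
    if candidates:
        # Unknown receiver: record the guess without rewriting the operand.
        return ("comment", candidates)
    return ("keep", None)

# Constructed metadata modelled on the listing in this issue.
LOCAL = {"Keylogger": {"start", "stop"}, "BootXLoader": {"postThread"}}
IMPORTED = {"NSThread"}
IMPLS = index_local_impls(LOCAL)

def demo():
    sites = [
        (0x100014F61, "start", "NSThread"),   # case reported in the issue
        (0x1000A0000, "start", "Keylogger"),  # constructed address
        (0x1000A0010, "start", None),         # constructed, receiver unknown
    ]
    return [(hex(ea),) + decide(sel, rcv, LOCAL, IMPORTED, IMPLS)
            for ea, sel, rcv in sites]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Under this policy the `start` reference at 0x100014F61 is left alone because its receiver is an imported class, and an unresolved receiver gets a comment instead of a patched operand.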
