[Mac] Probably X64ImageInterpreter Issue on parse Lib???

Hi I found an issue on parse dylib section whit X64ImageInterpreter...

example :

libcc-premium.dylib https://mega.nz/file/vOxSwSBT#JHML0acS9CNiCwHdneuMaJ5u5cHfEhTVO-FABPgW-j0

whit you code fnGenerateKeyB have a bug...

if (auto lpKeyword = m_Image.SearchSection(section__cstring, [](const void* base, size_t i, size_t size) {

                static const char Keyword[] = "me30I";
                if (i + sizeof(Keyword) <= size) {
                    return memcmp(ARL::AddressOffset(base, i), Keyword, sizeof(Keyword)) == 0;
                } else {
                    return false;
                }
        }); lpKeyword) {
            if (auto lpXrefKeyword = m_Image.SearchSection(section__text, [section__text, KeywordRva = m_Image.ConvertPtrToRva(lpKeyword)](const void* base, size_t i, size_t size) {
                if (i + sizeof(uint32_t) <= size) {
                    auto rip = section__text->addr + (i + 4);
                    auto off = ARL::AddressRead<uint32_t>(base, i);
                    return rip + off == KeywordRva;
                } else {
                    return false;
                }
            }); lpXrefKeyword) {

lpKeyword = have a correct offset 00000000012D79D9 but lpXrefKeyword have wrong offset :

000000000b05bae instead 00000000012E4C80

is X64ImageInterpreter bug on m_Image.SearchSection(..) or what? thank's for reply

Can you tell me what 00000000012D79D9 is? Is it RVA or file offset?

I tried both, but none of them points to the keyword me30I. It is impossible to be the value of lpKeyword.

sorry I got the wrong value on fnGenerateKeyA ("K0xD8MjZAGa6R") but the problem is on fnGenerateKeyB

for ...static const char Keyword[] = "me30I";...

lpKeyword RVA = 0x000000000230df3b <- Is Ok!!

lpXrefKeyword RVA = 0x0000000000b05bae <--- this is wrong it must be 0x00000000012E4C80

From Ida x64 :

__cstring:000000000230DF3B aMe30i db 'me30I',0 ; DATA XREF: sub_12E4BEC+94↑o

__text:00000000012E4C80 lea rsi, aMe30i ; "me30I"

well, try modify original code from

...
...
                if (auto lpXrefKeyword = m_Image.SearchSection(section__text, [section__text, KeywordRva = m_Image.ConvertPtrToRva(lpKeyword)](const void* base, size_t i, size_t size) {
                    if (i + sizeof(uint32_t) <= size) {
                        auto rip = section__text->addr + (i + 4);
                        auto off = ARL::AddressRead<uint32_t>(base, i);
                        return rip + off == KeywordRva;
                    } else {
                        return false;
                    }
                }); lpXrefKeyword) {
...
...

...
...
                if (auto lpXrefKeyword = m_Image.SearchSection(section__text, [section__text, KeywordRva = m_Image.ConvertPtrToRva(lpKeyword)](const void* base, size_t i, size_t size) {
                    if (i + sizeof(uint32_t) <= size) {
                        auto rip = section__text->addr + (i + 4);
                        auto off = ARL::AddressRead<uint32_t>(base, i);
                        return rip + off == KeywordRva && 
                            ARL::AddressRead<uint8_t>(base, i - 3) == 0x48 &&   // well, I think it should use LEA instruction to load address of keyword
                            ARL::AddressRead<uint8_t>(base, i - 2) == 0x8d;     // and in 64-bit mode, LEA has "48 8D" prefix.
                    } else {
                        return false;
                    }
                }); lpXrefKeyword) {
...
...

lpKeyword RVA = 0x000000000230df3b

lpXrefKeyword RVA = 0x00000000012e4c83

Perfect.. Thank's for your best support you are my hero..

Best Regards

DeltaFoX 1 年間前に閉じられました

会話に参加するにはサインインしてください。

#6 [Mac] Probably X64ImageInterpreter Issue on parse Lib???