
Mach-O file parsing missing support for INDIRECT_SYMBOL_LOCAL, INDIRECT_SYMBOL_ABS

Open xusheng6 opened this issue 2 years ago • 3 comments

While analyzing the file virtual-test.zip, when I view the file statically, I get the following value at address 0x100004060:

Screen Shot 2022-08-21 at 5 32 02 PM

The value 0x100000000040d0 is wrong here -- it is a vtable, but it is beyond the address range of the current binary view. If I launch it under the debugger, I can see its correct value:

Screen Shot 2022-08-21 at 5 32 29 PM

And we can see its content:

Screen Shot 2022-08-21 at 5 38 08 PM

I have no idea why it is happening, but I suspect this is related to relocation. Btw, this is an arm64 file so it could also be related

xusheng6 avatar Aug 21 '22 09:08 xusheng6

I would suspect relocations

plafosse avatar Aug 21 '22 10:08 plafosse

So this does have something to do with relocations, but not really. For some reason, in the binary the table of pointerSymbols has 0x80000000 as the index.


This must have some significance that we're unaware of.

	// Map from indirect-symbol-table value to the (section, slot) pairs that reference it.
	unordered_map<size_t, vector<std::pair<section_64*, size_t>>> pointerSymbols;
	for (auto& symbolPointerSection : m_symbolPointerSections)
	{
		// Number of pointer slots in this section; reserved1 is its starting index
		// into the indirect symbol table.
		size_t needed = symbolPointerSection.size / m_addressSize;
		for (size_t j = 0; (j < needed) && ((j + symbolPointerSection.reserved1) < indirectSymbols.size()); j++)
		{
			// Debug logging only. Note: %d prints the 32-bit entry as signed, so the
			// INDIRECT_SYMBOL_LOCAL flag value 0x80000000 shows up as -2147483648.
			LogError("pointerSymbols %d %d %d", j, j + symbolPointerSection.reserved1, indirectSymbols[j + symbolPointerSection.reserved1]);
			// The raw table entry is used directly as the key, with no check for flag values.
			pointerSymbols[indirectSymbols[j + symbolPointerSection.reserved1]].push_back(
				std::pair<section_64*, size_t>(&symbolPointerSection, j));
		}
	}

Adding in the above logging code gives us:

pointerSymbols 0 10 4
pointerSymbols 1 11 1
pointerSymbols 2 12 5
pointerSymbols 3 13 6
pointerSymbols 4 14 7
pointerSymbols 5 15 8
pointerSymbols 6 16 9
pointerSymbols 7 17 10
pointerSymbols 8 18 2
pointerSymbols 9 19 11
pointerSymbols 10 20 12
pointerSymbols 11 21 13
pointerSymbols 12 22 -2147483648
pointerSymbols 13 23 -2147483648
pointerSymbols 14 24 -2147483648
pointerSymbols 15 25 16
pointerSymbols 16 26 17

plafosse avatar Aug 30 '22 14:08 plafosse

Looked into this a bit more; looks like we're missing support for INDIRECT_SYMBOL_LOCAL and INDIRECT_SYMBOL_ABS. More info here: https://opensource.apple.com/source/xnu/xnu-792/EXTERNAL_HEADERS/mach-o/loader.h.auto.html

plafosse avatar Aug 31 '22 15:08 plafosse

In current dev (soon to be stable) builds you at least get notice when we fail to parse these types of symbols.

plafosse avatar Oct 19 '22 12:10 plafosse

The bad pointer values are chained fixups (#2867).

0cyn avatar Nov 03 '22 14:11 0cyn

Resolved in builds >= 3.2.3871

0cyn avatar Dec 08 '22 13:12 0cyn