flare-ida objc2_xrefs_helper erroneous selector replacement

objc2_xrefs_helper erroneous selector replacement

Open strictlymike opened this issue 8 years ago • 1 comments

Note to self for later...

python/flare/objc2_xrefs_helper.py can replace selectors erroneously.

Example: 4fe4b9560e99e33dabca553e2eeee510 (OSX XAgent), virtual addresses 0x100014F61 and 0x100014FA5

ID for each is an NSThread object held in r12 and later r13, and SEL is start, but objc2_xrefs_helper.py replaces this with __Keylogger_start (-[Keylogger start]). Here is the first case:

100014F58 call    cs:_objc_msgSend_ptr ; [NSThread initWithTarget:selector:object]
100014F58                         ; Creates NSThread targeting [BootXLoader postThread]
100014F5E mov     r12, rax
100014F61 mov     rsi, qword ptr cs:__Keylogger_start_ ; Keylogger - (void)start
100014F68 mov     rdi, r12
100014F6B call    cs:_objc_msgSend_ptr ; [r12 start]

Perhaps objc2_xrefs_helper.py doesn't realize this selector is only unique within this binary but also pertains to objects whose interfaces are not implemented in this binary?

Mar 27 '17 23:03 strictlymike

Workaround is to locate the fix in Patched Bytes (Ctrl+Alt+P or Edit -> Patch program -> Patched bytes) and revert the patch.

Mar 27 '17 23:03 strictlymike

flare-ida flare-ida copied to clipboard

objc2_xrefs_helper erroneous selector replacement

flare-ida
flare-ida copied to clipboard