derekselander / dsdump
An improved nm + Objective-C & Swift class-dump
Running on any binaries from iOS/tvOS 15 with --swift or --objc flags gets an immediate segfault crash. I think it's related to the newer load commands introduced in iOS 13 but didn't get heavily utilized until 15, specifically LC_DYLD_EXPORTS_TRIE and LC_DYLD_CHAINED_FIXUPS.
Figured adding details from the crash log might help!
Process: dsdump [2314]
Path: /Users/USER/*/dsdump
Identifier: dsdump
Version: 0
Code Type: X86-64 (Native)
Parent Process: zsh [429]
Responsible: iTerm2 [279]
User ID: 501
Date/Time: 2021-09-23 21:57:53.537 -0700
OS Version: Mac OS X 10.15.4 (19E266)
Report Version: 12
Anonymous UUID: 7D913AF8-DD55-3534-9C1B-3FEC8697F1F0
Time Awake Since Boot: 14000 seconds
System Integrity Protection: disabled
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000000000002c
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [2314]
VM Regions Near 0x2c:
-->
__TEXT 0000000100000000-0000000100376000 [ 3544K] r-x/r-x SM=COW /Users/USER/*
Application Specific Information:
dyld2 mode
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 dsdump 0x0000000100014779 -[XRMachOLibrary(Opcode) parseDYLDExports] + 34
1 dsdump 0x0000000100009819 -[XRMachOLibrary initWithPath:] + 5198
2 dsdump 0x0000000100018c46 main + 1258
3 libdyld.dylib 0x00007fff72237cc9 start + 1
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000101304490 rcx: 0x0000000000000000 rdx: 0x000000000000000d
rdi: 0x0000000101304490 rsi: 0x000000010012bfe1 rbp: 0x00007ffeefbfefd0 rsp: 0x00007ffeefbfef70
r8: 0x000000000000004f r9: 0x0000000101307385 r10: 0x0000000100000000 r11: 0x000000010000bb3d
r12: 0x0000000400010657 r13: 0x00007fff7108be40 r14: 0x000000010052ce18 r15: 0x0000000101304490
rip: 0x0000000100014779 rfl: 0x0000000000010202 cr2: 0x000000000000002c
Logical CPU: 6
Error Code: 0x00000004 (no mapping for user data read)
Trap Number: 14
I get a segmentation fault when I try to run dsdump --objc on binaries included with the iOS 15 Developer Disk Image on the Xcode 13 beta.
Reproduction steps:
In the /Applications folder, run:
open /Applications/Xcode-beta.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/15.0/DeveloperDiskImage.dmg
Each of the following commands ends in "[1] 11043 segmentation fault dsdump --objc --arch arm64 -U -vv":
dsdump --objc --arch arm64 -U -vv /Volumes/DeveloperDiskImage/Library/Frameworks/XCTest.framework/XCTest
dsdump --objc --arch arm64 -U -vv /Volumes/DeveloperDiskImage/usr/libexec/testmanagerd
dsdump --objc --arch arm64 -U -vv /Volumes/DeveloperDiskImage/Library/PrivateFrameworks/XCTAutomationSupport.framework/XCTAutomationSupport
Without the --objc option, there is no segmentation fault.
I downloaded the dsdump_compiled.zip from the location, but the SHA seems to be different than mentioned in the README.md.
Looks like the binary in this commit, 1a8857e, was overridden by a later commit 6770b4a, but forgot to update the SHA in README?
README says: 83eebd025b43b58a486235e1bec70a3239995be409605e3ff19bdae07adff917
What I got: 3e8c2ff61f0bebdbc8c542605b8bfa69c96d14e1722ae46db8afd6c50cba5302
/tmp 21:34:18 $ shasum -a 256 ~/Downloads/dsdump_compiled.zip
3e8c2ff61f0bebdbc8c542605b8bfa69c96d14e1722ae46db8afd6c50cba5302
Hi
While using dsdump on a Mach-O 64-bit executable arm64, I encountered the error message mentioned. The binary is not a fat binary and only has arm64 version of the code.
WARNING: couldn't find address 0x0 (0x0) in binary!
I tried different command line options but I see the same error.
dsdump --objc <binary>
dsdump --objc -vvvvv <binary>
dsdump --swift <binary>
dsdump --swift -vvvvv <binary>
What else can I do to troubleshoot the issue?
Assertion failed: (getNumChildren() > index), function getChild, file /Users/lolgrep/code/swift-source/swift/include/swift/Demangling/Demangle.h, line 217.
Abort trap: 6
Trying to disassemble:
https://www.icloud.com/iclouddrive/0Yd4RMA1vqAATc1EBAFZn2D6w#BarcodeScanner
Hi
Sorry, I was trying to ask a question but could not find an option to ask questions, so I raise an issue instead. I managed to write a simple program that can read the data structures of a Mach-O binary file by following your article on dsdump.
Using those details I got, is it possible to calculate the ASLR shift programmatically so that by adding that value to a function's address before ASLR, I can calculate where the function is in memory.
Is it in future plans?
I've tried using dsdump to dump class information for executables on the iOS 14 Developer Disk Image included with Xcode 12, but attempts to do so result in a crash.
The Developer Disk Image can be found at /Applications/Xcode-beta.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/14.0/DeveloperDiskImage.dmg after installing the Xcode 12 beta. Double-click it to mount it.
Then, run one of these commands:
dsdump --objc --arch arm64 -U -vvv /Volumes/DeveloperDiskImage/usr/libexec/testmanagerd
dsdump --objc --arch arm64 -U -vvv /Volumes/DeveloperDiskImage/Library/Frameworks/XCTest.framework/XCTest
dsdump will be able to dump some information, but eventually terminates with messages like this:
0x0010006f0c8 XCSynthesizedEventRecord : NSObject <NSSecureCoding>
// class methods
WARNING: couldn't find address 0x11c560002f328 (0x4560002f328) in binary!
2020-06-26 15:59:44.985 dsdump[37156:937781] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** +[NSString stringWithUTF8String:]: NULL cString'
*** First throw call stack:
(
0 CoreFoundation 0x00007fff33aadbe7 __exceptionPreprocess + 250
1 libobjc.A.dylib 0x00007fff6cde55bf objc_exception_throw + 48
2 Foundation 0x00007fff36130af9 +[NSString stringWithUTF8String:] + 174
3 dsdump 0x000000010000ca83 _Z21dumpObjectiveCMethodsP11method_listPKcbbS2_ + 907
4 dsdump 0x000000010000fe53 -[XRMachOLibrary(ObjectiveC) dumpObjectiveCClasses] + 4212
5 dsdump 0x0000000100011028 -[XRMachOLibrary(SymbolDumper) dumpSymbols] + 127
6 dsdump 0x0000000100017f3a main + 1350
7 libdyld.dylib 0x00007fff6df8ccc9 start + 1
)
libc++abi.dylib: terminating with uncaught exception of type NSException
[1] 37156 abort ~/Downloads/dsdump --objc -aarm64 -U -vvv
I suspect this is related to this item in the Xcode 12 release notes:
(from https://developer.apple.com/documentation/xcode-release-notes/xcode-12-beta-release-notes)
macOS Version: 12.3 (21E230)
Mapped cache: /System/Library/dyld/dyld_shared_cache_x86_64h
Current cache slide: 0x15015000 (not sure if it helps)
When running:
dsdump -oc /System/Library/Frameworks/Foundation.framework/Foundation
Result:
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000007f856b8fdd0
Exception Codes: 0x0000000000000001, 0x000007f856b8fdd0
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process: exc handler [1998]
VM Region Info: 0x7f856b8fdd0 is not in any region. Bytes after previous region: 8758672952785 Bytes before following region: 96789928018480
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
VM_ALLOCATE (reserved) 10d21c000-10d21f000 [ 12K] r--/r-- SM=NUL ...(unallocated)
---> GAP OF 0x5ffef2de1000 BYTES
MALLOC_NANO 600000000000-600008000000 [128.0M] rw-/rwx SM=PRV
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 dsdump 0x100013ff3 -[XRMachOLibrary(ObjectiveC) dumpObjCClassInfo:resolvedAddress:] + 39
1 dsdump 0x100014c46 -[XRMachOLibrary(ObjectiveC) dumpObjectiveCClasses] + 2493
2 dsdump 0x100015837 -[XRMachOLibrary(SymbolDumper) dumpSymbols] + 127
3 dsdump 0x10001bf26 main + 2002
4 dyld 0x10d16c51e start + 462
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x000007f856b8fdb0 rbx: 0x00007ff7bfefebd1 rcx: 0x000007f856b8fdb0 rdx: 0x00007ff816562bc0
rdi: 0x000007f856b8fdb0 rsi: 0x000000010014db62 rbp: 0x00007ff7bfefeb50 rsp: 0x00007ff7bfefeb30
r8: 0x00007ff856b14988 r9: 0x0000000000000000 r10: 0x00000001003edc62 r11: 0x0000000100013fcc
r12: 0x0000000000000000 r13: 0x00007ff856b8fd88 r14: 0x00007ff816562bc0 r15: 0x00007ffffffffff8
rip: 0x0000000100013ff3 rfl: 0x0000000000010202 cr2: 0x000007f856b8fdd0
From LLDB:
dsdump, -[XRMachOLibrary(ObjectiveC) dumpObjCClassInfo:resolvedAddress:]
0 0x100013fcc <+0>: push rbp
1 0x100013fcd <+1>: mov rbp, rsp
2 0x100013fd0 <+4>: push r15
3 0x100013fd2 <+6>: push r14
4 0x100013fd4 <+8>: push rbx
5 0x100013fd5 <+9>: push rax
6 0x100013fd6 <+10>: mov r14, rdx
7 0x100013fd9 <+13>: movabs r15, 0x7ffffffffff8
8 0x100013fe3 <+23>: mov rdi, rcx
*9 0x100013fe6 <+26>: call 0x100004ec0 ; payload::LoadToDiskTranslator<swift_class_t, true>::disk()
10 0x100013feb <+31>: mov rdi, rax
*11 0x100013fee <+34>: call 0x100004ec0 ; payload::LoadToDiskTranslator<swift_class_t, true>::disk()
-> 12 0x100013ff3 <+39>: mov rbx, qword ptr [rax + 0x20]
13 0x100013ff7 <+43>: and rbx, r15
14 0x100013ffa <+46>: lea rax, [rip + 0x5428df] payload::isInDyldSharedCache ; 0x1005568e0 dsdump.__DATA.__common
15 0x100014001 <+53>: cmp byte ptr [rax], 0x0
When running:
dsdump -sc /System/Library/Frameworks/Combine.framework/Combine
Result:
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00007ff7e4e02f2c
Exception Codes: 0x0000000000000001, 0x00007ff7e4e02f2c
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process: exc handler [2061]
VM Region Info: 0x7ff7e4e02f2c is not in any region. Bytes after previous region: 619720493 Bytes before following region: 807477460
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
Stack 7ff7bf700000-7ff7bff00000 [ 8192K] rw-/rwx SM=PRV thread 0
---> GAP OF 0x55115000 BYTES
unused shlib __TEXT 7ff815015000-7ff815067000 [ 328K] r-x/r-x SM=COW ... this process
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 dsdump 0x1000045be -[XRMachOLibrary(Swift) preparseSwiftTypes] + 246
1 dsdump 0x1000157fc -[XRMachOLibrary(SymbolDumper) dumpSymbols] + 68
2 dsdump 0x10001bf26 main + 2002
3 dyld 0x10cf3851e start + 462
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x00007ff7e4e02f28 rbx: 0x0000000000000000 rcx: 0xffffffffc08348f8 rdx: 0x00007ff7e4e02f28
rdi: 0x00007ff7e4e02f28 rsi: 0x0000000000000008 rbp: 0x00007ff7bfeff210 rsp: 0x00007ff7bfeff170
r8: 0x00007ff824555b98 r9: 0x0000000000000ed0 r10: 0x00007ff824555000 r11: 0xffffffff9b9a9a50
r12: 0x00007ff82464b78c r13: 0x1fffffffffffffff r14: 0x00007ff7e4e02f28 r15: 0x0000000100455d20
rip: 0x00000001000045be rfl: 0x0000000000010202 cr2: 0x00007ff7e4e02f2c
From LLDB:
dsdump, -[XRMachOLibrary(Swift) preparseSwiftTypes]
0 0x1000044c8 <+0>: push rbp
1 0x1000044c9 <+1>: mov rbp, rsp
2 0x1000044cc <+4>: push r15
3 0x1000044ce <+6>: push r14
4 0x1000044d0 <+8>: push r13
5 0x1000044d2 <+10>: push r12
6 0x1000044d4 <+12>: push rbx
7 0x1000044d5 <+13>: sub rsp, 0x78
8 0x1000044d9 <+17>: mov rsi, qword ptr [rip + 0x3e8e40] ; "ma_ptr"
*9 0x1000044e0 <+24>: call qword ptr [rip + 0x397baa] (void *)0x00007ff8151cd400: objc_msgSend ; 0x10039c090 dsdump.__DATA.__got
10 0x1000044e6 <+30>: mov rbx, rax
11 0x1000044e9 <+33>: lea rcx, [rbp - 0x30]
12 0x1000044ed <+37>: mov qword ptr [rcx], 0x0
13 0x1000044f4 <+44>: lea rsi, [rip + 0x149c2b] "__TEXT" ; 0x10014e126 dsdump.__TEXT.__cstring
14 0x1000044fb <+51>: lea rdx, [rip + 0x149c2b] "__swift5_types" ; 0x10014e12d dsdump.__TEXT.__cstring
15 0x100004502 <+58>: mov rdi, rax
*16 0x100004505 <+61>: call 0x10002229e ; dyld3::MachOLoaded::findSectionContent(char const*, char const*, unsigned long long&) const
17 0x10000450a <+66>: test rax, rax
*18 0x10000450d <+69>: je 0x100004c0c <+1860>
19 0x100004513 <+75>: mov r12, rax
20 0x100004516 <+78>: mov rax, qword ptr [rbp - 0x30]
21 0x10000451a <+82>: test rax, rax
*22 0x10000451d <+85>: je 0x100004c0c <+1860>
23 0x100004523 <+91>: mov qword ptr [rbp - 0x90], rbx
24 0x10000452a <+98>: cmp rax, 0x4
*25 0x10000452e <+102>: jb 0x100004b46 <+1662>
26 0x100004534 <+108>: movabs r13, 0x1fffffffffffffff
27 0x10000453e <+118>: lea r15, [rip + 0x4517db] moduleDescriptorDictionary ; 0x100455d20 dsdump.__DATA.__bss
28 0x100004545 <+125>: xor ebx, ebx
29 0x100004547 <+127>: mov qword ptr [rbp - 0x48], r12
30 0x10000454b <+131>: lea rax, [r12 + 4*rbx]
31 0x10000454f <+135>: movsxd rcx, dword ptr [r12 + 4*rbx]
32 0x100004553 <+139>: lea r14, [rax + 4*rcx]
33 0x100004557 <+143>: mov rdi, r14
*34 0x10000455a <+146>: call 0x100004cb8 ; payload::LoadToDiskTranslator<swift::TargetContextDescriptor<swift::InProcess>, false>::disk()
35 0x10000455f <+151>: mov ecx, dword ptr [rax + 0x4]
36 0x100004562 <+154>: mov qword ptr [rbp - 0x38], r14
37 0x100004566 <+158>: test ecx, ecx
*38 0x100004568 <+160>: je 0x1000045c9 <+257>
39 0x10000456a <+162>: add rax, 0x4
40 0x10000456e <+166>: mov r14, qword ptr [rbp - 0x38]
41 0x100004572 <+170>: mov edx, ecx
42 0x100004574 <+172>: and edx, -0x2
43 0x100004577 <+175>: movsxd rdx, edx
44 0x10000457a <+178>: add rdx, rax
45 0x10000457d <+181>: test cl, 0x1
*46 0x100004580 <+184>: je 0x100004585 <+189>
47 0x100004582 <+186>: mov rdx, qword ptr [rdx]
48 0x100004585 <+189>: test rdx, rdx
*49 0x100004588 <+192>: je 0x1000045c9 <+257>
50 0x10000458a <+194>: mov rdi, r14
*51 0x10000458d <+197>: call 0x100004cb8 ; payload::LoadToDiskTranslator<swift::TargetContextDescriptor<swift::InProcess>, false>::disk()
52 0x100004592 <+202>: movsxd rcx, dword ptr [rax + 0x4]
53 0x100004596 <+206>: test rcx, rcx
*54 0x100004599 <+209>: je 0x1000045b3 <+235>
55 0x10000459b <+211>: add rax, 0x4
56 0x10000459f <+215>: mov r14, rcx
57 0x1000045a2 <+218>: and r14, -0x2
58 0x1000045a6 <+222>: add r14, rax
59 0x1000045a9 <+225>: test cl, 0x1
*60 0x1000045ac <+228>: je 0x1000045b6 <+238>
61 0x1000045ae <+230>: mov r14, qword ptr [r14]
*62 0x1000045b1 <+233>: jmp 0x1000045b6 <+238>
63 0x1000045b3 <+235>: xor r14d, r14d
64 0x1000045b6 <+238>: mov rdi, r14
*65 0x1000045b9 <+241>: call 0x100004cb8 ; payload::LoadToDiskTranslator<swift::TargetContextDescriptor<swift::InProcess>, false>::disk()
-> 66 0x1000045be <+246>: mov ecx, dword ptr [rax + 0x4]
67 0x1000045c1 <+249>: add rax, 0x4
68 0x1000045c5 <+253>: test ecx, ecx
When running:
dsdump -a x86_64 -oc /System/Applications/Calculator.app/Contents/MacOS/Calculator
Result:
0x400000000 is mapped to existing memory, exiting
When running:
dsdump -a x86_64 -sc /System/Library/CoreServices/ControlCenter.app/Contents/MacOS/ControlCenter
Result:
0x400000000 is mapped to existing memory, exiting
After NOPing the jne instruction at 0x010000da5d (skipping the check that leads to the above):
-[XRMachOLibrary initWithPath:]
...
000000010000da59 cmp dword [rbp+var_60], 0x0
-> 000000010000da5d jne loc_10000e104
...
000000010000e104 lea rdi, qword [aPIsMappedToExi] ; argument "format" for method imp___stubs__printf, "%p is mapped to existing memory, exiting\\n", CODE XREF=-[XRMachOLibrary initWithPath:]+339
000000010000e10b mov rsi, r15
000000010000e10e xor eax, eax
000000010000e110 call imp___stubs__printf ; printf
000000010000e115 mov edi, 0x1 ; argument "status" for method imp___stubs__exit
000000010000e11a call imp___stubs__exit ; exit
When running:
dsdump_patched -a x86_64 -oc /System/Applications/Calculator.app/Contents/MacOS/Calculator
Result:
Works as expected
When running:
dsdump_patched -a x86_64 -sc /System/Library/CoreServices/ControlCenter.app/Contents/MacOS/ControlCenter
Result:
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000004245a24a0
Exception Codes: 0x0000000000000001, 0x00000004245a24a0
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process: exc handler [2526]
VM Region Info: 0x4245a24a0 is not in any region. Bytes after previous region: 605017249 Bytes before following region: 105535326509920
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
mapped file 400000000-4004a5000 [ 4756K] r--/rwx SM=COW ...t_id=c08ab0d9
---> GAP OF 0x5ffbffb5b000 BYTES
MALLOC_NANO 600000000000-600008000000 [128.0M] rw-/rwx SM=PRV
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 dsdump_patched 0x100004582 -[XRMachOLibrary(Swift) preparseSwiftTypes] + 186
1 dsdump_patched 0x1000157fc -[XRMachOLibrary(SymbolDumper) dumpSymbols] + 68
2 dsdump_patched 0x10001bf26 main + 2002
3 dyld 0x109a7a51e start + 462
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000400159958 rbx: 0x0000000000000000 rcx: 0x0000000024448b49 rdx: 0x00000004245a24a0
rdi: 0x0000000400159954 rsi: 0x0000000000000008 rbp: 0x00007ff7bfeff1e0 rsp: 0x00007ff7bfeff140
r8: 0x0000000400003290 r9: 0x0000000000000ed0 r10: 0x0000000400000000 r11: 0x00007ff3bfefe530
r12: 0x000000040039e354 r13: 0x1fffffffffffffff r14: 0x0000000400159954 r15: 0x0000000100455d20
rip: 0x0000000100004582 rfl: 0x0000000000010202 cr2: 0x00000004245a24a0
From LLDB:
dsdump_patched, -[XRMachOLibrary(Swift) preparseSwiftTypes]
0 0x1000044c8 <+0>: push rbp
1 0x1000044c9 <+1>: mov rbp, rsp
2 0x1000044cc <+4>: push r15
3 0x1000044ce <+6>: push r14
4 0x1000044d0 <+8>: push r13
5 0x1000044d2 <+10>: push r12
6 0x1000044d4 <+12>: push rbx
7 0x1000044d5 <+13>: sub rsp, 0x78
8 0x1000044d9 <+17>: mov rsi, qword ptr [rip + 0x3e8e40] ; "ma_ptr"
*9 0x1000044e0 <+24>: call qword ptr [rip + 0x397baa] (void *)0x00007ff8151cd400: objc_msgSend ; 0x10039c090 dsdump_1.__DATA.__got
10 0x1000044e6 <+30>: mov rbx, rax
11 0x1000044e9 <+33>: lea rcx, [rbp - 0x30]
12 0x1000044ed <+37>: mov qword ptr [rcx], 0x0
13 0x1000044f4 <+44>: lea rsi, [rip + 0x149c2b] "__TEXT" ; 0x10014e126 dsdump_1.__TEXT.__cstring
14 0x1000044fb <+51>: lea rdx, [rip + 0x149c2b] "__swift5_types" ; 0x10014e12d dsdump_1.__TEXT.__cstring
15 0x100004502 <+58>: mov rdi, rax
*16 0x100004505 <+61>: call 0x10002229e ; dyld3::MachOLoaded::findSectionContent(char const*, char const*, unsigned long long&) const
17 0x10000450a <+66>: test rax, rax
*18 0x10000450d <+69>: je 0x100004c0c <+1860>
19 0x100004513 <+75>: mov r12, rax
20 0x100004516 <+78>: mov rax, qword ptr [rbp - 0x30]
21 0x10000451a <+82>: test rax, rax
*22 0x10000451d <+85>: je 0x100004c0c <+1860>
23 0x100004523 <+91>: mov qword ptr [rbp - 0x90], rbx
24 0x10000452a <+98>: cmp rax, 0x4
*25 0x10000452e <+102>: jb 0x100004b46 <+1662>
26 0x100004534 <+108>: movabs r13, 0x1fffffffffffffff
27 0x10000453e <+118>: lea r15, [rip + 0x4517db] moduleDescriptorDictionary ; 0x100455d20 dsdump_1.__DATA.__bss
28 0x100004545 <+125>: xor ebx, ebx
29 0x100004547 <+127>: mov qword ptr [rbp - 0x48], r12
30 0x10000454b <+131>: lea rax, [r12 + 4*rbx]
31 0x10000454f <+135>: movsxd rcx, dword ptr [r12 + 4*rbx]
32 0x100004553 <+139>: lea r14, [rax + 4*rcx]
33 0x100004557 <+143>: mov rdi, r14
*34 0x10000455a <+146>: call 0x100004cb8 ; payload::LoadToDiskTranslator<swift::TargetContextDescriptor<swift::InProcess>, false>::disk()
35 0x10000455f <+151>: mov ecx, dword ptr [rax + 0x4]
36 0x100004562 <+154>: mov qword ptr [rbp - 0x38], r14
37 0x100004566 <+158>: test ecx, ecx
*38 0x100004568 <+160>: je 0x1000045c9 <+257>
39 0x10000456a <+162>: add rax, 0x4
40 0x10000456e <+166>: mov r14, qword ptr [rbp - 0x38]
41 0x100004572 <+170>: mov edx, ecx
42 0x100004574 <+172>: and edx, -0x2
43 0x100004577 <+175>: movsxd rdx, edx
44 0x10000457a <+178>: add rdx, rax
45 0x10000457d <+181>: test cl, 0x1
*46 0x100004580 <+184>: je 0x100004585 <+189>
-> 47 0x100004582 <+186>: mov rdx, qword ptr [rdx]
48 0x100004585 <+189>: test rdx, rdx
Hope this provides you with enough information. If you need anything else please let me know and if you ever decide to push the source for this version I am fairly confident I could fix it myself.
Thanks again for taking the time!
Can you give me a way to class-dump my IPA file?
I have been trying to extract Objective-C classes from the AFNetworking binary file. It is not working and gives a segmentation fault.
commands tried:
./dsdump --objc -vvv AFNetworking
./dsdump -o AFNetworking
In the help content, there is a demo.
Thoroughly dump the Swift content in color in the Console app dsdump --swift /Applications/Utilities/Console.app/Contents/MacOS/Console -cvvvv
And I tried it with the following
> dsdump --swift /System/Applications/Utilities/Console.app/Contents/MacOS/Console -cvvvv
Multiple arches found: [ x86_64 | arm64e ]
Use --arches (-a) (or ARCH env var) to specify arch
> dsdump --swift /System/Applications/Utilities/Console.app/Contents/MacOS/Console -cvvvv -a x86_64
WARNING: couldn't find address 0x3ef031b44 (0x3ef031b44) in binary!
[1] 62677 segmentation fault dsdump --swift -cvvvv -a x86_64
> dsdump --swift /System/Applications/Utilities/Console.app/Contents/MacOS/Console -cvvvv -a arm64e
2022-02-10 01:06:52.500 dsdump[62697:1005801] *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[__NSArrayM objectAtIndexedSubscript:]: index 259 beyond bounds for empty array'
*** First throw call stack:
(
0 CoreFoundation 0x000000019eb82af8 __exceptionPreprocess + 240
1 libobjc.A.dylib 0x000000019e8cde14 objc_exception_throw + 60
2 CoreFoundation 0x000000019ec54378 -[__NSCFString characterAtIndex:].cold.1 + 0
3 CoreFoundation 0x000000019eaee494 -[__NSArrayM objectAtIndexedSubscript:] + 188
4 dsdump 0x0000000102ef3784 __53-[XRMachOLibrary(Opcode) printChainDetails:callback:]_block_invoke_2 + 148
5 dsdump 0x0000000102efdfe0 _ZNK5dyld311MachOLoaded9walkChainER11DiagnosticsPNS0_25ChainedFixupPointerOnDiskEtbjU13block_pointerFvS4_RbE + 300
6 dsdump 0x0000000102efe168 _ZNK5dyld311MachOLoaded27forEachFixupInSegmentChainsER11DiagnosticsPK30dyld_chained_starts_in_segmentbU13block_pointerFvPNS0_25ChainedFixupPointerOnDiskES5_RbE + 180
7 dsdump 0x0000000102efdd98 _ZNK5dyld311MachOLoaded23forEachFixupInAllChainsER11DiagnosticsPK28dyld_chained_starts_in_imagebU13block_pointerFvPNS0_25ChainedFixupPointerOnDiskEPK30dyld_chained_starts_in_segmentRbE + 92
8 dsdump 0x0000000102ef36c0 __53-[XRMachOLibrary(Opcode) printChainDetails:callback:]_block_invoke + 124
9 dsdump 0x0000000102f0c0c4 _ZNK5dyld313MachOAnalyzer15withChainStartsER11DiagnosticsyU13block_pointerFvPK28dyld_chained_starts_in_imageE + 140
10 dsdump 0x0000000102ef3560 -[XRMachOLibrary(Opcode) printChainDetails:callback:] + 284
11 dsdump 0x0000000102ee9e3c -[XRMachOLibrary handleLoadCommand:] + 368
12 dsdump 0x0000000102effa60 _ZNK5dyld39MachOFile18forEachLoadCommandER11DiagnosticsU13block_pointerFvPK12load_commandRbE + 160
13 dsdump 0x0000000102ee972c -[XRMachOLibrary initWithPath:] + 956
14 dsdump 0x0000000102ef69f8 main + 1400
15 dyld 0x000000010375d08c start + 520
)
libc++abi: terminating with uncaught exception of type NSException
[1] 62697 abort dsdump --swift -cvvvv -a arm64e
It looks like if a type is nested
class ViewController: UIViewController {
}
extension ViewController {
final class View: UIView {
}
}
it would list
class ViewController: UIViewController
as well as
class View: UIView
Is there any way it would be able to retain the outer type?
class ViewController.View
Running the pre-compiled version on a jailbroken iOS 12.4 iPhone X (unc0ver) results in this error.
Please advise.
I was wondering if using this tool there's the ability to dump separate classes/protocols as separate files on disk. Basically, I'm looking for a similar feature to using "-H -o <output_dir>" with the class-dump tool (https://github.com/nygard/class-dump).
If this isn't possible natively with the tool, I'm sure I could do some text manipulation by just outputting the entire output to a file...
Hey 👋,
./dsdump -vvvvv --swift <app>
segfaults; this, in my case, comes from not checking if self->dyldInfo exists.
Adding a quick check, I'm able to get some borked output but dsdump will crash eventually.
Here's some documentation and the line where dyldInfo is set; LC_DYLD_INFO{,_ONLY} is missing & replaced on newer binaries that target 15 for "load-time improvements".
Thanks
https://github.com/qyang-nj/llios/blob/main/exported_symbol/README.md
https://github.com/qyang-nj/llios/blob/main/dynamic_linking/chained_fixups.md
https://medium.com/geekculture/how-ios-15-makes-your-app-launch-faster-51cf0aa6c520
TLDR: "If the binary is targeted at iOS 14+ or is linked with -fixup_chains linker flag, the same information is stored in LC_DYLD_EXPORTS_TRIE load command instead."
> jtool2 -l <app>
LC 00: LC_SEGMENT_64 Mem: 0x000000000-0x100000000 __PAGEZERO
LC 01: LC_SEGMENT_64 Mem: 0x100000000-0x1020e0000 __TEXT
Mem: 0x100006138-0x101b3aaf0 __TEXT.__text (Normal)
Mem: 0x101b3aaf0-0x101b42bf0 __TEXT.__stubs (Symbol Stubs)
Mem: 0x101b42bf0-0x101b42bf8 __TEXT.__init_offsets (?! (Value 16))
Mem: 0x101b42bf8-0x101b7e790 __TEXT.__objc_methlist
Mem: 0x101b7e790-0x101ce4fe8 __TEXT.__const
Mem: 0x101ce4ff0-0x101de79cc __TEXT.__cstring (C-String Literals)
Mem: 0x101de79d0-0x101e6ac71 __TEXT.__swift5_typeref
Mem: 0x101e6ac74-0x101e6ac78 __TEXT.__swift5_entry
Mem: 0x101e6ac78-0x101e6ccf8 __TEXT.__swift5_builtin
Mem: 0x101e6cd00-0x101ee29b0 __TEXT.__swift5_reflstr
Mem: 0x101ee29b0-0x101f56c54 __TEXT.__swift5_fieldmd
Mem: 0x101f56c54-0x101f679fc __TEXT.__swift5_assocty
Mem: 0x101f679fc-0x101f73d74 __TEXT.__swift5_proto
Mem: 0x101f73d74-0x101f7a748 __TEXT.__swift5_types
Mem: 0x101f7a748-0x101fcebc5 __TEXT.__objc_methname (C-String Literals)
Mem: 0x101fcebc8-0x101fd0660 __TEXT.__swift5_protos
Mem: 0x101fd0660-0x101fee7a0 __TEXT.__swift5_capture
Mem: 0x101fee7a0-0x101ff4df0 __TEXT.__gcc_except_tab
Mem: 0x101ff4df0-0x101ff8e77 __TEXT.__objc_classname (C-String Literals)
Mem: 0x101ff8e77-0x10200252c __TEXT.__objc_methtype (C-String Literals)
Mem: 0x10200252c-0x1020696d4 __TEXT.__unwind_info
Mem: 0x1020696d8-0x1020dfff4 __TEXT.__eh_frame
LC 02: LC_SEGMENT_64 Mem: 0x1020e0000-0x10221c000 __DATA_CONST
Mem: 0x1020e0000-0x1020efb58 __DATA_CONST.__got (Non-Lazy Symbol Ptrs)
Mem: 0x1020efb58-0x1021e8f80 __DATA_CONST.__const
Mem: 0x1021e8f80-0x102212b80 __DATA_CONST.__cfstring
Mem: 0x102212b80-0x102218ff0 __DATA_CONST.__objc_classlist (Normal)
Mem: 0x102218ff0-0x102219080 __DATA_CONST.__objc_nlclslist (Normal)
Mem: 0x102219080-0x1022196e0 __DATA_CONST.__objc_catlist (Normal)
Mem: 0x1022196e0-0x1022196e8 __DATA_CONST.__objc_nlcatlist (Normal)
Mem: 0x1022196e8-0x10221a138 __DATA_CONST.__objc_protolist
Mem: 0x10221a138-0x10221a140 __DATA_CONST.__objc_imageinfo
LC 03: LC_SEGMENT_64 Mem: 0x10221c000-0x1025bc000 __DATA
Mem: 0x10221c000-0x10231faa0 __DATA.__objc_const
Mem: 0x10231faa0-0x102334e00 __DATA.__objc_selrefs (Literal Pointers)
Mem: 0x102334e00-0x102335458 __DATA.__objc_protorefs
Mem: 0x102335458-0x102336f10 __DATA.__objc_classrefs (Normal)
Mem: 0x102336f10-0x102337c88 __DATA.__objc_superrefs (Normal)
Mem: 0x102337c88-0x102339d5c __DATA.__objc_ivar
Mem: 0x102339d60-0x1023c7338 __DATA.__objc_data
Mem: 0x1023c7338-0x1024974c4 __DATA.__data
Mem: 0x1024974c8-0x102497560 __DATA.__objc_stublist
Mem: 0x102497560-0x102497578 __DATA.__objc_catlist2
Mem: 0x102497578-0x102497630 __DATA.__swift51_hooks
Mem: 0x102497630-0x1024976e8 __DATA.__swift_hooks
Mem: 0x1024976f0-0x10259b4b8 __DATA.__bss (Zero Fill)
Mem: 0x10259b4c0-0x1025bab40 __DATA.__common (Zero Fill)
LC 04: LC_SEGMENT_64 Mem: 0x1025bc000-0x102814000 __LINKEDIT
LC 05: LC_DYLD_CHAINED_FIXUPS
LC 06: LC_DYLD_EXPORTS_TRIE
LC 07: LC_SYMTAB
LC 08: LC_DYSYMTAB
1 local symbols at index 0
2 external symbols at index 1
5231 undefined symbols at index 3
No TOC
No modtab
10795 Indirect symbols at offset 0x25aec78
LC 09: LC_LOAD_DYLINKER /usr/lib/dyld
LC 10: LC_UUID UUID: 07BC6697-C0CD-3F20-9077-0E568FBE1BC3
LC 11: LC_BUILD_VERSION Build Version: Platform: iOS 14.1.0 SDK: 15
LC 12: LC_SOURCE_VERSION Source Version: 0.0.0.0.0
LC 13: LC_MAIN Entry Point: 0x6138 (Mem: 0x1025a15f9)
LC 14: LC_ENCRYPTION_INFO_64 Encryption: 0 from offset 24576 spanning 4096 bytes
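As an added example (not code from dsdump or its author), the load-command walk below shows the check the report above describes: it locates the export trie through LC_DYLD_EXPORTS_TRIE when LC_DYLD_INFO{,_ONLY} is absent, as in the jtool2 listing, bounds-checks every read, and reports "no export info" instead of dereferencing a NULL dyld_info pointer (export_size sits at offset 0x2c of dyld_info_command, the fault address in the first crash report on this page). The Mach-O structs and constants are redefined locally so it compiles off-macOS, and the fixture images are constructed headers, not real binaries.

```c
#include <stdint.h>
#include <string.h>
/* Subset of <mach-o/loader.h>, redefined here so the example builds on any host. */
#define MH_MAGIC_64            0xfeedfacfu
#define LC_REQ_DYLD            0x80000000u
#define LC_DYLD_INFO           0x22u
#define LC_DYLD_INFO_ONLY      (0x22u | LC_REQ_DYLD)
#define LC_DYLD_EXPORTS_TRIE   (0x33u | LC_REQ_DYLD)
#define LC_DYLD_CHAINED_FIXUPS (0x34u | LC_REQ_DYLD)
struct mach_header_64 { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct load_command { uint32_t cmd, cmdsize; };
struct dyld_info_command {
    uint32_t cmd, cmdsize, rebase_off, rebase_size, bind_off, bind_size;
    uint32_t weak_bind_off, weak_bind_size, lazy_bind_off, lazy_bind_size;
    uint32_t export_off, export_size;   /* export_size sits at offset 0x2c of this struct */
};
struct linkedit_data_command { uint32_t cmd, cmdsize, dataoff, datasize; };

enum export_source { EXPORTS_MALFORMED = -1, EXPORTS_NONE = 0, EXPORTS_DYLD_INFO = 1, EXPORTS_TRIE = 2 };
struct export_info {
    enum export_source source;
    uint32_t off, size;       /* file offset and size of the export trie */
    int has_chained_fixups;   /* LC_DYLD_CHAINED_FIXUPS seen: an iOS 15-style image */
};

/* Walk the load commands of an in-memory 64-bit Mach-O and report where the export trie
 * lives. Every read is bounds-checked; a missing LC_DYLD_INFO{,_ONLY} is a result, not a crash. */
enum export_source find_exports(const uint8_t *buf, size_t len, struct export_info *out)
{
    struct mach_header_64 hdr;
    struct dyld_info_command dyld_info; struct linkedit_data_command trie;
    int have_dyld_info = 0, have_trie = 0;
    memset(out, 0, sizeof *out);
    if (len < sizeof hdr) return out->source = EXPORTS_MALFORMED;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.magic != MH_MAGIC_64 || hdr.sizeofcmds > len - sizeof hdr)
        return out->source = EXPORTS_MALFORMED;
    size_t off = sizeof hdr, end = sizeof hdr + hdr.sizeofcmds;
    for (uint32_t i = 0; i < hdr.ncmds; i++) {
        struct load_command lc;
        if (end - off < sizeof lc) return out->source = EXPORTS_MALFORMED;
        memcpy(&lc, buf + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return out->source = EXPORTS_MALFORMED;
        switch (lc.cmd) {
        case LC_DYLD_INFO: case LC_DYLD_INFO_ONLY:
            if (lc.cmdsize < sizeof dyld_info) return out->source = EXPORTS_MALFORMED;
            memcpy(&dyld_info, buf + off, sizeof dyld_info);
            have_dyld_info = 1;
            break;
        case LC_DYLD_EXPORTS_TRIE:
            if (lc.cmdsize < sizeof trie) return out->source = EXPORTS_MALFORMED;
            memcpy(&trie, buf + off, sizeof trie);
            have_trie = 1;
            break;
        case LC_DYLD_CHAINED_FIXUPS:
            out->has_chained_fixups = 1;
            break;
        default:
            break;   /* segments, symtab, uuid, ... are not relevant here */
        }
        off += lc.cmdsize;
    }
    if (have_trie) {   /* the dedicated command wins when both are present */
        out->off = trie.dataoff; out->size = trie.datasize;
        return out->source = EXPORTS_TRIE;
    }
    if (have_dyld_info) {
        out->off = dyld_info.export_off; out->size = dyld_info.export_size;
        return out->source = EXPORTS_DYLD_INFO;
    }
    return out->source = EXPORTS_NONE;   /* nothing to parse: report it, don't crash */
}

/* Constructed test image (header + dyld load commands only, no real segments).
 * style 0: legacy LC_DYLD_INFO_ONLY; 1: iOS 15-style LC_DYLD_CHAINED_FIXUPS +
 * LC_DYLD_EXPORTS_TRIE; anything else: no dyld commands at all. Returns the length. */
size_t build_fixture(uint8_t *buf, int style)
{
    struct mach_header_64 hdr = { MH_MAGIC_64, 0x0100000c /* CPU_TYPE_ARM64 */, 0, 2 /* MH_EXECUTE */, 0, 0, 0, 0 };
    size_t off = sizeof hdr;
    if (style == 0) {
        struct dyld_info_command di = { LC_DYLD_INFO_ONLY, sizeof di, 0, 0, 0, 0, 0, 0, 0, 0, 0x2000, 0x80 };
        memcpy(buf + off, &di, sizeof di); off += sizeof di; hdr.ncmds++;
    } else if (style == 1) {
        struct linkedit_data_command fix = { LC_DYLD_CHAINED_FIXUPS, sizeof fix, 0x3000, 0x200 };
        struct linkedit_data_command tr = { LC_DYLD_EXPORTS_TRIE, sizeof tr, 0x1000, 0x40 };
        memcpy(buf + off, &fix, sizeof fix); off += sizeof fix; hdr.ncmds++;
        memcpy(buf + off, &tr, sizeof tr); off += sizeof tr; hdr.ncmds++;
    }
    hdr.sizeofcmds = (uint32_t)(off - sizeof hdr);
    memcpy(buf, &hdr, sizeof hdr);
    return off;
}

/* Build a fixture, chop `trim` bytes off its end (simulating a truncated file), classify it. */
enum export_source classify_fixture(int style, size_t trim, struct export_info *out)
{
    uint8_t img[128];
    size_t n = build_fixture(img, style);
    return find_exports(img, n > trim ? n - trim : 0, out);
}
```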
I'm using Arch Linux and have cloned swift and ran the update-checkout script.
How should I compile from here (if possible)?
PS: there was an issue asking for ios binaries, did you ever get around to making those?
Thanks.
I spent some time this morning getting the current master branch to build, and scratching my head at the differences in behavior between it and the b3 binary. I realized (I think) that the binaries are being generated from a different source base. Maybe a private fork/branch?
I understand if you would rather keep that branch private, maybe for now, or maybe forever. But in case you don't care one way or the other, I would be happy to have the latest changes as I tinker with maybe fixing some crashes in the use cases I care most about.
Attempting to dump the UIKitCore binary in Xcode 14 beta 1 leads to a crash. The same command used against the latest version of Xcode 13 outputs successfully.
Been a while since I've used this tool so I can't say for sure it's not a problem with my particular incantation. But I tried minimizing the options I was using, and couldn't get anything working.
➜ dsdump_beta ./dsdump --objc -a arm64 --verbose=5 /Applications/Xcode-beta.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore --defined > ~/Desktop/UIKitCore.txt
2022-06-12 16:26:44.286 dsdump[51927:10158746] *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[__NSArrayM objectAtIndexedSubscript:]: index 0 beyond bounds for empty array'
*** First throw call stack:
(
0 CoreFoundation 0x00000001b1bcd198 __exceptionPreprocess + 240
1 libobjc.A.dylib 0x00000001b1917e04 objc_exception_throw + 60
2 CoreFoundation 0x00000001b1c9f16c -[__NSCFString characterAtIndex:].cold.1 + 0
3 CoreFoundation 0x00000001b1b38bd4 -[__NSArrayM objectAtIndexedSubscript:] + 188
4 dsdump 0x0000000104b2787c __53-[XRMachOLibrary(Opcode) printChainDetails:callback:]_block_invoke_2 + 748
5 dsdump 0x0000000104b31ef4 _ZNK5dyld311MachOLoaded9walkChainER11DiagnosticsPNS0_25ChainedFixupPointerOnDiskEtbjU13block_pointerFvS4_RbE + 96
6 dsdump 0x0000000104b32148 _ZNK5dyld311MachOLoaded27forEachFixupInSegmentChainsER11DiagnosticsPK30dyld_chained_starts_in_segmentbU13block_pointerFvPNS0_25ChainedFixupPointerOnDiskES5_RbE + 180
7 dsdump 0x0000000104b31d78 _ZNK5dyld311MachOLoaded23forEachFixupInAllChainsER11DiagnosticsPK28dyld_chained_starts_in_imagebU13block_pointerFvPNS0_25ChainedFixupPointerOnDiskEPK30dyld_chained_starts_in_segmentRbE + 92
8 dsdump 0x0000000104b27560 __53-[XRMachOLibrary(Opcode) printChainDetails:callback:]_block_invoke + 124
9 dsdump 0x0000000104b400a4 _ZNK5dyld313MachOAnalyzer15withChainStartsER11DiagnosticsyU13block_pointerFvPK28dyld_chained_starts_in_imageE + 140
10 dsdump 0x0000000104b27400 -[XRMachOLibrary(Opcode) printChainDetails:callback:] + 284
11 dsdump 0x0000000104b1ddb0 -[XRMachOLibrary handleLoadCommand:] + 368
12 dsdump 0x0000000104b33a40 _ZNK5dyld39MachOFile18forEachLoadCommandER11DiagnosticsU13block_pointerFvPK12load_commandRbE + 160
13 dsdump 0x0000000104b1d6a0 -[XRMachOLibrary initWithPath:] + 956
14 dsdump 0x0000000104b2a954 main + 1588
15 dyld 0x00000001053d108c start + 520
)
libc++abi: terminating with uncaught exception of type NSException
Repro:
$ ~/Downloads/dsdump -a arm64 --objc /Library/Developer/PrivateFrameworks/CoreDevice.framework/CoreDevice
[1] 3344 segmentation fault ~/Downloads/dsdump -a arm64 --swift
Crash report: https://gist.github.com/rolfbjarne/7e226427136d762e927208abc08b957d
I tried the beta version too:
$ ~/Downloads/dsdump_0.8.3/dsdump -a arm64 --objc /Library/Developer/PrivateFrameworks/CoreDevice.framework/CoreDevice
2023-10-10 11:56:40.932 dsdump[3458:861129] *** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[__NSArrayM objectAtIndexedSubscript:]: index 0 beyond bounds for empty array'
*** First throw call stack:
(
0 CoreFoundation 0x00000001810ab104 __exceptionPreprocess + 176
1 libobjc.A.dylib 0x0000000180bc9fd0 objc_exception_throw + 60
2 CoreFoundation 0x00000001811959b4 -[__NSCFString characterAtIndex:].cold.1 + 0
3 CoreFoundation 0x000000018101eb48 -[__NSArrayM objectAtIndexedSubscript:] + 188
4 dsdump 0x0000000104e3c3b8 __53-[XRMachOLibrary(Opcode) printChainDetails:callback:]_block_invoke_2 + 748
5 dsdump 0x0000000104e46848 _ZNK5dyld311MachOLoaded9walkChainER11DiagnosticsPNS0_25ChainedFixupPointerOnDiskEtbjU13block_pointerFvS4_RbE + 308
6 dsdump 0x0000000104e469c8 _ZNK5dyld311MachOLoaded27forEachFixupInSegmentChainsER11DiagnosticsPK30dyld_chained_starts_in_segmentbU13block_pointerFvPNS0_25ChainedFixupPointerOnDiskES5_RbE + 180
7 dsdump 0x0000000104e465f8 _ZNK5dyld311MachOLoaded23forEachFixupInAllChainsER11DiagnosticsPK28dyld_chained_starts_in_imagebU13block_pointerFvPNS0_25ChainedFixupPointerOnDiskEPK30dyld_chained_starts_in_segmentRbE + 92
8 dsdump 0x0000000104e3c09c __53-[XRMachOLibrary(Opcode) printChainDetails:callback:]_block_invoke + 124
9 dsdump 0x0000000104e54860 _ZNK5dyld313MachOAnalyzer15withChainStartsER11DiagnosticsyU13block_pointerFvPK28dyld_chained_starts_in_imageE + 140
10 dsdump 0x0000000104e3bf3c -[XRMachOLibrary(Opcode) printChainDetails:callback:] + 284
11 dsdump 0x0000000104e327b4 -[XRMachOLibrary handleLoadCommand:] + 368
12 dsdump 0x0000000104e482c0 _ZNK5dyld39MachOFile18forEachLoadCommandER11DiagnosticsU13block_pointerFvPK12load_commandRbE + 160
13 dsdump 0x0000000104e32038 -[XRMachOLibrary initWithPath:] + 1456
14 dsdump 0x0000000104e31a40 -[XRMachOLibrary initWithCPath:] + 144
15 dsdump 0x0000000104e3f4ac main + 1912
16 dyld 0x0000000180bfbf28 start + 2236
)
libc++abi: terminating due to uncaught exception of type NSException
[1] 3458 abort ~/Downloads/dsdump_0.8.3/dsdump -a arm64 --objc
The most recent commit 55f854a seems to have borked the README.
Has anyone had similar issues? The error message mostly refers to mmap() on Google. My memory is free (no apps open), and other apps are not reporting issues with memory. What else can it be?
$ dsdump --arch arm64 -U -vvv ../../../ios-analysis/IPA/Payload/NN.app/NN
0x400000000 is mapped to existing memory, exiting
Hi,
I am exploring dsdump to be used for one of my use cases in my team. Currently there is no licensing information in the source code, which according to GitHub means it cannot be used.
"However, without a license, the default copyright laws apply, meaning that you retain all rights to your source code and no one may reproduce, distribute, or create derivative works from your work."
Is this intended? If not, can you please update the license accordingly.
$ dsdump -s /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock
WARNING: couldn't find address 0x3aae3545b (0x3aae3545b) in binary!
Segmentation fault: 11
I think we should at the very least try to detect these and abort if we're not going to handle them correctly.
I've tried using dsdump on some executables on the iOS 14 Developer Disk Image and found that if you don't specify the -a/--arch option, then dsdump apparently can't determine the default architecture and will terminate.
The Developer Disk Image can be found at /Applications/Xcode-beta.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/14.0/DeveloperDiskImage.dmg
after installing the Xcode 12 beta. Double-click it to mount it.
Then, run one of these commands:
dsdump /Volumes/DeveloperDiskImage/usr/libexec/testmanagerd
dsdump /Volumes/DeveloperDiskImage/Library/Frameworks/XCTest.framework/XCTest
The output is
Multiple arches found: [ arm64 | arm64e ]
Assertion failed: (len == sizeof(uint32_t)), function -[XRMachOLibrary(FAT) defaultArchitectureName]_block_invoke, file /Users/lolgrep/code/dsdump/dsdump/FAT/XRMachOLibrary+FAT.mm, line 144.
[1] 37661 abort ~/Downloads/dsdump
The workaround is to simply add --arch arm64 or --arch arm64e to the command line.
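The assertion above fires inside the FAT-header code that picks a default slice. As an added example (my code, not dsdump's), the block below parses the fat header of a constructed two-slice file (arm64 + arm64e), names each slice the way the --arch flag expects, and returns a distinct error code when no arch was requested and the file is ambiguous, so the caller can print "use --arch" instead of asserting. The constants and field layout mirror Apple's <mach-o/fat.h> and <mach/machine.h>; the function names select_fat_slice, arch_name and build_sample and the sample bytes are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants mirroring <mach-o/fat.h> and <mach/machine.h>, defined locally so
   the example builds on any host. Fat headers are stored big-endian on disk. */
#define FAT_MAGIC          0xcafebabeU
#define CPU_ARCH_ABI64     0x01000000U
#define CPU_TYPE_X86_64    (7U  | CPU_ARCH_ABI64)
#define CPU_TYPE_ARM64     (12U | CPU_ARCH_ABI64)
#define CPU_SUBTYPE_MASK   0xff000000U   /* capability bits, not part of the subtype */
#define CPU_SUBTYPE_ARM64E 2U
#define FAT_HEADER_SIZE    8
#define FAT_ARCH_SIZE      20

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32be(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Name a slice the way dsdump's --arch flag expects it. */
const char *arch_name(uint32_t cputype, uint32_t cpusubtype) {
    cpusubtype &= ~CPU_SUBTYPE_MASK;
    if (cputype == CPU_TYPE_X86_64) return "x86_64";
    if (cputype == CPU_TYPE_ARM64)  return cpusubtype == CPU_SUBTYPE_ARM64E ? "arm64e" : "arm64";
    return "unknown";
}

/* Pick the slice to parse. Returns the slice index, or
   -1: not a 32-bit fat file, or header/slice bounds exceed the buffer
   -2: the requested arch is not in the file
   -3: no arch requested and the file has several slices (ambiguous: ask the user) */
int select_fat_slice(const uint8_t *buf, size_t len, const char *wanted) {
    if (len < FAT_HEADER_SIZE || rd32be(buf) != FAT_MAGIC) return -1;
    uint32_t nfat = rd32be(buf + 4);
    if (nfat == 0 || nfat > 64 || len < FAT_HEADER_SIZE + (size_t)nfat * FAT_ARCH_SIZE) return -1;
    if (wanted == NULL) return nfat == 1 ? 0 : -3;
    for (uint32_t i = 0; i < nfat; i++) {
        const uint8_t *fa = buf + FAT_HEADER_SIZE + i * FAT_ARCH_SIZE;
        uint32_t cputype = rd32be(fa), cpusubtype = rd32be(fa + 4);
        uint32_t offset = rd32be(fa + 8), size = rd32be(fa + 12);
        /* A slice pointing outside the file would make every later read walk off the mapping. */
        if (offset > len || size > len - offset) return -1;
        if (strcmp(arch_name(cputype, cpusubtype), wanted) == 0) return (int)i;
    }
    return -2;
}

/* Constructed sample (not a real binary): a two-slice fat header, arm64 at offset 48
   and arm64e at offset 56, each 8 bytes long, so the whole file is 64 bytes. */
#define SAMPLE_LEN 64
static uint8_t sample[SAMPLE_LEN];
const uint8_t *build_sample(void) {
    memset(sample, 0, sizeof sample);
    wr32be(sample, FAT_MAGIC);
    wr32be(sample + 4, 2);                      /* nfat_arch */
    uint8_t *a0 = sample + 8, *a1 = sample + 28;
    wr32be(a0, CPU_TYPE_ARM64); wr32be(a0 + 4, 0);                  wr32be(a0 + 8, 48); wr32be(a0 + 12, 8); wr32be(a0 + 16, 3);
    wr32be(a1, CPU_TYPE_ARM64); wr32be(a1 + 4, CPU_SUBTYPE_ARM64E); wr32be(a1 + 8, 56); wr32be(a1 + 12, 8); wr32be(a1 + 16, 3);
    return sample;
}

int main(void) {
    const uint8_t *f = build_sample();
    const char *tries[] = { NULL, "arm64", "arm64e", "x86_64" };
    for (size_t i = 0; i < 4; i++)
        printf("--arch %-7s -> slice %d\n", tries[i] ? tries[i] : "(none)", select_fat_slice(f, SAMPLE_LEN, tries[i]));
    return 0;
}
```

The point of the three distinct negative codes is that "ambiguous" and "absent" are user errors that deserve a message, while "bounds exceed the buffer" is a malformed or truncated file that the parser must refuse before reading any slice.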
Classes with no members are listed with empty brackets:
dsdump/dsdump/XRMachOLibrary+Swift.mm, line 356 in 9ca7faa
Is this intentional?
Now that Big Sur is only shipping with a shared cache, it would be awesome to dsdump a framework from within the shared cache. Even support for extracted libraries would be sweet!
I built dsdump on an M1 Mac myself. It works fine for an x86_64 arch library, but fails for an arm64e arch library:
dsdump -sc /usr/libexec/sharingd
Multiple arches found: [ x86_64 | arm64e ]
Use --arches (-a) (or ARCH env var) to specify arch
so add -a x86_64, fine:
dsdump -sc /usr/libexec/sharingd -a x86_64
protocol sharingd.SDContactStoreInterface // 5 requirements
protocol sharingd.SDAirDropHashStore // 12 requirements
struct __C.Name {
// Properties
var _rawValue : NSString
}
class __C.CFString {
class __C.CGImage {
struct __C.FileProtectionType {
// Properties
var _rawValue : NSString
}
struct __C.FileAttributeKey {
// Properties
var _rawValue : NSString
}
struct sharingd.SDAirDropContactHashManagerContext {
// Properties
let systemMonitor : SDCUSystemMonitorInterface // +0x0
let contactStore : SDContactStoreInterface // +0x8
let hashStore : SDAirDropHashStore // +0x30
let notificationCenter : NSNotificationCenter // +0x40
let distributedNotificationCenter : NSNotificationCenter // +0x48
let coalescerMinDelay : Double // +0x50
let coalescerMaxDelay : Double // +0x58
}
class sharingd.SDXPCHelperImageCache : NSObject /usr/lib/libobjc.A.dylib {
// ObjC -> Swift bridged methods
0x1001d7730 @objc SDXPCHelperImageCache.init <stripped>
// Swift methods
0x1001d4a20 class func static SDXPCHelperImageCache.clearCacheWithSync(_:) // method
0x1001d52d0 class func static SDXPCHelperImageCache.purgeAvatars() // method
0x1001d55d0 class func static SDXPCHelperImageCache.evict(contactIdentifier:) // method
0x1001d6440 class func static SDXPCHelperImageCache.setImage(_:forKey:contactIDs:) // method
0x1001d6950 class func static SDXPCHelperImageCache.cacheIsEmpty() // method
0x1001d6af0 class func static SDXPCHelperImageCache.imageForKey(_:contactIDs:) // method
0x1001d6ff0 class func static SDXPCHelperImageCache.cacheCount() // method
}
enum sharingd.CacheError {
// Properties
WARNING: couldn't find address 0x0 (0x0) in binary!
case imageDestinationCreateFailed : ��
WARNING: couldn't find address 0x0 (0x0) in binary!
case imageDestinationFinalizeFailed : ��
WARNING: couldn't find address 0x0 (0x0) in binary!
case imageSourceCreateFailed : ��
}
class sharingd.SDAirDropHashStoreCDB : _SwiftObject /usr/lib/swift/libswiftCore.dylib {
// Properties
var reader : CUKeyValueStoreReader<NSData, NSData>
var stagedAdditions : SDAirDropHashStoreEntry
var stagedDeletedIDs : Set<String>
var loaded : Bool
var destroyed : Bool
// Swift methods
0x1001dbfa0 func SDAirDropHashStoreCDB.rebuildRequired.getter // getter
0x1001dc150 func SDAirDropHashStoreCDB.load() // method
0x1001dc7e0 func SDAirDropHashStoreCDB.stageAddEntries(_:) // method
0x1001dd0f0 func SDAirDropHashStoreCDB.stageDeleteEntriesForContact(withID:) // method
0x1001dd710 func SDAirDropHashStoreCDB.persist() // method
0x1001df710 func SDAirDropHashStoreCDB.destroy() // method
0x1001df9b0 func SDAirDropHashStoreCDB.contact(forLongHash:) // method
0x1001dff80 func SDAirDropHashStoreCDB.contacts(forLongHash:) // method
0x1001e0cc0 func SDAirDropHashStoreCDB.contact(forMediumHash:) // method
0x1001e1280 func SDAirDropHashStoreCDB.contacts(forMediumHash:) // method
0x1001e1c40 func SDAirDropHashStoreCDB.contains(shortHash:) // method
}
class sharingd.SDContactChangeHistoryEvent : _SwiftObject /usr/lib/swift/libswiftCore.dylib {
// Swift methods
}
class sharingd.SDContactChangeHistoryDropEverythingEvent : SDContactChangeHistoryEvent { }
class sharingd.SDContactChangeHistoryAddEvent : SDContactChangeHistoryEvent {
// Properties
let contact : CNContact
// Swift methods
}
class sharingd.SDContactChangeHistoryDeleteEvent : SDContactChangeHistoryEvent {
// Properties
let contactIdentifier : String
// Swift methods
}
class sharingd.SDContactChangeHistoryUpdateEvent : SDContactChangeHistoryEvent {
// Properties
let contact : CNContact
// Swift methods
}
class sharingd.SDContactStore : _SwiftObject /usr/lib/swift/libswiftCore.dylib, SDContactStoreInterface {
// Properties
let didChangeNotificationName : Name
let meContactDidChangeNotificationName : Name
let contactStore : CNContactStore
// Swift methods
0x1001eda90 func <stripped> // method
0x1001edbd0 func <stripped> // method
0x1001ee120 func <stripped> // method
}
enum sharingd.SDRunState {
// Properties
case notStarted
case inProgress
case completed
case failed
case skip
}
class sharingd.OnceManager : _SwiftObject /usr/lib/swift/libswiftCore.dylib {
// Properties
var onceList : Set<Int> // +0x10 (0x8)
// Swift methods
}
class sharingd.PushableTimer : _SwiftObject /usr/lib/swift/libswiftCore.dylib {
// Properties
WARNING: couldn't find address 0x0 (0x0) in binary!
let noLaterThan : {� // +0x19 (0x0)
let timer : OS_dispatch_source_timer // +0x0 (0x8)
// Swift methods
0x1001f03f0 class func PushableTimer.__allocating_init(fireAt:noLaterThan:queue:handler:) // init
0x1001f0510 func PushableTimer.reschedule(deadline:) // method
0x1001f0720 func PushableTimer.resume() // method
0x1001f0740 func PushableTimer.cancel() // method
}
class sharingd.SDB389BubbleMonitor : _SwiftObject /usr/lib/swift/libswiftCore.dylib {
// Properties
WARNING: couldn't find address 0x0 (0x0) in binary!
var allDevices : empty-list
var queue : OS_dispatch_queue?
var updateHandler : ()?
WARNING: couldn't find address 0x0 (0x0) in binary!
var lostHandler : empty-list
let bubbleScanner : SFDeviceDiscovery
let rssiThreshold : Int
WARNING: couldn't find address 0x0 (0x0) in binary!
var bubbleDevices : empty-list
// Swift methods
0x1001f0860 func SDB389BubbleMonitor.allDevices.getter // getter
0x1001f0890 func SDB389BubbleMonitor.allDevices.setter // setter
0x1001f08d0 func SDB389BubbleMonitor.allDevices.modify // modifyCoroutine
0x1001f0910 func SDB389BubbleMonitor.queue.getter // getter
0x1001f0950 func SDB389BubbleMonitor.queue.setter // setter
0x1001f0990 func SDB389BubbleMonitor.queue.modify // modifyCoroutine
0x1001f09c0 func SDB389BubbleMonitor.inBubbleCount.getter // getter
0x1001f09d0 func SDB389BubbleMonitor.updateHandler.getter // getter
0x1001f0a10 func SDB389BubbleMonitor.updateHandler.setter // setter
0x1001f0a80 func SDB389BubbleMonitor.updateHandler.modify // modifyCoroutine
0x1001f0ab0 func SDB389BubbleMonitor.lostHandler.getter // getter
0x1001f0af0 func SDB389BubbleMonitor.lostHandler.setter // setter
0x1001f0b60 func SDB389BubbleMonitor.lostHandler.modify // modifyCoroutine
0x1001f0b90 func SDB389BubbleMonitor.closestB389sInBubble.getter // getter
}
class sharingd.InstanceCounter {
struct sharingd.IntegerPacker {
// Properties
let sourcesPerTarget : Int
}
enum sharingd.PackError {
// Properties
case wrongPackLength
}
struct sharingd.ShortHash {
// Properties
WARNING: couldn't find address 0x0 (0x0) in binary!
let storage : g� // +0x0
}
struct sharingd.MediumHash {
// Properties
let shortHash : ShortHash // +0x0
WARNING: couldn't find address 0x0 (0x0) in binary!
let lastMediumByte : A� // +0x2
}
struct sharingd.LongHash {
// Properties
WARNING: couldn't find address 0x0 (0x0) in binary!
let storage : u� // +0x0
}
struct sharingd.SDHashStoreContact {
// Properties
let id : String // +0x0
let emailOrPhone : String // +0x10
}
struct sharingd.SDAirDropHashStoreEntry {
// Properties
let hashStoreContact : SDHashStoreContact // +0x0
let longHash : LongHash // +0x20
let mediumHash : MediumHash // +0x40
}
class sharingd.SDAirDropHandlerIPA : SDAirDropHandler {
// ObjC -> Swift bridged methods
0x1001f6ec0 @objc SDAirDropHandlerIPA.canHandleTransfer <stripped>
0x1001f6ed0 @objc SDAirDropHandlerIPA.transferTypes <stripped>
0x1001f6f10 @objc SDAirDropHandlerIPA.suitableContentsDescription <stripped>
0x1001f7450 @objc SDAirDropHandlerIPA.singleItemActionTitle <stripped>
0x1001f7510 @objc SDAirDropHandlerIPA.initWithTransfer:bundleIdentifier: <stripped>
}
class sharingd.SDDeferrableOperation : NSObject /usr/lib/libobjc.A.dylib {
// Properties
let identifier : String // +0x8 (0x10)
WARNING: couldn't find address 0x0 (0x0) in binary!
var preventUntilDate : �� // +0x0 (0x0)
let operation : (_:) // +0x0 (0x10)
let queue : OS_dispatch_queue // +0x0 (0x8)
WARNING: couldn't find address 0x0 (0x0) in binary!
var timedReasons : String // +0x0 (0x8)
var reasons : Set<String> // +0x0 (0x8)
var pendingOperation : Bool // +0x0 (0x1)
var mainTimer : OS_dispatch_source_timer? // +0x0 (0x8)
// ObjC -> Swift bridged methods
0x1001f7770 @objc SDDeferrableOperation.initWithIdentifier:queue:operation: <stripped>
0x1001f7d00 @objc SDDeferrableOperation.addReason: <stripped>
0x1001f8340 @objc SDDeferrableOperation.removeReason: <stripped>
0x1001f91f0 @objc SDDeferrableOperation.pushPreventionDateForReason:newDate: <stripped>
0x1001f97e0 @objc SDDeferrableOperation.scheduleOperation <stripped>
0x1001fb5d0 @objc SDDeferrableOperation.returnPreventUntilDate <stripped>
0x1001fb680 @objc SDDeferrableOperation.returnHasActiveTimer <stripped>
0x1001fb6a0 @objc SDDeferrableOperation.init <stripped>
0x1001fb700 @objc SDDeferrableOperation..cxx_destruct <stripped>
// Swift methods
0x1001f7820 func <stripped> // method
0x1001f7d20 func <stripped> // method
0x1001f83e0 func <stripped> // method
0x1001f92d0 func <stripped> // method
0x1001f9810 func <stripped> // method
0x1001f9f00 func <stripped> // method
0x1001face0 func <stripped> // method
0x1001fb010 func <stripped> // method
}
enum sharingd.SDAirDropHashError {
// Properties
case hashesAreIncorrect
case storeNotLoaded
case storeDestroyed
case contactIDDecodeFailed
case contactFieldDecodeFailed
case rateLimited
}
class sharingd.SDAirDropContactHashManager : NSObject /usr/lib/libobjc.A.dylib {
// Properties
let context : SDAirDropContactHashManagerContext // +0x8 (0x60)
let contactUpdateCoalescer : CUCoalescer // +0x68 (0x8)
let meCardUpdateCoalescer : CUCoalescer // +0x70 (0x8)
let systemMonitor : SDCUSystemMonitorInterface // +0x78 (0x8)
let hashManagerQ : OS_dispatch_queue // +0x80 (0x8)
let bucket : SFTokenBucketWithDups // +0x88 (0x8)
let contactStore : SDContactStoreInterface // +0x90 (0x28)
var hashDB : SDAirDropHashStore // +0xb8 (0x10)
let notificationCenter : NSNotificationCenter // +0xc8 (0x8)
let distributedNotificationCenter : NSNotificationCenter // +0xd0 (0x8)
var activated : Bool // +0xd8 (0x1)
var meCardInfo : SDAirDropHashStoreEntry // +0xe0 (0x10)
var hashesUpdatedSuccessfully : Bool // +0xf0 (0x1)
// ObjC -> Swift bridged methods
0x1001ff880 @objc SDAirDropContactHashManager.init <stripped>
0x100201730 @objc SDAirDropContactHashManager.cmfSyncAgentBlockListDidChange <stripped>
0x1002017b0 @objc SDAirDropContactHashManager.contactStoreDidChange <stripped>
0x100201ac0 @objc SDAirDropContactHashManager.meCardDidChange <stripped>
0x100209100 @objc SDAirDropContactHashManager..cxx_destruct <stripped>
// Swift methods
}
but fails for -a arm64e
dsdump -sc /usr/libexec/sharingd -a arm64e
[1] 93873 segmentation fault dsdump -sc /usr/libexec/sharingd -a arm64e
figured adding details from the crash log might help!
Translated Report (Full Report Below)
-------------------------------------
Process: dsdump [93873]
Path: /Users/USER/*/dsdump
Identifier: dsdump
Version: ???
Code Type: ARM-64 (Native)
Parent Process: zsh [85399]
Responsible: iTerm2 [68109]
User ID: 501
Date/Time: 2021-12-02 00:17:51.5711 +0800
OS Version: macOS 12.0.1 (21A559)
Report Version: 12
Anonymous UUID: BB59D4CE-08F2-006C-360E-EEAD995E580A
Sleep/Wake UUID: 4097F3DD-96B7-4D54-9F2A-E450B888E5DC
Time Awake Since Boot: 150000 seconds
Time Since Wake: 3078 seconds
System Integrity Protection: enabled
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000000000002c
Exception Codes: 0x0000000000000001, 0x000000000000002c
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process: exc handler [93873]
VM Region Info: 0x2c is not in any region. Bytes before following region: 4332765140
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
UNUSED SPACE AT START
--->
__TEXT 10240c000-1027e0000 [ 3920K] r-x/r-x SM=COW ...USER/*/dsdump
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 dsdump 0x102446a64 -[XRMachOLibrary(Opcode) parseDYLDExports] + 36 (XRMachOLibrary+Opcode.mm:362)
1 dsdump 0x102446a64 -[XRMachOLibrary(Opcode) parseDYLDExports] + 36 (XRMachOLibrary+Opcode.mm:362)
2 dsdump 0x10242a01c -[XRMachOLibrary initWithPath:] + 7296 (XRMachOLibrary.mm:380)
3 dsdump 0x10244f4c4 main + 396 (main.m:59)
4 dyld 0x102bfd0f4 start + 520
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000000000000 x1: 0x00000001025956fd x2: 0x000000000000000d x3: 0x0000000000000029
x4: 0x0000000000000078 x5: 0x000000000000004f x6: 0x0000000000000074 x7: 0x0000000000000660
x8: 0x000000013f804080 x9: 0x4036311255e20031 x10: 0x000000013f8050a0 x11: 0x0000000000db9a45
x12: 0x000000000000001d x13: 0x0000000000000000 x14: 0x0000000100000000 x15: 0x0000000102594d39
x16: 0x000000010282ccba x17: 0x000000010242d290 x18: 0x0000000000000000 x19: 0x0000000102ca4060
x20: 0x000000010244f338 x21: 0x0000000102c58070 x22: 0x0000000000000000 x23: 0x0000000000000000
x24: 0x0000000000000000 x25: 0x0000000000000000 x26: 0x0000000000000000 x27: 0x0000000000000000
x28: 0x0000000000000000 fp: 0x000000016d9f2510 lr: 0x0000000102446a64
sp: 0x000000016d9f2470 pc: 0x0000000102446a64 cpsr: 0x60000000
far: 0x000000000000002c esr: 0x92000006 (Data Abort) byte read Translation fault
Binary Images:
0x10240c000 - 0x1027dffff dsdump (*) <52ee2ef6-2c2d-399c-88cc-50166185a29f> /Users/USER/*/dsdump
0x102bf8000 - 0x102c57fff dyld (*) <86a8ba48-8bb4-3b30-9cda-051f73c74f44> /usr/lib/dyld
0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???
External Modification Summary:
Calls made by other processes targeting this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by all processes on this machine:
task_for_pid: 23
thread_create: 0
thread_set_state: 1460
VM Region Summary:
ReadOnly portion of Libraries: Total=653.7M resident=0K(0%) swapped_out_or_unallocated=653.7M(100%)
Writable regions: Total=668.4M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=668.4M(100%)
VIRTUAL REGION
REGION TYPE SIZE COUNT (non-coalesced)
=========== ======= =======
Activity Tracing 256K 1
Kernel Alloc Once 32K 1
MALLOC 155.2M 15
MALLOC guard page 96K 5
MALLOC_MEDIUM (reserved) 120.0M 1 reserved VM address space (unallocated)
MALLOC_NANO (reserved) 384.0M 1 reserved VM address space (unallocated)
STACK GUARD 56.0M 1
Stack 8176K 1
__AUTH 221K 47
__AUTH_CONST 2871K 124
__DATA 2652K 118
__DATA_CONST 3575K 125
__DATA_DIRTY 232K 50
__LINKEDIT 572.4M 3
__OBJC_CONST 259K 29
__OBJC_RO 81.8M 1
__OBJC_RW 3088K 1
__TEXT 81.3M 132
__UNICODE 588K 1
dyld private memory 1024K 1
mapped file 4704K 1
shared memory 32K 2
=========== ======= =======
TOTAL 1.4G 661
TOTAL, minus reserved VM space 973.9M 661
-----------
Full Report
-----------
{"app_name":"dsdump","timestamp":"2021-12-02 00:17:51.00 +0800","app_version":"","slice_uuid":"52ee2ef6-2c2d-399c-88cc-50166185a29f","build_version":"","platform":1,"share_with_app_devs":0,"is_first_party":1,"bug_type":"309","os_version":"macOS 12.0.1 (21A559)","incident_id":"634C16A5-45FD-4569-8C0A-57028A085718","name":"dsdump"}
{
"uptime" : 150000,
"procLaunch" : "2021-12-02 00:17:51.5507 +0800",
"procRole" : "Unspecified",
"version" : 2,
"userID" : 501,
"deployVersion" : 210,
"modelCode" : "MacBookPro17,1",
"procStartAbsTime" : 3658611329111,
"coalitionID" : 737,
"osVersion" : {
"train" : "macOS 12.0.1",
"build" : "21A559",
"releaseType" : "User"
},
"captureTime" : "2021-12-02 00:17:51.5711 +0800",
"incident" : "634C16A5-45FD-4569-8C0A-57028A085718",
"bug_type" : "309",
"pid" : 93873,
"procExitAbsTime" : 3658611811387,
"translated" : false,
"cpuType" : "ARM-64",
"procName" : "dsdump",
"procPath" : "\/Users\/USER\/*\/dsdump",
"parentProc" : "zsh",
"parentPid" : 85399,
"coalitionName" : "com.googlecode.iterm2
Hi all,
While trying your tool I came across a segmentation fault like the issue posted here.
I spent some time debugging the root cause of the mentioned bug and found that dsdump doesn't load the Mach-O into memory correctly. The author naively mapped the Mach-O file into memory through mmap(). You can find the following code in XRMachOLibrary.mm:
void* buff = ::mmap((void*)0x0000000400000000UL, fsize, PROT_READ, MAP_PRIVATE, self.fd, 0);
payload::data = (uint8_t *)buff; // self.data;
payload::size = fsize;
In fact, you'd better parse all segments carefully.
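A flat mmap at 0x400000000 only works while a file offset equals a virtual address minus one constant, which stops being true as soon as a segment has a different file size and VM size, or the fixed address is already taken (the "0x400000000 is mapped to existing memory" report above). As an added example that is not dsdump's code, the block below does the segment walk this post asks for: it reads every LC_SEGMENT_64 of a constructed 64-bit Mach-O with each size and offset treated as untrusted, then translates a virtual address through the segment table and reports by return value, rather than dereferencing, when an address has no file backing (the situation the "couldn't find address ... in binary!" lines in the Dock report above describe). The struct layouts and constants mirror <mach-o/loader.h>; parse_segments, vmaddr_to_fileoff, build_sample and the sample bytes are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layouts and constants mirror <mach-o/loader.h>, defined locally so the example
   builds on any host. arm64/x86_64 files are little-endian, as the host is assumed to be. */
#define MH_MAGIC_64   0xfeedfacfU
#define LC_SEGMENT_64 0x19U
struct mach_header_64 { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct segment_command_64 {
    uint32_t cmd, cmdsize; char segname[16];
    uint64_t vmaddr, vmsize, fileoff, filesize;
    uint32_t maxprot, initprot, nsects, flags;
};
#define MAX_SEGS 16
struct seg   { char name[17]; uint64_t vmaddr, vmsize, fileoff, filesize; };
struct image { struct seg segs[MAX_SEGS]; int nsegs; };

/* Walk the load commands and record every LC_SEGMENT_64. Every size and offset comes
   from the file and is bounds-checked before use. Returns 0 on success, -1 if malformed. */
int parse_segments(const uint8_t *file, size_t len, struct image *img) {
    struct mach_header_64 mh;
    if (len < sizeof mh) return -1;
    memcpy(&mh, file, sizeof mh);                 /* memcpy: no alignment assumption on the buffer */
    if (mh.magic != MH_MAGIC_64 || mh.sizeofcmds > len - sizeof mh) return -1;
    img->nsegs = 0;
    size_t off = sizeof mh, end = sizeof mh + mh.sizeofcmds;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        uint32_t cmd, cmdsize;
        if (end - off < 8) return -1;
        memcpy(&cmd, file + off, 4);
        memcpy(&cmdsize, file + off + 4, 4);
        if (cmdsize < 8 || cmdsize > end - off) return -1;   /* command must stay inside the command area */
        if (cmd == LC_SEGMENT_64) {
            struct segment_command_64 sc;
            if (cmdsize < sizeof sc || img->nsegs == MAX_SEGS) return -1;
            memcpy(&sc, file + off, sizeof sc);
            /* file-backed part must lie inside the file and never exceed the VM size */
            if (sc.fileoff > len || sc.filesize > len - sc.fileoff || sc.filesize > sc.vmsize) return -1;
            struct seg *s = &img->segs[img->nsegs++];
            memcpy(s->name, sc.segname, 16); s->name[16] = '\0';
            s->vmaddr = sc.vmaddr; s->vmsize = sc.vmsize; s->fileoff = sc.fileoff; s->filesize = sc.filesize;
        }
        off += cmdsize;
    }
    return 0;
}

/* Translate a virtual address to a file offset through the segment table. Returns -1 when the
   address is not file-backed: outside every segment, inside __PAGEZERO, or in the zero-filled
   tail of a segment whose vmsize exceeds its filesize. */
int64_t vmaddr_to_fileoff(const struct image *img, uint64_t addr) {
    for (int i = 0; i < img->nsegs; i++) {
        const struct seg *s = &img->segs[i];
        if (addr >= s->vmaddr && addr - s->vmaddr < s->vmsize) {
            uint64_t delta = addr - s->vmaddr;
            return delta < s->filesize ? (int64_t)(s->fileoff + delta) : -1;
        }
    }
    return -1;
}

/* Constructed sample (not a real executable): header + __PAGEZERO, __TEXT, __DATA.
   __TEXT has 0x400 file bytes but 0x4000 VM bytes; __DATA is 0x100 file bytes at file offset 0x400. */
#define SAMPLE_LEN 0x500
static uint8_t sample[SAMPLE_LEN];
static void put_seg(size_t *off, const char *name, uint64_t vmaddr, uint64_t vmsize, uint64_t fileoff, uint64_t filesize) {
    struct segment_command_64 sc;
    memset(&sc, 0, sizeof sc);
    sc.cmd = LC_SEGMENT_64; sc.cmdsize = sizeof sc;
    memcpy(sc.segname, name, strlen(name));
    sc.vmaddr = vmaddr; sc.vmsize = vmsize; sc.fileoff = fileoff; sc.filesize = filesize;
    memcpy(sample + *off, &sc, sizeof sc);
    *off += sizeof sc;
}
const uint8_t *build_sample(void) {
    struct mach_header_64 mh = { MH_MAGIC_64, 0x0100000cU, 0, 2, 3, (uint32_t)(3 * sizeof(struct segment_command_64)), 0, 0 };
    memset(sample, 0, sizeof sample);
    memcpy(sample, &mh, sizeof mh);
    size_t off = sizeof mh;
    put_seg(&off, "__PAGEZERO", 0,              0x100000000ULL, 0,     0);
    put_seg(&off, "__TEXT",     0x100000000ULL, 0x4000,         0,     0x400);
    put_seg(&off, "__DATA",     0x100004000ULL, 0x8000,         0x400, 0x100);
    return sample;
}

/* Wrappers over the sample: parse it and look an address up, or parse a truncated copy. */
int64_t sample_lookup(uint64_t addr) {
    struct image img;
    if (parse_segments(build_sample(), SAMPLE_LEN, &img) != 0) return -2;
    return vmaddr_to_fileoff(&img, addr);
}
int sample_parse(size_t len) { struct image img; return parse_segments(build_sample(), len, &img); }

int main(void) {
    uint64_t probes[] = { 0x1000, 0x100000100ULL, 0x100000800ULL, 0x100004010ULL, 0x200000000ULL };
    for (size_t i = 0; i < 5; i++)
        printf("vmaddr 0x%llx -> fileoff %lld\n", (unsigned long long)probes[i], (long long)sample_lookup(probes[i]));
    return 0;
}
```

Two of the probes are the instructive ones: 0x100000800 sits inside __TEXT's VM range but past its 0x400 file bytes, and 0x1000 is inside __PAGEZERO; a flat mapping would happily hand back a pointer for both, while the segment table says there is nothing to read.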