Down the Rabbit Hole - Reverse Engineering Mac OS X

More documents

Recommendations

Info

Single-Instruction Overwritingbl and bla go away since they stomp on the linkregister — that houses the caller’s return address!b and ba embed a 4-byte-aligned, 24-bit address.For b, that’s ±32MB relative to the current programcounter. We really can’t guarantee our override willbe within 32MB of the original function.For ba, that’s the lowermost and uppermost 32MB ofthe current address space. The lowermost 32MBtends to be busy with loaded code and data.That leaves ba’s uppermost 32MB of address space.Monday, February 9, 2009
The Branch IslandWe can allocate a single page at the end of theaddress space to hold our branch island.(Mach’s sparse memory model works nicely here.)The branch island acts as a level of indirection,allowing the address-limited ba to effectively targetany address.Two uses for branch islands: escape and reentry.Monday, February 9, 2009
Page 1 and 2: Dynamically Overriding Mac OS XDown
Page 3: What Happened toHow to Hack Mac OS
Page 7 and 8: Function OverridingIdeally, overrid
Page 9 and 10: CFM vs MachExporter-Owned Vector Ta
Page 11 and 12: Function OverridingWhat will work:
Page 13: Single-Instruction OverwritingRepla
Page 17: Inside the Branch IslandC definitio
Page 21 and 22: Lame Override Animation! Reentry Is
Page 23 and 24: Function Overriding DetailsDiscover
Page 25 and 26: Code Injection OverviewFunction ove
Page 27 and 28: Code Injection DetailsAllocate a re
Page 29 and 30: Code & Doc AvailabilityTwo packages

Down the Rabbit Hole - Reverse Engineering Mac OS X

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?