rand() hook crashes in 64-bit apps
radj opened this issue · 2 comments
I'm testing on:
iPad Air
iOS 7.1.2
Some apps crashed while using Introspy, some didn't. So I narrowed it down to the rand() hook and narrowed it down to 64-bit only. As an example, I am using Apple's SimpleURLConnections project and added this simple call NSLog(@"Calling C Rand() - %d", rand()); in the -[GetController startReceive] method, and it crashes when building the app for 64-bit. If built for 32-bit, it works just fine.
Went into replaced_rand() in hooks/LibCHooks.m and found that it crashes at the call to original_rand(). I logged the value of the original_rand() pointer and it isn't null.
I am not sure how to proceed here.
Here's the backtrace if it helps any.
* thread #1: tid = 0x0b0d, 0x0000000106497d38, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x106497d38)
frame #0: 0x0000000106497d38
frame #1: 0x0000000101a8001c
* frame #2: 0x000000010006a180 URLConnect`-[GetController startReceive](self=0x0000000147d16120, _cmd=0x000000010009b8f6) + 20 at GetController.m:140
frame #3: 0x000000010006bd64 URLConnect`-[GetController viewDidLoad](self=0x0000000147d16120, _cmd=0x000000018b8e3285) + 1264 at GetController.m:371
frame #4: 0x000000018b5a6f50 UIKit`-[UINib instantiateWithOwner:options:] + 1616
frame #5: 0x000000018b5a8b50 UIKit`-[NSBundle(UINSBundleAdditions) loadNibNamed:owner:options:] + 160
frame #6: 0x000000018b49341c UIKit`-[UIApplication _loadMainNibFileNamed:bundle:] + 52
frame #7: 0x000000018b2598d4 UIKit`-[UIApplication _runWithURL:payload:launchOrientation:statusBarStyle:statusBarHidden:] + 516
frame #8: 0x000000018b1ed8b4 UIKit`-[UIApplication handleEvent:withNewEvent:] + 3316
frame #9: 0x000000018b1ecab8 UIKit`-[UIApplication sendEvent:] + 104
frame #10: 0x000000018b25902c UIKit`_UIApplicationHandleEvent + 672
frame #11: 0x000000018ddc3504 GraphicsServices`_PurpleEventCallback + 676
frame #12: 0x000000018ddc3030 GraphicsServices`PurpleEventCallback + 48
frame #13: 0x00000001881e3040 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ + 56
frame #14: 0x00000001881e2fa0 CoreFoundation`__CFRunLoopDoSource1 + 444
frame #15: 0x00000001881e11c4 CoreFoundation`__CFRunLoopRun + 1620
frame #16: 0x0000000188121dd0 CoreFoundation`CFRunLoopRunSpecific + 452
frame #17: 0x000000018b2581b0 UIKit`-[UIApplication _run] + 784
frame #18: 0x000000018b252fc4 UIKit`UIApplicationMain + 1156
frame #19: 0x00000001000675d4 URLConnect`main(argc=1, argv=0x000000016fd9fc30) + 64 at main.m:61
frame #20: 0x00000001951f3aa0 libdyld.dylib`start + 4
I tried calling random() instead of rand() and it doesn't crash. This is specific to rand() so far.
Can you try recompiling introspy? I am guessing they didn't correctly assume the rv type.
Going into the libc hooks, you could try commenting out this:
[tracer addReturnValueFromPlistObject: [NSNumber numberWithUnsignedInt:origResult]];
[traceStorage saveTracedCall: tracer];
[tracer release];
(This would remove tracing, but would be a quick sanity test.)