plthook issues on MacOS #48
I think I found why this offset-of-0x30 error happens, but I don't know how to fix it... There are some __got entries in the library I'm hooking that are followed by 8+8+8 (0x18) bytes of additional data that should be skipped, but your code doesn't skip it, and that causes the rest of the functions to have invalid addresses that are shifted by 8 bytes for each entry that should have been skipped.
Here you can see __Unwind_Resume and __ZSt9terminatev are 8-byte structs followed by 8+8+8 more bytes, which shifts all __got entries after them by 0x18+0x18=0x30 bytes, which is exactly the error I encountered, and it breaks everything...
After more digging it seems like some __got entries must be skipped, specifically those that have a dyld_chained_ptr_64_rebase::bind value equal to 0; that should make things work again... And from the looks of it, that data is only available in the file on disk, but not in memory?
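An added example (not code from plthook or from the commenter) of the skipping rule described in the comment above: a small C walker over a constructed, on-disk-style __got section in DYLD_CHAINED_PTR_64 format that follows the fixup chain and keeps only the slots whose bind bit is set, so rebase slots no longer shift the imports that follow them. The bit positions are the ones from Apple's <mach-o/fixup-chains.h>, written out as shifts and masks so it builds without Apple headers; the chain starting at slot 0, the sample slot values and the import ordinals are constructed for this example and are assumptions, not data from the library in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Field layout of one DYLD_CHAINED_PTR_64 slot, as in Apple's
 * <mach-o/fixup-chains.h> (written as shifts/masks so this builds anywhere):
 * bit 63 = bind flag, bits 51..62 = next (distance to the next slot in
 * 4-byte strides, 0 ends the chain). A bind entry keeps its import ordinal
 * in bits 0..23; a rebase entry keeps its unslid target in bits 0..35. */
#define CP64_IS_BIND(v)  (((v) >> 63) & 1ULL)
#define CP64_NEXT(v)     (((v) >> 51) & 0xFFFULL)
#define CP64_ORDINAL(v)  ((uint32_t)((v) & 0xFFFFFFULL))
#define CP64_TARGET(v)   ((v) & 0xFFFFFFFFFULL)
#define CP64_STRIDE      4U
#define SLOT_SIZE        8U

/* Build on-disk slot values (used only to construct the sample data). */
uint64_t make_bind(uint32_t ordinal, uint32_t next)
{
    return (1ULL << 63) | ((uint64_t)(next & 0xFFF) << 51) | (ordinal & 0xFFFFFFULL);
}
uint64_t make_rebase(uint64_t target, uint32_t next)
{
    return ((uint64_t)(next & 0xFFF) << 51) | (target & 0xFFFFFFFFFULL);
}

/* Constructed sample __got (10 slots of 8 bytes, as stored on disk): the
 * first two imports are each followed by three rebase slots (0x18 bytes that
 * are not imports), then two more imports back to back. Each slot links to
 * the following one (8 bytes = 2 strides); the last slot ends the chain. */
#define N_SLOTS   10
#define N_IMPORTS 4
void build_sample(uint64_t got[N_SLOTS])
{
    got[0] = make_bind(0, 2);
    got[1] = make_rebase(0x1000, 2);
    got[2] = make_rebase(0x1008, 2);
    got[3] = make_rebase(0x1010, 2);
    got[4] = make_bind(1, 2);
    got[5] = make_rebase(0x2000, 2);
    got[6] = make_rebase(0x2008, 2);
    got[7] = make_rebase(0x2010, 2);
    got[8] = make_bind(2, 2);
    got[9] = make_bind(3, 0);
}

/* The buggy assumption: import number k lives in __got slot k. */
size_t slot_for_import_naive(uint32_t ordinal) { return ordinal; }

/* The correct rule: follow the chain from start_slot, skip every slot whose
 * bind bit is 0, and record the slot index of each bind entry by ordinal.
 * out_slot[ordinal] = slot index, or SIZE_MAX if not seen. Returns the number
 * of bind entries found, or -1 if the chain leaves the section or misaligns. */
long map_imports(const uint64_t *got, size_t n_slots, size_t start_slot,
                 size_t *out_slot, size_t n_imports)
{
    for (size_t i = 0; i < n_imports; i++) out_slot[i] = SIZE_MAX;
    long found = 0;
    size_t off = start_slot * SLOT_SIZE;
    for (;;) {
        if (off % SLOT_SIZE != 0 || off / SLOT_SIZE >= n_slots) return -1;
        uint64_t v = got[off / SLOT_SIZE];
        if (CP64_IS_BIND(v)) {
            uint32_t ord = CP64_ORDINAL(v);
            if (ord < n_imports && out_slot[ord] == SIZE_MAX) {
                out_slot[ord] = off / SLOT_SIZE;
                found++;
            }
        }
        uint64_t next = CP64_NEXT(v);
        if (next == 0) break;              /* end of chain */
        off += (size_t)next * CP64_STRIDE; /* next is forward-only */
    }
    return found;
}

int main(void)
{
    uint64_t got[N_SLOTS];
    size_t slot[N_IMPORTS];
    build_sample(got);
    if (map_imports(got, N_SLOTS, 0, slot, N_IMPORTS) < 0) {
        puts("malformed chain");
        return 1;
    }
    puts("import  naive offset  chained offset  shift");
    for (uint32_t i = 0; i < N_IMPORTS; i++) {
        size_t naive = slot_for_import_naive(i) * SLOT_SIZE;
        size_t real  = slot[i] * SLOT_SIZE;
        printf("  #%u     0x%02zx          0x%02zx          0x%02zx\n",
               i, naive, real, real - naive);
    }
    return 0;
}
```

With this sample the word-by-word scan places import #1 at offset 0x08 and import #2 at 0x10, while the chain puts them at 0x20 and 0x40: a shift of 0x18 after the first group of rebase slots and 0x30 after the second, the same pattern as in the report. The walker also refuses chains whose `next` field lands off the 8-byte grid or outside the section, which is the check you want before trusting fixup data read back from the file rather than from the mapped image.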
Thanks for your report.
@tomrus88
Sure, I'll check it out soon and report back.
Tested your fixes and it seems to work fine now. No more crashes, and the hooked functions are being called correctly in my case.
I've come across multiple issues with hooking imported functions on MacOS, resulting in the hook either not working at all or hooking the wrong function (after "fixing" the issue with the hook not working at all).
So here is what I found out after many, many hours of debugging:
`const uint8_t *ptr` is calculated incorrectly, making that pointer off by `linkedit->vmaddr - linkedit->fileoff` bytes, which results in the rest of the things being read incorrectly and ends up with an "unknown imports format 0" error message in my case. I've changed the code a bit and it fixed that error for me:
Rough code I'm using: