- 0xduraki

Pure Reverse Engineering

Assorted RE tricks and tips are collected here; for more, see the references at the bottom of these notes.

Use Byteman to instrument compiled Java applications and *.jar files at runtime without recompiling them. A sample script is included in these notes.

MacOS and iOS Commpage

While reversing and debugging on iOS and macOS it is common to see a seemingly random absolute address dereferenced (or called) directly, with no symbol and no relocation, where you would expect a named function or global. For example, here is Hopper's pseudocode for a function in the macOS /usr/bin/log utility:

int sub_10001b3fc(int arg0, int arg1, int arg2) {
    rdi = arg0;
    rax = rdi | 0x80000000;
    // absolute read from 0x7fffffe00048: the commpage, not a global of this binary
    if (*(int32_t *)0x7fffffe00048 >= 0x0) {
        rax = rdi;
    }
    rbx = 0x8000000 & *(int32_t *)0x7fffffe00048;
    rbx = rbx | rax;
    if (os_log_type_enabled(*__os_log_default, 0x0) != 0x0) {
        var_20 = 0x4000100;
        *(int32_t *)(&var_20 + 0x4) = rbx;
        _os_log_impl(__mh_execute_header, *__os_log_default, 0x0, "Changed system mode to 0x%X", &var_20, 0x8);
    }
    if (host_set_atm_diagnostic_flag(mach_host_self(), rbx) == 0x0) {
        // stack canary check emitted by the compiler
        var_10 = **__stack_chk_guard;
        rax = *__stack_chk_guard;
        rax = *rax;
        if (rax != var_10) {
            rax = __stack_chk_fail();
        }
    }
    else {
        rax = errx(0x4a, "Unable to set global diagnostic flag");
        return rax;
    }
    return rax;
}

Skimming the pseudocode, you will notice a raw memory address used directly as an operand: *(int32_t *)0x7fffffe00048 is read twice, and the value feeds the flag passed to host_set_atm_diagnostic_flag(). The address is not relocated, no symbol resolves to it, and yet the process does not fault, so something must map that exact address in every process.

0x7fffffe00048 lies inside the 64-bit commpage: it is the commpage base 0x7fffffe00000 plus offset 0x48. In xnu's osfmk/i386/cpu_capabilities.h that offset is _COMM_PAGE_ATM_DIAGNOSTIC_CONFIG, the kernel's exported copy of atm_diagnostic_config, which is exactly what this code consults before changing the global diagnostic flag. The practical check when you meet such an address is therefore: subtract the commpage base for the architecture and look the offset up in cpu_capabilities.h for the xnu version of the target system.

About Apple XNU Commpage

The commpage is a special memory region that is mapped at the same fixed address in every macOS process (task). It serves a purpose similar to the Linux vsyscall page and vDSO: a chunk of data and code shared by all processes and mapped at a fixed address, so that frequently needed kernel values (CPU capabilities, time bases, configuration flags) can be read without a round trip into the kernel. On macOS the mapping is set up and kept current by the xnu kernel; user code only ever reads it.

Commpage Address Space:

  Architecture   Base Address     End Address
  32-bit         0xFFFF0000       0xFFFF4000
  64-bit         0x7FFFFFE00000   0x7FFFFFE01000 (base + one 4 KiB page, _COMM_PAGE64_AREA_LENGTH in xnu's cpu_capabilities.h)

Fields are defined as _COMM_PAGE_START_ADDRESS plus a fixed offset, so 0x7FFFFFE00048 is offset 0x48 into the 64-bit page, not the end of the mapping. Check the exact length against the cpu_capabilities.h of the xnu version you are targeting, since it has changed between releases.

Many libsystem routines are served from the commpage rather than by a syscall. gettimeofday(), for example, is a thin wrapper around __commpage_gettimeofday, which reads the kernel-maintained time base fields (the _COMM_PAGE_GTOD_* and _COMM_PAGE_NT_* offsets) and only falls back to the kernel if the generation counter indicates the data is being updated.
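To turn a fixed address like the one in the pseudocode above into a commpage field name without hunting through the header each time, here is a small Python helper. It is an added example for these notes, not code from the original page or from Hopper: it scans decompiler text for hex literals, checks them against the commpage ranges in the table above, and resolves the offset against a short list of field offsets transcribed from xnu's osfmk/i386/cpu_capabilities.h. Assumptions: the 64-bit mapping is one 4 KiB page, the offset table is a partial transcription that must be verified against the xnu version of the target system, and the sample listing is constructed from the pseudocode above plus one gettimeofday-style read. Because the time base fields are in the table too, the same helper flags the reads behind __commpage_gettimeofday discussed above.

```python
import re

# Commpage ranges as documented in these notes. The 64-bit length is assumed to be
# one 4 KiB page (_COMM_PAGE64_AREA_LENGTH in xnu osfmk/i386/cpu_capabilities.h).
COMMPAGE_RANGES = {
    "x86_64": (0x7FFFFFE00000, 0x7FFFFFE00000 + 0x1000),
    "i386": (0xFFFF0000, 0xFFFF4000),
}

# (offset, size, name): partial transcription of cpu_capabilities.h field offsets.
# Assumption: verify these against the xnu version matching the target system.
COMMPAGE_FIELDS = [
    (0x000, 16, "_COMM_PAGE_SIGNATURE"),
    (0x010, 8, "_COMM_PAGE_CPU_CAPABILITIES64"),
    (0x01E, 2, "_COMM_PAGE_VERSION"),
    (0x020, 4, "_COMM_PAGE_CPU_CAPABILITIES"),
    (0x044, 4, "_COMM_PAGE_KDEBUG_ENABLE"),
    (0x048, 4, "_COMM_PAGE_ATM_DIAGNOSTIC_CONFIG"),
    (0x050, 8, "_COMM_PAGE_NT_TSC_BASE"),
    (0x058, 4, "_COMM_PAGE_NT_SCALE"),
    (0x05C, 4, "_COMM_PAGE_NT_SHIFT"),
    (0x060, 8, "_COMM_PAGE_NT_NS_BASE"),
    (0x068, 4, "_COMM_PAGE_NT_GENERATION"),
    (0x06C, 4, "_COMM_PAGE_GTOD_GENERATION"),
    (0x070, 8, "_COMM_PAGE_GTOD_NS_BASE"),
    (0x078, 8, "_COMM_PAGE_GTOD_SEC_BASE"),
]

HEX_LITERAL = re.compile(r"0x[0-9a-fA-F]+")


def classify_address(addr):
    """Return (arch, offset) when addr falls inside a commpage range, else None."""
    for arch, (lo, hi) in COMMPAGE_RANGES.items():
        if lo <= addr < hi:
            return arch, addr - lo
    return None


def describe_offset(offset):
    """Return (field name, offset within field) for a commpage offset, else None."""
    for start, size, name in COMMPAGE_FIELDS:
        if start <= offset < start + size:
            return name, offset - start
    return None


def annotate_listing(text):
    """Scan decompiler/disassembler text and report every absolute commpage reference.

    Each hit is (line number, address, arch, offset, label). Addresses outside the
    commpage ranges (code addresses, small constants, flag masks) are ignored.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in HEX_LITERAL.finditer(line):
            addr = int(match.group(0), 16)
            where = classify_address(addr)
            if where is None:
                continue
            arch, offset = where
            field = describe_offset(offset)
            if field is None:
                label = "<offset not in table>"
            else:
                name, intra = field
                label = f"{name}+0x{intra:x}" if intra else name
            hits.append((lineno, addr, arch, offset, label))
    return hits


# Constructed sample: two lines from the /usr/bin/log pseudocode above plus a
# gettimeofday-style read of the seconds base, and one code address as a control.
SAMPLE_LISTING = """\
int sub_10001b3fc(int arg0, int arg1, int arg2) {
    if (*(int32_t *)0x7fffffe00048 >= 0x0) {
    rbx = 0x8000000 & *(int32_t *)0x7fffffe00048;
    rax = *(int64_t *)0x7fffffe00078;
"""

if __name__ == "__main__":
    for lineno, addr, arch, offset, label in annotate_listing(SAMPLE_LISTING):
        print(f"line {lineno}: 0x{addr:x} -> {arch} commpage +0x{offset:x} ({label})")
```

Run it against a saved Hopper or IDA pseudocode export; anything reported as "<offset not in table>" is a commpage read whose field you still need to look up in the header, while a literal that is never reported is simply not a commpage address and deserves a different explanation.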

Hopper Disassembler

If Hopper Disassembler shows "Not Responding" (usually during analysis of a large binary), you can:

  • Wait a bit longer, and close unused applications, especially browser (Chrome) tabs
  • Open Activity Monitor and check the Hopper Disassembler process details (CPU and memory use) to confirm it is still working rather than stuck
  • If nothing else works, purge the inactive/unused file-cache memory with the command below; on recent macOS versions purge must be run as root
$ sudo purge

# => ... wait a bit
# =>     Hopper should unfreeze and respond again

Windows Reverse Engineering

Binary Data Reverse Engineering

  • binkit - Binary Reverse Engineering Data Science Kit
  • symbolizer - A fast execution trace symbolizer for Windows
  • binocle - Graphic Tool to visualize binary data

References