
Nat!

Senior Mull


The plot thickens in the fight vs. the bug elves

The VPN is up again and I rearranged the code a little, and now I get an EXC_BAD_ACCESS in a completely different place:

0x35204e9f  <+0042>  mov    (%eax),%eax
0x35204ea1  <+0044>  mov    %eax,0x4(%esp)
0x35204ea5  <+0048>  mov    %edx,(%esp)
0x35204ea8  <+0051>  call   0x35236170 <dyld_stub_objc_msgSendSuper>
0x35204ead  <+0056>  lea    0x2c2a1(%ebx),%eax
0x35204eb3  <+0062>  mov    (%eax),%eax
0x35204eb5  <+0064>  cmp    %eax,0x14(%ebp)

compared to the original troublesome code:

0x35204ea6  <+0000>  push   %ebp
0x35204ea7  <+0001>  mov    %esp,%ebp
0x35204ea9  <+0003>  sub    $0x8,%esp
0x35204eac  <+0006>  mov    0x8(%ebp),%eax
0x35204eaf  <+0009>  mov    0x8(%eax),%eax
0x35204eb2  <+0012>  leave  
0x35204eb3  <+0013>  ret    

Is it really a different place? In terms of addresses it is almost, but not quite, identical. That still makes no sense whatsoever to me.

More fishing around

Dump of the shared library binary at the appropriate place. (I have put in four nops, 0x90, so I can easily identify it. It still crashes with EXC_BAD_ACCESS with the four nops in.)

00004ea0: 0489 1424 e8c7 1203 0090 9090 908d 83a5  ...$............
00004eb0: c202 008b 0039 4514 7411 8d83 a1c2 0200  .....9E.t.......
00004ec0: 8b00 3945 140f 85ff 0000 0083 7d18 000f  ..9E........}...

It's interesting to note that the offset into the linked file is the same as the offset into a virtual memory page. And here's the same memory seen by gdb after the EXC_BAD_ACCESS crash:

0x35204ea0: 0x8904 0x2414 0xc7e8 0x0312 0x9000 0x9090 0x8d90 0xa583
0x35204eb0: 0x02c2 0x8b00 0x3900 0x1445 0x1174 0x838d 0xc2a1 0x0002
0x35204ec0: 0x008b 0x4539 0x0f14 0xff85 0x0000 0x8300 0x187d 0x0f00

One dump was made by emacs and the other by gdb, and the endianness of the display differs (emacs shows single bytes, gdb shows the same bytes as little-endian 16-bit words), but the instructions are identical.
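A small check of the two observations above, added here as an example and not part of the original post: it parses the emacs hexl-style byte dump and the gdb word dump quoted above, confirms they hold the same 48 bytes once gdb's little-endian 16-bit words are unpacked, and checks that the file offset and the runtime address share the same page offset, so that the load address is simply their difference. It also locates the four marker nops and decodes the displacement of the `lea` that follows them, which should match the value shown in the disassembly. It assumes 4 KiB pages and that gdb printed 16-bit halfwords (`x/xh` style); the dump strings are copies of the ones quoted in the post.

```python
"""Added example (not from the original post): compare a byte-oriented hex
dump of a file with a gdb 16-bit-word dump of the mapped memory, and derive
the load address from the shared page offset."""
import re
import struct

# Constructed copies of the two dumps quoted in the post.
EMACS_DUMP = """\
00004ea0: 0489 1424 e8c7 1203 0090 9090 908d 83a5  ...$............
00004eb0: c202 008b 0039 4514 7411 8d83 a1c2 0200  .....9E.t.......
00004ec0: 8b00 3945 140f 85ff 0000 0083 7d18 000f  ..9E........}...
"""

GDB_DUMP = """\
0x35204ea0: 0x8904 0x2414 0xc7e8 0x0312 0x9000 0x9090 0x8d90 0xa583
0x35204eb0: 0x02c2 0x8b00 0x3900 0x1445 0x1174 0x838d 0xc2a1 0x0002
0x35204ec0: 0x008b 0x4539 0x0f14 0xff85 0x0000 0x8300 0x187d 0x0f00
"""

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages


def parse_hexl(text):
    """Parse 'offset: xxxx xxxx ... ascii' lines into (start_offset, bytes).
    Each 4-hex-digit group is two bytes in file order; the ASCII column is ignored."""
    start, out = None, bytearray()
    for line in text.splitlines():
        m = re.match(r"([0-9a-f]{8}): ((?:[0-9a-f]{4} ?){1,8})", line)
        if not m:
            continue
        off = int(m.group(1), 16)
        start = off if start is None else start
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return start, bytes(out)


def parse_gdb_halfwords(text):
    """Parse gdb 'x/8xh'-style output. Each 0xNNNN is a 16-bit little-endian
    word, so the byte that comes first in memory is printed last."""
    start, out = None, bytearray()
    for line in text.splitlines():
        m = re.match(r"0x([0-9a-f]+):((?:\s+0x[0-9a-f]{4})+)", line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        start = addr if start is None else start
        for word in m.group(2).split():
            out += struct.pack("<H", int(word, 16))
    return start, bytes(out)


def page_offset(addr, page_size=PAGE_SIZE):
    """Offset of addr within its page."""
    return addr & (page_size - 1)


def load_bias(file_offset, runtime_addr, page_size=PAGE_SIZE):
    """Runtime address minus file offset. Only meaningful when both sit at
    the same offset within a page, since the mapping is page-granular."""
    if page_offset(file_offset, page_size) != page_offset(runtime_addr, page_size):
        raise ValueError("file offset and runtime address differ within the page")
    return runtime_addr - file_offset


def find_nop_run(data, min_len=4):
    """Index of the first run of at least min_len 0x90 bytes, or -1."""
    run_start, run_len = -1, 0
    for i, b in enumerate(data):
        if b == 0x90:
            run_start = i if run_len == 0 else run_start
            run_len += 1
            if run_len >= min_len:
                return run_start
        else:
            run_len = 0
    return -1


def lea_displacement(data, idx):
    """Decode 'lea disp32(%ebx),%eax' (opcode 8d 83 disp32) at idx and return disp32."""
    if data[idx:idx + 2] != b"\x8d\x83":
        raise ValueError("no lea disp32(%ebx),%eax at that index")
    return struct.unpack("<i", data[idx + 2:idx + 6])[0]


def compare_dumps(emacs_text=EMACS_DUMP, gdb_text=GDB_DUMP):
    """Check both dumps describe the same bytes and report the page math."""
    f_off, f_bytes = parse_hexl(emacs_text)
    r_addr, r_bytes = parse_gdb_halfwords(gdb_text)
    return {
        "identical": f_bytes == r_bytes,
        "nbytes": len(f_bytes),
        "page_offset_file": page_offset(f_off),
        "page_offset_mem": page_offset(r_addr),
        "load_bias": load_bias(f_off, r_addr),
    }


if __name__ == "__main__":
    result = compare_dumps()
    _, data = parse_hexl(EMACS_DUMP)
    nops = find_nop_run(data)
    print(result)
    print("nops at file offset", hex(0x4ea0 + nops),
          "lea displacement", hex(lea_displacement(data, nops + 4)))
```

The decoded displacement follows the marker nops directly, so the same check can be rerun on later builds to see how the `lea` offset moves when the code shifts.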

One more nop and the crash is gone

So this is currently the code that gives the EXC_BAD_ACCESS at 0x35204eb3:

0x35204ea9  <+0056>  nop    
0x35204eaa  <+0057>  nop    
0x35204eab  <+0058>  nop    
0x35204eac  <+0059>  nop    
0x35204ead  <+0060>  lea    0x2c2a5(%ebx),%eax
0x35204eb3  <+0066>  mov    (%eax),%eax
0x35204eb5  <+0068>  cmp    %eax,0x14(%ebp)

but if I put another nop there, the crash is gone. Unfortunately, as you can see, there is also a subtle shift of the code involved, which is due to the linker and out of my control (see the previous entry):

0x35204ea5  <+0056>  nop    
0x35204ea6  <+0057>  nop    
0x35204ea7  <+0058>  nop    
0x35204ea8  <+0059>  nop    
0x35204ea9  <+0060>  nop    
0x35204eaa  <+0061>  lea    0x2c2a9(%ebx),%eax
0x35204eb0  <+0067>  mov    (%eax),%eax
0x35204eb2  <+0069>  cmp    %eax,0x14(%ebp)