
[For Hackers] A utility to search for a masked string


Slice

I want to propose a utility for which I see no analogue. It can search for a byte sequence in a file with a mask.

Many hex editors can search for a byte sequence, but none of them searches with a mask.

Moreover, I propose to set the search start with a mask.

Example from the Clover sources:

      for (i = 0; i < 0x1000000; i++) {
        // 00 29 C7 78 XX 31 DB 8D 47 FA 83
        if (bytes[i+0] == 0x00 && bytes[i+1] == 0x29 && bytes[i+2] == 0xC7 && bytes[i+3] == 0x78 &&
            //(bytes[i+4] == 0x3F || bytes[i+4] == 0x4F) && // 3F:10.10-10.12/4F:10.13+
            bytes[i+5] == 0x31 && bytes[i+6] == 0xDB && bytes[i+7] == 0x8D && bytes[i+8] == 0x47 &&
            bytes[i+9] == 0xFA && bytes[i+10] == 0x83) {
          DBG_RT(Entry, "Found Lapic panic master Base (10.10 - recent macOS)\n");
          for (y = i; y < 0x1000000; y++) {
            // Lapic panic master patch, by vit9696
            // cmp cs:_debug_boot_arg, 0
            // E8 XX XX FF FF 83 XX XX XX XX 00 00
            if (bytes[y+0] == 0xE8 && bytes[y+3] == 0xFF && bytes[y+4] == 0xFF &&
                bytes[y+5] == 0x83 && bytes[y+10] == 0x00 && bytes[y+11] == 0x00) {
              patchLocation2 = y;
              DBG_RT(Entry, "Found Lapic panic master (10.10 - recent macOS) at 0x%08x\n", patchLocation2);
              break;
            }
          }
          break;
        }
      }

This procedure searches for a start location with the byte sequence 00 29 C7 78 XX 31 DB 8D 47 FA 83, where XX is arbitrary,

and then searches for the byte sequence E8 XX XX FF FF 83 XX XX XX XX 00 00 starting from that place.

How can I check whether this method still works and is unambiguous? Yes, there is a break after the first find. Anyway, I want to check the other occurrences.

So I made a utility accepting the following parameters:

Start position: where the string 00 29 C7 78 XX 31 DB 8D 47 FA 83 is found. The mask to check is FF FF FF FF 00, and the rest are FF. The common rule is that the remaining bytes of a mask are assumed to be FF.

From that position, search for the string E8 XX XX FF FF 83 XX XX XX XX 00 00. The mask to check is FF 00 00 FF FF FF 00 00 00 00 FF FF.

Go!

iMac2017:Mojave sergey$ ./FindMask kernel -s 0029C7780031DB8D47FA83,FFFFFFFF00 -e 10000 -f E80000FFFF83000000000000,FF0000FFFFFF00000000
found start at 0x2e495c
    found pattern: 1
    address: 002e4a17
    bytes:e894ebffff833d35ae7b0000
    found pattern: 2
    address: 002e543c
    bytes:e8ffccffff833d6c2e770000
    found pattern: 3
    address: 002e58ad
    bytes:e83e73ffff833dfb29770000
    found pattern: 4
    address: 002ed3bb
    bytes:e80097ffff833d099a760000
iMac2017:Mojave sergey$

This is the Mojave 10.14.6 kernel.

CC: @Sherlocks, @PMheart, @syscl, @vit9696, and others.

Look for the recent utility in the next posts.

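As an added illustration, not Slice's FindMask code (which is attached in later posts) and not Clover's, here is a C implementation of the two-stage search the post describes. It assumes the mask semantics stated above: a set mask bit means that bit of the pattern byte must match, a mask shorter than the pattern is padded with FF, and, because the comparison is bitwise, a partial mask byte such as the 0F used later in this thread compares only the low nibble. The byte buffer is constructed for the example; the two E8 ... 83 3D ... hits reuse bytes from the Catalina listing in the thread, everything else is filler and a deliberate decoy and near miss. Unlike the Clover loop, it lists every hit after the start location so that an ambiguous pattern becomes visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mask semantics as in the post: a pattern byte is compared only in the bits
 * set in its mask byte (FF = whole byte, 00 = wildcard, 0F = low nibble);
 * a mask shorter than the pattern is padded with FF. */
static int match_at(const uint8_t *buf, size_t pos, const uint8_t *pat,
                    size_t pat_len, const uint8_t *mask, size_t mask_len)
{
    for (size_t i = 0; i < pat_len; i++) {
        uint8_t m = (i < mask_len) ? mask[i] : 0xFF;
        if ((buf[pos + i] & m) != (pat[i] & m))
            return 0;
    }
    return 1;
}

/* Scan buf[start, end) for the masked pattern; return its offset or -1. */
long find_masked(const uint8_t *buf, size_t buf_len, size_t start, size_t end,
                 const uint8_t *pat, size_t pat_len,
                 const uint8_t *mask, size_t mask_len)
{
    if (end > buf_len) end = buf_len;
    if (pat_len == 0 || end < pat_len) return -1;
    for (size_t pos = start; pos + pat_len <= end; pos++)
        if (match_at(buf, pos, pat, pat_len, mask, mask_len))
            return (long)pos;
    return -1;
}

/* Two-stage search: find the start pattern, then report every hit of the
 * second pattern within `range` bytes after it. Returns the number of hits
 * written to `hits`; *anchor receives the start offset or -1. */
size_t find_all_after_start(const uint8_t *buf, size_t buf_len,
                            const uint8_t *spat, size_t spat_len,
                            const uint8_t *smask, size_t smask_len, size_t range,
                            const uint8_t *pat, size_t pat_len,
                            const uint8_t *mask, size_t mask_len,
                            long *hits, size_t max_hits, long *anchor)
{
    long start = find_masked(buf, buf_len, 0, buf_len, spat, spat_len, smask, smask_len);
    *anchor = start;
    if (start < 0) return 0;
    size_t end = (size_t)start + range;
    if (end < (size_t)start || end > buf_len) end = buf_len;  /* clamp, also on overflow */
    size_t count = 0, pos = (size_t)start;
    while (count < max_hits) {
        long hit = find_masked(buf, buf_len, pos, end, pat, pat_len, mask, mask_len);
        if (hit < 0) break;
        hits[count++] = hit;
        pos = (size_t)hit + 1;  /* resume just past the hit so overlapping hits are kept */
    }
    return count;
}

/* Patterns from the post; XX bytes are written as 00 and masked out. */
static const uint8_t start_pat[]  = {0x00,0x29,0xC7,0x78,0x00,0x31,0xDB,0x8D,0x47,0xFA,0x83};
static const uint8_t start_mask[] = {0xFF,0xFF,0xFF,0xFF,0x00};              /* padded with FF */
static const uint8_t find_pat[]   = {0xE8,0x00,0x00,0xFF,0xFF,0x83,0x00,0x00,0x00,0x00,0x00,0x00};
static const uint8_t find_mask[]  = {0xFF,0x00,0x00,0xFF,0xFF,0xFF,0x00,0x00,0x00,0x00}; /* then FF FF */

/* Constructed stand-in for a kernel image (not real kernel bytes). */
static const uint8_t sample[] = {
    0xE8,0x11,0x22,0xFF,0xFF,0x83,0x3D,0x00,0x00,0x00,0x00,0x00, /* decoy: before the start */
    0x90,0x90,0x90,0x90,
    0x00,0x29,0xC7,0x78,0x4F,0x31,0xDB,0x8D,0x47,0xFA,0x83,      /* start pattern, XX=4F (offset 16) */
    0x90,0x90,
    0xE8,0xD7,0xEB,0xFF,0xFF,0x83,0x3D,0x08,0xC5,0xA1,0x00,0x00, /* hit 1 (offset 29) */
    0x90,0x90,0x90,
    0xE8,0xAA,0xBB,0xFF,0xFF,0x83,0x3D,0x01,0x02,0x03,0x00,0x01, /* near miss: last byte 01 */
    0x90,
    0xE8,0xAD,0xCC,0xFF,0xFF,0x83,0x3D,0x2A,0x38,0x80,0x00,0x00, /* hit 2 (offset 57) */
    0xC3,
};

/* Two RIP-relative lea instructions that differ only in the ModRM register
 * bits, which the FFFF0F mask used later in the thread deliberately ignores. */
static const uint8_t lea_sample[] = {
    0x48,0x8D,0x3D,0xFD,0xA4,0x6D,0x00,   /* lea rdi, [rip+0x6DA4FD] (offset 0) */
    0x48,0x8D,0x0D,0xFD,0xA4,0x6D,0x00,   /* lea rcx, [rip+0x6DA4FD] (offset 7) */
};
static const uint8_t lea_pat[]  = {0x48,0x8D,0x3D,0xFD,0xA4,0x6D};
static const uint8_t lea_mask[] = {0xFF,0xFF,0x0F};

int main(void)
{
    long hits[8], anchor;
    size_t n = find_all_after_start(sample, sizeof sample, start_pat, sizeof start_pat,
                                    start_mask, sizeof start_mask, 0x100,
                                    find_pat, sizeof find_pat, find_mask, sizeof find_mask,
                                    hits, 8, &anchor);
    if (anchor < 0) { puts("start pattern not found"); return 1; }
    printf("found start at 0x%lx\n", anchor);
    for (size_t i = 0; i < n; i++) {
        printf("    found pattern: %zu\n    address: %08lx\n    bytes:", i + 1, hits[i]);
        for (size_t j = 0; j < sizeof find_pat; j++) printf("%02x", sample[hits[i] + j]);
        putchar('\n');
    }
    return 0;
}
```

The decoy at offset 0 matches the E8 pattern byte for byte but is never reported because the scan begins at the start location, which is exactly why the Clover patch needs the base pattern first; the near miss at offset 44 is rejected only by the trailing 00 00 that the padded mask still compares. Replace `sample` with the bytes of a real kernel file (read it into memory with `fread`) and the two patterns with the hex strings from the FindMask command line to reproduce the listings above.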

Then I used this utility to check the Catalina kernel, and guess what?

iMac2017:Catalina sergey$ ./FindMask kernel -s 0029C7780031DB8D47FA83,FFFFFFFF00 -e 10000 -f E80000FFFF83000000000000,FF0000FFFFFF00000000
found start at 0x253f7c
    found pattern: 1
    address: 00254024
    bytes:e8d7ebffff833d08c5a10000
    found pattern: 2
    address: 00254a7e
    bytes:e8adccffff833d2a38800000
    found pattern: 3
    address: 00254edd
    bytes:e89e71ffff833dcb33800000
    found pattern: 4
    address: 00256096
    bytes:e8c5fbffff833deeff7f0000
    found pattern: 5
    address: 0025c5eb
    bytes:e8f099ffff833d999a7f0000
iMac2017:Catalina sergey$ 

Now I disassembled the kernel and see these addresses.

The kernel has the virtual address ffffff8000200000.

See our offsets:

1:

ffffff8000454024 E8D7EBFFFF                      call       _lapic_dump
ffffff8000454029 833D08C5A10000                  cmp        dword [ds:_debug_boot_arg], 0x0
2:

ffffff8000454a7e E8ADCCFFFF                      call       _panic_i386_backtrace
ffffff8000454a83 833D2A38800000                  cmp        dword [ds:_pmsafe_debug], 0x0 ; XREF=0xffffff800045496b

Both patterns are good for the procedure shown above, but there is a break after the first find, while we want the second find?

Is the procedure wrong?


Hi Slice. It is correct.
Clover doesn't have a feature to find a symbolic base.
Some patches need a base part, because there are many E8 patterns.
After finding the base hex part, find the part that needs the patch, which is the first found hex place.
It seems your utility's files are correct.

Sent from my SM-N960N using Tapatalk


The next step is a symbolic patcher.

We can define a procedure name for the patch.

Example:

iMac2017:Catalina sergey$ ./FindMask kernel -p _lapic_init  -e 100 -f 488D3DFDA46D,FFFF0F
procedure at 252810, len = ffffffffffffeaa0
found start at 0x252810
    found pattern: 1
    address: 00252845
    bytes:488d3dfda46d
    found pattern: 2
    address: 0025284c
    bytes:488d0dfda46d
iMac2017:Catalina sergey$ 

So we take "kernel" (it is the file name), search for the procedure "_lapic_init" with a length of 0x100, and find inside it the byte array 488D3DFDA46D masked by FFFF0F.

Because of this mask, we get two hits: 488d3dfda46d and 488d0dfda46d.

And yes, the address coincides with the procedure _lapic_init.

New utility attached.

PS. It will be implemented in Clover soon.

Look for the utility in the next posts.


On 4/25/2020 at 2:56 PM, Slice said:

Then I used this utility to check the Catalina kernel, and guess what?


iMac2017:Catalina sergey$ ./FindMask kernel -s 0029C7780031DB8D47FA83,FFFFFFFF00 -e 10000 -f E80000FFFF83000000000000,FF0000FFFFFF00000000
found start at 0x253f7c
    found pattern: 1
    address: 00254024
    bytes:e8d7ebffff833d08c5a10000
    found pattern: 2
    address: 00254a7e
    bytes:e8adccffff833d2a38800000
    found pattern: 3
    address: 00254edd
    bytes:e89e71ffff833dcb33800000
    found pattern: 4
    address: 00256096
    bytes:e8c5fbffff833deeff7f0000
    found pattern: 5
    address: 0025c5eb
    bytes:e8f099ffff833d999a7f0000
iMac2017:Catalina sergey$ 

Now I do the same, but instead of the StartPattern I define the procedure name "_lapic_interrupt".

iMac2017:Catalina sergey$ ./FindMask kernel -p _lapic_interrupt -e 200 -f E80000FFFF83000000000000,FF0000FFFFFF00000000
procedure at 253f70, len = 1760
found start at 0x253f70
    found pattern: 1
    address: 00254024
    bytes:e8d7ebffff833d08c5a10000
iMac2017:Catalina sergey$ 

Same result, but easier to define.
