Fix method name resolution #19525

Author: Mike Richter

Source/CDMachOFile.h

@@ -55,6 +55,7 @@ typedef enum : NSUInteger {
 - (CDLCSegment *)segmentWithName:(NSString *)segmentName;
 - (CDLCSegment *)segmentContainingAddress:(NSUInteger)address;
 - (NSString *)stringAtAddress:(NSUInteger)address;
+- (NSString *)stringAtAddress2:(NSUInteger)address;
 
 - (NSUInteger)dataOffsetForAddress:(NSUInteger)address;
 

Source/CDMachOFile.m

@@ -352,6 +352,67 @@ - (NSString *)stringAtAddress:(NSUInteger)address;
     if (offset == 0)
         return nil;
 
+    CDSection *section = [segment sectionContainingAddress:address];
+    if ([[section sectionName] isEqualToString:@"__objc_selrefs"]) {
+        NSLog(@"large method reference (0x%016lx) into __objc_selrefs!", address);
+    }
+
+    ptr = (uint8_t *)[self.data bytes] + offset;
+
+    return [[NSString alloc] initWithBytes:ptr length:strlen(ptr) encoding:NSASCIIStringEncoding];
+}
+
+- (NSString *)stringAtAddress2:(NSUInteger)address;
+{
+    const void *ptr;
+
+    if (address == 0)
+        return nil;
+
+    CDLCSegment *segment = [self segmentContainingAddress:address];
+    if (segment == nil) {
+        NSLog(@"Error: Cannot find offset for address 0x%08lx in stringAtAddress:", address);
+        exit(5);
+        return nil;
+    }
+
+    if ([segment isProtected]) {
+        NSData *d2 = [segment decryptedData];
+        NSUInteger d2Offset = [segment segmentOffsetForAddress:address];
+        if (d2Offset == 0)
+            return nil;
+
+        ptr = (uint8_t *)[d2 bytes] + d2Offset;
+        return [[NSString alloc] initWithBytes:ptr length:strlen(ptr) encoding:NSASCIIStringEncoding];
+    }
+
+    NSUInteger offset = [self dataOffsetForAddress:address];
+    if (offset == 0)
+        return nil;
+
+    CDSection *section = [segment sectionContainingAddress:address];
+    if ([[section sectionName] isEqualToString:@"__objc_selrefs"]) {
+//        int pointerSize = (int)[self ptrSize];
+//        int numberOfBytes = pointerSize;//([section alignment] == 8) ? 8 : 4;
+//        if ((1 << [section alignment]) != pointerSize) {
+//            NSLog(@"__objc_selrefs with alignment of %lu and pointerSize of %d!", (unsigned long)[section alignment], pointerSize);
+//        }
+//        const void * reference = [self.data bytes] + offset;
+//        uint64_t referencedAddress = 0ULL;
+//        for (int index = 0; index < numberOfBytes; index++) {
+//            referencedAddress |= ((uint64_t)bytes[index]) << (index * 8);
+//        }
+        
+        const void * reference = [self.data bytes] + offset;
+        offset = ([self ptrSize] == 8) ? *((uint64_t *)reference) : *((uint32_t *)reference);
+
+        // This is probably not the right translation: how do we know that this address is correct, does it need to go through dataOffsetForAddress?
+//        ptr = (uint8_t *)([self.data bytes] + selectorOffset);
+//    } else {
+//        NSLog(@"small method pointer into %@ section!", [section sectionName]);
+//        ptr = (uint8_t *)[self.data bytes] + offset;
+    }
+
     ptr = (uint8_t *)[self.data bytes] + offset;
 
     return [[NSString alloc] initWithBytes:ptr length:strlen(ptr) encoding:NSASCIIStringEncoding];

Source/CDMachOFileDataCursor.h

@@ -28,5 +28,6 @@
 
 // Read using the current byteOrder and ptrSize (from the machOFile)
 - (uint64_t)readPtr;
+- (uint64_t)readSmallPtr:(uint64_t)base;
 
 @end

Source/CDMachOFileDataCursor.m

@@ -110,4 +110,13 @@ - (uint64_t)readPtr;
     return 0;
 }
 
+- (uint64_t)readSmallPtr:(uint64_t)base;
+{
+    uint64_t offsetIntoFile = [self offset];
+    int32_t offset = [self readInt32];
+    return (uint64_t)((int64_t)(offsetIntoFile) + offset);
+    //    return (uint64_t)((int64_t)(base) + offset);
+    //return (uint64_t)(uint32_t)[self readInt32];
+}
+
 @end

Source/CDObjectiveC2Processor.h

@@ -5,6 +5,10 @@
 
 #import "CDObjectiveCProcessor.h"
 
+#define METHOD_LIST_T_RESERVED_BITS 0x7FFF0003
+#define METHOD_LIST_T_SMALL_METHOD_FLAG 0x80000000
+#define METHOD_LIST_T_ENTSIZE_MASK (METHOD_LIST_T_RESERVED_BITS|METHOD_LIST_T_SMALL_METHOD_FLAG)
+
 @interface CDObjectiveC2Processor : CDObjectiveCProcessor
 
 @end

Source/CDObjectiveC2Processor.m

@@ -400,79 +400,79 @@ - (NSArray *)loadMethodsAtAddress:(uint64_t)address;
 }
 
 - (NSArray *)loadMethodsAtAddress:(uint64_t)address extendedMethodTypesCursor:(CDMachOFileDataCursor *)extendedMethodTypesCursor;
+{
+    return [self loadMethodsAtAddress:address extendedMethodTypesCursor:extendedMethodTypesCursor base:0ULL];
+}
+
+- (NSArray *)loadMethodsAtAddress:(uint64_t)address extendedMethodTypesCursor:(CDMachOFileDataCursor *)extendedMethodTypesCursor base:(uint64_t)base;
 {
     NSMutableArray *methods = [NSMutableArray array];
 
     if (address != 0) {
         CDMachOFileDataCursor *cursor = [[CDMachOFileDataCursor alloc] initWithFile:self.machOFile address:address];
+        NSLog(@"initial offset 0x%016lx address 0x%016llx", [cursor offset], address);
         NSParameterAssert([cursor offset] != 0);
         //NSLog(@"method list data offset: %lu", [cursor offset]);
 
         struct cd_objc2_list_header listHeader;
 
         // See https://opensource.apple.com/source/objc4/objc4-787.1/runtime/objc-runtime-new.h
-        uint32_t mask = 0xFFFF0003;
         uint32_t value = [cursor readInt32];
-        listHeader.entsize = value & ~mask;
-        uint32_t flags = value & mask;
-        int smallMethods = (flags & 0x80000000) != 0;
-        /*
-          Tests show no leftovers were present. Consistent with comments indicating smallMethodListFlag is currently the only flag.
-        int leftOvers = flags & ~0x80000000;
-        if (leftOvers != 0) {
-            NSLog(@"Leftovers was non-zero: 0x%08x (0x%08x)", leftOvers, value);
-        }
-         */
+        listHeader.entsize = value & ~METHOD_LIST_T_ENTSIZE_MASK;
+        int smallMethodPointers = (value & METHOD_LIST_T_SMALL_METHOD_FLAG) != 0;
         listHeader.count = [cursor readInt32];
-//        NSLog(@"Info: %u == %lu?: listHeader.entsize=%u self.machOFile ptrSize=%lu (%d 0x%x)", listHeader.entsize, (3 * [self.machOFile ptrSize]), listHeader.entsize, [self.machOFile ptrSize], listHeader.entsize, listHeader.entsize);
-        if (smallMethods) {
-            NSParameterAssert(listHeader.entsize == (3 * sizeof(uint32_t)));
-        } else {
-            NSParameterAssert(listHeader.entsize == 3 * [self.machOFile ptrSize]);
-        }
+        NSParameterAssert(listHeader.entsize == 3 * (smallMethodPointers ? sizeof(int32_t) : [self.machOFile ptrSize]));
+
+        uint64_t min1 = 0xFFFFFFFFFFFFFFFFULL;
+        uint64_t max1 = 0ULL;
+        uint64_t min2 = 0xFFFFFFFFFFFFFFFFULL;
+        uint64_t max2 = 0ULL;
+        uint64_t min3 = 0xFFFFFFFFFFFFFFFFULL;
+        uint64_t max3 = 0ULL;
+        uint64_t val2;
+
         for (uint32_t index = 0; index < listHeader.count; index++) {
             struct cd_objc2_method objc2Method;
-            
-            if (smallMethods) {
-//                NSLog(@"NEW METHOD!!");
-                uint64_t offset1 = [cursor offset];
-                int value1 = [cursor readInt32];
-                objc2Method.name = (uint64_t)(((int64_t)offset1) + value1);
-                
-                uint64_t offset2 = [cursor offset];
-                int value2 = [cursor readInt32];
-                objc2Method.types = (uint64_t)(((int64_t)offset2) + value2);
-                
-                uint64_t offset3 = [cursor offset];
-                int value3 = [cursor readInt32];
-                objc2Method.imp = (uint64_t)(((int64_t)offset3) + value3);
-                
-//                NSLog(@"values12f: 0x%016llx 0x%016llx 0x%016llx", objc2Method.name, objc2Method.types, objc2Method.imp);
+            uint64_t offset = [cursor offset];
+            if (smallMethodPointers) {
+                val2 = [cursor readSmallPtr:address]; if (val2 < min1) min1 = val2; if (val2 > max1) max1 = val2;
+                objc2Method.name = val2;
+                val2 = [cursor readSmallPtr:address]; if (val2 < min2) min2 = val2; if (val2 > max2) max2 = val2;
+                objc2Method.types = val2;
+                val2 = [cursor readSmallPtr:address]; if (val2 < min3) min3 = val2; if (val2 > max3) max3 = val2;
+                objc2Method.imp = val2;
+                //                NSLog(@"values12f: 0x%016llx 0x%016llx 0x%016llx", objc2Method.name, objc2Method.types, objc2Method.imp);
 //                NSLog(@"values12: 0x%08x 0x%08x 0x%08x", value1, value2, value3);
             } else {
-                uint64_t value1 = [cursor readPtr];
-                uint64_t value2 = [cursor readPtr];
-                uint64_t value3 = [cursor readPtr];
-//                NSLog(@"values24: 0x%016llx 0x%016llx 0x%016llx", value1, value2, value3);
-                objc2Method.name = value1;
-                objc2Method.types = value2;
-                objc2Method.imp = value3;
+                objc2Method.name  = [cursor readPtr];
+                objc2Method.types = [cursor readPtr];
+                objc2Method.imp   = [cursor readPtr];
+            }
+            NSString *name;
+            if (smallMethodPointers) {
+                name = [self.machOFile stringAtAddress2:objc2Method.name];
+                NSLog(@"small name: %@", name);
+            } else {
+                name = [self.machOFile stringAtAddress:objc2Method.name];
             }
-            NSString *name    = [self.machOFile stringAtAddress:objc2Method.name];
             NSString *types   = [self.machOFile stringAtAddress:objc2Method.types];
 
             if (extendedMethodTypesCursor) {
                 uint64_t extendedMethodTypes = [extendedMethodTypesCursor readPtr];
                 types = [self.machOFile stringAtAddress:extendedMethodTypes];
             }
 
-            //NSLog(@"%3u: %016lx %016lx %016lx", index, objc2Method.name, objc2Method.types, objc2Method.imp);
-            //NSLog(@"name: %@", name);
-            //NSLog(@"types: %@", types);
+//            NSLog(@"%s%3u: 0x%016llx 0x%016llx 0x%016llx 0x%016llx 0x%016llx", (smallMethodPointers ? "small " : ""), index, objc2Method.name, objc2Method.types, objc2Method.imp, offset, address);
+//            NSLog(@"name: %@", name);
+//            NSLog(@"types: %@", types);
 
             CDOCMethod *method = [[CDOCMethod alloc] initWithName:name typeString:types address:objc2Method.imp];
             [methods addObject:method];
         }
+
+//        if (smallMethodPointers) {
+//            NSLog(@"Small method range: 0x%016llx 0x%016llx 0x%016llx 0x%016llx 0x%016llx 0x%016llx", min1, max1, min2, max2, min3, max3);
+//        }
     }
 
     return [methods reversedArray];
@@ -491,7 +491,6 @@ - (NSArray *)loadIvarsAtAddress:(uint64_t)address;
 
         listHeader.entsize = [cursor readInt32];
         listHeader.count = [cursor readInt32];
-//        NSLog(@"Info: %u == %lu?: listHeader.entsize=%u self.machOFile ptrSize=%lu", listHeader.entsize, (3 * [self.machOFile ptrSize] + 2 * sizeof(uint32_t)), listHeader.entsize, [self.machOFile ptrSize]);
         NSParameterAssert(listHeader.entsize == 3 * [self.machOFile ptrSize] + 2 * sizeof(uint32_t));
 
         for (uint32_t index = 0; index < listHeader.count; index++) {

Source/CDObjectiveCProcessor.m

@@ -139,6 +139,7 @@ - (void)addCategory:(CDOCCategory *)category;
 - (int)process;
 {
     if (self.machOFile.isEncrypted == NO && self.machOFile.canDecryptAllSegments) {
+        NSLog(@"Loading file %@", [[self machOFile] filename]);
         [self.machOFile.symbolTable loadSymbols];
         [self.machOFile.dynamicSymbolTable loadSymbols];
 

Source/CDSection.h

@@ -19,6 +19,7 @@
 
 @property (nonatomic, readonly) NSUInteger addr;
 @property (nonatomic, readonly) NSUInteger size;
+@property (nonatomic, readonly) NSUInteger alignment;
 
 - (BOOL)containsAddress:(NSUInteger)address;
 - (NSUInteger)fileOffsetForAddress:(NSUInteger)address;

Source/CDSection.m

@@ -68,6 +68,11 @@ - (NSUInteger)size;
     return _section.size;
 }
 
+- (NSUInteger)alignment;
+{
+    return _section.align;
+}
+
 - (BOOL)containsAddress:(NSUInteger)address;
 {
     return (address >= _section.addr) && (address < _section.addr + _section.size);