我正在用 dylib 修补 Mach-O 二进制文件(通过在加载命令末尾附加 LC_LOAD_DYLIB 命令 + 调整 mach 头的 sizeofcmds + 增加其 ncmds),我希望能够一遍又一遍地编译dylib 本身并重新运行二进制文件。
但是,由于某种原因,这样做时,第一次运行后,二进制文件会因各种原因崩溃(例如不同地址的 EXC_CRASH 或 EXC_BAD_ACCESS)
如果我重新启动机器,一切都会正常工作(lib 已修补并且 exec 运行)。我敢打赌这与一些模糊的(至少对我来说)内存映射或缓存动态链接器有关,但我在该领域的专业知识很少。你们有可能了解一些吗?
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libobjc.A.dylib 0x00007fffd43d3829 map_images_nolock + 588
1 libobjc.A.dylib 0x00007fffd43d3521 map_2_images + 43
2 dyld 0x00000001164e5d4c dyld::notifyBatchPartial(dyld_image_states, bool, char const* (*)(dyld_image_states, unsigned int, dyld_image_info const*), bool, bool) + 1124
3 dyld 0x00000001164e5f25 dyld::registerObjCNotifiers(void (*)(unsigned int, char const* const*, mach_header const* const*), void (*)(char const*, mach_header const*), void (*)(char const*, mach_header const*)) + 50
4 libdyld.dylib 0x00007fffd4cbd584 _dyld_objc_notify_register + 77
5 libobjc.A.dylib 0x00007fffd43d3074 _objc_init + 115
6 libdispatch.dylib 0x00007fffd4c84c64 _os_object_init + 13
7 libdispatch.dylib 0x00007fffd4c84c13 libdispatch_init + 295
8 libSystem.B.dylib 0x00007fffd36f1a02 libSystem_initializer + 121
9 dyld 0x00000001164f6063 ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&) + 385
10 dyld 0x00000001164f6266 ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 40
11 dyld 0x00000001164f1bf0 ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 338
12 dyld 0x00000001164f1b87 ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 233
13 dyld 0x00000001164f1b87 ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 233
14 dyld 0x00000001164f1b87 ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 233
15 dyld 0x00000001164f1b87 ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 233
16 dyld 0x00000001164f1b87 ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 233
17 dyld 0x00000001164f1b87 ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 233
18 dyld 0x00000001164f1b87 ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 233
19 dyld 0x00000001164f0c60 ImageLoader::processInitializers(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 138
20 dyld 0x00000001164f0cf5 ImageLoader::runInitializers(ImageLoader::LinkContext const&, ImageLoader::InitializerTimingList&) + 75
21 dyld 0x00000001164e32f6 dyld::initializeMainExecutable() + 195
22 dyld 0x00000001164e7459 dyld::_main(macho_header const*, unsigned long, int, char const**, char const**, char const**, unsigned long*) + 3789
23 dyld 0x00000001164e2249 dyldbootstrap::start(macho_header const*, int, char const**, long, macho_header const*, unsigned long*) + 470
24 dyld 0x00000001164e2036 _dyld_start + 54
在正常程序中,也许我认为这是苹果系统中的一种安全措施 例如,我尝试跳过 0x175272 <+66>:calll 0x1752b1 ; dyldbootstrap::start(macho_header const*, int, char const**, long, macho_header const*, unsigned long*) 在这种情况下看起来像是空的东西,或者它的排序头将包含什么我看到了教程可能就是这样,说要阅读它,您所要做的就是使用 d 编程语言和 dtrace 进行编程 <- and if you step INTO the actual thing it gets caught in a 4 function loop: :4 https://youtu.be/qE05Bv1e_fo?list=RD7jpMwwn4V04 1:23