Difference between revisions of "Vm map enter Patch"

From The iPhone Wiki
(another page for category Patches - also from Stefan Esser's BlackHat presentation)

Revision as of 21:12, 25 September 2011

  • vm_map_enter disallows mappings that carry both VM_PROT_WRITE (0x2) and VM_PROT_EXECUTE (0x4): after testing the write bit (TST.W R6, #2 at 0x80041944) it branches to the block at loc_800419AC, which tests the execute bit (TST.W R6, #4).
  • When both bits are set and bit 0x80000 of the flags word in R4 is clear (the ANDS.W at 0x800419B2; in the XNU source of this era that flag value is VM_FLAGS_MAP_JIT, the exemption for JIT regions), the kernel logs the event (the BL to sub_8001A9E0 with "vm_map_enter" as an argument) and clears VM_PROT_EXECUTE with BIC.W R6, R6, #4 before branching back to loc_8004194A. Only the execute bit is dropped; the mapping itself is still created, as writable but not executable.
  • The patch just NOPs out the check: the 2-byte BNE at 0x80041948 (encoding 0xD130, bytes 30 D1 in memory) is replaced with the 2-byte Thumb NOP (0xBF00, bytes 00 BF), so execution always falls through to loc_8004194A with the requested protection untouched and write+execute mappings are allowed at creation.
  • Caveat: this only removes the check at map creation. vm_map_protect enforces the same write+execute restriction when an existing mapping is re-protected, and that path is not touched by this patch.
__text:8004193E                 LDR             R6, [SP,#0xCC+arg_14]
__text:80041940                 STR             R3, [SP,#0xCC+arg_54]
__text:80041942                 BNE             loc_8004199E
__text:80041944                 TST.W           R6, #2
__text:80041948                 BNE             loc_800419AC <== replaced with NOP
__text:8004194A 
__text:8004194A loc_8004194A                            ; CODE XREF: _vm_map_enter+90↓j
__text:8004194A                                         ; _vm_map_enter+96↓j ...
__text:8004194A                 LSRS            R3, R4, #1
__text:8004194C                 AND.W           R5, R3, #1
__text:800419AC ; ---------------------------------------------------------------------------
__text:800419AC 
__text:800419AC loc_800419AC                            ; CODE XREF: _vm_map_enter+28↑j
__text:800419AC                 TST.W           R6, #4
__text:800419B0                 BEQ             loc_8004194A
__text:800419B2                 ANDS.W          R0, R4, #0x80000
__text:800419B6                 BNE             loc_8004194A
__text:800419B8                 LDR.W           R1, =aVm_map_enter ; "vm_map_enter"
__text:800419BC                 BL              sub_8001A9E0
__text:800419C0                 BIC.W           R6, R6, #4
__text:800419C4                 B               loc_8004194A
__text:800419C6 ; ---------------------------------------------------------------------------
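The following C is an added example, not code from the wiki page or from Esser's presentation. It models the check reconstructed from the listing above and applies the patch to an in-memory kernel image, verifying that the bytes at 0x80041948 really are the BNE encoded from the listing's addresses before replacing them with the Thumb NOP. VM_PROT_WRITE and VM_PROT_EXECUTE are the values from mach/vm_prot.h; the meaning of the 0x80000 flag bit is taken from the listing and the name FLAG_WX_EXEMPT is an assumption; the "image" is a constructed zero-filled buffer with only the BNE at its real offset from a made-up base, so the example runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Protection bits from <mach/vm_prot.h>. */
#define VM_PROT_WRITE   0x2
#define VM_PROT_EXECUTE 0x4

/* Bit of the flags word (R4) tested at 0x800419B2 before execute is
 * stripped. The value is from the listing; the name and the "JIT
 * exemption" reading are assumptions. */
#define FLAG_WX_EXEMPT  0x80000

/* C model of the check, reconstructed from the listing. `patched`
 * simulates the NOPed BNE at 0x80041948: the write-bit test never
 * diverts to loc_800419AC, so the protection is returned unchanged. */
uint32_t vm_map_enter_filter(uint32_t cur_protection, uint32_t flags, int patched)
{
    if (patched)
        return cur_protection;                            /* BNE -> NOP: fall through */
    if (cur_protection & VM_PROT_WRITE) {                 /* TST.W R6,#2 ; BNE loc_800419AC */
        if ((cur_protection & VM_PROT_EXECUTE) &&         /* TST.W R6,#4 ; BEQ loc_8004194A */
            !(flags & FLAG_WX_EXEMPT)) {                  /* ANDS.W R0,R4,#0x80000 ; BNE */
            /* BL sub_8001A9E0 with "vm_map_enter": the kernel logs here */
            cur_protection &= ~VM_PROT_EXECUTE;           /* BIC.W R6,R6,#4 */
        }
    }
    return cur_protection;
}

/* 16-bit Thumb conditional branch, encoding T1: 1101 cond imm8,
 * target = (insn_addr + 4) + SignExtend(imm8:'0'). Returns 0 on success. */
int encode_thumb_bcond(unsigned cond, uint32_t insn_addr, uint32_t target, uint16_t *out)
{
    int32_t off = (int32_t)(target - (insn_addr + 4));
    if (off & 1) return -1;                               /* Thumb targets are halfword aligned */
    int32_t imm8 = off >> 1;
    if (imm8 < -128 || imm8 > 127) return -1;             /* out of range for the short form */
    *out = (uint16_t)(0xD000 | ((cond & 0xF) << 8) | (imm8 & 0xFF));
    return 0;
}

#define COND_NE   0x1
#define THUMB_NOP 0xBF00   /* 16-bit NOP, bytes 00 BF in memory */

/* Apply the patch to an in-memory kernel image whose first byte is
 * loaded at `base`. The branch is re-encoded from the addresses in the
 * listing and compared with the bytes in the image before anything is
 * written, so a wrong base or a different kernel build is rejected. */
int patch_vm_map_enter(uint8_t *img, size_t len, uint32_t base)
{
    const uint32_t bne_addr = 0x80041948, bne_target = 0x800419AC;
    uint16_t expect, found;
    if (encode_thumb_bcond(COND_NE, bne_addr, bne_target, &expect)) return -1;
    if (bne_addr < base || bne_addr + 2 > base + len) return -2;
    size_t off = bne_addr - base;
    found = (uint16_t)(img[off] | (img[off + 1] << 8));   /* little-endian halfword */
    if (found != expect) return -3;
    img[off]     = (uint8_t)(THUMB_NOP & 0xFF);
    img[off + 1] = (uint8_t)(THUMB_NOP >> 8);
    return 0;
}

/* Constructed stand-in for the __text segment: zeros except for the
 * BNE at 0x80041948, placed at its real offset from a made-up base. */
#define FAKE_BASE 0x80041000u
#define FAKE_LEN  0x1000u

void build_fake_text(uint8_t *img)
{
    memset(img, 0, FAKE_LEN);
    img[0x80041948 - FAKE_BASE]     = 0x30;   /* BNE loc_800419AC = 0xD130 */
    img[0x80041948 - FAKE_BASE + 1] = 0xD1;
}

int main(void)
{
    uint8_t img[FAKE_LEN];
    build_fake_text(img);
    printf("unpatched RWX request -> prot 0x%x\n", vm_map_enter_filter(0x7, 0, 0));
    int rc = patch_vm_map_enter(img, FAKE_LEN, FAKE_BASE);
    printf("patch rc=%d, bytes at 0x80041948: %02x %02x\n", rc, img[0x948], img[0x949]);
    printf("patched   RWX request -> prot 0x%x\n", vm_map_enter_filter(0x7, 0, rc == 0));
    return rc;
}
```

Re-encoding the branch from the listing's own addresses (0x80041948 to 0x800419AC gives imm8 = 0x30, hence 0xD130) is the cheap check that keeps a hard-coded patch from landing on the wrong halfword in another build; a real patcher would locate the TST/BNE pair by pattern rather than by fixed address.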