

Finding Kernel Symbols for async_wake_ios

The hint is too obscure to follow on its own. With the help of [Hunting for iOS Kernel Symbols] I managed to find some of the symbols, but for the remaining missing ones that article is just as obscure as the hint itself. In particular, I did not know how to search for references to FPCR (the Floating-point Control Register) in order to locate KSYMBOL_X21_JOP_GADGET.

The author gave me a clue: compare kernel caches directly to find the symbols. So I downloaded the iPhone 7's 11.1.2 kernel cache, jumped to each known symbol address, and studied the surrounding assembly as a footprint. Then I switched to the 11.1.1 kernel image and searched for the same footprint, and it works: the assembly is identical except for the offsets. So here I am publishing the ones that are hard to search for.

You can simply search the assembly with a pattern such as *add *x0, *x0. The idea is to first compute the distance between the missing symbol and the closest known symbol in 11.1.2, apply the same arithmetic in 11.1.1 to get an estimated address, and then search for an assembly sequence that uniquely identifies the symbol. In IDA's search results, look for the hit closest to your estimate; it is almost always the right one, and you can still compare the surrounding assembly snippet if you are not sure.

// ip7 11.1.2 (ksymbols_iphone_7_15B202)
KSYMBOL_RET:  FFFFFFF0074D74D4
__text:FFFFFFF0074D74CC ; __int64 __fastcall OSArray::getMetaClass(OSArray *__hidden this)
__text:FFFFFFF0074D74CC ; Leaf function: materialises the address of OSArray::gMetaClass in X0
__text:FFFFFFF0074D74CC ; via an ADRP/ADD page-relative pair and returns. No stack frame is set
__text:FFFFFFF0074D74CC ; up and no callee-saved register is touched, so the only instructions
__text:FFFFFFF0074D74CC ; are the two address computations and the RET at +8 (FFFFFFF0074D74D4),
__text:FFFFFFF0074D74CC ; which is the address listed as KSYMBOL_RET above.
__text:FFFFFFF0074D74CC                 EXPORT __ZNK7OSArray12getMetaClassEv
__text:FFFFFFF0074D74CC __ZNK7OSArray12getMetaClassEv           ; DATA XREF: __const:FFFFFFF0070B3530↑o
__text:FFFFFFF0074D74CC                 ADRP            X0, #__ZN7OSArray10gMetaClassE@PAGE ; OSArray::gMetaClass ; X0 = 4 KiB page containing gMetaClass
__text:FFFFFFF0074D74D0                 ADD             X0, X0, #__ZN7OSArray10gMetaClassE@PAGEOFF ; OSArray::gMetaClass ; X0 += offset within that page
__text:FFFFFFF0074D74D4                 RET             ; return &OSArray::gMetaClass (KSYMBOL_RET)
__text:FFFFFFF0074D74D4 ; End of function OSArray::getMetaClass(void)
 
 
 
KSYMBOL_X21_JOP_GADGET: 0xfffffff0070cc1ac
__text:FFFFFFF0070CC188                 MRS             X20, #0, c6, c0, #0
__text:FFFFFFF0070CC18C                 MRS             X21, #0, c5, c2, #0
__text:FFFFFFF0070CC190                 STR             X20, [X0,#0x118]
__text:FFFFFFF0070CC194                 STR             W21, [X0,#0x120]
__text:FFFFFFF0070CC198                 LDR             W21, [X0,#0x110]
__text:FFFFFFF0070CC19C                 AND             X21, X21, #0xC
__text:FFFFFFF0070CC1A0                 CMP             X21, #0
__text:FFFFFFF0070CC1A4                 B.NE            loc_FFFFFFF0070CC1AC
__text:FFFFFFF0070CC1A8                 MOV             X30, #0
__text:FFFFFFF0070CC1AC
__text:FFFFFFF0070CC1AC loc_FFFFFFF0070CC1AC                    ; CODE XREF: sub_FFFFFFF0070CC0F0+B4↑j
__text:FFFFFFF0070CC1AC                 MOV             X21, X0
__text:FFFFFFF0070CC1B0                 MOV             X22, X1
__text:FFFFFFF0070CC1B4                 BR              X22
 
 
KSYMBOL_EL1_HW_BP_INFINITE_LOOP 0xfffffff0071de074:
__text:FFFFFFF0071DE068                 AND             W8, W20, #0x3F ; jumptable FFFFFFF0071DDF60 case 49
__text:FFFFFFF0071DE06C                 CMP             W8, #0x22
__text:FFFFFFF0071DE070                 B.NE            loc_FFFFFFF0071DE9EC
__text:FFFFFFF0071DE074
__text:FFFFFFF0071DE074 loc_FFFFFFF0071DE074                    ; CODE XREF: __text:loc_FFFFFFF0071DE074↓j
__text:FFFFFFF0071DE074                 B               loc_FFFFFFF0071DE074
 
 
 
KSYMBOL_SLEH_SYNC_EPILOG 0xfffffff0071dea24
__text:FFFFFFF0071DEA20                 CBNZ            X8, loc_FFFFFFF0071DF074
__text:FFFFFFF0071DEA24                 LDP             X29, X30, [SP,#0x130]
__text:FFFFFFF0071DEA28                 LDP             X20, X19, [SP,#0x120]
__text:FFFFFFF0071DEA2C                 LDP             X22, X21, [SP,#0x110]
__text:FFFFFFF0071DEA30                 LDP             X24, X23, [SP,#0x100]
__text:FFFFFFF0071DEA34                 LDP             X26, X25, [SP,#0xF0]
__text:FFFFFFF0071DEA38                 LDP             X28, X27, [SP,#0xE0]
__text:FFFFFFF0071DEA3C                 ADD             SP, SP, #0x140
 
 
 
 KSYMBOL_VALID_LINK_REGISTER  0xfffffff0070cc1d4
 __text:FFFFFFF0070CC1B8 sub_FFFFFFF0070CC1B8                    ; DATA XREF: sub_FFFFFFF0070CB000+64↑o
__text:FFFFFFF0070CC1B8                                         ; sub_FFFFFFF0070CB000+68↑o ...
__text:FFFFFFF0070CC1B8
__text:FFFFFFF0070CC1B8 var_10          = -0x10
__text:FFFFFFF0070CC1B8
__text:FFFFFFF0070CC1B8                 MRS             X1, #0, c5, c2, #0
__text:FFFFFFF0070CC1BC                 MRS             X2, #0, c6, c0, #0
__text:FFFFFFF0070CC1C0                 AND             W3, W1, #0xFC000000
__text:FFFFFFF0070CC1C4                 LSR             W3, W3, #0x1A
__text:FFFFFFF0070CC1C8                 MOV             W4, #0x21
__text:FFFFFFF0070CC1CC                 CMP             W3, W4
__text:FFFFFFF0070CC1D0                 B.EQ            loc_FFFFFFF0070CC1EC
__text:FFFFFFF0070CC1D4
__text:FFFFFFF0070CC1D4 loc_FFFFFFF0070CC1D4                    ; CODE XREF: sub_FFFFFFF0070CC1B8+38↓j
__text:FFFFFFF0070CC1D4                 STP             X29, X30, [SP,#var_10]!
 
 
KSYMBOL_EXCEPTION_RETURN   0xfffffff0070cc474
__text:FFFFFFF0070CC474                 MSR             #6, #3
__text:FFFFFFF0070CC478                 MRS             X3, #0, c13, c0, #4
__text:FFFFFFF0070CC47C                 MOV             SP, X21
__text:FFFFFFF0070CC480                 LDR             X0, [X3,#0x448]
__text:FFFFFFF0070CC484                 STR             X0, [SP,#arg_98]
__text:FFFFFFF0070CC488                 LDR             X0, [SP,#arg_108]
__text:FFFFFFF0070CC48C                 LDR             W1, [SP,#arg_110]
__text:FFFFFFF0070CC490                 LDR             W2, [SP,#arg_340]
__text:FFFFFFF0070CC494                 LDR             W3, [SP,#arg_344]
__text:FFFFFFF0070CC498                 MSR             #0, c4, c0, #1, X0
__text:FFFFFFF0070CC49C                 MSR             #0, c4, c0, #0, X1
__text:FFFFFFF0070CC4A0                 MSR             #3, c4, c4, #1, X2
__text:FFFFFFF0070CC4A4                 MSR             #3, c4, c4, #0, X3
__text:FFFFFFF0070CC4A8                 MOV             X0, SP
__text:FFFFFFF0070CC4AC                 LDP             Q0, Q1, [X0,#arg_140]
__text:FFFFFFF0070CC4B0                 LDP             Q2, Q3, [X0,#arg_160]
__text:FFFFFFF0070CC4B4                 LDP             Q4, Q5, [X0,#arg_180]
__text:FFFFFFF0070CC4B8                 LDP             Q6, Q7, [X0,#arg_1A0]
__text:FFFFFFF0070CC4BC                 LDP             Q8, Q9, [X0,#arg_1C0]
__text:FFFFFFF0070CC4C0                 LDP             Q10, Q11, [X0,#arg_1E0]
__text:FFFFFFF0070CC4C4                 LDP             Q12, Q13, [X0,#arg_200]
__text:FFFFFFF0070CC4C8                 LDP             Q14, Q15, [X0,#arg_220]
__text:FFFFFFF0070CC4CC                 LDP             Q16, Q17, [X0,#arg_240]
__text:FFFFFFF0070CC4D0                 LDP             Q18, Q19, [X0,#arg_260]
__text:FFFFFFF0070CC4D4                 LDP             Q20, Q21, [X0,#arg_280]
__text:FFFFFFF0070CC4D8                 LDP             Q22, Q23, [X0,#arg_2A0]
__text:FFFFFFF0070CC4DC                 LDP             Q24, Q25, [X0,#arg_2C0]
__text:FFFFFFF0070CC4E0                 LDP             Q26, Q27, [X0,#arg_2E0]
__text:FFFFFFF0070CC4E4                 LDP             Q28, Q29, [X0,#arg_300]
__text:FFFFFFF0070CC4E8                 LDP             Q30, Q31, [X0,#arg_320]
__text:FFFFFFF0070CC4EC                 LDP             X2, X3, [X0,#arg_18]
__text:FFFFFFF0070CC4F0                 LDP             X4, X5, [X0,#arg_28]
__text:FFFFFFF0070CC4F4                 LDP             X6, X7, [X0,#arg_38]
__text:FFFFFFF0070CC4F8                 LDP             X8, X9, [X0,#arg_48]
__text:FFFFFFF0070CC4FC                 LDP             X10, X11, [X0,#arg_58]
__text:FFFFFFF0070CC500                 LDP             X12, X13, [X0,#arg_68]
__text:FFFFFFF0070CC504                 LDP             X14, X15, [X0,#arg_78]
__text:FFFFFFF0070CC508                 LDP             X16, X17, [X0,#arg_88]
__text:FFFFFFF0070CC50C                 LDP             X18, X19, [X0,#arg_98]
__text:FFFFFFF0070CC510                 LDP             X20, X21, [X0,#arg_A8]
__text:FFFFFFF0070CC514                 LDP             X22, X23, [X0,#arg_B8]
__text:FFFFFFF0070CC518                 LDP             X24, X25, [X0,#arg_C8]
__text:FFFFFFF0070CC51C                 LDP             X26, X27, [X0,#arg_D8]
__text:FFFFFFF0070CC520                 LDR             X28, [X0,#arg_E8]
__text:FFFFFFF0070CC524                 LDP             X29, X30, [X0,#arg_F0]
__text:FFFFFFF0070CC528                 LDR             X1, [X0,#arg_100]
__text:FFFFFFF0070CC52C                 MOV             SP, X1
__text:FFFFFFF0070CC530                 LDP             X0, X1, [X0,#8]
__text:FFFFFFF0070CC534                 ERET
__text:FFFFFFF0070CC534 ; End of function sub_FFFFFFF0070CC474
 
 
 
KSYMBOL_THREAD_EXCEPTION_RETURN    0xfffffff0070cc42c
__text:FFFFFFF0070CC42C ; =============== S U B R O U T I N E =======================================
__text:FFFFFFF0070CC42C
__text:FFFFFFF0070CC42C
__text:FFFFFFF0070CC42C sub_FFFFFFF0070CC42C                    ; CODE XREF: sub_FFFFFFF0070CC428↑j
__text:FFFFFFF0070CC42C                                         ; sub_FFFFFFF0070F6248+8↓p ...
__text:FFFFFFF0070CC42C                 MRS             X0, #0, c13, c0, #4
__text:FFFFFFF0070CC430                 ADD             X21, X0, #0x408
__text:FFFFFFF0070CC434                 LDR             X21, [X21]
__text:FFFFFFF0070CC434 ; End of function sub_FFFFFFF0070CC42C
 
 
 
KSYMBOL_SET_MDSCR_EL1_GADGET    0xfffffff0071e1998
__text:FFFFFFF0071E1978 loc_FFFFFFF0071E1978                    ; CODE XREF: sub_FFFFFFF0071E1668:loc_FFFFFFF0071E1958↑j
__text:FFFFFFF0071E1978                 LDR             X9, [X19,#0x208]
__text:FFFFFFF0071E197C                 MRS             X8, #0, c0, c2, #2
__text:FFFFFFF0071E1980                 STUR            X8, [X29,#var_28]
__text:FFFFFFF0071E1984                 LDUR            X8, [X29,#var_28]
__text:FFFFFFF0071E1988                 TBNZ            W9, #0, loc_FFFFFFF0071E19A4
__text:FFFFFFF0071E198C                 AND             X8, X8, #0xFFFFFFFFFFFFFFFE
__text:FFFFFFF0071E1990                 STUR            X8, [X29,#var_28]
__text:FFFFFFF0071E1994                 LDUR            X8, [X29,#var_28]
__text:FFFFFFF0071E1998                 MSR             #0, c0, c2, #2, X8
__text:FFFFFFF0071E199C                 ISB
__text:FFFFFFF0071E19A0                 B               loc_FFFFFFF0071E19F8
 
 
 
KSYMBOL_WRITE_SYSCALL_ENTRYPOINT  0xfffffff007439b20
__text:FFFFFFF007439B1C sub_FFFFFFF007439B1C                    ; DATA XREF: __const:FFFFFFF0070AE7D8↑o
__text:FFFFFFF007439B1C
__text:FFFFFFF007439B1C var_10          = -0x10
__text:FFFFFFF007439B1C
__text:FFFFFFF007439B1C                 MRS             X8, #0, c13, c0, #4
__text:FFFFFFF007439B20                 LDR             X8, [X8,#0x388]
__text:FFFFFFF007439B24                 LDR             W9, [X8,#0x140]
__text:FFFFFFF007439B28                 AND             W10, W9, #0xFFFFFFFB
__text:FFFFFFF007439B2C                 STR             W10, [X8,#0x140]
__text:FFFFFFF007439B30                 AND             W8, W9, #0x38
__text:FFFFFFF007439B34                 CMP             W8, #8
__text:FFFFFFF007439B38                 B.EQ            loc_FFFFFFF007439B40
__text:FFFFFFF007439B3C                 B               sub_FFFFFFF007439B50