This repository has been archived by the owner on Jul 20, 2024. It is now read-only.

Undetected classes and other errata in some Ventura libraries. #4

Open
flagersgit opened this issue Aug 9, 2023 · 3 comments

@flagersgit

Ventura libraries sometimes have DYLD_CHAINED_FIXUP binds in various Obj-C metadata sections.

Whenever Parser::decode_ptr() is called on one of these binds, iCDump continues its scan with the wrong address, causing unintended behavior. This can range from classes not being detected to large logging spam.

I have attached some libraries where this behavior is apparent.
Broken Libraries - Ventura 22G5038d.zip

@romainthomas (Owner)

Thank you, I'll check that!

@flagersgit (Author) commented Aug 10, 2023

For my immediate needs, I've solved the problem by patching decode_ptr() with this:

```cpp
// Fragment inside Parser::decode_ptr(): `ptr` is the raw 64-bit slot value,
// `decoded` the result variable, `bin_` the LIEF MachO binary, `stream()` its byte stream.
dyld_chained_ptr_64_bind bind;
bind.combined = ptr;
if (bind.bind.bind == 1) {  // top bit set: this slot is a bind, not a rebase
  auto linkEditSegment = bin_->get_segment("__LINKEDIT");
  // delta between where __LINKEDIT is mapped and where it sits in the file
  size_t linkEditOffset = linkEditSegment->virtual_address() - linkEditSegment->file_offset();
  if (bin_->has_dyld_chained_fixups()) {
    // data_offset() is the offset recorded by LC_DYLD_CHAINED_FIXUPS; rebase it by the
    // __LINKEDIT delta before reading the dyld_chained_fixups_header through stream()
    size_t fixupsHeaderOffset = bin_->dyld_chained_fixups()->data_offset() + linkEditOffset;
    auto fixupsHeader = *(stream().peek<dyld_chained_fixups_header>(fixupsHeaderOffset));
    // the bind ordinal indexes the dyld_chained_import table at imports_offset
    dyld_chained_import fixupImport = *(stream().peek<dyld_chained_import>(
        fixupsHeaderOffset + fixupsHeader.imports_offset
        + (sizeof(dyld_chained_import) * bind.bind.ordinal)));
    // name_offset is relative to the symbol string table at symbols_offset
    auto bind_symbol_str = stream().peek_string_at(
        fixupsHeaderOffset + fixupsHeader.symbols_offset + fixupImport.name_offset);
    ICDUMP_DEBUG("DECODE(0x{:010x}): bind symbol: {}", ptr, *bind_symbol_str);
    // resolve the imported name through LIEF's symbol table and use that address
    // instead of the raw (bind-encoded) slot value
    auto bind_lief_symbol = bin_->get_symbol(*bind_symbol_str);
    if (bind_lief_symbol) {
      decoded = bind_lief_symbol->value();
      ICDUMP_DEBUG("FIXED DECODE(0x{:010x}): 0x{:010x}", ptr, decoded);
      return decoded;
    }
  }
}
```

Looking forward to your fix in an upcoming version. Thanks!
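The following is an added, self-contained C++ example (not iCDump's code and not the patch above) showing what the two comments in this thread describe: a 64-bit slot in an Obj-C metadata section may be a DYLD_CHAINED_PTR_64 rebase or bind entry, and a bind must be resolved through the chained-fixups import and symbol tables rather than used as an address. It goes slightly beyond the patch by also decoding rebase entries, following the `next` stride through a chain, and bounds-checking the ordinal against `imports_count`. The field layouts are those of `dyld_chained_ptr_64_rebase`, `dyld_chained_ptr_64_bind`, `dyld_chained_fixups_header` and `dyld_chained_import` from `<mach-o/fixup-chains.h>`; the chain blob, slot values, symbol addresses and all function names are constructed for the example and are assumptions, not data from any real library.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

// Fields of dyld_chained_ptr_64_{rebase,bind}, extracted with shifts so the
// result does not depend on compiler bitfield packing.
struct ChainedPtr64 {
    bool     is_bind;   // bit 63: 1 = bind, 0 = rebase
    uint16_t next;      // bits 51..62, distance to next slot in 4-byte units; 0 ends the chain
    uint64_t target;    // rebase: bits 0..35 (vmaddr for DYLD_CHAINED_PTR_64)
    uint8_t  high8;     // rebase: bits 36..43, restored into the top byte
    uint32_t ordinal;   // bind: bits 0..23, index into the imports table
    uint8_t  addend;    // bind: bits 24..31
};

ChainedPtr64 decode_chained_ptr64(uint64_t raw) {
    ChainedPtr64 p{};
    p.is_bind = ((raw >> 63) & 1) != 0;
    p.next    = static_cast<uint16_t>((raw >> 51) & 0xFFF);
    if (p.is_bind) {
        p.ordinal = static_cast<uint32_t>(raw & 0xFFFFFF);
        p.addend  = static_cast<uint8_t>((raw >> 24) & 0xFF);
    } else {
        p.target  = raw & 0xFFFFFFFFFULL;
        p.high8   = static_cast<uint8_t>((raw >> 36) & 0xFF);
    }
    return p;
}

// Little-endian u32 read with a bounds check (chain data comes from __LINKEDIT).
static uint32_t rd32(const std::vector<uint8_t>& b, size_t off) {
    if (off + 4 > b.size()) throw std::out_of_range("chain data truncated");
    return b[off] | (b[off + 1] << 8) | (b[off + 2] << 16) | (uint32_t(b[off + 3]) << 24);
}

// Map a bind ordinal to its symbol name. Header: fixups_version, starts_offset,
// imports_offset, symbols_offset, imports_count, imports_format, symbols_format.
// Import entry: lib_ordinal:8, weak_import:1, name_offset:23. Only
// DYLD_CHAINED_IMPORT (format 1) with uncompressed symbols is handled here.
std::optional<std::string> bind_symbol_name(const std::vector<uint8_t>& chain, uint32_t ordinal) {
    const uint32_t imports_offset = rd32(chain, 8);
    const uint32_t symbols_offset = rd32(chain, 12);
    const uint32_t imports_count  = rd32(chain, 16);
    if (rd32(chain, 20) != 1 || rd32(chain, 24) != 0) return std::nullopt;
    if (ordinal >= imports_count) return std::nullopt;   // refuse rather than read past the table
    const uint32_t name_offset = rd32(chain, imports_offset + 4u * ordinal) >> 9;
    size_t pos = static_cast<size_t>(symbols_offset) + name_offset;
    std::string name;
    while (pos < chain.size() && chain[pos] != 0) name.push_back(static_cast<char>(chain[pos++]));
    if (pos >= chain.size()) return std::nullopt;         // unterminated string
    return name;
}

using SymbolTable = std::map<std::string, uint64_t>;   // name -> address (assumed lookup source)

// Value a dumper should use for the slot: symbol address + addend for a bind,
// target vmaddr with high8 restored for a rebase.
std::optional<uint64_t> resolve_ptr(uint64_t raw, const std::vector<uint8_t>& chain, const SymbolTable& syms) {
    ChainedPtr64 p = decode_chained_ptr64(raw);
    if (!p.is_bind) return p.target | (static_cast<uint64_t>(p.high8) << 56);
    auto name = bind_symbol_name(chain, p.ordinal);
    if (!name) return std::nullopt;
    auto it = syms.find(*name);
    if (it == syms.end()) return std::nullopt;
    return it->second + p.addend;
}

// Walk one chain over 8-byte slots starting at slot 0, following next*4 byte
// strides until next == 0. Unresolvable binds are skipped instead of emitted.
std::vector<uint64_t> walk_chain(const std::vector<uint64_t>& slots, const std::vector<uint8_t>& chain, const SymbolTable& syms) {
    std::vector<uint64_t> out;
    size_t off = 0;
    while (off / 8 < slots.size()) {
        uint64_t raw = slots[off / 8];
        if (auto v = resolve_ptr(raw, chain, syms)) out.push_back(*v);
        ChainedPtr64 p = decode_chained_ptr64(raw);
        if (p.next == 0) break;
        off += static_cast<size_t>(p.next) * 4;
    }
    return out;
}

// ---- constructed sample data (assumptions, not from any real binary) ----
static void put32(std::vector<uint8_t>& b, uint32_t v) {
    for (int i = 0; i < 4; ++i) b.push_back(static_cast<uint8_t>(v >> (8 * i)));
}

std::vector<uint8_t> sample_chain_data() {
    std::vector<uint8_t> b;
    const uint32_t hdr[7] = {0, 0, 28, 36, 2, 1, 0};  // version, starts (unused), imports, symbols, count, import fmt, sym fmt
    for (uint32_t v : hdr) put32(b, v);
    put32(b, 1u | (0u << 9));    // import 0: lib_ordinal 1, name_offset 0
    put32(b, 2u | (18u << 9));   // import 1: lib_ordinal 2, name_offset 18
    const char syms[] = "_objc_empty_cache\0_OBJC_CLASS_$_NSObject";
    b.insert(b.end(), syms, syms + sizeof(syms));     // both strings plus final NUL
    return b;
}

std::vector<uint64_t> sample_objc_data_slots() {
    const uint64_t NEXT8 = 2ULL << 51;   // next = 2 -> following slot is 8 bytes away
    const uint64_t BIND  = 1ULL << 63;
    return {
        0x1000ULL | NEXT8,              // rebase to vmaddr 0x1000
        BIND | NEXT8 | 1ULL,            // bind ordinal 1 (_OBJC_CLASS_$_NSObject)
        BIND | (0x10ULL << 24),         // bind ordinal 0 (_objc_empty_cache) + 0x10, next = 0 ends chain
    };
}

SymbolTable sample_symbols() {
    return {{"_OBJC_CLASS_$_NSObject", 0x7fff20000000ULL}, {"_objc_empty_cache", 0x7fff30000000ULL}};
}
```

Calling `walk_chain(sample_objc_data_slots(), sample_chain_data(), sample_symbols())` yields the three resolved values in chain order; treating the second or third raw slot as an address, which is the failure the issue describes, would instead hand the scanner a value with bit 63 set and an ordinal in the low bits.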

@GinkREAL

@flagersgit did you reverse engineer that implementation or is there a reference somewhere?
