9 Example usage to regenerate traps.json:
10 - open the dyld cache in rizin like this:
11 RZ_DYLDCACHE_FILTER=libsystem_kernel rizin -e bin.usextr=false ~/Library/Developer/Xcode/iOS\ DeviceSupport/12.1.2\ \(16C101\)\ arm64e/Symbols/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64e
13 - run the script with this command:
14 #!pipe python3 /path/to/this/script.py > traps.json
28 while cursor >= min_addr:
29 op = r.cmdj(
"aoj@" +
str(cursor))[0][
"opcode"]
30 if re.search(pattern, op) !=
None:
32 if re.search(
r"^ret", op) !=
None:
34 if re.search(
r"^b ", op) !=
None:
42 saved_seek = r.cmd(
"?v $$")
43 r.cmd(
"e io.cache=true")
44 r.cmd(
"e emu.write=true")
47 min_addr =
int(r.cmd(
"?v " + flag), 0)
49 r.cmd(
"s " +
str(emu_start))
50 obj = r.cmd(
"aefa 0x%08x~[0]:0" % addr)
51 r.cmd(
"s " + saved_seek)
52 val = r.cmdj(
"pv4j @ %s+0x14" % obj.strip())[0][
"value"]
54 val = r.cmdj(
"pv4j @ %s+0x18" % obj.strip())[0][
"value"]
59 return re.sub(
r"^_",
"", name)
63 msgs = r.cmdj(
"axtj @ sym._mach_msg")
65 r.cmd(
"s sym._mach_msg")
68 msgs = r.cmdj(
"axtj @ sym._mach_msg")
70 print(
"Cannot find refs to mach_msg!")
75 if ref[
"type"] !=
"CALL" or "realname" not in ref:
77 name = ref[
"realname"]
78 if re.search(
r"^_mach_msg", name) !=
None:
81 traps[addr] = {
"name": name}
86 flag =
"sym.%s" % trap[
"name"]
89 if trap[
"num"] !=
None:
92 result.sort(key=
lambda x: x[
"num"])
97 if __name__ ==
"__main__":
99 print(json.dumps(traps, indent=4))
def carve_trap_num(addr, flag)
def walk_back_until(addr, pattern, min_addr)
1.9.1