
LLDB print swift array knowing only hex address


I'm trying to reverse engineer one of the apps built with the release configuration.

My thread info looks like this.

* thread #21: tid = 0x876cb, 0x000000010133856c SomeLibSwift`SomeLibSwift.Auth.auth (Swift.Array<Swift.UInt8>) throws -> Swift.Array<Swift.UInt8>, queue = 'com.apple.root.utility-qos', stop reason = breakpoint 1.6
  * frame #0: 0x000000010133856c SomeLibSwift`SomeLibSwift.Auth.auth (Swift.Array<Swift.UInt8>) throws -> Swift.Array<Swift.UInt8> 

Register x0 (address 0x181ba4174) contains the needed argument

memory read shows something like this (I've tried different formats):

memory read -s1 -fC -c1000 --force 0x181ba4174

0x181ba4174: ...??._?.......??._?0......??._?
0x181ba4194: P......??._?p......??._?.......?
0x181ba41b4: ?._ְ......??._??......??._?....
0x181ba41d4: ...??._?0......??._?P......??._?
0x181ba41f4: p......??._?.......??._ְ......?
0x181ba4214: ?._??......??._?.......??._?P...
0x181ba4234: ...??._?p......??._?.......??._?
....

I found that auth func has such definition

func auth(_ bytes: Array<UInt8>) throws -> Array<UInt8>

So basically all I want is to get the 'bytes' variable stored at address 0x181ba4174.

Also I know that the 'auth' method is called with an argument like this:

let key = "somekey".utf8
let result = auth(key)

Ideally I want to get back key.


Solution

  • Finally I was able to get this done.

    expr -l Swift  -- String(unsafeBitCast(0x181ba4174, to: Array<UInt8>.self))
    

    It gives output like:

    (String) $R0 = "[10, 11, 118, 105, 19, 1]"
    

    Then using Xcode I was able to get the key:

    // Bytes copied from the LLDB output above
    var arr: [UInt8] = [10, 11, 118, 105, 19, 1]
    
    // Data(bytes:) is the older spelling; Data(arr) is the current initializer
    let data = Data(bytes: arr)
    // Decode the bytes as ASCII text (returns nil if any byte is non-ASCII)
    let key = String(data: data, encoding: .ascii)
    

    Also I wrote a command in case someone needs it.

    command regex ptrInt8Array 's/(.+)/expr -l Swift  -- String(describing: unsafeBitCast(%1, to: Array<UInt8>.self))/'
    

    Execute it by:

    ptrInt8Array 0x181ba4174
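Why the `unsafeBitCast` trick in the answer works, and how to do the same decoding without relying on the Swift expression evaluator: on a 64-bit platform a `Swift.Array<UInt8>` is a single pointer to a heap storage object whose layout is isa (8 bytes), reference counts (8 bytes), count (8 bytes), capacity-and-flags word (8 bytes), then the elements. The Python below is an added example written for this page, not code from the question or answer. It parses that layout from a constructed byte string, mirrors the byte-to-ASCII step from the answer, and takes a `read_mem(address, size)` callable so the same parser can be fed from `SBProcess.ReadMemory` inside an LLDB session (the `lldb` module, the storage layout and the placeholder isa value are assumptions; only the sample element bytes come from the answer).

```python
import struct
from typing import Callable, Dict

# Assumed layout of a Swift native array storage object on a 64-bit platform
# (from the stable Swift ABI; not stated in the original post):
#   0x00  isa pointer           (8 bytes)
#   0x08  reference counts      (8 bytes)
#   0x10  count                 (Int,  8 bytes)
#   0x18  _capacityAndFlags     (UInt, 8 bytes; capacity = value >> 1)
#   0x20  first element
HEADER_FMT = "<QQqQ"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 32


def parse_swift_array_storage(blob: bytes, elem_size: int = 1) -> Dict:
    """Decode a Swift contiguous array storage object and return its
    isa, count, capacity and the raw element bytes. Rejects buffers that
    are truncated or whose header does not look like an array object."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("buffer shorter than array storage header")
    isa, _refcount, count, cap_flags = struct.unpack_from(HEADER_FMT, blob, 0)
    capacity = cap_flags >> 1
    if count < 0 or count > capacity:
        raise ValueError(f"count {count} / capacity {capacity}: not an array object")
    needed = HEADER_SIZE + count * elem_size
    if len(blob) < needed:
        raise ValueError(f"need {needed} bytes, have {len(blob)}")
    return {"isa": isa, "count": count, "capacity": capacity,
            "elements": blob[HEADER_SIZE:needed]}


def uint8_array_to_text(elements: bytes) -> str:
    """Same step as Data(bytes:) + String(data:encoding:.ascii) in the answer,
    except non-printable bytes are shown as \\xNN instead of failing."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in elements)


def read_swift_uint8_array(read_mem: Callable[[int, int], bytes], buffer_ptr: int) -> bytes:
    """Read the storage object at buffer_ptr through read_mem(address, size).
    The header is read first so only count bytes of elements are fetched."""
    header = read_mem(buffer_ptr, HEADER_SIZE)
    count = struct.unpack_from("<q", header, 16)[0]
    if count < 0:
        raise ValueError("negative count: not an array storage object")
    elements = read_mem(buffer_ptr + HEADER_SIZE, count)
    return parse_swift_array_storage(header + elements)["elements"]


def lldb_reader(process) -> Callable[[int, int], bytes]:
    """Adapter for an lldb.SBProcess; only usable inside an LLDB session."""
    import lldb  # assumption: available in the LLDB Python environment

    def read_mem(address: int, size: int) -> bytes:
        err = lldb.SBError()
        data = process.ReadMemory(address, size, err)
        if not err.Success():
            raise RuntimeError(f"ReadMemory(0x{address:x}, {size}): {err.GetCString()}")
        return bytes(data)

    return read_mem


def build_sample_storage(elements: bytes, capacity: int = 8) -> bytes:
    """Constructed sample of what memory at an Array<UInt8> buffer pointer
    looks like. The isa and refcount values are placeholders."""
    header = struct.pack(HEADER_FMT, 0x1000_0000_0000, 0x3, len(elements), capacity << 1)
    return header + elements.ljust(capacity, b"\x00")


if __name__ == "__main__":
    # Element bytes taken from the LLDB output quoted in the answer
    sample = build_sample_storage(bytes([10, 11, 118, 105, 19, 1]))
    base = 0x181ba4174  # the buffer address from the question, used only as a label

    def fake_read(address: int, size: int) -> bytes:
        return sample[address - base:address - base + size]

    elems = read_swift_uint8_array(fake_read, base)
    print(list(elems), repr(uint8_array_to_text(elems)))
```

Inside LLDB the same parser is driven with `read_swift_uint8_array(lldb_reader(lldb.process), 0x181ba4174)`; the `count` field is what `unsafeBitCast` implicitly trusts, so the range checks here are the part worth keeping when the pointer in `x0` turns out not to be an array after all.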