
Avicenna

macrumors member
Original poster
Jul 16, 2009
I have asked this on several forums and am just trying my luck here in case anyone has come across this. I have an application and I used class-dump on it to get the header files. I found the method that I need to swap and swapped it successfully. That method is called:

Code:
- (void)ReceiveMessageInjected:(const struct BInstantMessage *)arg1

Now, what is BInstantMessage? It's a struct which is defined as:

Code:
struct BInstantMessage {
    struct CFString _field2;
    unsigned short *_field3;
    struct BChat *_field6;
    struct BUser *_field5;
};

I am interested in _field2, because I want some sort of message so I am guessing it resides in _field2, so what is CFString? It's defined as:

Code:
struct CFString {
    void **_vptr$CFObject;
    struct __CFString *mCFRef;
    _Bool mIsMutable;
};

Now, I know that CFStringRef is defined as
Code:
struct __CFString *const
So my guess is it is stored in mCFRef. So, this is what I do to try to access this CFStringRef called mCFRef:

Code:
CFStringRef s = (arg1->_field2).mCFRef;

Now, whenever I do anything to s, I get an EXC_BAD_ACCESS. So my guess was it's probably the _vptr$CFObject. So I dereferenced it and cast it to CFStringRef, and still I get an EXC_BAD_ACCESS.

Any suggestions/tips are welcome. I have been at this for the past 12 hours. Thanks!
 
I was going to suggest
Code:
CFStringRef str = (CFStringRef)arg1;
but based on that definition, it's not a pointer, and a CFStringRef should always be a pointer, so it looks like it's either the actual struct of the CFStringRef or some custom struct defined by this program (which I find odd, unless it's Apple's program).

Certainly would be easier to use gdb in this instance to try outputting what that is.

Why is it starting at field2? I would imagine it should be starting at field1. Are you using the latest version of class-dump?
 
Sorry, I didn't post the whole struct as I didn't think it was relevant. Here it is:
Code:
struct BInstantMessage {
    void **_field1;
    struct CFString _field2;
    unsigned short *_field3;
    struct DTextStyle _field4;
    struct BUser *_field5;
    struct BChat *_field6;
};

Also, please note that BChat struct has several CFString fields and also BUser. In fact, the whole program uses CFString frequently, much more than CFStringRef or NSString.
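
Why the "_field1" question above matters for the offset of mCFRef, as an added example that is not part of the thread or the application's code: it builds an object with the full layout and reads mCFRef through a header with and without the leading field. The names FullPrefix, ShortPrefix, slot_at and what_is_read are hypothetical, `_vptr$CFObject` is spelled without the `$`, and the fields after _field3 are left out because DTextStyle is not defined on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct __CFString;                 /* opaque; never dereferenced here */

struct CFString {                  /* wrapper struct as dumped on the page */
    void **_vptr_CFObject;         /* `_vptr$CFObject` in the dump; `$` dropped for portability */
    struct __CFString *mCFRef;
    _Bool mIsMutable;
};

/* Hypothetical name: leading fields of the full dump. Later fields are left
   out because DTextStyle is not defined on the page; they cannot move _field2. */
struct FullPrefix {
    void **_field1;
    struct CFString _field2;
    unsigned short *_field3;
};

/* Hypothetical name: the same fields with _field1 missing. */
struct ShortPrefix {
    struct CFString _field2;
    unsigned short *_field3;
};

size_t full_ref_offset(void)  { return offsetof(struct FullPrefix, _field2.mCFRef); }
size_t short_ref_offset(void) { return offsetof(struct ShortPrefix, _field2.mCFRef); }

/* Load the pointer-sized slot at `off` bytes into the object. */
static const void *slot_at(const void *obj, size_t off) {
    const void *p;
    memcpy(&p, (const char *)obj + off, sizeof p);
    return p;
}

/* Build an object with the full layout, read mCFRef through either offset,
   and report which stored pointer came back: 'r' = mCFRef, 'v' = vptr. */
char what_is_read(size_t off) {
    static void *vtable[1];        /* constructed stand-in for a C++ vtable */
    static int string_obj;         /* constructed stand-in for the CFString object */
    struct FullPrefix m = { NULL, { vtable, (struct __CFString *)&string_obj, 0 }, NULL };
    const void *p = slot_at(&m, off);
    return p == (const void *)&string_obj ? 'r' : p == (const void *)vtable ? 'v' : '?';
}

int main(void) {
    printf("full header:  mCFRef at %zu, reads %c\n", full_ref_offset(), what_is_read(full_ref_offset()));
    printf("short header: mCFRef at %zu, reads %c\n", short_ref_offset(), what_is_read(short_ref_offset()));
    return 0;
}
```

With the leading pointer missing from the header, every later field is read one pointer too early, so the slot taken for mCFRef holds the vtable pointer instead.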
 