SIMBL reverse engineering (CFString)

Discussion in 'Mac Programming' started by Avicenna, Mar 23, 2011.

  1. Avicenna macrumors member

    Joined:
    Jul 16, 2009
    #1
    I have asked this on several forums and am just trying my luck here in case anyone came across this. I have an application and I used class-dump on it to get the header files. I found out the method that I need to swap and swapped it successfully. That method is called:

    Code:
    - (void)ReceiveMessageInjected:(const struct BInstantMessage *)arg1
    Now, what is BInstantMessage? It's a struct which is defined as:

    Code:
    struct BInstantMessage {
        struct CFString _field2;
        unsigned short *_field3;
        struct BChat *_field6;
        struct BUser *_field5;
    };
    I am interested in _field2, because I want some sort of message so I am guessing it resides in _field2, so what is CFString? It's defined as:

    Code:
    struct CFString {
        void **_vptr$CFObject;
        struct __CFString *mCFRef;
        _Bool mIsMutable;
    };
    Now, I know that CFStringRef is defined as
    Code:
    struct __CFString *const
    so my guess is it is stored in mCFRef. So, this is what I do to try to access this CFStringRef called mCFRef:

    Code:
    CFStringRef s = (arg1->_field2).mCFRef;
    Now, whenever I do anything to s, I get an EXC_BAD_ACCESS. So my guess was it's probably the _vptr$CFObject. So I dereferenced it and cast it to CFStringRef, and still I get an EXC_BAD_ACCESS.

    Any suggestions/tips are welcome. I have been at this for the past 12 hours. Thanks!
     
  2. kainjow Moderator emeritus

    Joined:
    Jun 15, 2000
    #2
    I was going to suggest
    Code:
    CFStringRef str = (CFStringRef)arg1;
    but based on that definition, it's not a pointer, and a CFStringRef should always be a pointer, so it looks like it's either the actual struct of the CFStringRef or some custom struct defined by this program (which I find odd, unless it's Apple's program).

    Certainly would be easier to use gdb in this instance to try outputting what that is.

    Why is it starting at field2? I would imagine it should be starting at field1. Are you using the latest version of class-dump?
     
  3. Avicenna, Mar 23, 2011
    Last edited: Mar 23, 2011

    Avicenna thread starter macrumors member

    Joined:
    Jul 16, 2009
    #3
    Sorry, I didn't post the whole struct as I didn't think it was relevant. Here it is:
    Code:
    struct BInstantMessage {
        void **_field1;
        struct CFString _field2;
        unsigned short *_field3;
        struct DTextStyle _field4;
        struct BUser *_field5;
        struct BChat *_field6;
    };
    Also, please note that the BChat struct has several CFString fields, and so does BUser. In fact, the whole program uses CFString frequently, much more than CFStringRef or NSString.
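As an added example (not code from this thread), the C below models both struct definitions posted here, the one in post #1 without _field1 and the complete one from post #3, and shows that a hook compiled against the shorter definition reads the CFString's vtable pointer where it expects mCFRef, which is one way to get EXC_BAD_ACCESS out of any CF call made on it. Stand-in types replace CoreFoundation and the app's own structs so it builds anywhere; the DTextStyle size is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for types class-dump only names (constructed so this builds
   without CoreFoundation; the DTextStyle size is an assumption). */
typedef struct __CFString *CFStringRef;
struct DTextStyle { uint64_t opaque[2]; };
struct BUser; struct BChat;
/* CFString as the dump shows it: a C++ object, vtable pointer first
   (_vptr$CFObject in the dump, '$' dropped here), then the real CFStringRef. */
struct CFString { void **_vptr_CFObject; struct __CFString *mCFRef; bool mIsMutable; };
/* Complete layout from post #3. */
struct BInstantMessage_full {
    void **_field1;
    struct CFString _field2;
    unsigned short *_field3;
    struct DTextStyle _field4;
    struct BUser *_field5;
    struct BChat *_field6;
};
/* Layout quoted in post #1, without _field1: every member sits one pointer
   too early, so _field2.mCFRef lands on the CFString's vtable pointer. */
struct BInstantMessage_truncated {
    struct CFString _field2;
    unsigned short *_field3;
    struct BChat *_field6;
    struct BUser *_field5;
};
size_t mcfref_offset_full(void) { return offsetof(struct BInstantMessage_full, _field2) + offsetof(struct CFString, mCFRef); }
size_t mcfref_offset_truncated(void) { return offsetof(struct BInstantMessage_truncated, _field2) + offsetof(struct CFString, mCFRef); }
/* The word a hook compiled against the truncated definition takes for mCFRef
   when handed a message that really has the full layout. */
CFStringRef read_mcfref_as_truncated(const struct BInstantMessage_full *msg) {
    CFStringRef out;
    memcpy(&out, (const unsigned char *)msg + mcfref_offset_truncated(), sizeof out);
    return out;
}
/* Constructed sample with sentinel addresses: true when the truncated read
   returns the CFString's vtable pointer rather than mCFRef. */
bool truncated_read_hits_vptr(void) {
    static void *msg_vtable[1], *str_vtable[1];
    static uint64_t string_storage;
    struct BInstantMessage_full m = { ._field1 = msg_vtable,
                                      ._field2 = { str_vtable, (struct __CFString *)&string_storage, false } };
    CFStringRef got = read_mcfref_as_truncated(&m);
    return got != m._field2.mCFRef && (void *)got == (void *)str_vtable;
}
```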
     
