Setup standard IO (#162)

Author: sledgeh4w

src/chomper/core.py

@@ -26,7 +26,7 @@
 from .os import AndroidOs, IosOs
 from .os.ios.syscall import SYSCALL_MAP as IOS_SYSCALL_MAP
 from .typing import UserData, HookFuncCallable
-from .utils import aligned
+from .utils import aligned, to_signed
 
 
 class Chomper:
@@ -439,7 +439,7 @@ def _dispatch_syscall(self):
         syscall_name = None
 
         if self.os_type == const.OS_IOS:
-            syscall_no = self.uc.reg_read(arm64_const.UC_ARM64_REG_X16)
+            syscall_no = to_signed(self.uc.reg_read(arm64_const.UC_ARM64_REG_W16), 32)
             syscall_name = (
                 f"'{IOS_SYSCALL_MAP[syscall_no]}'"
                 if syscall_no in IOS_SYSCALL_MAP

src/chomper/os/file.py

@@ -52,6 +52,14 @@ def __init__(self, emu: Chomper, rootfs_path: Optional[str]):
         # used by fcntl with command F_GETPATH.
         self.fd_path_map: Dict[int, str] = {}
 
+        if sys.stdin.isatty():
+            self.stdin_fd = sys.stdin.fileno()
+        else:
+            self.stdin_fd = None
+
+        self.stdout_fd = sys.stdout.fileno()
+        self.stderr_fd = sys.stderr.fileno()
+
     def set_working_dir(self, path: str):
         """Set current working directory.
 
@@ -216,6 +224,9 @@ def check_fd(self, fd: int):
         Raises:
             BadFileDescriptor: If bad file descriptor.
         """
+        if fd in (self.stdin_fd, self.stdout_fd, self.stderr_fd):
+            return
+
         if fd not in self.fd_path_map:
             raise FileBadDescriptor(f"Bad file descriptor: {fd}")
 

src/chomper/os/ios/const.py

@@ -72,14 +72,14 @@
 SYS_GETENTROPY = 0x1F4
 SYS_ULOCK_WAIT = 0x203
 
-MACH_ABSOLUTE_TIME_TRAP = 0xFFFFFFFD
-MACH_TIMEBASE_INFO_TRAP = 0xFFFFFFFFFFFFFFA7
-MACH_MSG_TRAP = 0xFFFFFFFFFFFFFFE1
-HOST_SELF_TRAP = 0xFFFFFFFFFFFFFFE3
-TASK_SELF_TRAP = 0xFFFFFFFFFFFFFFE4
-MACH_REPLY_PORT_TRAP = 0xFFFFFFFFFFFFFFE6
-
-KERNELRPC_MACH_VM_MAP_TRAP = 0xFFFFFFFFFFFFFFF1
+MACH_ABSOLUTE_TIME_TRAP = -0x3
+KERNELRPC_MACH_VM_MAP_TRAP = -0xF
+MACH_REPLY_PORT_TRAP = -0x1A
+HOST_SELF_TRAP = -0x1D
+TASK_SELF_TRAP = -0x1C
+MACH_MSG_TRAP = -0x1F
+KERNELRPC_MACH_PORT_TYPE_TRAP = -0x4C
+MACH_TIMEBASE_INFO_TRAP = -0x59
 
 # CTL Types
 
@@ -137,11 +137,21 @@
 
 # Command values for fcntl
 
+F_GETFL = 3
 F_GETPATH = 50
 
-
 # Error codes
 
 ENOENT = 2
 EBADF = 9
 EACCES = 13
+
+# mach/port.h
+
+MACH_PORT_TYPE_NONE = 0
+MACH_PORT_TYPE_SEND = 1 << (0 + 16)
+MACH_PORT_TYPE_RECEIVE = 1 << (1 + 16)
+MACH_PORT_TYPE_SEND_ONCE = 1 << (2 + 16)
+MACH_PORT_TYPE_PORT_SET = 1 << (3 + 16)
+MACH_PORT_TYPE_DEAD_NAME = 1 << (4 + 16)
+MACH_PORT_TYPE_LABELH = 1 << (5 + 16)

src/chomper/os/ios/hooks.py

@@ -108,11 +108,6 @@ def hook_closedir(uc: Uc, address: int, size: int, user_data: UserData):
     return emu.os.file_system.closedir(dirp)
 
 
-@register_hook("___srefill")
-def hook_srefill(uc: Uc, address: int, size: int, user_data: UserData):
-    return 1
-
-
 @register_hook("_pthread_self")
 def hook_pthread_self(uc: Uc, address: int, size: int, user_data: UserData):
     emu = user_data["emu"]

src/chomper/os/ios/os.py

@@ -294,16 +294,6 @@ def init_objc(self, module: Module):
         if not self.emu.find_module("libobjc.A.dylib"):
             return
 
-        initialized = self.emu.find_symbol("__ZZ10_objc_initE11initialized")
-        if not self.emu.read_u8(initialized.address):
-            # As the initialization timing before program execution
-            self._init_magic_vars()
-            self._init_program_vars()
-            self._init_dyld_vars()
-            self._init_lib_system_kernel()
-            self._init_lib_system_pthread()
-            self._init_objc_vars()
-
         text_segment = module.binary.get_segment("__TEXT")
 
         mach_header_ptr = module.base - module.image_base + text_segment.virtual_address
@@ -319,8 +309,6 @@ def init_objc(self, module: Module):
             self.emu.call_symbol("_load_images", 0, mach_header_ptr)
         except EmulatorCrashed:
             self.emu.logger.warning("Initialize Objective-C failed.")
-        finally:
-            module.binary = None
 
     def search_module_binary(self, module_name: str) -> str:
         """Search system module binary in rootfs directory.
@@ -365,10 +353,25 @@ def resolve_modules(self, module_names: List[str]):
             # Fixup must be executed before initializing Objective-C.
             fixup.install(module)
 
-            # TODO: `__pthread_init` in `libsystem_pthread.dylib`
+            self._after_module_loaded(module_name)
 
             self.init_objc(module)
 
+            module.binary = None
+
+    def _after_module_loaded(self, module_name: str):
+        """Perform initialization after module loaded."""
+        if module_name == "libsystem_kernel.dylib":
+            self._init_lib_system_kernel()
+        elif module_name == "libsystem_c.dylib":
+            self._init_program_vars()
+        elif module_name == "libdyld.dylib":
+            self._init_dyld_vars()
+        elif module_name == "libsystem_pthread.dylib":
+            self._init_lib_system_pthread()
+        elif module_name == "libobjc.A.dylib":
+            self._init_objc_vars()
+
     def _enable_objc(self):
         """Enable Objective-C support."""
         self.resolve_modules(OBJC_DEPENDENCIES)
@@ -488,6 +491,37 @@ def fix_method_signature_rom_table(self):
             self.emu.write_pointer(offset + 8, str_ptr)
             self.emu.write_u64(offset + 16, item[2])
 
+    def _fd_open(self, fd: int, mode: str, unbuffered: bool = False) -> int:
+        mode_p = self.emu.create_string(mode)
+
+        try:
+            fp = self.emu.call_symbol("_fdopen", fd, mode_p)
+            flags = self.emu.read_u32(fp + 16)
+
+            if unbuffered:
+                flags |= 0x2
+
+            self.emu.write_u32(fp + 16, flags)
+            return fp
+        finally:
+            self.emu.free(mode_p)
+
+    def _setup_standard_io(self):
+        """Setup standard IO: `stdin`, `stdout`, `stderr`."""
+        stdin_p = self.emu.find_symbol("___stdinp")
+        stdout_p = self.emu.find_symbol("___stdoutp")
+        stderr_p = self.emu.find_symbol("___stderrp")
+
+        if isinstance(self.file_system.stdin_fd, int):
+            stdin_fp = self._fd_open(self.file_system.stdin_fd, "r")
+            self.emu.write_pointer(stdin_p.address, stdin_fp)
+
+        stdout_fp = self._fd_open(self.file_system.stdout_fd, "w", unbuffered=True)
+        self.emu.write_pointer(stdout_p.address, stdout_fp)
+
+        stderr_fp = self._fd_open(self.file_system.stderr_fd, "w", unbuffered=True)
+        self.emu.write_pointer(stderr_p.address, stderr_fp)
+
     def initialize(self):
         """Initialize environment."""
         self._setup_hooks()
@@ -497,8 +531,12 @@ def initialize(self):
         self._setup_symbolic_links()
         self._setup_bundle_dir()
 
+        self._init_magic_vars()
+
         if self.emu.enable_objc:
             self._enable_objc()
 
         if self.emu.enable_ui_kit:
             self._enable_ui_kit()
+
+        self._setup_standard_io()

src/chomper/os/ios/syscall.py

@@ -459,9 +459,15 @@ def handle_sys_fcntl(emu: Chomper):
     cmd = emu.get_arg(1)
     arg = emu.get_arg(2)
 
-    if cmd == const.F_GETPATH:
+    if cmd == const.F_GETFL:
+        if fd in (emu.os.file_system.stdin_fd,):
+            return os.O_RDONLY
+        elif fd in (emu.os.file_system.stdout_fd, emu.os.file_system.stderr_fd):
+            return os.O_WRONLY
+    elif cmd == const.F_GETPATH:
         path = emu.os.file_system.dir_fds.get(fd)
-        if not path:
+
+        if path is None:
             path = emu.os.file_system.fd_path_map.get(fd)
 
         if path:
@@ -764,16 +770,32 @@ def handle_mach_absolute_time_trap(emu: Chomper):
     return int(time.time_ns() % (3600 * 10**9))
 
 
-@register_syscall_handler(const.MACH_TIMEBASE_INFO_TRAP)
-def handle_mach_timebase_info_trap(emu: Chomper):
-    info = emu.get_arg(0)
+@register_syscall_handler(const.KERNELRPC_MACH_VM_MAP_TRAP)
+def handle_kernelrpc_mach_vm_map_trap(emu: Chomper):
+    address = emu.get_arg(1)
+    size = emu.get_arg(2)
 
-    emu.write_u32(info, 1)
-    emu.write_u32(info + 4, 1)
+    mem = emu.memory_manager.alloc(size)
+    emu.write_pointer(address, mem)
 
     return 0
 
 
+@register_syscall_handler(const.MACH_REPLY_PORT_TRAP)
+def handle_mach_reply_port_trap(emu: Chomper):
+    return 0
+
+
+@register_syscall_handler(const.HOST_SELF_TRAP)
+def handle_host_self_trap(emu: Chomper):
+    return 2563
+
+
+@register_syscall_handler(const.TASK_SELF_TRAP)
+def handle_task_self_trap(emu: Chomper):
+    return 0
+
+
 @register_syscall_handler(const.MACH_MSG_TRAP)
 def handle_mach_msg_trap(emu: Chomper):
     # msg = emu.get_arg(0)
@@ -790,27 +812,24 @@ def handle_mach_msg_trap(emu: Chomper):
     return 6
 
 
-@register_syscall_handler(const.HOST_SELF_TRAP)
-def handle_host_self_trap(emu: Chomper):
-    return 2563
-
+@register_syscall_handler(const.KERNELRPC_MACH_PORT_TYPE_TRAP)
+def handle_kernelrpc_mach_port_type_trap(emu: Chomper):
+    ptype = emu.get_arg(2)
 
-@register_syscall_handler(const.TASK_SELF_TRAP)
-def handle_task_self_trap(emu: Chomper):
-    return 0
+    value = 0
+    value |= const.MACH_PORT_TYPE_SEND
+    value |= const.MACH_PORT_TYPE_RECEIVE
 
+    emu.write_u32(ptype, value)
 
-@register_syscall_handler(const.MACH_REPLY_PORT_TRAP)
-def handle_mach_reply_port_trap(emu: Chomper):
     return 0
 
 
-@register_syscall_handler(const.KERNELRPC_MACH_VM_MAP_TRAP)
-def handle_kernelrpc_mach_vm_map_trap(emu: Chomper):
-    address = emu.get_arg(1)
-    size = emu.get_arg(2)
+@register_syscall_handler(const.MACH_TIMEBASE_INFO_TRAP)
+def handle_mach_timebase_info_trap(emu: Chomper):
+    info = emu.get_arg(0)
 
-    mem = emu.memory_manager.alloc(size)
-    emu.write_pointer(address, mem)
+    emu.write_u32(info, 1)
+    emu.write_u32(info + 4, 1)
 
     return 0

src/chomper/utils.py

@@ -19,6 +19,13 @@ def aligned(x: int, n: int) -> int:
     return ((x - 1) // n + 1) * n
 
 
+def to_signed(value: int, nbits: int = 64) -> int:
+    """Convert an unsigned integer to signed."""
+    if value >= (1 << (nbits - 1)):
+        return value - (1 << nbits)
+    return value
+
+
 def struct2bytes(st: Structure) -> bytes:
     """Convert struct to bytes."""
     buffer = create_string_buffer(sizeof(st))

tests/test_libc.py

@@ -224,7 +224,7 @@ def test_sscanf(request, emu_name):
 
 
 @pytest.mark.usefixtures("libc_arm", "libc_arm64")
-@pytest.mark.parametrize("emu_name", ["emu_arm", "emu_arm64"])
+@pytest.mark.parametrize("emu_name", ["emu_arm", "emu_arm64", "emu_ios"])
 def test_printf(request, emu_name):
     emu = request.getfixturevalue(emu_name)