{"id":47412,"date":"2025-04-15T13:26:34","date_gmt":"2025-04-15T17:26:34","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=47412"},"modified":"2025-04-15T13:26:34","modified_gmt":"2025-04-15T17:26:34","slug":"dlsym-considered-harmful-on-ios-18-4","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/04\/15\/dlsym-considered-harmful-on-ios-18-4\/","title":{"rendered":"dlsym Considered Harmful on iOS 18.4"},"content":{"rendered":"

Fabien Perigaud<\/a> (tweet<\/a>):<\/p>\n\n

\n

This time, we will dynamically resolve and use strcmp()<\/code>.<\/p>\n

[…]<\/p>\n

Instead of a nice log indicating that the two strings are not the same, our application crashed...<\/p>\n

[…]<\/p>\n

What just happened? Why is the pointer incorrectly signed? Why do I have a kernel pointer in PC<\/code>?<\/p>\n

[…]<\/p>\n

A XPACI<\/code> instruction is clearly missing here, we can see the return value (X0<\/code>) from the BLRAAZ<\/code> being directly converted to an offset by the SUB<\/code> instruction. In iOS 18.3.2, the XPACI<\/code> instruction is present.<\/p>\n

[…]<\/p>\n

Repeated tests showed that in contrast to the specification, the\npointer was considered as a kernel one (during a signature operation) if the bit 63 is set!<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n