@landonf
Last active October 3, 2019 18:18
Explaining the File:/// bug. See also http://openradar.appspot.com/13128709
In DDResultCopyExtractedURL in the DataDetectorsCore.framework, file:// URLs are sanity-checked with an assert:
0xCB86 loc_CB86:
0xCB86 lea rsi, cfstr_File ; "file://"
0xCB8D mov rdi, rbx
0xCB90 call _CFStringHasPrefix ; Check if the string starts with 'file://'
; Yes, this is case sensitive, which is why the test fails
0xCB95 test al, al
0xCB97 jne short loc_CBD4 ; If CFStringHasPrefix returns true, jump past the assert
; Otherwise, the following code triggers an assert:
0xCB99 lea rdi, aCfstringhaspre ; "CFStringHasPrefix(urlVal, CFSTR(\"file:/"...
0xCBA0 lea rsi, aSourcecache_51 ; "/SourceCache/DataDetectorsCore/DataDete"...
0xCBA7 lea rdx, aDdresultcopy_1 ; "DDResultCopyExtractedURL"
0xCBAE lea r14, cfstr_WrongExtractio ; "wrong extraction: %@"
0xCBB5 mov ecx, 628h
0xCBBA mov r8, r14
0xCBBD mov r9, rbx
0xCBC0 xor al, al
0xCBC2 call _DDLogAssertionFailure
0xCBC7 mov rdi, r14
0xCBCA mov rsi, rbx
0xCBCD xor al, al
0xCBCF call _DDCrash
Evil fix for x86_64 / 10.8.2. ____Don't actually use this____. This is just for entertainment.
We just change the conditional 'jne' to an unconditional 'jmp':
printf '\xeb' | dd bs=1 seek=646039 count=1 conv=notrunc of=/System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/Current/DataDetectorsCore
e.g.,
0xCB97 jne short loc_CBD4 ; If CFStringHasPrefix returns true, jump past the assert
.... becomes:
0xCB97 jmp short loc_CBD4 ; Always jump past the assert
And now you no longer crash.
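
The failure mode in the disassembly above, next to a tolerant form, as an added example (not code from this gist or from DataDetectorsCore). The function names and sample strings are hypothetical; the lenient check relies on RFC 3986 section 3.1, which makes URI schemes case-insensitive, and the extraction routine returns an error for unexpected text instead of asserting on it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The check as disassembled above: a case-sensitive prefix test. */
static int has_file_prefix_strict(const char *url) {
    return strncmp(url, "file://", 7) == 0;
}

/* Scheme comparison per RFC 3986 section 3.1: schemes are case-insensitive. */
static int has_file_scheme(const char *url) {
    static const char want[] = "file://";
    for (size_t i = 0; i < sizeof want - 1; i++) {
        /* A NUL in url fails the comparison, so we never read past its end. */
        if (tolower((unsigned char)url[i]) != want[i])
            return 0;
    }
    return 1;
}

/*
 * Hypothetical extraction routine: copies url into out with the scheme
 * lowercased. Returns 0 on success, -1 when the input is not a file URL or
 * does not fit, so unexpected text is rejected rather than crashing the caller.
 */
static int extract_file_url(const char *url, char *out, size_t outlen) {
    if (url == NULL || out == NULL || !has_file_scheme(url))
        return -1;
    size_t len = strlen(url);
    if (len + 1 > outlen)
        return -1;
    memcpy(out, url, len + 1);
    memcpy(out, "file://", 7);   /* normalise the scheme's case */
    return 0;
}

int main(void) {
    /* Constructed sample inputs. */
    const char *samples[] = {"file:///tmp/a", "File:///tmp/a", "mailto:x"};
    char buf[64];
    for (size_t i = 0; i < 3; i++) {
        int rc = extract_file_url(samples[i], buf, sizeof buf);
        printf("%-16s strict=%d rc=%d %s\n", samples[i],
               has_file_prefix_strict(samples[i]), rc, rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```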

sck commented Feb 2, 2013

It works on 10.8.1 as well.


killjoy commented Feb 3, 2013

I think you meant:

0xEB97 jmp short loc_DBD4


pvaibhav commented Feb 3, 2013

Won't this fail Code Signing checks on the binary? Also, won't not restarting after patching cause problems with unified buffer cache (probably that binary is already loaded and cached)?


macrotis commented Feb 3, 2013

@pvaibhav: Actually, the DataDetectorsCore bundle fails Code Signing verification out of the box, so applying this patch will have no additional adverse effects on the validity of the bundle (the error message will change but ultimately it was invalid in the first place). I've been running with this binary patch for at least 12 hours and I've noticed no problems. I'd back up the original version anyway, though, there's no telling what Software Update might do when 10.8.3 comes out.

@landonf: patch for the 32-bit version: printf '\xeb' | dd bs=1 seek=58303 count=1 conv=notrunc of=/System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/Current/DataDetectorsCore
