Help/Support Is it possible to UN-link, RE-link, or re-align a binary?

infernusdoleo · January 1, 2016

Been doing some reverse engineering and would love to use Spark Inspector on a 3rd party iOS app on a jailbroken iphone. Problem is, the dylib that comes with spark inspector will not load on iOS 9 - like with all jailbreak tweaks, it needs to be recompiled with -Wl,segalign,4000 for iOS9 to work with it.

Obviously, I have no access to the source code to recompile it. I tried rebasing the program in both IDA and hopper, but neither will write the binary back with the new section alignment.

Is there any way to re-link the library, or to unlink, or rebase/realign it without having the source code? It's infuriating - every tool I use or try to is incompatible in some way or another. So I buy a macbook so I can use more commonly available tools, only to find out some of THEM don't even work in iOS 9. I've considered trying to get iOS 8 on this thing somehow, but then god knows how many OTHER things that I've got working will break!

Or, alternately, anyone aware of a live debug and trace tool other than spark inspector? I tried Reveal, but that seems to be 99% geared towards UI layout and design, they posted on reddit that they dont have method swizzling and all that to keep the UI design aspect as clean and fast as possible. All other tools I've come across seem to have been abandoned around iOS 6 or 7 and also don't work in 9.

Please, save me from going bald. I've already torn out many a handful!

January 1, 2016

You need to have the original source code to recompile

infernusdoleo · January 1, 2016

Not what I asked.

I dont want to recompile it.

I want to re-link it. You don't need the source code to link object files. (Unless I'm completely brain farting - I'm almost positive I used to change a library file and re-link the original .o files without having the source code nearby).

January 1, 2016

Not what I asked.

I dont want to recompile it.

I want to re-link it. You don't need the source code to link object files. (Unless I'm completely brain farting - I'm almost positive I used to change a library file and re-link the original .o files without having the source code nearby).

Yeah, but how are you going to get an object file without it provided? Or do you have it?

infernusdoleo · January 1, 2016

Yeah, but how are you going to get an object file without it provided? Or do you have it?

But isn't a linked binary just a bunch of obj files bundled together? Part of my question was is it possible to de-link them? My disassembler can clearly see the different linked libraries inside it. It just has no functionality to save them separately.

Wait a moment, I just had an idea.

This is a dylib. Is it possible to wrap that inside another dylib? Could code be written that calls functions in the dylib, and have it hard link the library? Can you do that with a dynamic library? Can it be converted with objfile?

January 1, 2016

But isn't a linked binary just a bunch of obj files bundled together? Part of my question was is it possible to de-link them? My disassembler can clearly see the different linked libraries inside it. It just has no functionality to save them separately.

Wait a moment, I just had an idea.

This is a dylib. Is it possible to wrap that inside another dylib? Could code be written that calls functions in the dylib, and have it hard link the library? Can you do that with a dynamic library? Can it be converted with objfile?

Code can be written to call functions in a dylib, yes, that's what ioscheats does

But I don't know if you can hard-link the library and I've never used objfile before.

infernusdoleo · January 1, 2016

My original issue is this dylib was not compiled to be used on iOS9, and I don't have the source, and the devs are highly unresponsive (months to answer a question from what I've seen).

Just trying to find some way to use it. Annoying as hell that I can rebase the thing in IDA but not save the modified version. Thats all I need, I believe, from my understanding of segalign. I looked at a working dylib - it started at x5800 or someting similar. This non working one starts at 0x1680. segalign 4000 sets the segment alignment to 4000. And it's probably not THAT simple, but if I can't save it anyway, it's moot.

Back to google...