I'm trying to overwrite an instruction in the rosetta executable heap of another process. mach_vm_protect() returns successful, but I get a KERN_INVALID_ADDRESS return on mach_vm_write(), even though I know it is the correct address.
This is my code:
#include <stdio.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>

/* byte pattern to locate in the target's Rosetta heap */
char bytes[] = "\x03\x68\xF6\x3C\x03\x3C\x80\x3D\x02\x38\x80\x3D";
vm_address_t nop_addr = find_bytes_in_rosetta(task, bytes, 12);
/* AArch64 NOP (0xd503201f, little-endian) */
char nop[] = "\x1f\x20\x03\xd5";
printf("%p\n", (void *)nop_addr);
printf("%d\n", mach_vm_protect(task, nop_addr + 4, 4, FALSE, VM_PROT_ALL|VM_PROT_COPY));
printf("%d\n", mach_vm_write(task, nop_addr + 4, (vm_offset_t)nop, 4));
I tried adding VM_PROT_COPY to mach_vm_protect(), but that still didn't make it succeed.
Ok, I fixed the problem. Turns out I had to use only VM_PROT_READ|VM_PROT_WRITE|VM_PROT_COPY for mach_vm_protect() before writing the bytes.
#include <stdio.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>

/* byte pattern to locate in the target's Rosetta heap */
char bytes[] = "\x03\x68\xF6\x3C\x03\x3C\x80\x3D\x02\x38\x80\x3D";
vm_address_t nop_addr = find_bytes_in_rosetta(task, bytes, 12);
/* AArch64 NOP (0xd503201f, little-endian) */
char nop[] = "\x1f\x20\x03\xd5";
printf("%p\n", (void *)nop_addr);
/* make the page writable (copy-on-write) before the write ... */
printf("%d\n", mach_vm_protect(task, nop_addr + 4, 4, FALSE, VM_PROT_READ|VM_PROT_WRITE|VM_PROT_COPY));
printf("%d\n", mach_vm_write(task, nop_addr + 4, (vm_offset_t)nop, 4));
/* ... then restore full protection afterwards */
printf("%d\n", mach_vm_protect(task, nop_addr + 4, 4, FALSE, VM_PROT_ALL|VM_PROT_COPY));