macos rust reverse-engineering arm64 ghidra

Patched Rust binary in Ghidra on MacOS (AARCH64) results in process killed


I've written a simple Rust program to learn reverse engineering on, with a simple loop that breaks when you enter the "correct" password. This is the program:

use std::io;
fn main() {
    println!("Enter password:");
    let mut pass = String::new();
    loop {
        // read_line appends to the buffer, so clear the previous guess first
        pass.clear();
        io::stdin()
            .read_line(&mut pass)
            .expect("Failed to read line");

        match pass.as_str().trim() {
            "reddit" => break,
            _ => println!("Wrong password"),
        }
    }
    println!("You've guessed it!");
}

I've located the code in Ghidra responsible for the jump i.e.:

                     LAB_100002ce4                         XREF[1]:     100002ce0(j)  
       100002ce4 e8 0f 40 b9     ldr        w8,[sp, #local_124]
       100002ce8 28 01 00 37     tbnz       w8,#0x0,LAB_100002d0c
       100002cec 0f 00 00 14     b          LAB_100002d28

I looked up the tbnz instruction in the ARM64 instruction set manual and, based on that, "patched the instruction" in the following way:

tbnz       w8,#0x0,LAB_100002d0c --> tbnz       w8,#0x1,LAB_100002d0c

The decompiler window showed exactly what I would expect:

if ((uVar1 & 1) != 0) break; --> if ((uVar1 >> 1 & 1) != 0) break;

I exported the binary in two ways:

I then ran chmod +x on the resulting binaries and tried to run them. They get killed (SIGKILL (9)).

What I've tried:

Did anyone encounter a similar problem and could help? I've attached the changes as well, just in case the issue might be twofold.


Solution

  • I've resolved the issue.

    For anyone who encounters a similar problem: it's due to an invalid certificate, and the binary needs to be signed again.

    To do this without an Apple Developer ID you need to:

    Open 'Keychain Access' -> (Toolbar) Keychain Access -> Certificate Assistant -> Create a Certificate
    

    And create a code signing certificate.

    Then to codesign the binary:

    codesign -fs name-of-certificate path/to/binary-to-be-signed
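
Why a one-bit patch forces a re-sign, as an added example that is not part of the original question or answer: a macOS code signature records a hash for each page of the executable, so changing the tested bit in the tbnz word leaves one recorded hash stale until the file is signed again. The 4096-byte hash page size, the NOP-filled stand-in image and the file offset are assumptions made for the illustration; only the instruction bytes and address come from the Ghidra listing above.

```python
import hashlib
import struct

PAGE_SIZE = 4096        # assumption: bytes covered by one signature hash slot
PC = 0x100002CE8        # address of the tbnz in the Ghidra listing
OFFSET = 0x2CE8         # constructed: assumes file offset = PC - 0x100000000
ORIG = bytes.fromhex("28010037")   # instruction bytes from the listing

def decode_tbz(word, pc):
    """Decode an A64 TBZ/TBNZ instruction word located at address pc."""
    if (word >> 25) & 0x3F != 0b011011:
        raise ValueError("not a TBZ/TBNZ encoding")
    imm14 = (word >> 5) & 0x3FFF
    if imm14 & 0x2000:                      # sign-extend the word offset
        imm14 -= 0x4000
    return {"mnemonic": "tbnz" if (word >> 24) & 1 else "tbz",
            "rt": word & 0x1F,
            "bit": ((word >> 31) << 5) | ((word >> 19) & 0x1F),  # b5:b40
            "target": pc + imm14 * 4}

def set_test_bit(word, bit):
    """Return the instruction with a different tested bit (W register: 0-31)."""
    if not 0 <= bit < 32:
        raise ValueError("bit out of range for a W register")
    return (word & ~(0x1F << 19)) | (bit << 19)

def page_hashes(image):
    """SHA-256 of every PAGE_SIZE slice, as a signature would record them."""
    return [hashlib.sha256(image[i:i + PAGE_SIZE]).digest()
            for i in range(0, len(image), PAGE_SIZE)]

def demo():
    # Constructed stand-in for the executable: three pages of NOPs plus the tbnz.
    image = bytearray(bytes.fromhex("1f2003d5") * (3 * PAGE_SIZE // 4))
    image[OFFSET:OFFSET + 4] = ORIG
    recorded = page_hashes(bytes(image))    # hashes taken at signing time
    word, = struct.unpack("<I", ORIG)
    patched_word = set_test_bit(word, 1)    # the #0x0 -> #0x1 patch
    image[OFFSET:OFFSET + 4] = struct.pack("<I", patched_word)
    stale = [i for i, h in enumerate(page_hashes(bytes(image))) if h != recorded[i]]
    return decode_tbz(word, PC), decode_tbz(patched_word, PC), patched_word, stale

if __name__ == "__main__":
    before, after, patched_word, stale = demo()
    print(before, after, hex(patched_word), "pages with stale hashes:", stale)
```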