@babbu wrote:
Hey guys!
Hope you’re ~doing~ hacking well! I’m facing some trouble using r2frida on iOS 10+, arm64.
What I’m trying to perform
I just want to set a breakpoint at a specific instruction address and then dump some register values, but I have the feeling I don’t understand something about how registers work…
What I’m doing
I’m setting up a “register trace” on a specific address using the
\dtr <address> <registers>
command.
I also set up a “breakpoint” a few instructions ahead of this trace, and then use the “dump registers” command (\dr). It results in the following output:
(fig1) Here is the trace:
[0x00000000]> [TRACE] dtr 0x100af4548 (x1: 0x1022a98f4 (��) x2: 0x1022a9960 (��) x3: 0x2e1a6d94) 0x1006eed78 Snapchat 0xe6d78 0x1022acc5c Snapchat 0x1ca4c5c 0x1006e686c Snapchat 0xde86c 0x18498aad0 CoreFoundation __invoking___ 0x18486936c CoreFoundation -[NSInvocation invoke] 0x108a3e930 snapchatauthserver.dylib invokeVoidMethod 0x108a3f164 snapchatauthserver.dylib swizzled_SCAPIAuthenticateRequest 0x1006e7988 Snapchat 0xdf988 0x1006df5bc Snapchat 0xd75bc 0x1006deb4c Snapchat 0xd6b4c 0x1006e17a0 Snapchat 0xd97a0 0x1006de81c Snapchat 0xd681c 0x1006de46c Snapchat 0xd646c 0x1006de304 Snapchat 0xd6304 0x1040a512c Snapchat 0x3a9d12c 0x10062811c Snapchat 0x2011c 0x100af4570 0x1006eed78 Snapchat!0xe6d78 0x1006eed78 Snapchat!0xe6d78 0x1022acc5c Snapchat!0x1ca4c5c 0x1006e686c Snapchat!0xde86c 0x18498aad0 CoreFoundation!__invoking___ 0x18486936c CoreFoundation!-[NSInvocation invoke] 0x108a3e930 snapchatauthserver.dylib!invokeVoidMethod 0x108a3f164 snapchatauthserver.dylib!swizzled_SCAPIAuthenticateRequest 0x1006e7988 Snapchat!0xdf988 0x1006df5bc Snapchat!0xd75bc 0x1006deb4c Snapchat!0xd6b4c 0x1006e17a0 Snapchat!0xd97a0 0x1006de81c Snapchat!0xd681c 0x1006de46c Snapchat!0xd646c 0x1006de304 Snapchat!0xd6304 0x1040a512c Snapchat!0x3a9d12c
(fig2) Here is the register dump, right after:
[0x00000000]> \dr
My Questions
First, could someone explain to me why sometimes the trace shows a register as follows:
(x1: 0x1022a98f4 (��) << with the ( )
and sometimes not:
x3: 0x2e1a6d94 << there is no ( )
Another question is: as we can notice, the trace shows some weird values. Is that because the tool tries to encode the value in UTF-8 or something like that? How do I deal with that?
Sometimes it produces really weird results and I’m not really sure how to deal with it, e.g. (fig3: really weird output):
[0x00000000]> [TRACE] dtr 0x100af4548 (x1: "����o��g��_���W��O��{������" x2: "�o���g��_��W��O��{��C �����B��c!��g|� ��c��w� ��_��!��{C!��[��!���S1��W��A��JQ��S��A��k���O��7�kmA��K��G��C��?��;��!�1��7��3��/��+��'�(�� ��#������������ ���(~� �������������((� �����������������������������������" x3: 0x578cb275) 0x
My last question is: what does the dumped register list correspond to?
If you look at the trace (fig1) and compare the hex values of x1, x2, or x3, none of these values is visible in the register dump (fig2). Do I misunderstand something? It seems the registers printed in (fig2) are not the same as those printed by the trace (fig1).
Could someone help me understand all these things?
Thank you in advance, and sorry for the complex question.
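As an added example (not from the post, and not r2frida's own code), a small Python helper that parses the `[TRACE] dtr` line format shown in fig1 and fig3, renders any dereferenced payload that is not readable text as hex instead of raw glyphs, and checks traced values against a `\dr` dump by integer value, since dtr prints values unpadded (0x2e1a6d94) while \dr pads them to 16 digits. It assumes, which the post does not confirm, that the parenthesised or quoted tail is the tool reading the memory the register points to as a string; the two-thread dump is constructed.

```python
import re
# One register entry in an r2frida "[TRACE] dtr" line; the post shows three shapes:
#   x3: 0x2e1a6d94          value only
#   x1: 0x1022a98f4 (..)    value plus a parenthesised dereference
#   x1: ".."                a quoted dereference shown instead of the value
TRACE_REG = re.compile(
    r'\b(?P<reg>x\d+|fp|lr|pc|sp):\s*'
    r'(?:(?P<val>0x[0-9a-fA-F]+)(?:\s*\((?P<paren>[^)]*)\))?|"(?P<quoted>[^"]*)")')
# Per-thread "tid N waiting ..." groups and "reg : value" pairs in a \dr dump.
DUMP_TID = re.compile(r'tid\s+(\d+)\s+\w+\s+(.*?)(?=\btid\s+\d+|$)', re.S)
DUMP_REG = re.compile(r'\b(x\d+|fp|lr|pc|sp)\s*:\s*(0x[0-9a-fA-F]+)')

def payload_kind(text):
    """'text' if every char is printable; 'binary' otherwise. U+FFFD marks bytes that
    were not valid UTF-8, which is what the post's replacement glyphs are."""
    return 'text' if all(c.isprintable() and c != '\ufffd' for c in text) else 'binary'

def safe_render(text):
    """Show a dereferenced payload as hex when it is not readable text."""
    if payload_kind(text) == 'text':
        return repr(text)
    return 'binary[%d chars] %s' % (len(text), text.encode('utf-8').hex())

def parse_trace(line):
    """{reg: {'value': int|None, 'kind': 'scalar'|'text'|'binary', 'shown': str}}"""
    regs = {}
    for m in TRACE_REG.finditer(line):
        payload = m.group('paren') if m.group('paren') is not None else m.group('quoted')
        val = int(m.group('val'), 16) if m.group('val') else None
        regs[m.group('reg')] = {
            'value': val,
            'kind': 'scalar' if payload is None else payload_kind(payload),
            'shown': hex(val) if payload is None else safe_render(payload)}
    return regs

def parse_dump(text):
    """{tid: {reg: int}}; ints so the dump's zero-padding never breaks comparisons."""
    return {int(tid): {r: int(v, 16) for r, v in DUMP_REG.findall(body)}
            for tid, body in DUMP_TID.findall(text)}

def find_in_dump(trace, dump):
    """For each traced register with a value, the tids whose same register holds it."""
    return {reg: sorted(t for t, regs in dump.items() if regs.get(reg) == info['value'])
            for reg, info in trace.items() if info['value'] is not None}

# FIG1 is the start of the trace line from the post; DUMP is a constructed two-thread
# excerpt in the \dr layout, with tid 6403's x3 set equal to the traced x3 on purpose.
FIG1 = ('[0x00000000]> [TRACE] dtr 0x100af4548 (x1: 0x1022a98f4 (\ufffd\ufffd) '
        'x2: 0x1022a9960 (\ufffd\ufffd) x3: 0x2e1a6d94) 0x1006eed78')
DUMP = ('tid 1027 waiting fp : 0x000000016f7f6c20 x1 : 0x0000000007000806 x3 : 0x0000000000000c00 '
        'tid 6403 waiting fp : 0x000000016f90abe0 x1 : 0x0000000000000000 x3 : 0x000000002e1a6d94')
```

Running `find_in_dump(parse_trace(FIG1), parse_dump(DUMP))` reports, per traced register, which threads in the dump hold the same value, so an empty list for every register means the dump was taken from other threads or at another point in time than the trace.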