objc msg_send crashes on 0.3.6 when calling KWOpenSecureSignatureComponent

[interface95]

Body

Summary

Upgrading from 0.3.4 to 0.3.6 causes the emulator to crash when invoking KWOpenSecureSignatureComponent → atlasSignPlus: / atlasSafeEncrypt:.
The same project runs without errors on 0.3.4.

Environment

• Chomper: 0.3.6 (works on 0.3.4)
• Python: 3.9
• OS: macOS 15 (Apple Silicon)
• Using iOS rootfs shipped with the repo (rootfs/ios)
• Unicorn: 2.1.4, Capstone: 5.0.6, LIEF: 0.17.0

Repro Steps

1. Install chomper 0.3.6 (python3 -m pip install chomper==0.3.6)
2. Load the target Mach-O (gifCommonFramework) with Chomper(arch=ARCH_ARM64, os_type=OS_IOS, rootfs_path="rootfs/ios")
3. Instantiate KWOpenSecurityGuardParamContext, KWOpenSecureSignatureComponent, KWOpenAtlasEncryptComponent
4. Call objc.msg_send(component, "atlasSignPlus:", context) (similar for atlasSafeEncrypt:)
5. During _objc_msgSend, the emulator crashes with UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)

Logs / Crash

The failing address changes slightly run‑to‑run, but the crash is always inside libobjc.A.dylib after _objc_autoreleasePoolPush/_Pop.

Additional Notes

• Wrapping Objective-C calls in autorelease_pool() and using getBytes:length: for NSData didn’t resolve the crash on 0.3.6.
• Downgrading to 0.3.4 (no other code changes) makes the same sequence succeed.
• During module loading on 0.3.6, there are repeated warnings like readClass failed: "NSATSGlyphStorage", readClass failed: "UIWebPlugInView".

Could you advise how to stabilize this call sequence on 0.3.6, or if there is a known workaround?

[sledgeh4w]

I guess you referred to that article on kanxue? I've noticed that the code in it isn't entirely correct (it just happened to not cause issues in older versions).

There are two main points:

1. The atlasSignPlus: method doesn't actually have a return value; the output needs to be retrieved from KWOpenSecurityGuardParamContext object.
2. You shouldn't directly read string from NSData's bytes; instead, read the bytes first and then convert them to a string.

Correct usage:

context = objc.msg_send("KWOpenSecurityGuardParamContext", ...)

objc.msg_send(component, "atlasSignPlus:", context)

output = objc.msg_send(context , "output")
data_bytes = objc.msg_send(output, "bytes")
data_length = objc.msg_send(output, "length")

result = emu.read_bytes(data_bytes, data_length).decode("utf-8")

[interface95]

Thank you for your reply. I have carefully read the article you provided and noticed that there are indeed some issues with the code. I will make the following two modifications as you pointed out:

1. Ensure that the return value of the atlasSignPlus: method is handled correctly, obtaining the output from the KWOpenSecurityGuardParamContext object.

2. When reading a string from the bytes of NSData, read the bytes first and then convert them to a string.

I will adjust the code according to the correct usage you provided and test it to ensure the issue is resolved. Please let me know if there are any other problems or if further assistance is needed. Thank you again for your guidance!

[sledgeh4w]

I think this should be enough. I've tested atlasSignPlus:, and it works.