health: 2020

Am I An INFP? (Monday Musings 85)

The INFP Book by Catherine Chea

I became interested in the topic of Myers-Briggs (MBTI) when I was trying to figure out what techniques fit my personality the best, the past few weeks or so, to motivate myself to not procrastinate, as I noticed I was neglecting the blog. Of course, whenever you google personality types, the notorious MBTI personality inventory came up.

I was first introduced to Myers-Briggs as a senior in high school, when I was an immature teenager (18 years old) - I'm the very definition of a late bloomer - I may even still be blooming yet.

I was extremely pleased and elated that I was solidly an INFP because they were "so cool". One of the major characteristics is that "we're often misunderstood" recalling images of James Dean in Rebel Without a Cause. James Dean is a major icon of cool. Since I was nerdy and geeky, you can only imagine how happy I was.

Another major characteristic is that INFPs are "extremely creative" and best careers are in the writing and art fields. Never mind if you give me a blank piece of paper and tell me to write a story and draw, I would look back at you with the same blank expression. I'm so impressed with people who can create, and to be called creative was a huge compliment.

I also was happy that we're supposed to be "emotional" because if anything, I'm as lethargic as my obese male cat, Fat Nyams, and often have a blank, glazed expression on my face. So it's nice that, per MBTI, I am emotional since INFPs "wear their hearts on their sleeves".

I was even more satisfied and smug because we're considered "the rarest type" (the INFJs are even rarer still) so that made me feel special - in American education, you feel the very opposite of special as you have to "fit in" with the structure and cliques.

Given my personality, I read all about INFPs and the part of having strong values rang true (of course, who doesn't have strong values), and felt that the description of INFP fit me so perfectly that it was uncanny. I was very satisfied with how I was one of the "awesome" rare fairies that are INFPs.

The MBTI came up in medical school when we all had to take personality tests as part of our "humanities" course where we learn about empathy, bedside manner and such. I came up as an INFJ and was confused, because I remembered how I was such a strong INFP back in high school, and personalities don't change. Your behaviors can change, but not your core personality.

For instance, if you're an introvert, you could never be an extrovert no matter how much effort. Eventually, forcing myself to be social exhausts me, and I have to go in hermit mode for days on end to recharge.

Being conscientious, I took the test again, and it came up as an INFJ. In medical school, we didn't have time to question and I left it at that.

Flash forward to now, when I'm stable in my career and rather fortunate to have free time, I took the online MBTI tests (not the official). The first step was to read the description between INFP and INFJ.

I was hoping I'd be an INFJ because as a mature adult, the INFP description made me cringe.

First, they're described as being so sensitive that if someone says their hair looks like they didn't comb it, they'd ball up in a corner for days. And that INFPs have extreme meltdowns on a daily basis. I don't have those wild emotional mood swings at all. In fact, I've gotten even more placid as an adult. I just don't have the energy to get into rages.

Another extremely unflattering description is that INFPs seem like they can't get anything done and have difficulties finding a career, if they ever get a job in the first place. But I'm doing quite well in my career, and the medical and residency training was grueling and not considered "flaky".

Next, I took the online tests. I already know that I'm strongly INF, that was never a doubt, so the question is the P vs. J. There were very conflicting results between INFP and INFJ and indeed a lot of mistypes exist between these two. There was a P vs J tester, and it would fall roughly 50/50.

Because of this ambiguity, I did internet search and stumbled upon Casual Cognition as that was the first video that comes up when you type in INFP vs INFJ.

I didn't seem to be either INFP (Calypso, the owner) or INFJ (in this YouTube clip, though I'm more INFP-ish if I had to force myself to compare:

I was even more confused, until two pieces of the puzzle came together. The one question was "Do you consider yourself having the wisdom of a sage (INFJ), or the heart of a child (INFP)" and the answer was heart of a child, heart of a child, heart of a child.

Then Casual Cognition's section of micro-expressions clinched it - I definitely have the body and eye movements of an Ne (INFP).

Armed with this information, I read about the cognitive functions and stacking, which made it very clear that I'm an INFP. The descriptions of the personality types are of course stereotypes as there are variants (Monster Hunter World reference), but the preferences you have in the way you interact with the world remain stable.

Armed with all the above knowledge and research, I then read two books on the INFP, the first one was helpful as it was technical and described the concepts of cognitive functions and stacking.

Before reading this book, this video was difficult to understand, but then after, it made sense once you know the jargon. The part that made me chuckle is when I see Calypso with that glazed look on her face (very much me) and her partner, Alex, being so laser-focused and determined (she was very much into the discussion) that the juxtaposition was quite amusing:

The second book I read is the one I recommend if you want to know about INFPs. It was written by an INFP author herself and was so spot-on about my personality. It made me laugh at the end when she recommended that we do something that's outside of our comfort zone such as oral presentations. I ended up doing Twitch precisely for that reason, to do something new and challenging. Shortly after, she even mentioned how she joined Toastmaster's International.

Coincidentally, a month ago or so, I asked my best friend how can I improve my presentation in Twitch, and he mentioned that one of his best friends joins Toastmaster's International, and she really liked it, and that I should ask her about it and check it out.

It also made me cry near the end of the book as she wrote a letter of appreciation and affirmation to INFPs, since we're so critical of ourselves. Because our profile description makes it sound like we're pathetic and useless, INFPs tend to hate their personalities, and that's why we often mistype ourselves as other personalities. We want to be the golden retrievers, the doers, the inventors, the practical caregivers of the other personalities, but we fall in this category of being an idealist, being "true to ourselves" and "creative".

This book helped me to embrace who I am instead of trying to be someone who I'm not, and the exercises in self-compassion seem to be much smoother!

TL/DR: I admit that I'm an INFP!

The How of Happiness Review

What Is SOMA's Safe Mode?

Tomorrow we will be releasing SOMA for Xbox One and along with this comes Safe Mode. This is a new way of playing the game that will also be available via Steam and GOG at the same time.

Since we announced Safe Mode there have been a lot of questions about it, so we thought this would be a good time to answer some of those and to clear up a few things. Here goes:

What is Safe Mode?
It is a version of the game where you cannot die - you are safe from harm. The game's various creatures are still there, they just won't attack you. If you've heard of the SOMA Steam mod "Wuss Mode", by steam user The Dreamer, then you should know the basic idea. The important thing to point out is that we don't simply turn off the creature's ability to attack and harm you. Instead, we've redesigned their behavior. Our goal has been for Safe Mode to not feel like a cheat, but for it to be a genuine way of experiencing the game. So we've considered what each creature should be doing, given their appearance, sound, and voice.

You can pick between Safe Mode and normal mode when starting up a new game.

Is the game still scary?
This obviously depends on what scares you, but the short answer is: yes, the game is still a horror game. However, since you can explore without a constant fear of failure, you will no longer have that type of tension. For people who aren't great at handling that aspect of horror gameplay, their journey through SOMA will be a lot easier in Safe Mode. But if it is the overall atmosphere that gets to you in a horror game - and, above all, the central themes - then game will still have plenty to be scared of.

What is the major difference in gameplay?
All of the puzzles, events, and so forth are still there. The big difference is that you'll no longer have to sneak past enemies. You don't need stealth in order to complete the game. Monsters might sound and act more threatening if they spot you, so there is still an incentive to being careful, but it's no longer mandatory to keep hidden. This will also allow you to explore some of environments more carefully.

Why release it now?
We actually considered releasing something similar at launch, but chose not to because we felt it would make the core intent of the game too unfocused. As people started to say that they really wanted to play the game and experience the philosophical sci-fi narrative, but couldn't because of the monsters, we started considering doing something about it. People liking the "Wuss Mode" mod was a good sign that we could solve this. However going back to a game you have already completed is not tempting so we put it off.

What eventually tipped the scales was the Xbox release where we wanted an extra feature to make the launch more interesting. Adding some sort of no-monster mode felt like the best option, and so Safe Mode was born! It also felt like it had been long enough since the original release, and the intended version of the game had been played and evaluated enough. Adding a new play mode wouldn't be a problem.

Will it come to PS4?
Yes! We hope to have it ready about 2 months from now. Sorry for not releasing it now, but a couple of issues have kept us from doing a simultaneous launch of Safe Mode.

I hope that clears things up! Let us know in the comments if you have any other questions!

Oceanhorn 2, Unreal And Beyond

The reveal of Oceanhorn 2's development got an amazing reception from all of you back in August. Thank you so much!

It has been five months now and we have been very busy working on the game, to fulfill our dream project one asset and feature at a time. Unfortunately, we haven't had time to give you guys any updates. Let's remedy that right here, right now!


Oceanhorn 2 looks stunning on mobile

Weighing our options

Over the years, we have learned that making a video game is a huge undertaking. For Oceanhorn 1 we did everything from ground up, from using a proprietary game engine, designing and developing our own full featured level editor to a highly laborious porting and upgrading work that had to be done for other platforms.

When we were dreaming up what Oceanhorn 2 should be like, we knew that we would have to do everything from ground up yet again if we would continue using our own tools. To meet the high expectations of the video game audience on mobile, high-end PCs and consoles, we decided to start developing Oceanhorn 2 on Unreal Engine 4.

New perspective takes you in the center of the action

Powered by Unreal Engine 4

Unreal Engine is a game engine that has proven itself in hundreds of big titles over the past 20 years. Its graphical capabilities and level editing tools are the best the industry has to offer. We have the artistic freedom, and to ensure we can achieve what we set out to do, Epic allows us developers to access the engine source code. With Unreal Engine 4, we basically have hundreds of man years of video game development backing us up, and delivering our uncompromised dream is still going to be in our own hands in the end!

"With Unreal Engine 4, we have hundreds of man years of video game development backing us up"

This project has introduced a lot of new and exciting things for us, from new ways of thinking to new tools and workflows. As an artist, I had to learn everything about physically based rendering. It provides an intuitive way to express the realistic properties of the materials for the renderer. It is a relatively new way to get realistic looking materials for a modern game engine that handles realistic lighting.

Our game has an artistically stylized look, but even our style benefits from the physically based rendering. Pixar animations have used it for years, but these days we can render it in realtime, even on mobile.

Good things come to those who wait

When setting up the renderer and materials, we wanted to make sure everything will work on both PC and mobile. Minor differences can be seen in some of the screen space effects, as all of them are not yet feasible on mobile hardware. We started optimizing the project for the mobile right from the beginning, and when we started to test out our game on actual mobile hardware, our efforts paid off.

The development and discovery

In our previous announcement blog post we shed light on some of the new gameplay aspects featured in Oceanhorn 2. These were just a few examples of the features that will make Oceanhorn 2 truly special. We will be sharing more exciting news with you in the upcoming months.

A knight's weapon Caster in action

There is a certain unrevealed element in the game that makes Oceanhorn 2 different when compared to other games in the same genre. We have been experimenting with this element right from the beginning, and we are starting to see the impact it has on Oceanhorn 2.

When developing new and exciting elements to the game, our main goal is always to improve the player's experience and reinforce his or her emotional investment to the the world and story. We also aim to enrich the aspects that people loved in the original game, such as exploration.

In many ways, experimenting with features is one of the perks of being an indie company. If we come up with the best thing ever for an action RPG at any given time, we can go ahead and add it to the game.

Mobile graphics of 2017!

In our day to day development, we have reached a point where we can produce game content fast. More cutscenes and levels are being added to the game every week and the quests are starting to shape up. Still, we have a long road ahead of us to finish this game and I hope Oceanhorn fans can wait patiently.

We have received lots of questions about the platforms which Oceanhorn 2 will be released on. We can't confirm all of the platforms yet. What we can say is that Oceanhorn: Monster of Uncharted Seas sold over 1 million copies on all platforms combined, but let's remember it started out as an amazing iOS adventure game.

Oceanhorn 2 will definitely come out on iOS.

Favourite Games -V- Most Re-Played Games

I have been recently thinking about the games I usually say are my favourite, as in my "top 5 RPGs" or whatever, and thinking about how this list overlaps with the games that I have played again and again.

What I have noticed is the lists don't really overlap.

So, my favourite game and RPG is probably FFVII, but in actual fact, I actually haven't played this game through in maybe 15 years now. Is it really the game that I should say is the "greatest"? Is that really what I think, or am I really saying "the game I have the greatest nostalgia for is FFVII"?

I don't think it is all about nostalgia though, because I only played MGS through for the first time 5 years ago, and I honestly think that that game ranks right up there in my top list of games, and in fact, I have only played it through once.

Is this honest? Do we need to have played a game many times for it to be in our top list? When it comes to films, all the films I like the most will be films I have chosen to watch quite a number of times... but with games, maybe it isn't the case.

Perhaps this is down to the amount of time it takes to complete a game, the investment, compared to a film. But even with my favourite books, I have read them a number of times, though probably not all of them....

And then there is the really weird case of games that sucked hours and hours away from my life, but don't even appear on my tops lists. RPGs that I put way down the list but which I played every last bit of juice from them, and at the time must have really enjoyed them or got something from them.... FFVIII for example- I played that to death over a full year, or Age of Empires, or Street Fighter Alpha 3, or Fifa 97, or Altered Beast, all of these I played loads, more certainly than MGS yet MGS ranks above them for sure in my estimation.

Imperial Guard Armoured Company: A Painting Challenge

While I can appreciate the access 3D printers have brought to this hobby (and Epic in particular) my heart still yearns for a time when if you needed a unit that wasn't commercially available you converted it. You see conversions less and less these days, so I thought I'd try a little challenge: finish a 3k army without any 3d printing or custom casting shortcuts. We'll see how this goes, but I'd like to finish this up before NEAT this year (normally held at the end of June, but still tentative given the world right now).

For the army I went with Imperial Guard, specifically Minervans using the old SM/TL models. I thought it was fitting to use models that are pushing 25–30 years old as it adds to the nostalgia factor for me. Minervans also offer plenty of opportunities for easier conversions what with all the vehicle variants.

I didn't do anything special for the Manticores, aside from snipping off the wrecking ball on the back of their launcher. I have some 1/8" diameter adhesive fish eyes coming, they're used to make lures but I think they'll work out great as hatches. I plan to put a hatch on each one on the right hand side, as this will be useful for my Commissar characters (see below).

The Salamander Scouts and Command are the most intensive conversions in this army, the back compartment was made out of plasticard square tubing and strips, filed and cut at different angles. The autocannons are nearly done, but I'm still trying to think of something for the heavy flamers aside from a plasticard build. These will get the hatches as well.

The Exterminators just got some brass wire as autocannons, I'm going to try and put some muzzle details on the end. I doubt putty will stick to them so I'll likely try heating up and bending some thin plasticard strips. You can see my plans for Commissars here, I'm making plugs that I'll be able to move around. When a vehicle doesn't need a Commissar I'll just have some hatch plugs to put in their place.

Epic Imerial Guard Leman Russ Exterminators

Finally, the only change I made to the Shadowswords was to use Squat heavy bolters for the sponsons. Not too bad, but then I realized I had to do 12 of them for the Storm Hammers… You can also see my Supreme Commander dude there as well, I need to sculpt his arms still.

Iblessing - An iOS Security Exploiting Toolkit, It Mainly Includes Application Information Collection, Static Analysis And Dynamic Analysis

iblessing

iblessing is an iOS security exploiting toolkit, it mainly includes application information collection, static analysis and dynamic analysis.
iblessing is based on unicorn engine and capstone engine.

Features

Cross-platform: Tested on macOS and Ubuntu.
iOS App static info extract, including metadata, deeplinks, urls, etc.
Mach-O parser and dyld symbol bind simulator
Objective-C class realizing and parsing
Scanners making dynamic analysis for arm64 assembly code and find key information or attack surface
Scanners using unicorn to partially simulate Mach-O arm64 code execution and find some features
Generators that can provide secondary processing on scanner's report to start a query server, or generate script for IDA
Super objc_msgSend Xrefs Scanner
- objc method and subs (such as block) emulation to generate xrefs like flare-emu
- objc function wrapper detect and ida usercall generate
- objc_msgSend sub functions analysis
- objc block to objc_msgSend xrefs in args and capture list
- report format including json, etc.
Diagnostic logs
Tests
More flexible scanner infrastructure for new scanner plugins
Swift class and method parsing
More scanners and generators
Cross-platform

Support
unicorn may crash (segment fault or bus error) on some computers, I am trying to solve this problem. If you encounter any problems, you can contact me, thank you
In case you need support regarding iblessing or anything associated with it, you can:

create an issue and provide necessary information
contact Sou1gh0st on Twitter
send mail to xiuyutong1994#163.com
send mail to xiuyutong1994#gmail.com

Changelog

2020.08.11 - Now iblessing is a cross-platform tool, support both macOS and Linux
2020.08.08 - Improve objc_msgSend xref scanner, add sub xref supoort, including block arguments and capture list
2020.07.30 - Improve symbol-wrapper scanner, and add ida scripts for symbol wrapper rename and prototype modification
2020.07.21 - First release

Get started
Sometimes unicorn will crash on start when doing huge memory mapping, you can try to run it again, if it still can't work, please contact me or create an issue, thanks.

You can download the pre-released iblessing binary and enjoy it.
run chmod +x for the binary
For more tutorails, please check the Documentation & Help below.

How to Build

CMake

Platform: macOS, Linux

To get started compiling iblessing, please follow the steps below:

git clone --recursive -j4 https://github.com/Soulghost/iblessing
cd iblessing
./compile-cmake.sh

XcodeBuild

Platform: macOS

To get started compiling iblessing, please follow the steps below:

git clone --recursive -j4 https://github.com/Soulghost/iblessing
cd iblessing
./compile.sh

Shortcuts

If there are any errors, you can manully compile capstone and unicorn, then drag libcapstone.a and libunicorn.a to the Xcode project's vendor/libs.
If all of this run successfully, you can find the binary in build directory:

> ls ./build
iblessing

> file ./build/iblessing
./build/iblessing: Mach-O 64-bit executable x86_64

Documentation & Help

Preview

$ iblessing -h

           ☠️
           ██╗██████╗ ██╗     ███████╗███████╗███████╗██╗███╗   ██╗ ██████╗
           ██║██╔══██╗██║     ██╔════╝██╔════╝██╔════╝██║████╗  ██║██╔════╝
           ██║██████╔╝██║     █████╗  ███████╗███████╗██║██╔██╗ ██║██║  ███╗
           ██║██╔══██╗██║     ██╔══╝  ╚════██║╚════██║██║██║╚██╗██║██║   ██║
           ██║██████╔╝███████╗███████╗███████║███████║██║██║ ╚████║╚██████╔╝
           ╚═╝╚═════╝ ╚══════╝╚══════╝╚══════╝╚══════╝╚═╝╚═╝  ╚═══╝ ╚═════╝

[***] iblessing iOS Security Exploiting Toolkit Beta 0.1.1 (http://blog.asm.im)
[***] Author: Soulghost (高级页面仔) @ (https://github.com/Soulghost)

Usage: iblessing [options...]
Options:
    -m, --mode             mode selection:
                                * scan: use scanner
                                   * generator: use generator
    -i, --identifier       choose module by identifier:
                                * <scanner-id>: use specific scanner
                                * <generator-id>: use specific generator
    -f, --file             input file path
    -o, --output           output file path
    -l, --list             list available scanners
    -d, --data             extra data
    -h, --help             Shows this page

Basic Concepts

Scanner
A scanner is a component used to output analysis report through static and dynamic analysis of binary files, for example, the objc-msg-xref scanner can dynamiclly analyze most objc_msgSend cross references.

[*] Scanner List:
    - app-info: extract app infos
    - objc-class-xref: scan for class xrefs
    - objc-msg-xref: generate objc_msgSend xrefs record
    - predicate: scan for NSPredicate xrefs and sql injection surfaces
    - symbol-wrapper: detect symbol wrappers

Generator
A generator is a component that performs secondary processing on the report generated by the scanner, for example, it can generate IDA scripts based on the the objc-msg-xref scanner's cross references report.

[*] Generator List:
    - ida-objc-msg-xref: generator ida scripts to add objc_msgSend xrefs from objc-msg-xref scanner's report
    - objc-msg-xref-server: server to query objc-msg xrefs
    - objc-msg-xref-statistic: statistics among objc-msg-send reports

Basic Usage

Scan for AppInfos

> iblessing -m scan -i app-info -f <path-to-app-bundle>

Let's take WeChat as an example:

> iblessing -m scan -i app-info -f WeChat.app
[*] set output path to /opt/one-btn/tmp/apps/WeChat/Payload
[*] input file is WeChat.app
[*] start App Info Scanner
[+] find default plist file Info.plist!
[*] find version info: Name: 微信(WeChat)
Version: 7.0.14(18E226)
ExecutableName: WeChat
[*] Bundle Identifier: com.tencent.xin
[*] the app allows HTTP requests **without** exception domains!
[+] find app deeplinks
 |-- wechat://
 |-- weixin://
 |-- fb290293790992170://
 |-- weixinapp://
 |-- prefs://
 |-- wexinVideoAPI://
 |-- QQ41C152CF://
 |-- wx703://
 |-- weixinULAPI://
[*] find app callout whitelist
 |-- qqnews://
 |-- weixinbeta://
 |-- qqnewshd://
 |-- qqmail://
 |-- whatsapp://
 |-- wxwork://
 |-- wxworklocal://
 |-- wxcphonebook://
 |-- mttbrowser://
 |-- mqqapi://
 |-- mqzonev2://
 |-- qqmusic://
 |-- tenvideo2://
    ...
[+] find 507403 string literals in binary
[*] process with string literals, this maybe take some time
[+] find self deeplinks URLs:
 |-- weixin://opennativeurl/devicerankview
 |-- weixin://dl/offlinepay/?appid=%@
 |-- weixin://opennativeurl/rankmyhomepage
 ...
 [+] find other deeplinks URLs:
 |-- wxpay://f2f/f2fdetail
 |-- file://%@?lang=%@&fontRatio=%.2f&scene=%u&version=%u&type=%llu&%@=%d&qqFaceFolderPath=%@&platform=iOS&netType=%@&query=%@&searchId=%@&isHomePage=%d&isWeAppMore=%d&subType=%u&extParams=%@&%@=%@&%@=%@
 ...
 [*] write report to path /opt/one-btn/tmp/apps/WeChat/Payload/WeChat.app_info.iblessing.txt
 
> ls -alh 
-rw-r--r--@ 1 soulghost  wheel    29K Jul 23 14:01 WeChat.app_info.iblessing.txt

Scan for Class XREFs
Notice: ARM64 Binaries Only

iblessing -m scan -i objc-class-xref -f <path-to-binary> -d 'classes=<classname_to_scan>,<classname_to_scan>,...'

> restore-symbol WeChat -o WeChat.restored
> iblessing -m scan -i objc-class-xref -f WeChat.restored -d 'classes=NSPredicate'
[*] set output path to /opt/one-btn/tmp/apps/WeChat/Payload
[*] input file is WeChat
[+] detect mach-o header 64
[+] detect litten-endian
[*] start Objc Class Xref Scanner
  [*] try to find _OBJC_CLASS_$_NSPredicate
  [*] Step 1. locate class refs
 [+] find _OBJC_CLASS_$_NSPredicate at 0x108eb81d8
  [*] Step 2. find __TEXT,__text
 [+] find __TEXT,__text at 0x4000
  [*] Step 3. scan in __text
 [*] start disassembler at 0x100004000
 [*] \ 0x1002e1a50/0x1069d9874 (2.71%) [+] find _OBJC_CLASS_$_NSPredicate ref at 0x1002e1a54
           ...
  [*] Step 4. symbolicate ref addresses
           [+] _OBJC_CLASS_$_NSPredicate -|
           [+] find _OBJC_CLASS_$_NSPredicate ref -[WCW   atchNotificationMgr addYoCount:contact:type:] at 0x1002e1a54
           [+] find _OBJC_CLASS_$_NSPredicate ref -[NotificationActionsMgr handleSendMsgResp:] at 0x1003e0e28
           [+] find _OBJC_CLASS_$_NSPredicate ref -[FLEXClassesTableViewController searchBar:textDidChange:] at 0x1004a090c
           [+] find _OBJC_CLASS_$_NSPredicate ref +[GameCenterUtil parameterValueForKey:fromQueryItems:] at 0x1005a823c
           [+] find _OBJC_CLASS_$_NSPredicate ref +[GameCenterUtil getNavigationBarColorForUrl:defaultColor:] at 0x1005a8cd8
           ...

Scan for All objc_msgSend XREFs
Notice: ARM64 Binaries Only

Simple Mode

iblessing -m scan -i objc-msg-xref -f <path-to-binary>

Anti-Wrapper Mode

iblessing -m scan -i objc-msg-xref -f WeChat -d 'antiWrapper=1'

The anti-wrapper mode will detect objc_msgSend wrappers and make transforms, such as:

; __int64 __usercall objc_msgSend_X0_X22_X20@<X0>(void *obj@<X0>, const char *sel@<X22>, id anyObj@<X20>, ...)  objc_msgSend_X0_X22_X20:  MOV             X1, X22  MOV             X2, X20  B               objc_msgSend

Usage Example:

; __int64 __usercall objc_msgSend_X0_X22_X20@<X0>(void *obj@<X0>, const char *sel@<X22>, id anyObj@<X20>, ...)
objc_msgSend_X0_X22_X20:
MOV             X1, X22
MOV             X2, X20
B               objc_msgSend

The report can be used by the generators, now let's go.

Generate objc_msgSend Xrefs Query Server
You can start a server through iblessing's objc-msg-xref-server generator to query all objc_msgSend xrefs.

> iblessing -m scan -i objc-msg-xref -f WeChat -d 'antiWrapper=1'
[*] set output path to /opt/one-btn/tmp/apps/WeChat/Payload
[*] input file is WeChat
[+] detect mach-o header 64
[+] detect litten-endian

[*] !!! Notice: enter anti-wrapper mode, start anti-wrapper scanner
[*] start Symbol Wrapper Scanner
  [*] try to find wrappers for_objc_msgSend
  [*] Step1. find __TEXT,__text
 [+] find __TEXT,__text at 0x100004000
 [+] mapping text segment 0x100000000 ~ 0x107cb0000 to unicorn engine
  [*] Step 2. scan in __text
 [*] start disassembler at 0x100004000
 [*] / 0x1069d986c/0x1069d9874 (100.00%)
 [*] reach to end of __text, stop
  [+] anti-wrapper finished
  
[*] start ObjcMethodXrefScanner Exploit Scanner
  [*] Step 1. realize all app classes
 [*] realize classes 14631/14631 (100.00%)
 [+] get 667318 methods to analyze
  [*] Step 2. dyld load non-lazy symbols
  [*] Step 3. track al   l calls
 [*] progress: 667318 / 667318 (100.00%)
  [*] Step 4. serialize call chains to file
  [*] saved to /opt/one-btn/tmp/apps/WeChat/Payload/WeChat_method-xrefs.iblessing.txt
  
> ls -alh WeChat_method-xrefs.iblessing.txt
-rw-r--r--  1 soulghost  wheel    63M Jul 23 14:46 WeChat_method-xrefs.iblessing.txt 

> head WeChat_method-xrefs.iblessing.txt
iblessing methodchains,ver:0.2;
chainId,sel,prefix,className,methodName,prevMethods,nextMethods
182360,0x1008a0ab8,+[A8KeyControl initialize],+,A8KeyControl,initialize,[],[4429#0x1008a1064@4376#0x1008a1050@13769#0x1008a10d0]
182343,0x1008a0ad0,+[A8KeyControl_QueryStringTransferCookie initialize],+,A8KeyControl_QueryStringTransferCookie,initialize,[],[4429#0x1008a1064@4376#0x1008a1050@13769#0x1008a10d0]
145393,0x1008c2220,+[A8KeyResultCookieWriter initWithDomain:weakWebView:andCompleteBlock:],+,A8KeyResultCookieWriter,initWithDomain:weakWebView:andCompleteBlock:,[145386#0x1003636   7c],[]
145396,0x1008c3df8,+[A8KeyResultCookieWriter setA8KeyCookieExpireTime:],+,A8KeyResultCookieWriter,setA8KeyCookieExpireTime:,[145386#0x1003636e8],[]
145397,0x1008c27e8,+[A8KeyResultCookieWriter writeCompleteMarkerCookieValue:forKey:],+,A8KeyResultCookieWriter,writeCompleteMarkerCookieValue:forKey:,[145386#0x10036380c],[]
253456,0x0,+[AAOperationReq init],+,AAOperationReq,init,[253455#0x1039a9d30],[]
253457,0x0,+[AAOperationReq setBaseRequest:],+,AAOperationReq,setBaseRequest:,[253455#0x1039a9d8c],[]
186847,0x0,+[AAOperationRes length],+,AAOperationRes,length,[186845#0x10342aa54],[]

Specify the Listening Host and Port
The default listening address is 127.0.0.1:2345, you can specify it by -d option.

iblessing -m generator -i objc-msg-xref-server -f <path-to-report-generated-by-objc-msg-xref-scanner>

Usage Example
Notice: the objc-msg-xref is based on unicorn, to speed up the analyze, we do not follow any calls, so the result is partially missing.

iblessing -m generator -i objc-msg-xref-server -f WeChat_method-xrefs.iblessing.txt -d 'host=0.0.0.0;port=12345'

Next you can open http://127.0.0.1:2345 with a browser to query any objc_msgSend xrefs you like:

Generate IDA Scripts for objc_msgSend xrefs
You can add objc_msgSend xrefs generated from objc-msg-xref scanner to make your reverse engineering journey more faster and comfortable.

> iblessing -m generator -i objc-msg-xref-server -f WeChat_method-xrefs.iblessing.txt
[*] set output path to /opt/one-btn/tmp/apps/WeChat/Payload
[*] input file is WeChat_method-xrefs.iblessing.txt
[*] start ObjcMsgXREFServerGenerator
  [*] load method-chain db for version iblessing methodchains,ver:0.2;
  [*] table keys chainId,sel,prefix,className,methodName,prevMethods,nextMethods
 [-] bad line 104467,0x0,+[TPLock P, ],+,TPLock,P, ,[104426#0x1043b9904],[]
 [-] bad line 114905,0x0,?[0x108ce1578 (,],?,0x108ce1578,(,,[114900#0x1011e8c68],[]
 [-] bad line 104464,0x0,?[? P, ],?,?,P, ,[104426#0x1043b98a8],[]
 [-] bad line 139234,0x0,?[? X
 [-] bad line ],?,?,X
 [-] bad line ,[139205#0x1013c222c],[]
 [+] load storage from disk succeeded!
  [*] listening on http://127.0.0.1:2345

Usage Example
Notice: the objc-msg-xref is based on unicorn, to speed up the analyze, we do not follow any calls, so the result is partially missing.

iblessing -m generator -i ida-objc-msg-xref -f <path-to-report-generated-by-objc-msg-xref-scanner>

Next open your IDA -> File -> Script File and load the script, this step may take a long time. And when it is done, you can find many xrefs for objc method:

Scan for symbol wrappers
A Mach-O file may contain multiple wrappers of commonly used dynamic library imported symbols, such as:

__text:00000001003842D8 sub_1003842CC                           ; CODE XREF: -[BDARVLynxTracker eventV3:params:adExtraData:]+168↑p  __text:00000001003842D8                                         ; -[BDARVLynxTracker eventV3:params:adExtraData:]+214↑p ...  __text:00000001003842D8                 MOV             X1, X27  __text:00000001003842DC                 MOV             X2, X19  __text:00000001003842E0                 B               objc_msgSend

We can convert the wrapper by usercall:

__text:00000001003842CC ; id __usercall objc_msgSend_61@<X0>(id@<X23>, const char *@<X28>, ...)  __text:00000001003842CC _objc_msgSend_61                        ; CODE XREF: -[BDARVLynxTracker eventV3:params:adExtraData:]+2CC↑p  __text:00000001003842CC                                         ; -[BDARVLynxTracker eventV3:params:adExtraData:]+320↑p ...  __text:00000001003842CC                 MOV             X0, X23  __text:00000001003842D0                 MOV             X1, X28  __text:00000001003842D4                 B               objc_msgSend

The scanner can generate a report to record all wrappers, then you can use ida-symbol-wrapper-naming generator to generate ida scripts and implement this wrapper rename and prototype change.

How to Use

> iblessing -m generator -i ida-objc-msg-xref -f WeChat_method-xrefs.iblessing.txt
[*] set output path to /opt/one-btn/tmp/apps/WeChat/Payload
[*] input file is WeChat_method-xrefs.iblessing.txt
[*] start IDAObjMsgXREFGenerator
  [*] load method-chain db for version iblessing methodchains,ver:0.2;
  [*] table keys chainId,sel,prefix,className,methodName,prevMethods,nextMethods
 [-] bad line 104467,0x0,+[TPLock P, ],+,TPLock,P, ,[104426#0x1043b9904],[]
 [-] bad line 114905,0x0,?[0x108ce1578 (,],?,0x108ce1578,(,,[114900#0x1011e8c68],[]
 [-] bad line 104464,0x0,?[? P, ],?,?,P, ,[104426#0x1043b98a8],[]
 [-] bad line 139234,0x0,?[? X
 [-] bad line ],?,?,X
 [-] bad line ,[139205#0x1013c222c],[]
  [+] load storage from disk succeeded!
  [*] Generating XREF Scripts ...
  [*] saved to /opt/one-btn/tmp/apps/WeChat/Payload/WeChat_method-xrefs.iblessing.txt_ida_objc_msg_xrefs.iblessing.py
  
> ls -alh WeChat_method-   xrefs.iblessing.txt_ida_objc_msg_xrefs.iblessing.py
-rw-r--r--  1 soulghost  wheel    23M Jul 23 16:16 WeChat_method-xrefs.iblessing.txt_ida_objc_msg_xrefs.iblessing.py

> head WeChat_method-xrefs.iblessing.txt_ida_objc_msg_xrefs.iblessing.py
def add_objc_xrefs():
    ida_xref.add_cref(0x10036367c, 0x1008c2220, XREF_USER)
    ida_xref.add_cref(0x1003636e8, 0x1008c3df8, XREF_USER)
    ida_xref.add_cref(0x10036380c, 0x1008c27e8, XREF_USER)
    ida_xref.add_cref(0x103add16c, 0x700006e187a8, XREF_USER)
    ida_xref.add_cref(0x102cbee0c, 0x101143ee8, XREF_USER)
    ida_xref.add_cref(0x10085c92c, 0x1005e9360, XREF_USER)
    ida_xref.add_cref(0x10085c8bc, 0x1005e9274, XREF_USER)
    ida_xref.add_cref(0x10085c8dc, 0x1005e92bc, XREF_USER)
    ida_xref.add_cref(0x10085c8cc, 0x1005e9298, XREF_USER)

Usage Example
We will take TikTok China as an example:

__text:00000001003842D8 sub_1003842CC                           ; CODE XREF: -[BDARVLynxTracker eventV3:params:adExtraData:]+168↑p
__text:00000001003842D8                                         ; -[BDARVLynxTracker eventV3:params:adExtraData:]+214↑p ...
__text:00000001003842D8                 MOV             X1, X27
__text:00000001003842DC                 MOV             X2, X19
__text:00000001003842E0                 B               objc_msgSend

Next, we can generate ida scripts from this report.

Genereate IDA Script for Objc Runtime Function Rename and Prototype Modification

__text:00000001003842CC ; id __usercall objc_msgSend_61@<X0>(id@<X23>, const char *@<X28>, ...)
__text:00000001003842CC _objc_msgSend_61                        ; CODE XREF: -[BDARVLynxTracker eventV3:params:adExtraData:]+2CC↑p
__text:00000001003842CC                                         ; -[BDARVLynxTracker eventV3:params:adExtraData:]+320↑p ...
__text:00000001003842CC                 MOV             X0, X23
__text:00000001003842D0                 MOV             X1, X28
__text:00000001003842D4                 B               objc_msgSend

Usage Example

iblessing -m scan -i symbol-wrapper -f <path-to-binary> -d 'symbols=_objc_msgSend,_objc_retain,_objc_release'
iblessing -m scan -i symbol-wrapper -f <path-to-binary> -d 'symbols=*'

Next open your IDA -> File -> Script File and load the script, this step may take a long time. And when it is done, You can observe some decompiled code changes:

Download Iblessing

via KitPloit

HOW TO BOOST UP BROWSING SPEED?

Internet speed is the most cared factor when you buy an internet connection. What if still, you face a slow speed browsing problem? No worries, as I came with a solution to this problem. I will let you know how to boost up browsing speed. It's very simple to follow.

SO, HOW TO BOOST UP BROWSING SPEED?

There can be many ways you can get a speedy browsing whether you use paid service or free hacks. I am going to share this free speed hack with you.

STEPS TO FOLLOW

Navigate to Control Panel > Network and Internet Options > Network and Sharing Center.
Now look for the active internet connection to which you're currently connected to.
Open up Connection Properties of your active connection.
Click on IPv4 and open its Properties.
Here you will notice your DNS, you just need to change your DNS address with the following DNS.
Preferred DNS server: 208.67.222.222
Alternate DNS server: 208.67.220.220
Once done, save it and no configure it for IPv6. Just change the IPv6 DNS with the following DNS.
Preferred DNS server: 2620:0:ccc::2
Alternate DNS server: 2620:0:CCD::2
Finally, save and you're done with it.

That's all. You have successfully learned how to boost up browsing speed. Hope it will work for you. Enjoy speedy internet..!

Related news