iSECPartners/Introspy-iOS

rand() hook crashes in 64-bit apps

radj opened this issue · 2 comments

radj commented

I'm testing on:
iPad Air
iOS 7.1.2

Some apps crashed while using Introspy, some didn't. So I narrowed it down to the rand() hook and narrowed it down to 64-bit only. As an example, I am using Apple's SimpleURLConnections project and added this simple call NSLog(@"Calling C Rand() - %d", rand()); in -[GetController startReceive] method and it crashes when building the app for 64-bit. If built for 32-bit, it works just fine.

Went into replaced_rand() in hooks/LibCHooks.m and found that it crashes at the call to original_rand(). I logged the value of the original_rand() pointer and it isn't null.

I am not sure how to proceed here.

Here's the backtrace if it helps any.

* thread #1: tid = 0x0b0d, 0x0000000106497d38, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x106497d38)
    frame #0: 0x0000000106497d38
    frame #1: 0x0000000101a8001c
  * frame #2: 0x000000010006a180 URLConnect`-[GetController startReceive](self=0x0000000147d16120, _cmd=0x000000010009b8f6) + 20 at GetController.m:140
    frame #3: 0x000000010006bd64 URLConnect`-[GetController viewDidLoad](self=0x0000000147d16120, _cmd=0x000000018b8e3285) + 1264 at GetController.m:371
    frame #4: 0x000000018b5a6f50 UIKit`-[UINib instantiateWithOwner:options:] + 1616
    frame #5: 0x000000018b5a8b50 UIKit`-[NSBundle(UINSBundleAdditions) loadNibNamed:owner:options:] + 160
    frame #6: 0x000000018b49341c UIKit`-[UIApplication _loadMainNibFileNamed:bundle:] + 52
    frame #7: 0x000000018b2598d4 UIKit`-[UIApplication _runWithURL:payload:launchOrientation:statusBarStyle:statusBarHidden:] + 516
    frame #8: 0x000000018b1ed8b4 UIKit`-[UIApplication handleEvent:withNewEvent:] + 3316
    frame #9: 0x000000018b1ecab8 UIKit`-[UIApplication sendEvent:] + 104
    frame #10: 0x000000018b25902c UIKit`_UIApplicationHandleEvent + 672
    frame #11: 0x000000018ddc3504 GraphicsServices`_PurpleEventCallback + 676
    frame #12: 0x000000018ddc3030 GraphicsServices`PurpleEventCallback + 48
    frame #13: 0x00000001881e3040 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE1_PERFORM_FUNCTION__ + 56
    frame #14: 0x00000001881e2fa0 CoreFoundation`__CFRunLoopDoSource1 + 444
    frame #15: 0x00000001881e11c4 CoreFoundation`__CFRunLoopRun + 1620
    frame #16: 0x0000000188121dd0 CoreFoundation`CFRunLoopRunSpecific + 452
    frame #17: 0x000000018b2581b0 UIKit`-[UIApplication _run] + 784
    frame #18: 0x000000018b252fc4 UIKit`UIApplicationMain + 1156
    frame #19: 0x00000001000675d4 URLConnect`main(argc=1, argv=0x000000016fd9fc30) + 64 at main.m:61
    frame #20: 0x00000001951f3aa0 libdyld.dylib`start + 4

radj commented

I tried calling random() instead of rand() and it doesn't crash. This is specific to rand() so far.

Can you try recompiling introspy? I am guessing they didn't correctly assume the rv type.

Going into the libc hooks, you could try commenting out this:

        [tracer addReturnValueFromPlistObject: [NSNumber numberWithUnsignedInt:origResult]];
        [traceStorage saveTracedCall: tracer];
        [tracer release];

(Which would remove tracing, but would be a quick sanity test).
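As an added illustration (not Introspy's code and not a fix for this issue), the block below models in plain C the replaced/original pattern the thread is discussing: original_rand is a function pointer of exactly rand()'s type, int (*)(void); replaced_rand has the same signature, forwards to the original, and records the return value; and tracing can be switched off to reproduce the "comment out the tracing" sanity test suggested above, which separates a crash in the call-through from a crash in the trace storage. The "original" here is a constructed LCG stand-in for libc rand() so the example runs anywhere; all names are hypothetical.

```c
#include <stddef.h>

/* Added example, not Introspy's code: the exact type of rand(), used for
 * both the pointer to the original and the replacement. */
typedef int (*rand_fn)(void);

/* Constructed stand-in for the libc rand() a hooking framework would hand
 * back as "original": a fixed-seed LCG, deterministic on every platform. */
static unsigned int lcg_state = 1u;

static int fake_original_rand(void)
{
    lcg_state = lcg_state * 1103515245u + 12345u;
    return (int)((lcg_state >> 16) & 0x7fff);   /* 0..32767 */
}

/* Filled in by the (hypothetical) hooking framework with the original. */
static rand_fn original_rand = NULL;

/* Trace buffer for the return values the replacement records. */
#define TRACE_CAP 16
static int trace_values[TRACE_CAP];
static size_t trace_count = 0;

/* 0 reproduces the sanity test from the thread: forward only, no tracing. */
static int tracing_enabled = 1;

static void trace_return_value(int rv)
{
    if (trace_count < TRACE_CAP)
        trace_values[trace_count++] = rv;
}

/* The replacement: same signature as rand(); forwards, then records. */
static int replaced_rand(void)
{
    if (original_rand == NULL)
        return -1;              /* hook never installed: never call through NULL */
    int origResult = original_rand();
    if (tracing_enabled)
        trace_return_value(origResult);
    return origResult;
}

/* Install the hook against the constructed original and reset all state. */
void install_rand_hook(int enable_tracing)
{
    lcg_state = 1u;
    trace_count = 0;
    tracing_enabled = enable_tracing;
    original_rand = fake_original_rand;
}

/* Call the hooked function n times and return the last value. */
int call_hooked_rand(int n)
{
    int last = 0;
    for (int i = 0; i < n; i++)
        last = replaced_rand();
    return last;
}

size_t traced_calls(void) { return trace_count; }

int traced_value(size_t i) { return i < trace_count ? trace_values[i] : -1; }

/* Reference: the same LCG sequence with no hook in the path, for comparison. */
int reference_rand_sequence(int n)
{
    unsigned int s = 1u;
    int v = 0;
    for (int i = 0; i < n; i++) {
        s = s * 1103515245u + 12345u;
        v = (int)((s >> 16) & 0x7fff);
    }
    return v;
}
```

With tracing on, the hooked sequence must match the reference sequence exactly (the hook is transparent to the caller); with tracing off, the call-through still works and nothing is recorded, which is the bisection the comment above proposes.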