https://www.theiphonewiki.com/w/index.php?action=history&feed=atom&title=Stack_CookiesStack Cookies - Revision history2026-05-17T05:12:28ZRevision history for this page on the wikiMediaWiki 1.31.14https://www.theiphonewiki.com/w/index.php?title=Stack_Cookies&diff=27208&oldid=prevHttp: initial page with some infos from mdowd's presentation2012-10-16T23:06:59Z<p>initial page with some infos from mdowd's presentation</p>
<p><b>New page</b></p><div>Since iOS6 a generated stack cookie is placed directly after the saved registers at the bottom of the stack frame. A pointer to the cookie is saved at the top of the stack frame or in a register if it is convenient. The space above the stack pointer is used for called functions if necessary.<br />
<br />
In the function epilog the saved stack cookie is verified. The generated value is found by following the saved pointer. A verification failure results in a kernel panic.<br />
<br />
800051FC __epilog ; CODE XREF: sub_80004F98+2B4vj<br />
800051FC ; sub_80004F98+486vj<br />
800051FC LDR R0, [SP,#0x2CC+stack_cookie_ptr]<br />
800051FE LDR R0, [R0]<br />
80005200 LDR R1, [SP,#0x2CC+stack_cookie]<br />
80005202 CMP R0, R1 ; check stack cookie validity<br />
80005204 ITTTT EQ<br />
80005206 MOVEQ R0, R4<br />
80005208 ADDEQ.W SP, SP, #0x2B4<br />
8000520C POPEQ.W {R8,R10,R11}<br />
80005210 POPEQ {R4-R7,PC}<br />
80005212 BL ___stack_chk_fail<br />
<br />
==References==<br />
*[http://conference.hackinthebox.org/hitbsecconf2012kul/materials/D1T2%20-%20Mark%20Dowd%20&amp;%20Tarjei%20Mandt%20-%20iOS6%20Security.pdf Mark Dowd & Tarjei Mandt's iOS6 presentation at HITB 2012 KUL D1T2]</div>Http