mach_override on Intel Macs

I was disappointed last month when, after an hour or two of hacking, I couldn’t get mach_override (evil, I know) to work on my new MacBook Pro, even though it had been ported to Intel Macs. I added myself to the procmod group and tried everything that Google could come up with, but I could only get it to successfully override local functions; it wouldn’t override any library/system functions no matter what I did.

Today I found the solution on the ExtendAMac mailing list hosted on SourceForge: a short post there contains a small patch that seems to fix all the issues I’ve been having. There don’t seem to be any replies to the post on the mailing list, and it won’t come up in any Google search related to mach_override on Intel Macs, which is pretty frustrating when you don’t know about the ExtendAMac mailing list. The solution is very simple: replace this block of code (the table of function-prologue instructions mach_override knows how to relocate):

static AsmInstructionMatch possibleInstructions[] = {
    { 0x1, {0xFF}, {0x90} },                         // nop
    { 0x1, {0xFF}, {0x55} },                         // push %ebp
    { 0x2, {0xFF, 0xFF}, {0x89, 0xE5} },             // mov %esp,%ebp
    { 0x1, {0xFF}, {0x53} },                         // push %ebx
    { 0x3, {0xFF, 0xFF, 0x00}, {0x83, 0xEC, 0x00} }, // sub $0x??,%esp
    { 0x0 }
};

with this:

static AsmInstructionMatch possibleInstructions[] = {
    { 0x1, {0xFF}, {0x90} },                         // nop
    { 0x1, {0xF8}, {0x50} },                         // push %eax | %ecx | %edx | %ebx | %esp | %ebp | %esi | %edi (opcodes 0x50..0x57)
    { 0x2, {0xFF, 0xFF}, {0x89, 0xE5} },             // mov %esp,%ebp
    { 0x3, {0xFF, 0xFF, 0x00}, {0x83, 0xEC, 0x00} }, // sub $0x??,%esp
    { 0x0 }
};
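Why such a small change makes the difference: mach_override overwrites the first five bytes of the target (the size of a JMP rel32) and has to copy every instruction that overlaps those bytes, whole, into a reentry island. It will only copy instructions it recognises from this table, and the original table accepted push %ebp (0x55) and push %ebx (0x53) but no other push. Any library function whose prologue starts by saving %esi or %edi was therefore rejected, while your own small test functions, which the compiler tends to give a plain push %ebp / mov %esp,%ebp / sub prologue, worked fine. The 0xF8 mask matches all eight one-byte push r32 encodings at once. The following is an added example of my own, not code from mach_override, that re-implements that scan over the two tables (plus the mov moffs32,%eax entry a commenter contributed below) and runs it over a few constructed i386 prologues; the struct field sizes, the function names, and the byte sequences are all assumptions made for the example, not taken from any real binary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Table entry in the shape mach_override uses. Field sizes are assumed here:
 * 15 bytes, the maximum x86 instruction length. */
typedef struct {
    unsigned int  length;          /* encoded length of the instruction; 0 ends the table */
    unsigned char mask[15];        /* which bits of each byte take part in the comparison */
    unsigned char constraint[15];  /* value the masked bits must equal */
} AsmInstructionMatch;

/* The unpatched i386 table quoted in the post. */
static const AsmInstructionMatch originalTable[] = {
    { 0x1, {0xFF}, {0x90} },                          /* nop */
    { 0x1, {0xFF}, {0x55} },                          /* push %ebp */
    { 0x2, {0xFF, 0xFF}, {0x89, 0xE5} },              /* mov %esp,%ebp */
    { 0x1, {0xFF}, {0x53} },                          /* push %ebx */
    { 0x3, {0xFF, 0xFF, 0x00}, {0x83, 0xEC, 0x00} },  /* sub $imm8,%esp */
    { 0x0 }
};

/* The mailing-list patch, plus the A1 (mov moffs32,%eax) entry from the comments. */
static const AsmInstructionMatch patchedTable[] = {
    { 0x1, {0xFF}, {0x90} },                          /* nop */
    { 0x1, {0xF8}, {0x50} },                          /* push r32: opcodes 0x50..0x57 */
    { 0x2, {0xFF, 0xFF}, {0x89, 0xE5} },              /* mov %esp,%ebp */
    { 0x3, {0xFF, 0xFF, 0x00}, {0x83, 0xEC, 0x00} },  /* sub $imm8,%esp */
    { 0x5, {0xFF, 0x00, 0x00, 0x00, 0x00},
           {0xA1, 0x00, 0x00, 0x00, 0x00} },          /* mov moffs32,%eax */
    { 0x0 }
};

#define JMP_REL32_SIZE 5  /* E9 rel32, what gets written over the function entry */

/* Length of the first table entry matching the bytes at code, or 0 if none does. */
static unsigned int matchInstruction(const AsmInstructionMatch *table,
                                     const unsigned char *code, size_t avail)
{
    for (const AsmInstructionMatch *m = table; m->length != 0; m++) {
        if (m->length > avail)
            continue;                      /* not enough bytes left for this pattern */
        bool hit = true;
        for (unsigned int i = 0; i < m->length && hit; i++)
            hit = (code[i] & m->mask[i]) == m->constraint[i];
        if (hit)
            return m->length;
    }
    return 0;
}

/* Walk whole instructions from the entry point until at least JMP_REL32_SIZE bytes
 * are covered. Returns the number of bytes that would be relocated into the reentry
 * island, or 0 when an unrecognised instruction is reached first (override fails). */
size_t relocatablePrologueBytes(const AsmInstructionMatch *table,
                                const unsigned char *code, size_t len)
{
    size_t eaten = 0;
    while (eaten < JMP_REL32_SIZE) {
        unsigned int n = matchInstruction(table, code + eaten, len - eaten);
        if (n == 0)
            return 0;
        eaten += n;
    }
    return eaten;
}

/* Constructed i386 prologues for the demonstration (not taken from any real binary). */
static const unsigned char prologueFrame[6]   = {0x55, 0x89, 0xE5, 0x83, 0xEC, 0x18};       /* push %ebp; mov %esp,%ebp; sub $0x18,%esp */
static const unsigned char prologueSaves[6]   = {0x57, 0x56, 0x53, 0x83, 0xEC, 0x0C};       /* push %edi; push %esi; push %ebx; sub $0xc,%esp */
static const unsigned char prologueMovAbs[7]  = {0xA1, 0x78, 0x56, 0x34, 0x12, 0x89, 0xE5}; /* mov 0x12345678,%eax; mov %esp,%ebp */
static const unsigned char prologueCallRel[6] = {0xE8, 0x00, 0x00, 0x00, 0x00, 0x58};       /* call next; pop %eax (PIC thunk) */

int main(void)
{
    printf("frame    original=%zu patched=%zu\n",
           relocatablePrologueBytes(originalTable, prologueFrame, sizeof prologueFrame),
           relocatablePrologueBytes(patchedTable, prologueFrame, sizeof prologueFrame));
    printf("saves    original=%zu patched=%zu\n",
           relocatablePrologueBytes(originalTable, prologueSaves, sizeof prologueSaves),
           relocatablePrologueBytes(patchedTable, prologueSaves, sizeof prologueSaves));
    printf("mov abs  original=%zu patched=%zu\n",
           relocatablePrologueBytes(originalTable, prologueMovAbs, sizeof prologueMovAbs),
           relocatablePrologueBytes(patchedTable, prologueMovAbs, sizeof prologueMovAbs));
    printf("call rel original=%zu patched=%zu\n",
           relocatablePrologueBytes(originalTable, prologueCallRel, sizeof prologueCallRel),
           relocatablePrologueBytes(patchedTable, prologueCallRel, sizeof prologueCallRel));
    return 0;
}
```

The push %edi / push %esi prologue is the one the original table rejects and the patched one accepts, which is exactly the "local functions hook, library functions don’t" symptom. The last sample is the reason the table is a whitelist rather than a generic length decoder: a call rel32 (or any relative jump) would be silently wrong once copied to the island, so neither table should ever match it, and a correct fix adds entries only for instructions that mean the same thing at a different address. If a hook still fails after the patch, disassemble the first few bytes of the target (otool -tv, or a debugger) and check each instruction against the table; whatever it stops on is the entry you need to add, as the commenter below did for mov moffs32,%eax.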

Hopefully this helps someone who was banging their head against the wall trying to figure this out like I was!

2 Responses to “mach_override on Intel Macs”


  • THANKS MAN! it worked <3 and yesh I've been banging my head to the wall

  • Had to leave a note here, I ran into a VERY similar problem where some functions were hooked, and others weren’t. So I simply had to add:
    { 0x5, {0xFF, 0x00, 0x00, 0x00, 0x00}, {0xA1, 0x00, 0x00, 0x00, 0x00} }, // mov dword_????, %eax (A1 moffs32)

    Basically it would be when you’re executing a line such as:
    mov eax, ds:dword_DE4532
