Parameters of guarded_open_np

Question

I found that guarded_open_np function is used by libsqlite3.dylib to open database file. I had a look into sqlite3 open source, there was no such thing. So definitely Apple has modified it to use guarded_open_np instead of unix's open.

I know that guarded_open_np is a private API and I found neither header nor documentation about it. I want to do interception (Cydia's MSFunctionHook) on guarded_open_np, so I need to know what are the parameters as well, not just the function name.

I reverse-engineered libsqlite3.dylib using IDA Pro, this is how it called guarded_open_np:

sub_79c1c:
push {r7, lr}
mov r7, sp
sub sp, #0x4
mov r3, r1
movw r1, #0xc57e
movt r1, #0x0
str r2, [sp, #0x4 + var_0]
add r1, pc
movs r2, #0xf
blx imp___picsymbolstub4__guarded_open_np
add sp, #0x4
pop {r7, pc}     

However, it is still not clear what params it could take. I appreciate much if there is some official site mentioning guarded_open_np with all its parameters.

Answer 1

From the information that's here, I don't believe we'll be able to give a solid answer, though CodaFi's is a good suggestion.

That said, here are some references that may be helpful in giving you the tools to find out yourself:

First, you probably already know, but learn about registers and the stack.

In assembly, to call a function you typically follow something called an Application Binary Interface (ABI) which just sets up conventions like where functions expect their arguments to be (registers, stack etc), which registers a function call is allowed to change et cetera.

Since this is iOS, you should be looking at the Procedure Call Standard for ARM Architecture and the iOS ABI Function Call Guide.

Looking at the "Basic Procedure Call Standard" section in the first link above, you can tell that function calls expect their first four arguments to be in registers r0~r4, respectively.

So for your investigation, you probably want to find out what's in these registers right before branching into guarded_open_np stub. XCode can spit out the assembly of a file for you, and you should be able to set breakpoints on it; then use the register read command in llvm to show you all your register contents (note some of the registers may just contain memory locations which you will want to examine with the memory read lldb commands).

For digging in a bit more into iOS assembly, I recommend Mike Ash's 3-part blog post "Disassembling the Assembly" parts 1, 2 and 3. Then you might like his recent post on the ARM 64 bit updates. These are informal resources but do help you get to grips quickly with scanning assembly and knowing generally what is going on where.

Answer 2

See https://opensource.apple.com/source/xnu/xnu-7195.81.3/libsyscall/wrappers/guarded_open_np.c

int guarded_open_np(const char *path,
const guardid_t *guard, u_int guardflags, int flags, ...)

(On a lighter note, what's the record for the longest duration between a question and its answer? :))