Instacrash when searching #70
Comments
I just noticed that when I change the protection type to "Write", Bit Slicer "survives" a bit longer. I see the progress circle in the lower right corner start to do something before it crashes. When protection type is "All", the crash is truly instant. |
Hm. Do you have the full crash log? Does it only occur on a specific app/game? If you run a deep codesign verification check in Terminal on Bit Slicer, what does it output (and does it fail)? (assuming Bit Slicer is in /Applications/)
If it fails, it means the application on disk was likely modified / hampered / corrupt, which may result in a bad code signature. There is also a pre-release of version 1.7.10 here: https://github.com/zorgiepoo/Bit-Slicer/releases but other than it being compiled more recently, I haven't seen this issue before. |
The codesign verification passes:
Is there anything in particular from the crash report you'd want to see? I hesitate to include the entire report, given that there's potentially sensitive information in that report. I think it's possible that there are some IT security based services that could possibly be in play here as well. The crash happens on a machine that uses SentinelOne security software, while the other machine where it doesn't crash is a standard, unmanaged machine. For what it's worth, the recently released Cheat Engine for macOS has no issues searching for and modifying locations on memory. I'll see if the 1.7.10 pre-release crashes as well and report back. |
Here's a section of the crash report from the pre-release:
I don't recall, but should SIP be disabled for Bit Slicer to work properly? I'm pretty sure on the machine where Bit Slicer works, SIP is disabled. |
The backtrace of the crashed thread if there is one so I can see the spot in code that triggered this violation. And the state of the registers. You can strip/replace any paths or names that you see there that are sensitive information (some of the generated crash log may already be stripped of sensitive information.)
SIP or 3rd party kexts installed could potentially impact things.
If the application is not opted into the Hardened Runtime (or similar security enforcement), then no, it should not be required to disable SIP. Increasingly, more applications are opting into Hardened Runtime and it might be required these days for developers notarizing their applications. So the answer is generally becoming "yes". |
The other piece of interesting information is if this issue is isolated to targeting this one app/game. If Cheat Engine works fine, it may be some specific code in Bit Slicer triggering it (or a different configuration or SIP being disabled with that test). |
https://scrivener.tenderapp.com/help/kb/macos-troubleshooting/known-issues-2
Hah, this actually surprises me. Well I suppose that is worth checking too. |
As Scrivener's page notes, you may want to see if "sentinel" followed by ".dylib" is in the crash log somewhere (e.g. sentinel-4581354897452564.dylib) |
More info here bdkjones/CodeKit#520 Please let me know if the sentinel dylib is in the crash log and you have SIP enabled. Bit Slicer opts into Hardened Runtime, so it should not normally be possible for code to be injected into Bit Slicer (when SIP is enabled), unless perhaps they also install a kernel extension (kext) of their own. |
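The check asked for in the two comments above (is a `sentinel-<digits>.dylib` among the images loaded into the crashed process), as an added example that is not from this thread or the Bit Slicer project. It assumes the plain-text crash report layout with a `Path:` header and a `Binary Images:` section; the sample report, its addresses, UUIDs, bundle identifier and the sentinel path are constructed, and the trusted prefixes are an assumption.

```python
import re

# Constructed excerpt laid out like the "Binary Images" section of a macOS
# text crash report; addresses, UUIDs and the sentinel path are made up.
SAMPLE_REPORT = """\
Process:               Bit Slicer [1234]
Path:                  /Applications/Bit Slicer.app/Contents/MacOS/Bit Slicer

Binary Images:
       0x100000000 -        0x1000fffff +com.example.BitSlicer (1.7.9 - 1135) <11111111-1111-1111-1111-111111111111> /Applications/Bit Slicer.app/Contents/MacOS/Bit Slicer
       0x100200000 -        0x10020ffff +sentinel-4581354897452564.dylib (0) <22222222-2222-2222-2222-222222222222> /private/var/constructed/sentinel-4581354897452564.dylib
    0x7fff20000000 -     0x7fff2000ffff  libsystem_kernel.dylib (1.0) <33333333-3333-3333-3333-333333333333> /usr/lib/system/libsystem_kernel.dylib
"""

# One image per line: load range, name, version, <UUID>, then the on-disk path.
IMAGE_LINE = re.compile(
    r"^[ \t]*0x[0-9a-f]+[ \t]+-[ \t]+0x[0-9a-f]+[ \t]+.*?<[0-9A-Fa-f-]+>[ \t]+(/.+)$",
    re.MULTILINE,
)
SYSTEM_PREFIXES = ("/System/", "/usr/lib/")  # assumption: treated as OS-owned


def binary_images(report):
    """Return the on-disk path of every image listed under 'Binary Images:'."""
    _, found, section = report.partition("Binary Images:")
    return [p.strip() for p in IMAGE_LINE.findall(section)] if found else []


def app_bundle(report):
    """Derive the crashed app's bundle root from the report's 'Path:' header."""
    m = re.search(r"^Path:[ \t]+(.*?\.app/)", report, re.MULTILINE)
    return m.group(1) if m else None


def foreign_images(report):
    """Images loaded from outside the OS and outside the app's own bundle."""
    bundle = app_bundle(report)
    trusted = SYSTEM_PREFIXES + ((bundle,) if bundle else ())
    return [p for p in binary_images(report) if not p.startswith(trusted)]


def sentinel_images(report):
    """Foreign images whose file name matches sentinel-<digits>.dylib."""
    pat = re.compile(r"/sentinel-\d+\.dylib$")
    return [p for p in foreign_images(report) if pat.search(p)]
```

`foreign_images` also surfaces any other library loaded from outside the system and the app bundle, which is the broader signal when a code-signed, Hardened Runtime app crashes on a managed machine only.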
Sentinel is indeed in the crash log:
SIP is enabled on the machine where Bit Slicer crashes. At this point, I think it's fair to say that Sentinel is the cause of the crash. And Sentinel does have their own kext:
|
Thanks for the info and confirming this. This is more problematic by the fact that Bit Slicer is code signed (as it should be), but at this point I don't think there's anything I can do here. Kernel extensions like these were deprecated if I recall correctly and future versions of macOS (maybe Big Sur or something?) may stop loading them at least when SIP is enabled. Otherwise if version 4.3.0 is out of date and a newer version does "fix" this issue you may need to get their software updated. Other software like Scrivener is also impacted. |
When running the latest Bit Slicer 1.7.9 (1135) on macOS 10.15.7 (19H2), Bit Slicer crashes immediately when trying to search for an unsigned 32-bit integer. Protection is "all", Endianness is little.
Each time, the crash report says:
I can check the behavior on another machine, but I also know it worked fine when searching the same value for the same application on that machine two days ago. The macOS version may be different, but it's also a build of Catalina at least.