Instacrash when searching #70

Closed
elbowdonkey opened this issue Oct 18, 2020 · 11 comments

@elbowdonkey

When running the latest Bit Slicer 1.7.9 (1135) on macOS 10.15.7 (19H2), Bit Slicer crashes immediately when trying to search for an unsigned 32-bit integer. Protection is "all", Endianness is little.

Each time, the crash report says:

Exception Type:        EXC_BAD_ACCESS (Code Signature Invalid)
Exception Codes:       0x0000000000000032, 0x0000000107822000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace CODESIGNING, Code 0x2

I can check the behavior on another machine, but I also know it worked fine when searching the same value for the same application on that machine two days ago. The macOS version may be different, but it's also a build of Catalina at least.

@elbowdonkey
Author

I just noticed that when I change the protection type to "Write", Bit Slicer "survives" a bit longer. I see the progress circle in the lower right corner start to do something before it crashes. When protection type is "All", the crash is truly instant.

@zorgiepoo
Owner

zorgiepoo commented Oct 18, 2020

Hm. Do you have the full crash log?

Does it only occur on a specific app/game?

If you run a deep codesign verification check in Terminal on Bit Slicer, what does it output (and does it fail)? (assuming Bit Slicer is in /Applications/)

codesign -vvv --verify --deep /Applications/Bit\ Slicer.app/

If it fails, it means the application on disk was likely modified / hampered / corrupt, which may result in a bad code signature.

There is also a pre-release of version 1.7.10 here: https://github.com/zorgiepoo/Bit-Slicer/releases but other than it being compiled more recently, I haven't seen this issue before.

@elbowdonkey
Author

The codesign verification passes:

--prepared:/Applications/Bit Slicer.app/Contents/MacOS/yasm
--validated:/Applications/Bit Slicer.app/Contents/MacOS/yasm
--prepared:/Applications/Bit Slicer.app/Contents/Frameworks/ShortcutRecorder.framework/Versions/Current/.
--prepared:/Applications/Bit Slicer.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
--prepared:/Applications/Bit Slicer.app/Contents/Frameworks/DDMathParser.framework/Versions/Current/.
--prepared:/Applications/Bit Slicer.app/Contents/Frameworks/HexFiend.framework/Versions/Current/.
--validated:/Applications/Bit Slicer.app/Contents/Frameworks/DDMathParser.framework/Versions/Current/.
--prepared:/Applications/Bit Slicer.app/Contents/Frameworks/Python.framework/Versions/Current/.
--validated:/Applications/Bit Slicer.app/Contents/Frameworks/HexFiend.framework/Versions/Current/.
--validated:/Applications/Bit Slicer.app/Contents/Frameworks/ShortcutRecorder.framework/Versions/Current/.
--validated:/Applications/Bit Slicer.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
--validated:/Applications/Bit Slicer.app/Contents/Frameworks/Python.framework/Versions/Current/.
/Applications/Bit Slicer.app/: valid on disk
/Applications/Bit Slicer.app/: satisfies its Designated Requirement

Is there anything in particular from the crash report you'd want to see? I hesitate to include the entire report, given that there's potentially sensitive information in that report.

I think it's possible that there are some IT security based services that could possibly be in play here as well. The crash happens on a machine that uses SentinelOne security software, while the other machine where it doesn't crash is a standard, unmanaged machine.

For what it's worth, the recently released Cheat Engine for macOS has no issues searching for and modifying locations on memory.

I'll see if the 1.7.10 pre-release crashes as well and report back.

@elbowdonkey
Author

Here's a section of the crash report from the pre-release:

System Integrity Protection: enabled

Notes:                 Translocated Process

Crashed Thread:        6  Dispatch queue: com.apple.root.default-qos

Exception Type:        EXC_BAD_ACCESS (Code Signature Invalid)
Exception Codes:       0x0000000000000032, 0x000000010f61a000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace CODESIGNING, Code 0x2

I don't recall, but should SIP be disabled for Bit Slicer to work properly? I'm pretty sure on the machine where Bit Slicer works, SIP is disabled.

@zorgiepoo
Owner

zorgiepoo commented Oct 20, 2020

> Is there anything in particular from the crash report you'd want to see? I hesitate to include the entire report, given that there's potentially sensitive information in that report.

The backtrace of the crashed thread, if there is one, so I can see the spot in code that triggered this violation. And the state of the registers. You can strip/replace any paths or names you see there that are sensitive information (some of the generated crash log may already be stripped of sensitive information).

> I think it's possible that there are some IT security based services that could possibly be in play here as well. The crash happens on a machine that uses SentinelOne security software, while the other machine where it doesn't crash is a standard, unmanaged machine.

SIP or 3rd party kexts installed could potentially impact things.

> I don't recall, but should SIP be disabled for Bit Slicer to work properly? I'm pretty sure on the machine where Bit Slicer works, SIP is disabled.

If the application is not opted into the Hardened Runtime (or similar security enforcement), then no, it should not be required to disable SIP. Increasingly, more applications are opting into Hardened Runtime and it might be required these days for developers notarizing their applications. So the answer is generally becoming "yes".

@zorgiepoo
Owner

The other piece of interesting information is if this issue is isolated to targeting this one app/game. If Cheat Engine works fine, it may be some specific code in Bit Slicer triggering it (or a different configuration or SIP being disabled with that test).

@zorgiepoo
Owner

https://scrivener.tenderapp.com/help/kb/macos-troubleshooting/known-issues-2

> Crash on launch with CODESIGNING error
>
> Symptoms
> Scrivener or Scapple crashes when launching the software. The crash log will contain the following information toward the top of the report:
>
> Exception Type: EXC_BAD_ACCESS (Code Signature Invalid)
> Exception Codes: 0x0000000000000032, 0x000000010fb275c0
> Exception Note: EXC_CORPSE_NOTIFY
>
> Termination Reason: Namespace CODESIGNING, Code 0x2
>
> Further in the report, the appearance of the text "sentinel" will appear, followed by a string of numbers, followed by ".dylib". For example: sentinel-4581354897452564.dylib.
>
> Cause
> This crash is caused by a conflict with an older version of SentinelOne security software. Some unknown process in that software is causing Scrivener and Scapple to fail the code signing check (which is used by Apple to verify the authenticity of your software), despite our software all being correctly code signed and notarised.
>
> Workaround
> The most recent versions of SentinelOne have been patched to fix the conflict that was causing hardened software like ours to crash. You should update to this version, or submit a request to your IT department to do so.
>
> If you are working in a context where SentinelOne cannot be updated, you may download an older version of Scrivener 3.1.1 or Scapple 1.3.1, which both have a lower level of security, but should function in tandem with SentinelOne.
>
> Please do note that this version uses an outdated activation system, tied to a company that is no longer in business. When their activation servers go down, you may have to manually cancel activation every time the software is launched. We apologise for this inconvenience.

Hah, this actually surprises me. Well I suppose that is worth checking too.

@zorgiepoo
Owner

As Scrivener's page notes, you may want to see if "sentinel" followed by ".dylib" is in the crash log somewhere (e.g. sentinel-4581354897452564.dylib)

@zorgiepoo
Owner

zorgiepoo commented Oct 20, 2020

More info here bdkjones/CodeKit#520

Please let me know if the sentinel dylib is in the crash log and you have SIP enabled. Bit Slicer opts into Hardened Runtime, so it should not normally be possible for code to be injected into Bit Slicer (when SIP is enabled), unless perhaps they also install a kernel extension (kext) of their own.

@elbowdonkey
Author

elbowdonkey commented Oct 20, 2020

Sentinel is indeed in the crash log:

0x1098f2000 -        0x109911fff +sentinel.dylib (0) <BF124B80-0B07-3D96-AC17-A73211284B1D> /usr/local/lib/sentinel.dylib

SIP is enabled on the machine where Bit Slicer crashes.

At this point, I think it's fair to say that Sentinel is the cause of the crash.

And Sentinel does have their own kext:

Sentinel:
  Version:	4.3.0
  Last Modified:	10/8/18, 9:54 AM
  Bundle ID:	com.sentinelone.sentinel-kext
  Notarized:	Yes
  Loaded:	Yes
  Obtained from:	Identified Developer
  Kind:	Intel
  Architectures:	x86_64
  64-Bit (Intel):	Yes
  Location:	/Library/Extensions/Sentinel.kext
  Kext Version:	3277
  Load Address:	18446743521879093000
  Loadable:	Yes
  Dependencies:	Deprecated
  Signed by:	Developer ID Application: Sentinel Labs Inc. (4AYE5J54KN), Developer ID Certification Authority, Apple Root CA

@zorgiepoo
Owner

Thanks for the info and confirming this. This is more problematic by the fact that Bit Slicer is code signed (as it should be), but at this point I don't think there's anything I can do here. Kernel extensions like these were deprecated if I recall correctly and future versions of macOS (maybe Big Sur or something?) may stop loading them at least when SIP is enabled. Otherwise if version 4.3.0 is out of date and a newer version does "fix" this issue you may need to get their software updated. Other software like Scrivener is also impacted.
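
The triage done by hand in this thread (a CODESIGNING termination plus a library in the Binary Images list that came from neither the app bundle nor the OS) can be scripted for support queues. This is an added example, not code from the thread or from Bit Slicer; the names `parse_images`, `triage`, `TRUSTED_PREFIXES` and the `Example.app` and `libsystem_c.dylib` sample lines are assumptions made for illustration.

```python
import re

# Constructed crash-report excerpt. The header lines and the sentinel.dylib
# entry follow the thread; the other two image lines are made up.
SAMPLE = """\
Exception Type:        EXC_BAD_ACCESS (Code Signature Invalid)
Exception Codes:       0x0000000000000032, 0x0000000107822000
Termination Reason:    Namespace CODESIGNING, Code 0x2

Binary Images:
       0x107000000 -        0x1070fffff +com.example.app (1.0) <11111111-2222-3333-4444-555555555555> /Applications/Example.app/Contents/MacOS/Example
       0x1098f2000 -        0x109911fff +sentinel.dylib (0) <BF124B80-0B07-3D96-AC17-A73211284B1D> /usr/local/lib/sentinel.dylib
    0x7fff20000000 -     0x7fff2000ffff  libsystem_c.dylib (1353.100.2) <AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE> /usr/lib/system/libsystem_c.dylib
"""

# start - end [+]name (version) <UUID> /path
IMAGE_RE = re.compile(
    r"^\s*(0x[0-9a-fA-F]+)\s+-\s+(0x[0-9a-fA-F]+)\s+\+?(.+?)\s+\([^)]*\)"
    r"\s+<[0-9A-Fa-f-]+>\s+(/.*)$")

# Assumption: images under these prefixes ship with macOS and are expected.
TRUSTED_PREFIXES = ("/System/", "/usr/lib/")


def parse_images(report):
    """Return one dict per Binary Images line found in the report text."""
    images = []
    for line in report.splitlines():
        m = IMAGE_RE.match(line)
        if m:
            images.append({"start": int(m.group(1), 16),
                           "end": int(m.group(2), 16),
                           "name": m.group(3),
                           "path": m.group(4).strip()})
    return images


def triage(report, bundle_path):
    """Flag a code-signing kill and list images foreign to bundle and OS."""
    killed = ("Code Signature Invalid" in report and re.search(
        r"Termination Reason:\s+Namespace CODESIGNING", report) is not None)
    foreign = [img["path"] for img in parse_images(report)
               if not img["path"].startswith(bundle_path)
               and not img["path"].startswith(TRUSTED_PREFIXES)]
    return {"codesigning_kill": killed, "foreign_images": foreign}


if __name__ == "__main__":
    print(triage(SAMPLE, "/Applications/Example.app/"))
```

A report that shows `codesigning_kill` together with a non-empty `foreign_images` list points at injected third-party code rather than a damaged app bundle, which matches the passing `codesign --verify --deep` result earlier in the thread.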
