
I am trying to port a tool to OS X which is designed to run on Linux and FreeBSD. There is a case in the program where access to the EIP and EBP is needed. This is done via the ucontext.

So I added a case for __APPLE__ to place a suitable access to the ucontext struct.

    #if defined(__FreeBSD__)
            *paddr = uc->uc_mcontext.mc_eip;
    #elif defined(__dietlibc__)
            *paddr = uc->uc_mcontext.eip;
    #elif defined(__APPLE__)
            *paddr = uc->uc_mcontext.ss.eip;        /* the new OS X case: does not compile */
    #else
            *paddr = uc->uc_mcontext.gregs[REG_EIP]; /* glibc */
    #endif

But uc->uc_mcontext.ss.eip doesn't compile. Not sure how to access the EIP from the ucontext.

cgp
optixx

1 Answer

It appears the naming scheme changed in OS X 10.5, where it should be uc->uc_mcontext->__ss.__eip. On later versions this is uc->uc_mcontext->__ss.__rip for x86_64.

Found by a quick Google search; refs: 1, 2

Hasturkun
  • Thx, also __ss is a pointer. So it has to be: uc->uc_mcontext->__ss.__eip; – optixx Apr 28 '09 at 13:08
  • It appears that it is now called "__rip", not "__eip", so it is now: uc->uc_mcontext->__ss.__rip; – Christopher Smith Dec 09 '13 at 01:33
  • it's `__eip` for 32bit processes (`i386`) and `__rip` for 64bit processes (`x86_64`). This only applies to Intel CPUs, on the iPhone/iPad/Apple Watch/Apple TV/... it'd be different. – Johannes Weiss Sep 13 '16 at 11:37
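The accessors discussed in the answer and comments, put to work in a complete program. This is an added example, not code from the question or the answer: it wraps the per-platform field names behind one `pc_from_ucontext()` helper (the macOS `__ss.__rip` / `__ss.__eip`, FreeBSD `mc_eip` and glibc `gregs[REG_EIP]` forms are the ones on this page; the FreeBSD amd64 `mc_rip`, glibc x86_64 `REG_RIP` and glibc aarch64 `uc_mcontext.pc` cases are added from the respective platform headers), then installs a SA_SIGINFO fault handler and provokes a fault on a page mapped PROT_NONE so the handler can report which instruction faulted. The function name `probe_fault_pc` and the PROT_NONE-page probe are this example's own construction; the `REG_RIP`/`REG_EIP` numeric fallbacks are the glibc enum values, used only if `_GNU_SOURCE` was not seen by the headers.

```c
/* Added example: read the program counter out of the ucontext_t passed
 * to a SA_SIGINFO handler, one accessor per platform field layout. */
#define _GNU_SOURCE          /* glibc: exposes REG_RIP / REG_EIP */
#include <inttypes.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

/* glibc enum values, used only if the headers were read without _GNU_SOURCE. */
#ifndef REG_RIP
#define REG_RIP 16
#endif
#ifndef REG_EIP
#define REG_EIP 14
#endif

/* Program counter at the moment the signal was delivered. */
static uintptr_t pc_from_ucontext(const ucontext_t *uc)
{
#if defined(__APPLE__) && defined(__x86_64__)
    return (uintptr_t)uc->uc_mcontext->__ss.__rip;   /* 64-bit Intel macOS */
#elif defined(__APPLE__) && defined(__i386__)
    return (uintptr_t)uc->uc_mcontext->__ss.__eip;   /* 32-bit Intel macOS */
#elif defined(__FreeBSD__) && defined(__x86_64__)
    return (uintptr_t)uc->uc_mcontext.mc_rip;
#elif defined(__FreeBSD__) && defined(__i386__)
    return (uintptr_t)uc->uc_mcontext.mc_eip;
#elif defined(__linux__) && defined(__x86_64__)
    return (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
#elif defined(__linux__) && defined(__i386__)
    return (uintptr_t)uc->uc_mcontext.gregs[REG_EIP];
#elif defined(__linux__) && defined(__aarch64__)
    return (uintptr_t)uc->uc_mcontext.pc;
#else
#error "no ucontext program-counter accessor for this platform"
#endif
}

static sigjmp_buf recover;                 /* where the handler unwinds to */
static volatile uintptr_t faulting_pc;     /* PC recorded by the handler */

static void fault_handler(int signo, siginfo_t *si, void *ctx)
{
    (void)signo; (void)si;
    faulting_pc = pc_from_ucontext((const ucontext_t *)ctx);
    siglongjmp(recover, 1);                /* leave the fault; mask is restored */
}

/* Install the handler, touch a PROT_NONE page so the access is certain to
 * fault, and hand back the PC the handler saw. Returns 1 if the fault was
 * caught, 0 otherwise. The original handlers are restored before returning. */
int probe_fault_pc(uintptr_t *pc_out)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);      /* macOS reports some faults as SIGBUS */

    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *guard = mmap(NULL, page, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int caught = 0;
    if (guard != MAP_FAILED) {
        if (sigsetjmp(recover, 1) == 0) {
            *(volatile int *)guard = 1;    /* the faulting instruction */
        } else {
            caught = 1;
            *pc_out = faulting_pc;
        }
        munmap(guard, page);
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return caught;
}

int main(void)
{
    uintptr_t pc = 0;
    if (probe_fault_pc(&pc))
        printf("fault caught at pc = 0x%" PRIxPTR "\n", pc);
    else
        puts("no fault caught");
    return 0;
}
```

The PROT_NONE mapping is used instead of a literal NULL store because a compiler that can prove a dereference is NULL may replace it with a trap instruction, which arrives as SIGILL rather than SIGSEGV. Running the probe twice returns the same PC, since it is the address of the same store instruction each time.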