% python3 mte_apply_directpanic_hook_v1.py patch kcwithbinarygeckokexts.kc --output KC_WITH_MTEPANICHELPER_HOOKED
Helper hook target:
  entry: com.binarygecko.mtepanichelper
  magic VA: 0xfffffe000b758000
  magic loc: __TEXT_EXEC:__text+0x0
  target VA: 0xfffffe000b758010
  target loc: __TEXT_EXEC:__text+0x10
Found 1 candidate hook site(s).
Candidate #1
  string VA: 0xfffffe000706d6e3
  string loc: __TEXT:__cstring+0x27d23
  xref kind: ADRP+ADD
  xref VA: 0xfffffe000b969948
  xref loc: __TEXT_EXEC:__text+0x20b948
  MSG_FMT register: x22
  MOV X0,MSG reg: yes
  patch BL VA: 0xfffffe000b969954
  patch BL loc: __TEXT_EXEC:__text+0x20b954
  original BL tgt: 0xfffffe000b7648d0 ; should be strlen(MSG_FMT)
  helper scan test: ok
  pattern loc: __TEXT_EXEC:__text+0x20b9d0
  panic BL VA: 0xfffffe000b9699d8
  panic target: 0xfffffe000c0f4c10
  context around patch BL:
     0xfffffe000b96993c file+0x496593c 911d3c00 __TEXT_EXEC:__text+0x20b93c
     0xfffffe000b969940 file+0x4965940 941ded46 __TEXT_EXEC:__text+0x20b940 ; BL 0xfffffe000c0e4e58
     0xfffffe000b969944 file+0x4965944 910083ff __TEXT_EXEC:__text+0x20b944
     0xfffffe000b969948 file+0x4965948 90fdb836 __TEXT_EXEC:__text+0x20b948
     0xfffffe000b96994c file+0x496594c 911b8ed6 __TEXT_EXEC:__text+0x20b94c
     0xfffffe000b969950 file+0x4965950 aa1603e0 __TEXT_EXEC:__text+0x20b950
  => 0xfffffe000b969954 file+0x4965954 97f7ebdf __TEXT_EXEC:__text+0x20b954 ; BL 0xfffffe000b7648d0
     0xfffffe000b969958 file+0x4965958 aa0003f7 __TEXT_EXEC:__text+0x20b958
     0xfffffe000b96995c file+0x496595c 90fdb820 __TEXT_EXEC:__text+0x20b95c
     0xfffffe000b969960 file+0x4965960 911c7c00 __TEXT_EXEC:__text+0x20b960
     0xfffffe000b969964 file+0x4965964 97f7ebdb __TEXT_EXEC:__text+0x20b964 ; BL 0xfffffe000b7648d0
     0xfffffe000b969968 file+0x4965968 aa0003f8 __TEXT_EXEC:__text+0x20b968
     0xfffffe000b96996c file+0x496596c 90fdb820 __TEXT_EXEC:__text+0x20b96c
  context around panic call pattern:
     0xfffffe000b9699c0 file+0x49659c0 aa1703e0 __TEXT_EXEC:__text+0x20b9c0
     0xfffffe000b9699c4 file+0x49659c4 aa1603e2 __TEXT_EXEC:__text+0x20b9c4
     0xfffffe000b9699c8 file+0x49659c8 94117659 __TEXT_EXEC:__text+0x20b9c8 ; BL 0xfffffe000bdc732c
     0xfffffe000b9699cc file+0x49659cc 910043ff __TEXT_EXEC:__text+0x20b9cc
     0xfffffe000b9699d0 file+0x49659d0 aa1703e0 __TEXT_EXEC:__text+0x20b9d0
     0xfffffe000b9699d4 file+0x49659d4 aa1303e1 __TEXT_EXEC:__text+0x20b9d4
  => 0xfffffe000b9699d8 file+0x49659d8 941e2c8e __TEXT_EXEC:__text+0x20b9d8 ; BL 0xfffffe000c0f4c10
     0xfffffe000b9699dc file+0x49659dc 941dea2c __TEXT_EXEC:__text+0x20b9dc ; BL 0xfffffe000c0e428c
     0xfffffe000b9699e0 file+0x49659e0 f9406d09 __TEXT_EXEC:__text+0x20b9e0
     0xfffffe000b9699e4 file+0x49659e4 d10083ff __TEXT_EXEC:__text+0x20b9e4
     0xfffffe000b9699e8 file+0x49659e8 5281c80a __TEXT_EXEC:__text+0x20b9e8
     0xfffffe000b9699ec file+0x49659ec f0fdb80b __TEXT_EXEC:__text+0x20b9ec
     0xfffffe000b9699f0 file+0x49659f0 9138216b __TEXT_EXEC:__text+0x20b9f0
  patch command equivalent:
    python3 macho_fileset_branch_v3.py patch 'kcwithbinarygeckokexts.kc' --link --patch 'com.apple.kernel __TEXT_EXEC:__text+0x20b954 com.binarygecko.mtepanichelper __TEXT_EXEC:__text+0x10' --output KC_HOOKED
Wrote KC_WITH_MTEPANICHELPER_HOOKED
Applied patch:
  source entry: com.apple.kernel
  source loc: __TEXT_EXEC:__text+0x20b954
  source VA: 0xfffffe000b969954
  source fileoff: 0x4965954
  original insn: 0x97f7ebdf
  target entry: com.binarygecko.mtepanichelper
  target loc: __TEXT_EXEC:__text+0x10
  target VA: 0xfffffe000b758010
  new insn: 0x97f7b9af (BL)
Next checks in your disassembler/debugger:
  1. The patched instruction should be the first strlen(MSG_FMT) BL.
  2. The new instruction should be a BL to the helper magic+0x10 target.
  3. LR in the helper should equal patched_BL_address+4.
  4. The helper scanner should find MOV X0,X23; MOV X1,X19; BL panic_with_thread_kernel_state.
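The arithmetic behind the "original insn" / "new insn" words and the helper-scanner check can be reproduced independently of the tool, which is a useful way to review a kernel-collection patch before booting it. The following is an added example, not part of the transcript above and not code from mte_apply_directpanic_hook_v1.py or macho_fileset_branch_v3.py: it encodes and decodes AArch64 BL instructions (opcode 0x94000000 plus a signed 26-bit word offset), re-derives the strlen target and the helper BL from the printed VAs, and runs check 4 from the "Next checks" list over the dumped panic-call context words. All addresses and instruction words are copied from the tool output; the function names are my own, and MOV Xd,Xm is matched through its standard ORR Xd,XZR,Xm encoding.

```python
# Added example: AArch64 BL encode/decode and a scanner for the
# "MOV X0,X23; MOV X1,X19; BL ..." panic-call pattern, checked against the
# VAs and instruction words printed by the patch tool above.

BL_OPCODE = 0x94000000
IMM26_MASK = 0x03FFFFFF
MASK64 = (1 << 64) - 1


def encode_bl(src_va: int, dst_va: int) -> int:
    """Return the BL word that, placed at src_va, branches to dst_va."""
    delta = dst_va - src_va
    if delta % 4:
        raise ValueError("branch target must be 4-byte aligned")
    imm26 = delta >> 2                      # signed word offset
    if not -(1 << 25) <= imm26 < (1 << 25):
        raise ValueError("target outside the +/-128 MiB BL range")
    return BL_OPCODE | (imm26 & IMM26_MASK)  # mask gives two's-complement imm26


def decode_bl(src_va: int, insn: int) -> int:
    """Given a BL word located at src_va, return the VA it branches to."""
    if (insn & ~IMM26_MASK) != BL_OPCODE:
        raise ValueError(f"0x{insn:08x} is not a BL")
    imm26 = insn & IMM26_MASK
    if imm26 & (1 << 25):                    # sign-extend the 26-bit field
        imm26 -= 1 << 26
    return (src_va + (imm26 << 2)) & MASK64


def decode_mov_reg(insn: int):
    """If insn is MOV Xd, Xm (alias of ORR Xd, XZR, Xm), return (d, m); else None."""
    if (insn & 0xFFE0FFE0) != 0xAA0003E0:
        return None
    return insn & 0x1F, (insn >> 16) & 0x1F


def find_panic_call(base_va: int, words):
    """Check 4 from the log: locate MOV X0,X23; MOV X1,X19; BL in a run of
    instruction words starting at base_va. Returns (pattern_va, bl_va, bl_target)
    or None. Note the first word of the dump is also MOV X0,X23 but is followed
    by MOV X2,X22, so the scanner must match the whole three-instruction pattern."""
    for i in range(len(words) - 2):
        if (decode_mov_reg(words[i]) == (0, 23)
                and decode_mov_reg(words[i + 1]) == (1, 19)
                and (words[i + 2] & ~IMM26_MASK) == BL_OPCODE):
            bl_va = base_va + 4 * (i + 2)
            return base_va + 4 * i, bl_va, decode_bl(bl_va, words[i + 2])
    return None


def expected_lr(bl_va: int) -> int:
    """Check 3 from the log: BL stores the address of the next instruction in LR."""
    return bl_va + 4


# Values copied from the tool output above.
PATCH_BL_VA = 0xfffffe000b969954
HELPER_TARGET_VA = 0xfffffe000b758010
ORIGINAL_INSN = 0x97f7ebdf   # BL strlen
NEW_INSN = 0x97f7b9af        # BL helper magic+0x10

PANIC_CTX_BASE = 0xfffffe000b9699c0
PANIC_CTX_WORDS = [
    0xaa1703e0, 0xaa1603e2, 0x94117659, 0x910043ff,
    0xaa1703e0, 0xaa1303e1, 0x941e2c8e, 0x941dea2c,
    0xf9406d09, 0xd10083ff, 0x5281c80a, 0xf0fdb80b, 0x9138216b,
]

if __name__ == "__main__":
    print("original BL target:", hex(decode_bl(PATCH_BL_VA, ORIGINAL_INSN)))
    print("new BL word:       ", hex(encode_bl(PATCH_BL_VA, HELPER_TARGET_VA)))
    print("helper LR:         ", hex(expected_lr(PATCH_BL_VA)))
    print("panic call:        ", [hex(v) for v in find_panic_call(PANIC_CTX_BASE, PANIC_CTX_WORDS)])
```

Running it reproduces the log: the original word decodes to the strlen target 0xfffffe000b7648d0, the helper target encodes to 0x97f7b9af, and the scanner reports the pattern at 0xfffffe000b9699d0 with the BL at 0xfffffe000b9699d8 reaching 0xfffffe000c0f4c10. The same two functions also decode the ";
 BL" annotations on the other context lines, so they can be used to cross-check any BL the tool prints.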
cat configure-boot.sh
#!/bin/sh
kmutil configure-boot -v /Volumes/Macintosh\ HD -c KC_WITH_MTEPANICHELPER_HOOKED

CRASH part

% ./mtetoyctl malloc 128
rc=0
size = 0x0000000000000080
addr = 0xf2fffe1e466a9080
tag = 0xf2, untagged = 0x00fffe1e466a9080
% ./mtetoyctl write 4 0xf7fffe1e466a9080 0x33445566