The killer sequence of bytes is: "\xff\x8c\xf9\xff\xff\x9b\xf9"
You can reproduce the crash with this program:
#include <stdint.h>
#include <stdio.h>
#include <capstone.h>
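/*
 * Minimal reproducer: feed the 7-byte sequence from this report to the
 * x86-32 disassembler and print whatever comes back. According to the
 * backtrace above, the abort happens inside cs_disasm_dyn() (in the Intel
 * instruction printer's strcpy), so the loop below is normally never reached.
 *
 * Returns 0 on success, 1 if the Capstone handle cannot be opened.
 */
int main(void) {
    /* Keep the input as raw bytes so the length comes from sizeof instead
     * of the hard-coded 7 the original program passed alongside the literal. */
    static const uint8_t code[] = { 0xff, 0x8c, 0xf9, 0xff, 0xff, 0x9b, 0xf9 };
    csh handle;
    cs_insn *insn = NULL;
    size_t n;

    /* cs_open() reports failure through its cs_err return value. */
    if (cs_open(CS_ARCH_X86, CS_MODE_32, &handle) != CS_ERR_OK) {
        printf("Failed\n");
        return 1;
    }

    /* Disassemble everything (count 0) starting at address 0; on success
     * `insn` points at a library-allocated array of n instructions. */
    n = cs_disasm_dyn(handle, code, sizeof code, 0, 0, &insn);

    for (size_t i = 0; i < n; i++) {
        printf("%zu -> (sz=%d) : %s %s\n", i,
               insn[i].size,
               insn[i].mnemonic,
               insn[i].op_str);
    }

    /* The original reproducer leaked the instruction array; give it back
     * to the library (single-argument cs_free of the API generation that
     * still has cs_disasm_dyn) before closing the handle. */
    if (n > 0) {
        cs_free(insn);
    }
    cs_close(handle);
    return 0;
}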
backtrace:
(lldb) bt
* thread #1: tid = 0x5e686, 0x00007fff908a0866 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread, stop reason = signal SIGABRT
frame #0: 0x00007fff908a0866 libsystem_kernel.dylib`__pthread_kill + 10
frame #1: 0x00007fff90cd235c libsystem_pthread.dylib`pthread_kill + 92
frame #2: 0x00007fff9097fbba libsystem_c.dylib`abort + 125
frame #3: 0x00007fff9097fd31 libsystem_c.dylib`abort_report_np + 181
frame #4: 0x00007fff909a38c5 libsystem_c.dylib`__chk_fail + 48
frame #5: 0x00007fff909a3895 libsystem_c.dylib`__chk_fail_overflow + 16
frame #6: 0x00007fff909a3ae4 libsystem_c.dylib`__strcpy_chk + 83
frame #7: 0x000000010000d77d a.out`X86_Intel_printInst [inlined] get_first_op(buffer=<unavailable>) + 3101 at X86IntelInstPrinter.c:178
frame #8: 0x000000010000d718 a.out`X86_Intel_printInst(MI=0x00007fff909a3895, O=<unavailable>, Info=<unavailable>) + 3000 at X86IntelInstPrinter.c:208
frame #9: 0x0000000100001f45 a.out`cs_disasm_dyn(ud=4300224704, buffer=0x0000000100049378, size=<unavailable>, offset=0, count=<unavailable>, insn=0x00007fff5fbffb60) + 725 at cs.c:270
frame #10: 0x000000010000150d a.out`main + 125
frame #11: 0x00007fff9630a5fd libdyld.dylib`start + 1
(lldb)
frame #7: 0x000000010000d77d a.out`X86_Intel_printInst [inlined] get_first_op(buffer=<unavailable>) + 3101 at X86IntelInstPrinter.c:178
175 memcpy(firstop, tab + 1, comma - tab - 1);
176 firstop[comma - tab - 1] = '\0';
177 } else
-> 178 strcpy(firstop, tab + 1);
179 } else // no op
180 firstop[0] = '\0';
181 }
The killer sequence of bytes is: "\xff\x8c\xf9\xff\xff\x9b\xf9"
You can reproduce the crash with this program:
backtrace: