Difference between revisions of "IOS debugserver with IDA"
(→Debugging with lldb) |
(→Setup debugserver on ios device) |
Line 46: | Line 46: | ||
I finally got it working by following this link | I finally got it working by following this link | ||
http://versprite.com/og/ios-reverse-engineering-part-one-configuring-lldb/ | http://versprite.com/og/ios-reverse-engineering-part-one-configuring-lldb/ | ||
+ | |||
+ | |||
+ | ==Setup Scripts To Auto do ASLR== | ||
+ | create a python script | ||
+ | <pre> | ||
+ | #!/usr/bin/python | ||
+ | #coding:utf-8 | ||
+ | |||
+ | import lldb | ||
+ | import commands | ||
+ | import optparse | ||
+ | import shlex | ||
+ | import re | ||
+ | |||
+ | |||
+ | # 获取ASLR偏移地址 | ||
+ | def get_ASLR(): | ||
+ | # 获取'image list -o'命令的返回结果 | ||
+ | interpreter = lldb.debugger.GetCommandInterpreter() | ||
+ | returnObject = lldb.SBCommandReturnObject() | ||
+ | interpreter.HandleCommand('image list -o', returnObject) | ||
+ | output = returnObject.GetOutput(); | ||
+ | # 正则匹配出第一个0x开头的16进制地址 | ||
+ | match = re.match(r'.+(0x[0-9a-fA-F]+)', output) | ||
+ | if match: | ||
+ | return match.group(1) | ||
+ | else: | ||
+ | return None | ||
+ | |||
+ | # Super breakpoint | ||
+ | def sbr(debugger, command, result, internal_dict): | ||
+ | |||
+ | #用户是否输入了地址参数 | ||
+ | if not command: | ||
+ | print >>result, 'Please input the address!' | ||
+ | return | ||
+ | |||
+ | ASLR = get_ASLR() | ||
+ | if ASLR: | ||
+ | #如果找到了ASLR偏移,就设置断点 | ||
+ | debugger.HandleCommand('br set -a "%s+%s"' % (ASLR, command)) | ||
+ | else: | ||
+ | print >>result, 'ASLR not found!' | ||
+ | |||
+ | def readReg(debugger, register, result, internal_dict): | ||
+ | interpreter = lldb.debugger.GetCommandInterpreter() | ||
+ | returnObject = lldb.SBCommandReturnObject() | ||
+ | debugger.HandleCommand('register read ' + register, returnObject) | ||
+ | output = returnObject.GetOutput() | ||
+ | match = re.match(' = 0x(.*)', output) | ||
+ | if match: | ||
+ | print match.group(1) | ||
+ | else: | ||
+ | print "error: " + output | ||
+ | |||
+ | def readMem(debugger, address, result, internal_dict): | ||
+ | debugger.HandleCommand('memory read --size 4 --format x --count 32 ' + address) | ||
+ | |||
+ | def connLocal(debugger, address, result, internal_dict): | ||
+ | debugger.HandleCommand('platform select remote-ios') | ||
+ | debugger.HandleCommand('process connect connect://localhost:2008') | ||
+ | |||
+ | # And the initialization code to add your commands | ||
+ | def __lldb_init_module(debugger, internal_dict): | ||
+ | # 'command script add sbr' : 给lldb增加一个'sbr'命令 | ||
+ | # '-f sbr.sbr' : 该命令调用了sbr文件的sbr函数 | ||
+ | debugger.HandleCommand('command script add sbr -f sbr.sbr') | ||
+ | debugger.HandleCommand('command script add readReg -f sbr.readReg') | ||
+ | debugger.HandleCommand('command script add connLocal -f sbr.connLocal') | ||
+ | debugger.HandleCommand('command script add readMem -f sbr.readMem') | ||
+ | print 'The "sbr" python command has been installed and is ready for use.' | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | Then edit ~/.lldbinit file | ||
+ | add following | ||
+ | <pre> | ||
+ | command script import ~/sbr.py | ||
+ | </pre> | ||
+ | |||
+ | Then we would see sbr command will be auto loaded | ||
+ | <pre> | ||
+ | Jobs: ~$ lldb | ||
+ | The "sbr" python command has been installed and is ready for use. | ||
+ | (lldb) command source -s 1 '/Users/Jobs/./.lldbinit' | ||
+ | The "sbr" python command has been installed and is ready for use. | ||
+ | (lldb) sbr 0x001111111 | ||
+ | </pre> | ||
==Debugging with lldb== | ==Debugging with lldb== |
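Review bot: readReg passes the return object to `debugger.HandleCommand(...)`, but SBDebugger.HandleCommand takes only the command string; the `interpreter` created two lines earlier is the object that accepts a return object, so the call should read `interpreter.HandleCommand('register read ' + register, returnObject)`. The regex on the following line also never matches, because `re.match` anchors at the start of the output and `register read` output begins with the register name rather than ` = 0x`; `match = re.search(r'=\s*0x([0-9a-fA-F]+)', output)` finds the value. The script further relies on Python 2 `print` statements and imports the removed `commands` module, so it will not load in an lldb built against Python 3; `from __future__ import print_function` with `print(..., file=result)` keeps it working on both, and the unused `commands`, `optparse` and `shlex` imports can be dropped.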
Latest revision as of 05:03, 21 September 2017
Set up debugserver on an iOS device
1. On Mac. Open /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/7.0 (XXXXXX)
2. hdiutil attach ./DeveloperDiskImage.dmg
3. Mount DeveloperDiskImage.dmg and copy everything into a folder
4. Use iFunBox or an SCP tool to upload all files from DeveloperDiskImage.dmg to /Developer on the iPhone (if you have used Xcode to debug on the device before, you can skip this step)
5. Optional: extract only the debugserver architecture slice you need
lipo -thin armv7 /Developer/usr/bin/debugserver -output ~/debugserver
lipo -thin armv7S /Developer/usr/bin/debugserver -output ~/debugserver
lipo -thin arm64 /Developer/usr/bin/debugserver -output ~/debugserver // >= iphone 6
6. Next we need to sign the debugserver
First create an XML file named entitlements.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
Then sign it
codesign -s - --entitlements entitlements.plist -f debugserver
7. Copy debugserver to the iPhone
scp ./debugserver root@192.168.1.106:/usr/bin/
8. On the iPhone, as root: /Developer/usr/bin/debugserver *:2008 --attach gameProcessName (the `*` makes debugserver accept connections on every interface, so only do this on a network you trust)
Refer to [1]
Another, more recent post: http://bbs.pediy.com/showthread.php?t=190126
I finally got it working by following this link http://versprite.com/og/ios-reverse-engineering-part-one-configuring-lldb/
Setup script to handle ASLR automatically
Create a Python script and save it as ~/sbr.py (the .lldbinit line below imports it by that path, and the command registrations in the script refer to the module as sbr):
#!/usr/bin/python #coding:utf-8 import lldb import commands import optparse import shlex import re # 获取ASLR偏移地址 def get_ASLR(): # 获取'image list -o'命令的返回结果 interpreter = lldb.debugger.GetCommandInterpreter() returnObject = lldb.SBCommandReturnObject() interpreter.HandleCommand('image list -o', returnObject) output = returnObject.GetOutput(); # 正则匹配出第一个0x开头的16进制地址 match = re.match(r'.+(0x[0-9a-fA-F]+)', output) if match: return match.group(1) else: return None # Super breakpoint def sbr(debugger, command, result, internal_dict): #用户是否输入了地址参数 if not command: print >>result, 'Please input the address!' return ASLR = get_ASLR() if ASLR: #如果找到了ASLR偏移,就设置断点 debugger.HandleCommand('br set -a "%s+%s"' % (ASLR, command)) else: print >>result, 'ASLR not found!' def readReg(debugger, register, result, internal_dict): interpreter = lldb.debugger.GetCommandInterpreter() returnObject = lldb.SBCommandReturnObject() debugger.HandleCommand('register read ' + register, returnObject) output = returnObject.GetOutput() match = re.match(' = 0x(.*)', output) if match: print match.group(1) else: print "error: " + output def readMem(debugger, address, result, internal_dict): debugger.HandleCommand('memory read --size 4 --format x --count 32 ' + address) def connLocal(debugger, address, result, internal_dict): debugger.HandleCommand('platform select remote-ios') debugger.HandleCommand('process connect connect://localhost:2008') # And the initialization code to add your commands def __lldb_init_module(debugger, internal_dict): # 'command script add sbr' : 给lldb增加一个'sbr'命令 # '-f sbr.sbr' : 该命令调用了sbr文件的sbr函数 debugger.HandleCommand('command script add sbr -f sbr.sbr') debugger.HandleCommand('command script add readReg -f sbr.readReg') debugger.HandleCommand('command script add connLocal -f sbr.connLocal') debugger.HandleCommand('command script add readMem -f sbr.readMem') print 'The "sbr" python command has been installed and is ready for use.'
Then edit the ~/.lldbinit file and add the following:
command script import ~/sbr.py
Then we see that the sbr command is loaded automatically:
Jobs: ~$ lldb
The "sbr" python command has been installed and is ready for use.
(lldb) command source -s 1 '/Users/Jobs/./.lldbinit'
The "sbr" python command has been installed and is ready for use.
(lldb) sbr 0x001111111
Debugging with lldb
Once you have debugserver working:
// ssh to iphone
// attach to a process
/usr/bin/debugserver *:2008 --attach tgame
// or start the process
debugserver *:2008 /private/var/containers/Bundle/Application/*/*/binary_name
On the Mac, open a new terminal tab:
lldb
platform select remote-ios
process connect connect://192.168.1.106:2008
In lldb, to find out the app's memory offset (the ASLR offset):
image list -o -f
#[  0] 0x00000000000a0000 /private/var/mobile/Containers/Bundle/Application/xxxxx-xxxxx/tgame.app/game(0x00000001000a0000)
#[  1] 0x0000000102888000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000102888000)
0x00000000000a0000 is the offset.
To set a breakpoint at an address, do:
br s -a 0x00000001014665bc or br s -a 0x010C29F8+0xa0000
Run the command `c` to continue.