Difference between revisions of "IOS debugserver with IDA"
From Hawk Wiki
(→Debugging with lldb) |
(→Setup debugserver on ios device) |
||
| Line 46: | Line 46: | ||
I finally got it working by following this link | I finally got it working by following this link | ||
http://versprite.com/og/ios-reverse-engineering-part-one-configuring-lldb/ | http://versprite.com/og/ios-reverse-engineering-part-one-configuring-lldb/ | ||
| + | |||
| + | |||
| + | ==Setup Scripts To Auto do ASLR== | ||
| + | create a python script | ||
| + | <pre> | ||
| + | #!/usr/bin/python | ||
| + | #coding:utf-8 | ||
| + | |||
| + | import lldb | ||
| + | import commands | ||
| + | import optparse | ||
| + | import shlex | ||
| + | import re | ||
| + | |||
| + | |||
| + | # 获取ASLR偏移地址 | ||
| + | def get_ASLR(): | ||
| + | # 获取'image list -o'命令的返回结果 | ||
| + | interpreter = lldb.debugger.GetCommandInterpreter() | ||
| + | returnObject = lldb.SBCommandReturnObject() | ||
| + | interpreter.HandleCommand('image list -o', returnObject) | ||
| + | output = returnObject.GetOutput(); | ||
| + | # 正则匹配出第一个0x开头的16进制地址 | ||
| + | match = re.match(r'.+(0x[0-9a-fA-F]+)', output) | ||
| + | if match: | ||
| + | return match.group(1) | ||
| + | else: | ||
| + | return None | ||
| + | |||
| + | # Super breakpoint | ||
| + | def sbr(debugger, command, result, internal_dict): | ||
| + | |||
| + | #用户是否输入了地址参数 | ||
| + | if not command: | ||
| + | print >>result, 'Please input the address!' | ||
| + | return | ||
| + | |||
| + | ASLR = get_ASLR() | ||
| + | if ASLR: | ||
| + | #如果找到了ASLR偏移,就设置断点 | ||
| + | debugger.HandleCommand('br set -a "%s+%s"' % (ASLR, command)) | ||
| + | else: | ||
| + | print >>result, 'ASLR not found!' | ||
| + | |||
| + | def readReg(debugger, register, result, internal_dict): | ||
| + | interpreter = lldb.debugger.GetCommandInterpreter() | ||
| + | returnObject = lldb.SBCommandReturnObject() | ||
| + | debugger.HandleCommand('register read ' + register, returnObject) | ||
| + | output = returnObject.GetOutput() | ||
| + | match = re.match(' = 0x(.*)', output) | ||
| + | if match: | ||
| + | print match.group(1) | ||
| + | else: | ||
| + | print "error: " + output | ||
| + | |||
| + | def readMem(debugger, address, result, internal_dict): | ||
| + | debugger.HandleCommand('memory read --size 4 --format x --count 32 ' + address) | ||
| + | |||
| + | def connLocal(debugger, address, result, internal_dict): | ||
| + | debugger.HandleCommand('platform select remote-ios') | ||
| + | debugger.HandleCommand('process connect connect://localhost:2008') | ||
| + | |||
| + | # And the initialization code to add your commands | ||
| + | def __lldb_init_module(debugger, internal_dict): | ||
| + | # 'command script add sbr' : 给lldb增加一个'sbr'命令 | ||
| + | # '-f sbr.sbr' : 该命令调用了sbr文件的sbr函数 | ||
| + | debugger.HandleCommand('command script add sbr -f sbr.sbr') | ||
| + | debugger.HandleCommand('command script add readReg -f sbr.readReg') | ||
| + | debugger.HandleCommand('command script add connLocal -f sbr.connLocal') | ||
| + | debugger.HandleCommand('command script add readMem -f sbr.readMem') | ||
| + | print 'The "sbr" python command has been installed and is ready for use.' | ||
| + | |||
| + | </pre> | ||
| + | |||
| + | Then edit ~/.lldbinit file | ||
| + | add following | ||
| + | <pre> | ||
| + | command script import ~/sbr.py | ||
| + | </pre> | ||
| + | |||
| + | Then we would see sbr command will be auto loaded | ||
| + | <pre> | ||
| + | Jobs: ~$ lldb | ||
| + | The "sbr" python command has been installed and is ready for use. | ||
| + | (lldb) command source -s 1 '/Users/Jobs/./.lldbinit' | ||
| + | The "sbr" python command has been installed and is ready for use. | ||
| + | (lldb) sbr 0x001111111 | ||
| + | </pre> | ||
==Debugging with lldb== | ==Debugging with lldb== | ||
Latest revision as of 05:03, 21 September 2017
Setup debugserver on ios device
1. On Mac. Open /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/7.0 (XXXXXX)
2.hdiutil attach ./DeveloperDiskImage.dmg
3. Mount DeveloperDiskImage.dmg, copy everything into a folder
4. Use iFunbox or SCP tool upload all files in DeveloperDiskImage.dmg to iphone /Developer (if you use xcode to debug on device before, you can skip this step)
5. optional, extract the debugserver part you need
lipo -thin armv7 /Developer/usr/bin/debugserver -output ~/debugserver lipo -thin armv7S /Developer/usr/bin/debugserver -output ~/debugserver lipo -thin arm64 /Developer/usr/bin/debugserver -output ~/debugserver // >= iphone 6
6. next we need to sign the debugserver
First make a xml file entitlements.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.springboard.debugapplications</key> <true/>
<key>run-unsigned-code</key>
<true/>
<key>get-task-allow</key>
<true/>
<key>task_for_pid-allow</key>
<true/>
</dict>
</plist>
Then sign it
codesign -s - --entitlements entitlements.plist -f debugserver
7. copy debugserver to iphone
scp ./debugserver root@192.168.1.106:/usr/bin/
8. iPhone root# /Developer/usr/bin/debugserver *:2008 --attach gameProcessName
Refer to [1]
Another more recent post http://bbs.pediy.com/showthread.php?t=190126
I finally got it working by following this link http://versprite.com/og/ios-reverse-engineering-part-one-configuring-lldb/
Setup Scripts To Auto do ASLR
create a python script
#!/usr/bin/python
#coding:utf-8
import lldb
import commands
import optparse
import shlex
import re
# 获取ASLR偏移地址
def get_ASLR():
# 获取'image list -o'命令的返回结果
interpreter = lldb.debugger.GetCommandInterpreter()
returnObject = lldb.SBCommandReturnObject()
interpreter.HandleCommand('image list -o', returnObject)
output = returnObject.GetOutput();
# 正则匹配出第一个0x开头的16进制地址
match = re.match(r'.+(0x[0-9a-fA-F]+)', output)
if match:
return match.group(1)
else:
return None
# Super breakpoint
def sbr(debugger, command, result, internal_dict):
#用户是否输入了地址参数
if not command:
print >>result, 'Please input the address!'
return
ASLR = get_ASLR()
if ASLR:
#如果找到了ASLR偏移,就设置断点
debugger.HandleCommand('br set -a "%s+%s"' % (ASLR, command))
else:
print >>result, 'ASLR not found!'
def readReg(debugger, register, result, internal_dict):
interpreter = lldb.debugger.GetCommandInterpreter()
returnObject = lldb.SBCommandReturnObject()
debugger.HandleCommand('register read ' + register, returnObject)
output = returnObject.GetOutput()
match = re.match(' = 0x(.*)', output)
if match:
print match.group(1)
else:
print "error: " + output
def readMem(debugger, address, result, internal_dict):
debugger.HandleCommand('memory read --size 4 --format x --count 32 ' + address)
def connLocal(debugger, address, result, internal_dict):
debugger.HandleCommand('platform select remote-ios')
debugger.HandleCommand('process connect connect://localhost:2008')
# And the initialization code to add your commands
def __lldb_init_module(debugger, internal_dict):
# 'command script add sbr' : 给lldb增加一个'sbr'命令
# '-f sbr.sbr' : 该命令调用了sbr文件的sbr函数
debugger.HandleCommand('command script add sbr -f sbr.sbr')
debugger.HandleCommand('command script add readReg -f sbr.readReg')
debugger.HandleCommand('command script add connLocal -f sbr.connLocal')
debugger.HandleCommand('command script add readMem -f sbr.readMem')
print 'The "sbr" python command has been installed and is ready for use.'
Then edit ~/.lldbinit file add following
command script import ~/sbr.py
Then we would see sbr command will be auto loaded
Jobs: ~$ lldb The "sbr" python command has been installed and is ready for use. (lldb) command source -s 1 '/Users/Jobs/./.lldbinit' The "sbr" python command has been installed and is ready for use. (lldb) sbr 0x001111111
Debugging with lldb
When you got gdbserver working
// ssh to iphone // attach to a process /usr/bin/debugserver *:2008 --attach tgame // or start the process debugserver *:2008 /private/var/containers/Bundle/Application/*/*/binary_name
On Mac open a new terminal tab
lldb platform select remote-ios process connect connect://192.168.1.106:2008
In lldb, to find out the app memory offset
image list -o -f #[ 0] 0x00000000000a0000 /private/var/mobile/Containers/Bundle/Application/xxxxx-xxxxx/tgame.app/game(0x00000001000a0000) #[ 1] 0x0000000102888000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000102888000)
The 0x00000000000a0000 would be the offset
To set break point at address do
br s -a 0x00000001014665bc or br s -a 0x010C29F8+0xa0000
run command c to continue
