Difference between revisions of "IOS debugserver with IDA"

Revision as of 18:38, 20 August 2015

Setup debugserver on ios device

1. On Mac. Open /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/7.0 (XXXXXX)

2.

hdiutil attach ./DeveloperDiskImage.dmg

3. Mount DeveloperDiskImage.dmg, copy everything into a folder

4. Use iFunbox or SCP tool upload all files in DeveloperDiskImage.dmg to iphone /Developer (if you use xcode to debug on device before, you can skip this step)

5. optional, extract the debugserver part you need

lipo -thin armv7 /Developer/usr/bin/debugserver -output ~/debugserver
lipo -thin armv7S /Developer/usr/bin/debugserver -output ~/debugserver
lipo -thin arm64 /Developer/usr/bin/debugserver -output ~/debugserver // >= iphone 6

6. next we need to sign the debugserver

 First make a xml file entitlements.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.springboard.debugapplications</key> <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>

 Then sign it

codesign -s - --entitlements entitlements.plist -f debugserver

7. copy debugserver to iphone

scp ./debugserver root@192.168.1.106:/usr/bin/

8. iPhone root# /Developer/usr/bin/debugserver *:2008 --attach gameProcessName

Refer to [1]
Another more recent post http://bbs.pediy.com/showthread.php?t=190126

I finally got it working by following this link http://versprite.com/og/ios-reverse-engineering-part-one-configuring-lldb/

Debugging with lldb

When you got gdbserver working

// ssh to iphone
/usr/bin/debugserver *:2008 --attach tgame

On Mac open a new terminal tab

lldb

platform select remote-ios
process connect connect://192.168.1.106:2008

In lldb, to find out the app memory offset

image list -o -f

#[  0] 0x00000000000a0000 /private/var/mobile/Containers/Bundle/Application/xxxxx-xxxxx/tgame.app/game(0x00000001000a0000)
#[  1] 0x0000000102888000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000102888000)

The 0x00000000000a0000 would be the offset

To set break point at address do

br s -a 0x00000001014665bc

Method2

Difference between revisions of "IOS debugserver with IDA"

Revision as of 18:38, 20 August 2015

Setup debugserver on ios device

Debugging with lldb

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Hall

Tools

@@ Line 1: / Line 1: @@
-# On Mac. Open /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/7.0 (XXXXXX)
+==Setup debugserver on ios device==
-# <pre>hdiutil attach ./DeveloperDiskImage.dmg</pre>
+. On Mac. Open /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/7.0 (XXXXXX)
-# Mount DeveloperDiskImage.dmg, copy everything into a folder
-# Use iFunbox or SCP tool upload all files in DeveloperDiskImage.dmg to iphone /Developer
+. <pre>hdiutil attach ./DeveloperDiskImage.dmg</pre>
-# iPhone root# <code>/Developer/usr/bin/debugserver port:2008 /var/mobile/Containers/Bundle/Application/xx-xxxx-xx/Scan.app/Scan</code>
+. Mount DeveloperDiskImage.dmg, copy everything into a folder
+. Use iFunbox or SCP tool upload all files in DeveloperDiskImage.dmg to iphone /Developer (if you use xcode to debug on device before, you can skip this step)
+. optional, extract the debugserver part you need
+<pre>
+lipo -thin armv7 /Developer/usr/bin/debugserver -output ~/debugserver
+lipo -thin armv7S /Developer/usr/bin/debugserver -output ~/debugserver
+lipo -thin arm64 /Developer/usr/bin/debugserver -output ~/debugserver // >= iphone 6
+</pre>
+. next we need to sign the debugserver
+  First make a xml file entitlements.plist
+<pre>
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.springboard.debugapplications</key> <true/>
+    <key>run-unsigned-code</key>
+    <true/>
+    <key>get-task-allow</key>
+    <true/>
+    <key>task_for_pid-allow</key>
+    <true/>
+</dict>
+</plist>
+</pre>
+  Then sign it
+<pre>
+codesign -s - --entitlements entitlements.plist -f debugserver
+</pre>
+. copy debugserver to iphone
+<pre>
+scp ./debugserver root@192.168.1.106:/usr/bin/
+</pre>
+. iPhone root# <code>/Developer/usr/bin/debugserver *:2008 --attach gameProcessName</code>
 Refer to [http://bbs.pediy.com/showthread.php?t=138472]<br>