iOS debugserver with IDA
Set up debugserver on an iOS device
1. On the Mac, open /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/7.0 (XXXXXX) (use the folder that matches the iOS version on the device)
2. hdiutil attach ./DeveloperDiskImage.dmg
3. With DeveloperDiskImage.dmg mounted, copy everything in it into a folder
4. Use iFunbox or an SCP tool to upload all files from DeveloperDiskImage.dmg to /Developer on the iPhone (if you have used Xcode to debug on this device before, you can skip this step)
5. Optional: extract only the debugserver slice you need. Run one of these on the Mac, inside the folder from step 3 (the image's usr/bin/debugserver is what lands at /Developer/usr/bin/debugserver on the device); each writes a single-architecture binary to ~/debugserver:
lipo -thin armv7 usr/bin/debugserver -output ~/debugserver
lipo -thin armv7s usr/bin/debugserver -output ~/debugserver
lipo -thin arm64 usr/bin/debugserver -output ~/debugserver    // arm64 devices (iPhone 5s and later)
6. Next we need to sign debugserver with the entitlements that let it attach to other processes.
First create an XML file, entitlements.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
Then sign it (ad-hoc signature, identity "-", with the entitlements embedded):
codesign -s - --entitlements entitlements.plist -f debugserver
7. Copy the signed debugserver to the iPhone
scp ./debugserver root@192.168.1.106:/usr/bin/
8. On the iPhone, run the signed copy from /usr/bin (not the unsigned one under /Developer) and attach to the target:
iPhone root# /usr/bin/debugserver *:2008 --attach gameProcessName
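The entitlements and signing step above, as an added example that is not part of the original post: a Python 3 script that writes the same entitlements.plist with plistlib and, on macOS, dumps the entitlements of the signed debugserver with codesign -d --entitlements :- and reports any of the four keys that are missing. The script name sign_check.py and the sample blobs at the bottom are constructed for this example; the verify step needs codesign and therefore only runs on macOS, the parsing helpers run anywhere.

```python
#!/usr/bin/env python3
"""Write entitlements.plist for debugserver and check the signed binary.

Added example, not from the original post. The verify step shells out to
codesign and therefore only runs on macOS; the parsing helpers run anywhere.
"""
import plistlib
import subprocess
import sys

# The four entitlements the post adds to debugserver. task_for_pid-allow
# is the one that lets it attach to processes it did not spawn itself.
REQUIRED_ENTITLEMENTS = (
    "com.apple.springboard.debugapplications",
    "run-unsigned-code",
    "get-task-allow",
    "task_for_pid-allow",
)


def build_entitlements():
    """Return the dict that becomes entitlements.plist (every key true)."""
    return {key: True for key in REQUIRED_ENTITLEMENTS}


def write_entitlements(path):
    """Write entitlements.plist as XML, the format codesign --entitlements reads."""
    with open(path, "wb") as fp:
        plistlib.dump(build_entitlements(), fp, fmt=plistlib.FMT_XML)


def parse_entitlements(blob):
    """Parse what 'codesign -d --entitlements :- FILE' prints to stdout.

    The ':' prefix asks codesign to strip the 8-byte blob header
    (magic 0xfade7171 + length) in front of the XML; locate the <?xml
    marker anyway rather than trusting offset 0. Returns {} if no XML
    plist is found, so every required key then shows up as missing.
    """
    start = blob.find(b"<?xml")
    if start < 0:
        return {}
    return plistlib.loads(blob[start:])


def missing_entitlements(blob):
    """Return the required entitlements that are absent or not set to true."""
    present = parse_entitlements(blob)
    return [key for key in REQUIRED_ENTITLEMENTS if present.get(key) is not True]


def verify_signed_binary(path):
    """Dump the entitlements of a signed debugserver and report what is missing."""
    proc = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", path],
        capture_output=True, check=True,
    )
    return missing_entitlements(proc.stdout)


# Constructed samples standing in for codesign output: one fully entitled
# plist behind a fake blob header, and one that only has get-task-allow.
SAMPLE_GOOD_BLOB = (
    b"\xfa\xde\x71\x71\x00\x00\x01\x00"
    + plistlib.dumps(build_entitlements(), fmt=plistlib.FMT_XML)
)
SAMPLE_INCOMPLETE_BLOB = plistlib.dumps({"get-task-allow": True}, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Usage: python3 sign_check.py entitlements.plist [signed_debugserver]
    write_entitlements(sys.argv[1])
    if len(sys.argv) > 2:
        missing = verify_signed_binary(sys.argv[2])
        print("missing entitlements: %s" % (missing or "none"))
        sys.exit(1 if missing else 0)
```

Run it once to produce entitlements.plist, sign with the codesign line above, then run it again with the signed binary as the second argument; a non-empty "missing entitlements" list means the signature did not pick up the plist and debugserver will fail to attach.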
Refer to [1].
Another, more recent post: http://bbs.pediy.com/showthread.php?t=190126
I finally got it working by following this link: http://versprite.com/og/ios-reverse-engineering-part-one-configuring-lldb/
Set up a script to handle ASLR automatically
Create a Python script and save it as ~/sbr.py (the module name sbr is what the command registrations below refer to):
#!/usr/bin/python
# coding: utf-8
# Runs inside lldb's embedded Python; save as ~/sbr.py.
import lldb
import re

# Get the ASLR slide of the main executable (image 0)
def get_ASLR():
    # Run 'image list -o' and capture its output
    interpreter = lldb.debugger.GetCommandInterpreter()
    returnObject = lldb.SBCommandReturnObject()
    interpreter.HandleCommand('image list -o', returnObject)
    output = returnObject.GetOutput()
    # The first hex value starting with 0x is the slide of image 0, the app binary
    match = re.search(r'0x[0-9a-fA-F]+', output or '')
    if match:
        return match.group(0)
    return None

# Super breakpoint: set a breakpoint at an IDA (unslid) address, adding the slide
def sbr(debugger, command, result, internal_dict):
    # Did the user pass an address argument?
    command = command.strip()
    if not command:
        result.SetError('Please input the address!')
        return
    ASLR = get_ASLR()
    if ASLR:
        # Found the ASLR slide, so set the breakpoint at slide + address
        debugger.HandleCommand('br set -a "%s+%s"' % (ASLR, command))
    else:
        result.SetError('ASLR not found!')

# Print the value of one register, e.g. 'readReg pc'
def readReg(debugger, register, result, internal_dict):
    # SBDebugger.HandleCommand takes only a string; to capture the output
    # the command has to go through the command interpreter
    interpreter = debugger.GetCommandInterpreter()
    returnObject = lldb.SBCommandReturnObject()
    interpreter.HandleCommand('register read ' + register, returnObject)
    output = returnObject.GetOutput() or returnObject.GetError() or ''
    # Output looks like '     pc = 0x00000001014665bc  game`...'
    match = re.search(r'=\s*0x([0-9a-fA-F]+)', output)
    if match:
        result.AppendMessage(match.group(1))
    else:
        result.SetError('error: ' + output)

# Dump 32 four-byte words in hex starting at address
def readMem(debugger, address, result, internal_dict):
    debugger.HandleCommand('memory read --size 4 --format x --count 32 ' + address)

# Connect to a debugserver that is forwarded to localhost:2008
def connLocal(debugger, command, result, internal_dict):
    debugger.HandleCommand('platform select remote-ios')
    debugger.HandleCommand('process connect connect://localhost:2008')

# Initialization code that registers the commands with lldb
def __lldb_init_module(debugger, internal_dict):
    # 'command script add sbr' : add an 'sbr' command to lldb
    # '-f sbr.sbr' : the command calls the sbr function of the sbr module
    debugger.HandleCommand('command script add sbr -f sbr.sbr')
    debugger.HandleCommand('command script add readReg -f sbr.readReg')
    debugger.HandleCommand('command script add connLocal -f sbr.connLocal')
    debugger.HandleCommand('command script add readMem -f sbr.readMem')
    print('The "sbr" python command has been installed and is ready for use.')
Then edit ~/.lldbinit and add the following line:
command script import ~/sbr.py
Now the sbr command is loaded automatically whenever lldb starts:
Jobs: ~$ lldb
The "sbr" python command has been installed and is ready for use.
(lldb) command source -s 1 '/Users/Jobs/./.lldbinit'
The "sbr" python command has been installed and is ready for use.
(lldb) sbr 0x001111111
Debugging with lldb
Once debugserver is working:
// ssh to the iPhone, then either attach to a running process
/usr/bin/debugserver *:2008 --attach tgame
// or launch the binary under debugserver
debugserver *:2008 /private/var/containers/Bundle/Application/*/*/binary_name
On the Mac, open a new terminal tab and connect:
lldb
(lldb) platform select remote-ios
(lldb) process connect connect://192.168.1.106:2008
In lldb, find the app's ASLR slide (-o prints the slide, -f the path with the load address in parentheses):
(lldb) image list -o -f
[  0] 0x00000000000a0000 /private/var/mobile/Containers/Bundle/Application/xxxxx-xxxxx/tgame.app/game(0x00000001000a0000)
[  1] 0x0000000102888000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000102888000)
Here 0x00000000000a0000 is the slide: add it to the address IDA shows to get the address in the running process.
To set a breakpoint at an address, either give the slid address directly or let lldb do the addition:
br s -a 0x00000001014665bc
br s -a 0x010C29F8+0xa0000
Run c to continue.
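The slide arithmetic described above, as an added example that is not part of the original post. It parses the text that image list -o -f prints, derives the file base that IDA shows for each image, and converts in both directions: IDA address to runtime address for setting breakpoints, and runtime address (for example pc at a crash) back to an IDA address, which goes beyond the one direction the post shows. The sample listing is constructed from the two lines above; the function names are this example's own.

```python
#!/usr/bin/env python3
"""Translate between IDA (unslid) and runtime addresses using lldb's image list.

Added example, not from the original post. Parses 'image list -o -f' output
and applies the ASLR slide in both directions.
"""
import re

# One line of 'image list -o -f':  [ idx] <slide> <path>(<load address>)
IMAGE_LINE = re.compile(
    r"^\[\s*(\d+)\]\s+(0x[0-9a-fA-F]+)\s+(.+?)\((0x[0-9a-fA-F]+)\)\s*$"
)

# Constructed from the listing shown in the post.
SAMPLE_IMAGE_LIST = """\
[  0] 0x00000000000a0000 /private/var/mobile/Containers/Bundle/Application/xxxxx-xxxxx/tgame.app/game(0x00000001000a0000)
[  1] 0x0000000102888000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000102888000)
"""


def parse_image_list(output):
    """Return one dict per image: index, slide, path and load address."""
    images = []
    for line in output.splitlines():
        match = IMAGE_LINE.match(line.strip())
        if not match:
            continue  # skip prompt echoes or other noise
        index, slide, path, load_addr = match.groups()
        images.append({
            "index": int(index),
            "slide": int(slide, 16),
            "path": path,
            "load_addr": int(load_addr, 16),
        })
    return images


def file_base(image):
    """Address the binary was linked at, which is what IDA shows as its base.

    load address - slide: 0x100000000 for an arm64 main executable,
    0 for dylibs such as MobileSubstrate.dylib.
    """
    return image["load_addr"] - image["slide"]


def to_runtime(ida_addr, image):
    """IDA address -> address in the running process (add the slide)."""
    base = file_base(image)
    if ida_addr < base:
        raise ValueError(
            "0x%x is below the file base 0x%x of %s; is it already slid?"
            % (ida_addr, base, image["path"]))
    return ida_addr + image["slide"]


def to_ida(runtime_addr, image):
    """Runtime address (e.g. pc at a crash) -> address to look up in IDA."""
    if runtime_addr < image["load_addr"]:
        raise ValueError("0x%x is below the load address 0x%x of %s"
                         % (runtime_addr, image["load_addr"], image["path"]))
    return runtime_addr - image["slide"]


def breakpoint_command(ida_addr, image):
    """The 'br s -a' line to paste into lldb for an IDA address."""
    return "br s -a 0x%x" % to_runtime(ida_addr, image)


if __name__ == "__main__":
    app = parse_image_list(SAMPLE_IMAGE_LIST)[0]
    print("file base 0x%x, slide 0x%x" % (file_base(app), app["slide"]))
    print(breakpoint_command(0x1013C65BC, app))
```

With the slide from the listing, the IDA address 0x1013c65bc becomes the 0x1014665bc breakpoint used above; the bounds checks catch the common mistake of feeding an already-slid address (or an address from the wrong image) into the conversion.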