infernusdoleo

Welp. Never used LLDB before. Looks like it's gonna be a late night!

Hmm. I had tried in GameGem and it crashed while searching for some values - but I just tried iGG and it found one I'm looking for. Is there any way to correlate that location to any info I have in IDA? I'm guessing not. Set a breakpoint on that memory location then start looking?

Breakpoint it where? In IDA? I'm running on Windows - is it even possible to run it like that? I've been considering getting a used macbook for debugging, but as it stands now, just windows. Is there any way to search running app memory for values and work off that? I know things like username, session keys etc that are stored in active memory - if I could find them I might be able to work with that.

I've many years experience coding, but am relatively new to iOS code and reverse engineering. I pick this stuff up extremely quickly though. I've been trying to reverse engineer an app store app. Rather keep quiet which one it is if possible - reasons I'll explain if need be, but again, it's not really relevant. I've been working with a lot of tools, from decrypting the app, class-dumping it, decompiling it in IDA, live viewing it with FLEXible, poking around in gdb, and even trying Frida, but thats so poorly documented I didn't get far. My issue is that I'm trying to track down what happens when certain buttons are pressed/in-app procedures happen. But it seems that the vast majority of that happens inside custom classes and code. There are a massive number of unnamed functions in the IDA decompile where the code I'm looking for happens - about 2/3rds of the functions listed in the function window are sub_xxxxx. After poking around for hours I havent found a single link to anything I'm looking for in any of the classes shown in class-dump-z or in the menus in FLEXible. Obviously, my problem is without a symbol table, I've no idea what any of these function names are. By snooping the HTTP traffic, I know some of the values that exist in memory - but am unaware of any way to search for them (Question 1: Can I just search app memory in cycript or gdb for a known value?). I cannot dump classes or see function names. I'm not sure where to go from here. Are there ways to find what I'm looking for? IDEALLY I could trace the application as it ran, with something like snoop-it, but it wont run on iOS 9.0.2, my jailbroken device, and I have a really old iPhone with 6.1.6 on it, but it also will not work on that either. I'd like to be able to run the app, attach to it somehow, and show whats happening as I click buttons in the app. When I try logging objc_msgSend calls in gdb, gdb crashes. Which functions are called - even if I don't have names, I can match it up in the decompile (I think?) or set breakpoints in gdb and dump the code. Anyone experience this before and have any pointers?