babbunatale

This tutorial does not seems to help me so much... The guy does exactly what I do

I thought it was the same thing... I'll take a look at this tutorial and give you a feedback then. Thank you dude!

I'm on a Mac.

Same as on this tuts man : http://highaltitudehacks.com/2015/05/12/ios-application-security-part-42-lldb-usage-continued/ Do you have any idea ?

OK so, here are the steps I followed : Desktop side //1: thin the decypted with Clutch2 binary and set permissions : MacBook-Pro:Desktop $ lipo -thin armv7 -output snapchat-armv7 Snapchat MacBook-Pro:Desktop $ chmod 777 snapchat-armv7 && ls -l snapchat-armv7 -rwxrwxrwx 1 kevinpiacentini staff 49819344 3 jan 19:03 snapchat-armv7 // 2: start lldb (lldb) process connect connect://192.168.0.28:23 Process 564 stopped * thread #1: tid = 0x0c9e, 0x38034474 libsystem_kernel.dylib`mach_msg_trap + 20, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP frame #0: 0x38034474 libsystem_kernel.dylib`mach_msg_trap + 20 libsystem_kernel.dylib`mach_msg_trap: -> 0x38034474 <+20>: pop {r4, r5, r6, r8} 0x38034478 <+24>: bx lr libsystem_kernel.dylib`mach_msg_overwrite_trap: 0x3803447c <+0>: mov r12, sp 0x38034480 <+4>: push {r4, r5, r6, r8} (lldb) platform select remote-ios Platform: remote-ios Connected: no SDK Path: "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/10.1.1 (14B100)" SDK Roots: [ 0] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/10.1.1 (14B100)" SDK Roots: [ 1] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/8.2 (12D508)" SDK Roots: [ 2] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.1 (13B143)" SDK Roots: [ 3] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.1 (13E238)" SDK Roots: [ 4] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.2 (13F69)" SDK Roots: [ 5] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.5 (13G36)" (lldb) target create --arch arm ~/Desktop/snapchat-armv7 Current executable set to '~/Desktop/snapchat-armv7' (armv7). (lldb) b -[LoginV2ViewController viewDidLoad] Breakpoint 1: no locations (pending). WARNING: Unable to resolve breakpoint to any actual locations. iPhone Side iPhone:~ root# ./debugserver *:23 --attach=Snapchat debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-320.2.89 for armv7. Attaching to process Snapchat... Listening to port 23 for a connection from *... Waiting for debugger instructions for process 0. Here you can see all my steps... Maybe I misunderstood something ?

Yes, it is.

Ok, I'll give a shot with the rwx permissions as you said above. I'll let your know About the tutorial, I do exactly the same thing and it works. But the problem happens when I try to set a breakpoint.

Thank you for your answer. I'm note sure about the meaning of your question but I'll try to answer: - of course I attach the process on iPhone side when I run debug server and then I do the following commands: // iphone side debugserver *:6666 -a <processNameOrId> // desktop side $ lldb (lldb) platform select remote-ios (lldb) target create --arch arm /path/to/my/decrypted/bin (lldb) process connect connect://myIp:port --> everything is going fine here : debug server starts etc... Could you precise your idea about "permissions" ? - debug server has the good permissions - my local decrypted binaries has read permissions Any idea ?

Hi everyone, first of all I wish you an happy hacking year ! I'm very new in reverse engineering / debugging / iOS so excuse me for my newbie's questions. Context: [everything was tried on iOS 9.3.2 AND iOS 8.2] I need to understand how an application generates its tokens passed through http headers. So, I disassembled it using Hopper I dumped all .header files and I then logged a lot of informations during runtime by hooking some functions to understand the process of 'how an authenticated http request is generated'. Now I almost know which function exactly generates which token, I need to go ahead and understand the way of a particular token is generated to be able to reproduce it. It seems that using lldb to set breakpoints and then dump the register's value at some step of the runtime could be the best way to achieve my goals, right ? The steps I followed in order to use lldb are : - decrypt the app using Clutch2 and download it on my desktop - install debug server and all stuff - thin the binary - set the thinned binary as lldb target - install the decrypted binary.ipa in the iPhone (I tried both with a decrypted version and the normal app store version) - set breakpoint: fail My problem: After having followed a lot of tutorials on it, I still don't get it to work. It's impossible to set breakpoint using a method name like: (lldb): b -[ClassName methodCalled:] // found on this tuts : http://highaltitudehacks.com/2015/05/17/ios-application-security-part-43-fat-binaries-and-lldb-usage-continued/ // does not work for me lldb says that the breakpoint can't be set, exactly as I've not "targeted" the binary. Plus, I don't really understand how to set a breakpoint using the memory address. Removing ASLR, finding memory addresses offset are just notions that brainf**ked me! Could someone help me by sending me a precise routine and more informations about ASLR, memory offset or other useful stuff? PS: I read a lot of article on the web and also on this forum and some of them are just impossible to understand for a beginner like me... Please try to be "clear" Thank you a lot guys !

Hi Everyone, thanks for this forum, I hope to find / provide good support here! See you soon on many topics and of course, Merry Christmas! BN.