Tutorial Debugging apps on iOS 13 with LLDB (watchpoints supported)

[Affe2626 2.7k iPhone X 13.3.1]

Hi, I looked at the tutorials section here and saw that the only tutorial about debugging was a tutorial by Ted22 without support for watchpoints. This does support wp and is you don't need to download stuff from unofficial sources. But I do recommend reading his tutorial as it covers other stuff.

For this you need Xcode & Homebrew. (on macOS). Probably works on GNU/Linux if you get debugserver and the right iOS SDK some other way, or you could run macOS in a VM.

Run this to get ldid:

brew install ldid

Then you need to get the right debugserver. Run 

cd /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/ (iPadOS if you're using an iPad, I guess)

Then do an ls to list all available versions. In my case "13.3" since I run iOS 13.3.1 on an iPhone X.

Run this to mount the DeveloperDiskImage of your version. 13.3 in my case.

open ./13.3/DeveloperDiskImage.dmg

Then open your mounted disk image and go to DeveloperDiskImage/usr/bin. There you'll find debugserver. Copy that to your computer somewhere. I used ~/Documents/debugserver

To thin your binary, run 

lipo -thin arm64 ./debugserver -output ./debugserverthin (if using arm64)
lipo -thin arm64e ./debugserver -output ./debugserverthin (if using arm64e, iPhone XS and above, haven't tried though, maybe arm64 will work fine aswell)

Next, sign debugserver with this xml file (save as ent.xml):

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.springboard.debugapplications</key>
        <true/>
        <key>get-task-allow</key>
        <true/>
        <key>task_for_pid-allow</key>
        <true/>
        <key>run-unsigned-code</key>
        <true/>
</dict>
</plist>

Using ldid as such: 

ldid -Sent.xml ./debugserverthin

Copy it to your phone using sftp.

sftp root@yourphoneip

then 

put debugserverthin

now SSH into your phone and run

mv ./debugserverthin /usr/bin/debugserver (/usr/local/bin is more standard but /usr/bin just worked for me so I'll go with that, doesn't really matter).

 

Run this to find all running processes.  I'll use Hill Climb Racing as an example:

ps -A

Example output: 51523 ??         0:34.60 /var/containers/Bundle/Application/72FDFED4-16FB-47FE-999D-1CD53CF16B8C/Hill Climb Racing.app/Hill Climb Racing

Run debugserver to start the debugging server. To specify which process to attach on, do it like this:

debugserver 0.0.0.0:1234 -a "Hill Climb Racing"

To attach LLDB from your Mac, run this (ON MAC, not phone).

lldb
(lldb) platform select remote-ios
(lldb) process connect connect://yourphoneip:1234

To set watchpoints (got addr from iGG, gold value):

(lldb) process interrupt
Process 51523 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x00000001b7044634 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
->  0x1b7044634 <+8>: ret

libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x1b7044638 <+0>: mov    x16, #-0x20
    0x1b704463c <+4>: svc    #0x80
    0x1b7044640 <+8>: ret
Target 0: (Hill Climb Racing) stopped.
(lldb) w s e -s 4 -- 0x106128024
Watchpoint created: Watchpoint 1: addr = 0x106128024 size = 4 state = enabled type = w
    new value: 148742069
(lldb) c
Process 51523 resuming

When your watchpoints gets  you'll see disassembled code that ran some instruction on your data. Example (when buying from store):

Watchpoint 1 hit:
old value: 148742069
new value: 148642069
Process 51523 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 1
    frame #0: 0x0000000104a38a74 Hill Climb Racing`___lldb_unnamed_symbol5830$$Hill Climb Racing + 276
Hill Climb Racing`___lldb_unnamed_symbol5830$$Hill Climb Racing:
->  0x104a38a74 <+276>: mov    x0, x19
    0x104a38a78 <+280>: mov    x1, x20
    0x104a38a7c <+284>: bl     0x104a38d94               ; ___lldb_unnamed_symbol5832$$Hill Climb Racing
    0x104a38a80 <+288>: add    x8, sp, #0x30             ; =0x30
Target 0: (Hill Climb Racing) stopped.

I have literally no idea how to write ARM assembly but I'd guess that you could replace the instructions at 0x104a38a74 with NOP's to get free-buy, or write a jmp to your own function for mid-function hooks. I suggest watching other tutorials for that, I'm only good at Windows hacking but I may learn some iOS soon :D.

 

For moderators who review: can I wrap everything in hide-tags without messing up everything? I don't really care but a few more likes is cool 😛

I'll make a follow-up some day when I actually create a fully featured cheat with this, iGG, Theos and a disassembler like Ghidra or Binary Ninja.

Secret:

Hidden Content

React or reply to this topic to see the hidden content & download link. 👀

Updated April 16, 2020 by Affe2626

[Rook 560k iPad Pro (2nd gen) 17.4 Donor]

Thank you for sharing this with us!

I think adding hide here will ruin the topic.

[Enoch 18.9k iPhone 11 14.7.1]

Good tutorial, I'm sure this will help a lot of people.

[1096478548 1 iPhone 8 Plus 13.4]

可以了

 

[Affe2626 2.7k iPhone X 13.3.1]

1 hour ago, Rook said:

Thank you for sharing this with us!

I think adding hide here will ruin the topic.

Yep, that's fine, I attached a hidden meme instead. I may do a video next time when I make a cheat with this. Let's see how that goes

[whysbear 0 iPhone 8 13.2]

Nice post! +rep

[K_K 167k iPhone 13 Pro Max 15.1]

So this has to done on a mac?..

[Affe2626 2.7k iPhone X 13.3.1]

On 4/16/2020 at 6:08 AM, K_K said:

So this has to done on a mac?..

I haven't tried anything else. If you get LLDB to run with an iOS SDK on another OS then probably. The remote-ios platform maybe only exists on the macOS version of LLDB (but you can always try). Search for how to set SDK path. It does that automatically if you have Xcode installed for macOS. 

[EvilDevilReX 2k iPad Pro (5th gen) 16.3]

i see

 

[1347 295 iPhone X 13]

Thx