Help/Support Ptrace and SysCtl remove help.

[DarkArrow 0 iPhone 6 Plus 10.3.3]

After i loaded a binary in IDA, i search for ptrace and sysctl in Import. I did not found any ptrace but i found sysctl.

Does this mean the binary does not have any ptrace to block me from attach with gdb but it has sysctl to block it? (when i try to debugserver host: binary, i got error segment fail 11). and i foudn this too .

 BLX             _sysctl
CBZ             R0, loc_E7B194
MOV            R0, #(aSSysctlFailedW - 0xE7B18C) ; "%s: sysctl failed while trying to get k"...
MOV            R1, #(aClsprocessdebu - 0xE7B18E) ; "CLSProcessDebuggerAttached"
ADD             R0, PC  ; "%s: sysctl failed while trying to get k"...
ADD             R1, PC  ; "CLSProcessDebuggerAttached"
BL                sub_E77FF4
MOVS          R0, #0

B                  loc_E7B19E

 

any one have any idea to how deal with this

[Rook 549.6k iPad Pro (2nd gen) 17.4 Donor]

@@DarkArrow

 

Look for the function which has memset, getpid near sysctl and then NOP if you see something like this:

 

MOVS R1, #0x1F

mov #r0,0x1F

mov r1,#0x1F

[DarkArrow 0 iPhone 6 Plus 10.3.3]

@@DarkArrow

 

Look for the function which has memset, getpid near sysctl and then NOP if you see something like this:

 

MOVS R1, #0x1F

mov #r0,0x1F

mov r1,#0x1F

i am confuse.

 

@@DarkArrow

 

Look for the function which has memset, getpid near sysctl and then NOP if you see something like this:

 

MOVS R1, #0x1F

mov #r0,0x1F

mov r1,#0x1F

i dont see any thing like

MOVS R1, #0x1F

mov #r0,0x1F

mov r1,#0x1F

Also the only function i see is sub_E77FF4 and it does not contain _menset or getpid.

i look at other sub at contain sysctl but they dont have any sub around them only loc_x

 

__text:00E7B134 sub_E7B134                              ; CODE XREF: sub_E75A2C:loc_E75C24p

__text:00E7B134

__text:00E7B134 var_214         = -0x214

__text:00E7B134 var_210         = -0x210

__text:00E7B134 var_20C         = -0x20C

__text:00E7B134 var_208         = -0x208

__text:00E7B134 var_1F8         = -0x1F8

__text:00E7B134 var_1C          = -0x1C

__text:00E7B134 var_18          = -0x18

__text:00E7B134 var_14          = -0x14

__text:00E7B134 var_10          = -0x10

__text:00E7B134 var_C           = -0xC

__text:00E7B134

__text:00E7B134                 PUSH            {R4,R5,R7,LR}

__text:00E7B136                 ADD             R7, SP, #8

__text:00E7B138                 SUB.W           SP, SP, #0x20C

__text:00E7B13C                 MOVW            R0, #(:lower16:(___stack_chk_guard_ptr - 0xE7B14C))

__text:00E7B140                 MOVS            R5, #0

__text:00E7B142                 MOVT.W          R0, #(:upper16:(___stack_chk_guard_ptr - 0xE7B14C))

__text:00E7B146                 MOVS            R1, #0xE

__text:00E7B148                 ADD             R0, PC ; ___stack_chk_guard_ptr

__text:00E7B14A                 LDR             R4, [R0] ; ___stack_chk_guard

__text:00E7B14C                 LDR             R0, [R4]

__text:00E7B14E                 STR             R0, [sP,#0x214+var_C]

__text:00E7B150                 MOVS            R0, #1

__text:00E7B152                 STR             R0, [sP,#0x214+var_1C]

__text:00E7B154                 STR             R1, [sP,#0x214+var_18]

__text:00E7B156                 STR             R5, [sP,#0x214+var_1F8]

__text:00E7B158                 STR             R0, [sP,#0x214+var_14]

__text:00E7B15A                 BLX             _getpid

__text:00E7B15E                 STR             R0, [sP,#0x214+var_10]

__text:00E7B160                 MOV.W           R0, #0x1EC

__text:00E7B164                 STR             R0, [sP,#0x214+var_20C]

__text:00E7B166                 ADD             R0, SP, #0x214+var_1C ; int *

__text:00E7B168                 ADD             R2, SP, #0x214+var_208 ; void *

__text:00E7B16A                 ADD             R3, SP, #0x214+var_20C ; size_t *

__text:00E7B16C                 MOVS            R1, #4  ; u_int

__text:00E7B16E                 STR             R5, [sP,#0x214+var_214] ; void *

__text:00E7B170                 STR             R5, [sP,#0x214+var_210] ; size_t

__text:00E7B172                 BLX             _sysctl

__text:00E7B176                 CBZ             R0, loc_E7B194

__text:00E7B178                 MOV             R0, #(aSSysctlFailedW - 0xE7B18C) ; "%s: sysctl failed while trying to get k"...

__text:00E7B180                 MOV             R1, #(aClsprocessdebu - 0xE7B18E) ; "CLSProcessDebuggerAttached"

__text:00E7B188                 ADD             R0, PC  ; "%s: sysctl failed while trying to get k"...

__text:00E7B18A                 ADD             R1, PC  ; "CLSProcessDebuggerAttached"

__text:00E7B18C                 BL              sub_E77FF4

__text:00E7B190                 MOVS            R0, #0

__text:00E7B192                 B               loc_E7B19E

__text:00E7B194 ; ---------------------------------------------------------------------------

__text:00E7B194

__text:00E7B194 loc_E7B194                              ; CODE XREF: sub_E7B134+42j

__text:00E7B194                 LDRB.W          R0, [sP,#0x214+var_1F8+1]

__text:00E7B198                 AND.W           R0, R0, #8

__text:00E7B19C                 LSRS            R0, R0, #3

__text:00E7B19E

__text:00E7B19E loc_E7B19E                              ; CODE XREF: sub_E7B134+5Ej

__text:00E7B19E                 LDR             R1, [sP,#0x214+var_C]

__text:00E7B1A0                 LDR             R2, [R4]

__text:00E7B1A2                 SUBS            R1, R2, R1

__text:00E7B1A4                 ITT EQ

__text:00E7B1A6                 ADDEQ.W         SP, SP, #0x20C

__text:00E7B1AA                 POPEQ           {R4,R5,R7,PC}

__text:00E7B1AC                 BLX             ___stack_chk_fail

__text:00E7B1AC ; End of function sub_E7B134

__text:00E7B1AC

 

PS this sub is being by another that have this

text:00E75C24 loc_E75C24                              ; CODE XREF: sub_E75A2C+1DCj

__text:00E75C24                 BL              sub_E7B134

__text:00E75C28                 LDR             R1, [R5]

__text:00E75C2A                 STRB            R0, [R1,#1]

__text:00E75C2C                 LDR             R0, [R5]

__text:00E75C2E                 LDR.W           R1, [R8,#4]

__text:00E75C32                 STR             R1, [R0,#0x10]

__text:00E75C34                 LDR.W           R1, [R8,#0xC]

__text:00E75C38                 STR             R1, [R0,#0x14]

__text:00E75C3A                 LDRB.W          R1, [R8,#8]

__text:00E75C3E                 STRB            R1, [R0,#0x18]

__text:00E75C40                 ADDS            R0, #0x34

__text:00E75C42                 BL              sub_E762C8

__text:00E75C46                 LDRD.W          R0, R1, [R5]

__text:00E75C4A                 MOVW            R2, #0x3008

__text:00E75C4E                 ADD             R1, R2

__text:00E75C50                 ADD.W           R0, R0, #0x184

__text:00E75C54                 BL              sub_E7E22C

__text:00E75C58                 LDRD.W          R0, R1, [R5]

__text:00E75C5C                 ADDS            R1, #8

__text:00E75C5E                 ADDS            R0, #0x1C

__text:00E75C60                 BL              sub_E5FB3C

__text:00E75C64                 LDR             R0, [R5]

__text:00E75C66                 LDRB            R1, [R0,#1]

__text:00E75C68                 CMP             R1, #0

__text:00E75C6A                 BEQ             loc_E75C86

__text:00E75C6C                 MOV             R0, #(aSDebuggerPrese - 0xE75C80) ; "%s: Debugger present - not installing h"...

__text:00E75C74                 MOV             R1, #(aClscontextinit - 0xE75C82) ; "CLSContextInitialize"

__text:00E75C7C                 ADD             R0, PC  ; "%s: Debugger present - not installing h"...

__text:00E75C7E                 ADD             R1, PC  ; "CLSContextInitialize"

__text:00E75C80                 BL              sub_E77FF4

__text:00E75C84                 B               loc_E75CAC

Updated August 14, 2015 by DarkArrow