Help/Support GDB Error: Segmentation fault: 11

TheChief · April 9, 2015

What I do after that ....

Read the tutorials in the Tutorials section. If you need help with something in it. Open a new topic in Help & Support section.

Curtain · May 13, 2015

@@DiDA

i got address "0x31b68e78" of ptrace follow your way.and i load binary to IDA,then i try to search for it.but there isnt the address which i found.any ideas ?

"Breakpoint 1 at 0x31b68e78

Pending breakpoint 1 - "ptrace" resolved

warning: Unrecognized osabi 0 in arm_set_osabi_from_host_info"

Rook · May 13, 2015

@@DiDA

i got address "0x31b68e78" of ptrace follow your way.and i load binary to IDA,then i try to search for it.but there isnt the address which i found.any ideas ?

"Breakpoint 1 at 0x31b68e78

Pending breakpoint 1 - "ptrace" resolved

warning: Unrecognized osabi 0 in arm_set_osabi_from_host_info"

Search for ptrace/syscall/sysctl and xref it to see how many there are.

If the app has sysctl, look for the one with memset, getpid near it and if you see a MOVS R1, #0x1F, NOP it.

Curtain · May 13, 2015

Search for ptrace/syscall/sysctl and xref it to see how many there are.

If the app has sysctl, look for the one with memset, getpid near it and if you see a MOVS R1, #0x1F, NOP it.

i`ve found this,but without "MOVS R1, #0x1F",

and is it must me the same as "MOVS R1, #0x1F"

ADD R7, SP, #0xC

STMFD SP!, {R8,R10}

SUB SP, SP, #0x20C

BIC SP, SP, #7

MOV R5, R1

MOV R1, #0x1EC------->is this correct one??

MOV R6, R0

STR R1, [sP,#0x220+var_28]

MOV R0, R5 ; void *

MOV R1, #0 ; int

MOV R4, R2

BL _memset

MOV R0, #1

MOV R1, #0xE

STR R0, [sP,#0x220+var_24]

MOV R8, #0

STR R1, [sP,#0x220+var_20]

MOV R1, #4 ; u_int

STR R0, [sP,#0x220+var_1C]

ADD R0, SP, #0x220+var_24 ; int *

STR R6, [sP,#0x220+var_18]

ADD R6, SP, #0x220+var_218

ADD R3, SP, #0x220+var_28 ; size_t *

STR R8, [sP,#0x220+var_220] ; void *

MOV R2, R6 ; void *

STR R8, [sP,#0x220+var_21C] ; size_t

BL _sysctl

CMP R0, #0

BLT loc_19531E4

Updated May 13, 2015 by zzmutu

Curtain · May 25, 2015

i found MOVS R1, #0x1F app crashed when i changed to whatever values or nop it .any ideas ?

__text:00F36D08 PUSH {R4-R7,LR}

__text:00F36D0A ADD R7, SP, #0xC

__text:00F36D0C PUSH.W {R8,R10}

__text:00F36D10 SUB.W SP, SP, #0x20C

__text:00F36D14 MOV R5, R0

__text:00F36D16 MOV R0, #(___stack_chk_guard_ptr - 0xF36D24)

__text:00F36D1E MOV R10, R1

__text:00F36D20 ADD R0, PC ; ___stack_chk_guard_ptr

__text:00F36D22 MOVS R4, #0

__text:00F36D24 MOVS R1, #0x1F nop or changed to any values different

__text:00F36D26 MOVS R2, #0

__text:00F36D28 LDR.W R8, [R0] ; ___stack_chk_guard

__text:00F36D2C MOVS R3, #0

__text:00F36D2E LDR.W R0, [R8]

__text:00F36D32 STR R0, [sP,#0x220+var_18]

__text:00F36D34 MOVS R0, #0x1A ; int

__text:00F36D36 STR R4, [sP,#0x220+var_220]

__text:00F36D38 BLX _syscall

__text:00F36D3C ADD R6, SP, #0x220+var_204

__text:00F36D3E MOV.W R0, #0x1EC

__text:00F36D42 STR R0, [sP,#0x220+var_218]

__text:00F36D44 MOVS R1, #0 ; int

__text:00F36D46 MOV R0, R6 ; void *

__text:00F36D48 MOV.W R2, #0x1EC ; size_t

__text:00F36D4C BLX _memset

__text:00F36D50 MOVS R0, #1

__text:00F36D52 MOVS R1, #0xE

__text:00F36D54 STR R0, [sP,#0x220+var_214]

__text:00F36D56 STR R1, [sP,#0x220+var_210]

__text:00F36D58 STR R0, [sP,#0x220+var_20C]

__text:00F36D5A BLX _getpid

__text:00F36D5E STR R0, [sP,#0x220+var_208]

__text:00F36D60 ADD R0, SP, #0x220+var_214 ; int *

__text:00F36D62 ADD R3, SP, #0x220+var_218 ; size_t *

__text:00F36D64 MOVS R1, #4 ; u_int

__text:00F36D66 MOV R2, R6 ; void *

__text:00F36D68 STR R4, [sP,#0x220+var_220] ; void *

__text:00F36D6A STR R4, [sP,#0x220+var_21C] ; size_t

__text:00F36D6C BLX _sysctl

__text:00F36D70 CMP R0, #0

3r0rfadeness · November 4, 2015

When I do this with bloons monkey city i get to the run part and it says no executable file specified

sisky_the_sheep · May 12, 2016

Hello DiDa, nice tut! I am currently trying this on my jailbroken iphone (iphone5 with iOS 8.0.2), and when i type run to start the process, my app gets killed.

photo with the error

Goran · September 14, 2017

On 11/23/2014 at 1:13 AM, DiDA said:
World At Arms has Anti-Debugging Protection (ptrace)

You need to disable ptrace in order to debug the process. Disable ptrace by doing this:

Open Terminal and type in:
gdb /User/Containers/Bundle/Application/xxxxxx-xxxx-xxx-xxx-xxxxxx/MCT.app/MCT
Then:
break ptrace
Then:
run
Terminal will show you the Offset. Go to the offset in IDA and NOP ptrace and then attach MCT again normally.

More info: http://www.coredump.gr/articles/ios-anti-debugging-protections-part-1/

Tutorial by shmoo: https://iosgods.com/topic/26721-breaking-securityhow-to-disable-syscall-anti-debugging-protection/