Help/Support Debug iOS8.2 or iOS9.3.2 AppStore app using lldb.

babbunatale · January 5, 2017

Hi everyone,

first of all I wish you an happy hacking year !

I'm very new in reverse engineering / debugging / iOS so excuse me for my newbie's questions.

Context:
[everything was tried on iOS 9.3.2 AND iOS 8.2]

I need to understand how an application generates its tokens passed through http headers. So, I disassembled it using Hopper I dumped all .header files and I then logged a lot of informations during runtime by hooking some functions to understand the process of 'how an authenticated http request is generated'. Now I almost know which function exactly generates which token, I need to go ahead and understand the way of a particular token is generated to be able to reproduce it. It seems that using lldb to set breakpoints and then dump the register's value at some step of the runtime could be the best way to achieve my goals, right ?

The steps I followed in order to use lldb are :

- decrypt the app using Clutch2 and download it on my desktop
- install debug server and all stuff
- thin the binary
- set the thinned binary as lldb target
- install the decrypted binary.ipa in the iPhone (I tried both with a decrypted version and the normal app store version)
- set breakpoint: fail

My problem:

After having followed a lot of tutorials on it, I still don't get it to work.
It's impossible to set breakpoint using a method name like:

(lldb): b -[ClassName methodCalled:]
// found on this tuts : http://highaltitudehacks.com/2015/05/17/ios-application-security-part-43-fat-binaries-and-lldb-usage-continued/
// does not work for me

lldb says that the breakpoint can't be set, exactly as I've not "targeted" the binary.
Plus, I don't really understand how to set a breakpoint using the memory address. Removing ASLR, finding memory addresses offset are just notions that brainf**ked me!

Could someone help me by sending me a precise routine and more informations about ASLR, memory offset or other useful stuff?

PS: I read a lot of article on the web and also on this forum and some of them are just impossible to understand for a beginner like me... Please try to be "clear"

Thank you a lot guys !

Archangel04 · January 5, 2017

attach process?

that and have you set permissions? (chmod 777)

babbunatale · January 5, 2017

attach process?

that and have you set permissions? (chmod 777)

Thank you for your answer. I'm note sure about the meaning of your question but I'll try to answer:

- of course I attach the process on iPhone side when I run debug server and then I do the following commands:

// iphone side
debugserver *:6666 -a <processNameOrId>


// desktop side
$ lldb
(lldb) platform select remote-ios
(lldb) target create --arch arm /path/to/my/decrypted/bin
(lldb) process connect connect://myIp:port

--> everything is going fine here : debug server starts etc...

Could you precise your idea about "permissions" ?

- debug server has the good permissions

- my local decrypted binaries has read permissions

Any idea ?

Updated January 5, 2017 by babbunatale

Archangel04 · January 5, 2017

Binary needs read write and execute on all 3. Thats why we use chmod 777 to give it those permissions.

Usually if its saying that it cant choose binary i think it must be some problem with attach process but cant say for sure

Thank you for your answer. I'm note sure about the meaning of your question but I'll try to answer:

- of course I attach the process on iPhone side when I run debug server and then I do the following commands:
// iphone sidedebugserver *:6666 -a <processNameOrId>// desktop side$ lldb(lldb) platform select remote-ios(lldb) target create --arch arm /path/to/my/decrypted/bin(lldb) process connect connect://myIp:port
--> everything is going fine here : debug server starts etc...
Could you precise your idea about "permissions" ?

- debug server has the good permissions

- my local decrypted binaries has read permissions

Any idea ?

Did you attack the process id of the GAME on your computer?

Use this tutorial https://iosgods.com/topic/5380-working-on-ios-9-how-to-get-lldb-working-on-windows/

Updated January 5, 2017 by Archangel04

babbunatale · January 5, 2017

Usually if its saying that it cant choose binary i think it must be some problem with attach process but cant say for sure

Did you attack the process id of the GAME on your computer?

Use this tutorial https://iosgods.com/topic/5380-working-on-ios-9-how-to-get-lldb-working-on-windows/

Ok, I'll give a shot with the rwx permissions as you said above. I'll let your know

About the tutorial, I do exactly the same thing and it works. But the problem happens when I try to set a breakpoint.

Archangel04 · January 5, 2017

Kay. Also when you start it, the game is running right?

Ok, I'll give a shot with the rwx permissions as you said above. I'll let your know

About the tutorial, I do exactly the same thing and it works. But the problem happens when I try to set a breakpoint.

babbunatale · January 5, 2017

Kay. Also when you start it, the game is running right?

Yes, it is.

Archangel04 · January 5, 2017

Have you done this

Step 4: Open PuTTY or iFunBox and type in this command:

debugserver 127.0.0.1:23 --attach=PID or BINARYNAME

PID is the Process ID of the app and Binary Name is the Binary Name of the app. You can get PID & Binary Name from iGameGuardian or Binary Name from iFile/Filza.

Sorry tag error the step 4 in the other one. IF the app has attached (i know that debug server did, but im asking regarding app not the server itself)

Updated January 5, 2017 by Archangel04

babbunatale · January 5, 2017

Have you done this

Step 4: Open PuTTY or iFunBox and type in this command:
debugserver 127.0.0.1:23 --attach=PID or BINARYNAME
PID is the Process ID of the app and Binary Name is the Binary Name of the app. You can get PID & Binary Name from iGameGuardian or Binary Name from iFile/Filza.

Sorry tag error the step 4 in the other one. IF the app has attached (i know that debug server did, but im asking regarding app not the server itself)

OK so, here are the steps I followed :

Desktop side

//1: thin the decypted with Clutch2 binary and set permissions :

MacBook-Pro:Desktop $ lipo -thin armv7 -output snapchat-armv7 Snapchat

MacBook-Pro:Desktop $ chmod 777 snapchat-armv7 && ls -l snapchat-armv7
-rwxrwxrwx  1 kevinpiacentini  staff  49819344  3 jan 19:03 snapchat-armv7

// 2: start lldb

(lldb) process connect connect://192.168.0.28:23
Process 564 stopped
* thread #1: tid = 0x0c9e, 0x38034474 libsystem_kernel.dylib`mach_msg_trap + 20, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x38034474 libsystem_kernel.dylib`mach_msg_trap + 20
libsystem_kernel.dylib`mach_msg_trap:
->  0x38034474 <+20>: pop    {r4, r5, r6, r8}
    0x38034478 <+24>: bx     lr

libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x3803447c <+0>:  mov    r12, sp
    0x38034480 <+4>:  push   {r4, r5, r6, r8}
(lldb) platform select remote-ios
  Platform: remote-ios
 Connected: no
  SDK Path: "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/10.1.1 (14B100)"
 SDK Roots: [ 0] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/10.1.1 (14B100)"
 SDK Roots: [ 1] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/8.2 (12D508)"
 SDK Roots: [ 2] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.1 (13B143)"
 SDK Roots: [ 3] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.1 (13E238)"
 SDK Roots: [ 4] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.2 (13F69)"
 SDK Roots: [ 5] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.5 (13G36)"

(lldb) target create --arch arm ~/Desktop/snapchat-armv7
Current executable set to '~/Desktop/snapchat-armv7' (armv7).

(lldb) b -[LoginV2ViewController viewDidLoad]
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.

iPhone Side

iPhone:~ root# 
./debugserver *:23 --attach=Snapchat
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-320.2.89
 for armv7.
Attaching to process Snapchat...
Listening to port 23 for a connection from *...
Waiting for debugger instructions for process 0.

Here you can see all my steps... Maybe I misunderstood something ?

Updated January 5, 2017 by babbunatale

Archangel04 · January 5, 2017

(lldb) platform select remote-ios
  Platform: remote-ios
 Connected: no
  SDK Path: "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/10.1.1 (14B100)"

"Connected: No" ??