Jump to content

18 posts in this topic

Recommended Posts

Posted

Hi everyone,

 

first of all I wish you an happy hacking year !  (y)

I'm very new in reverse engineering / debugging / iOS so excuse me for my newbie's questions. 

 

 

Context:
[everything was tried on iOS 9.3.2 AND iOS 8.2]

I need to understand how an application generates its tokens passed through http headers. So, I disassembled it using Hopper I dumped all .header files and I then logged a lot of informations during runtime by hooking some functions to understand the process of 'how an authenticated http request is generated'. Now I almost know which function exactly generates which token, I need to go ahead and understand the way of a particular token is generated to be able to reproduce it. It seems that using lldb to set breakpoints and then dump the register's value at some step of the runtime could be the best way to achieve my goals, right ? 

The steps I followed in order to use lldb are : 

- decrypt the app using Clutch2 and download it on my desktop
- install debug server and all stuff
- thin the binary
- set the thinned binary as lldb target
- install the decrypted binary.ipa in the iPhone (I tried both with a decrypted version and the normal app store version)
- set breakpoint: fail

 

My problem:

After having followed a lot of tutorials on it, I still don't get it to work.
It's impossible to set breakpoint using a method name like: 

(lldb): b -[ClassName methodCalled:]
// found on this tuts : http://highaltitudehacks.com/2015/05/17/ios-application-security-part-43-fat-binaries-and-lldb-usage-continued/
// does not work for me

lldb says that the breakpoint can't be set, exactly as I've not "targeted" the binary.
Plus, I don't really understand how to set a breakpoint using the memory address. Removing ASLR, finding memory addresses offset are just notions that brainf**ked me!

Could someone help me by sending me a precise routine and more informations about ASLR, memory offset or other useful stuff? 

PS: I read a lot of article on the web and also on this forum and some of them are just impossible to understand for a beginner like me... Please try to be "clear" :) 

Thank you a lot guys ! :)

 

Posted (edited)

attach process?

that and have you set permissions? (chmod 777)

 

Thank you for your answer. I'm note sure about the meaning of your question but I'll try to answer: 

- of course I attach the process on iPhone side when I run debug server and then I do the following commands: 

// iphone side
debugserver *:6666 -a <processNameOrId>


// desktop side
$ lldb
(lldb) platform select remote-ios
(lldb) target create --arch arm /path/to/my/decrypted/bin
(lldb) process connect connect://myIp:port

--> everything is going fine here : debug server starts etc...

 

Could you precise your idea about "permissions" ? 

- debug server has the good permissions

- my local decrypted binaries has read permissions 

 

Any idea ? 

Updated by babbunatale
Posted (edited)

Binary needs read write and execute on all 3. Thats why we use chmod 777 to give it those permissions.

 

Usually if its saying that it cant choose binary i think it must be some problem with attach process but cant say for sure

Thank you for your answer. I'm note sure about the meaning of your question but I'll try to answer:

- of course I attach the process on iPhone side when I run debug server and then I do the following commands:

 

// iphone sidedebugserver *:6666 -a <processNameOrId>// desktop side$ lldb(lldb) platform select remote-ios(lldb) target create --arch arm /path/to/my/decrypted/bin(lldb) process connect connect://myIp:port
--> everything is going fine here : debug server starts etc...

Could you precise your idea about "permissions" ?

- debug server has the good permissions

- my local decrypted binaries has read permissions

Any idea ?

Did you attack the process id of the GAME on your computer?

Use this tutorial https://iosgods.com/topic/5380-working-on-ios-9-how-to-get-lldb-working-on-windows/

Updated by Archangel04
Posted

Usually if its saying that it cant choose binary i think it must be some problem with attach process but cant say for sure

Did you attack the process id of the GAME on your computer?

Use this tutorial https://iosgods.com/topic/5380-working-on-ios-9-how-to-get-lldb-working-on-windows/

 

Ok, I'll give a shot with the rwx permissions as you said above. I'll let your know :)

About the tutorial, I do exactly the same thing and it works. But the problem happens when I try to set a breakpoint.

Posted

Kay. Also when you start it, the game is running right?

Ok, I'll give a shot with the rwx permissions as you said above. I'll let your know :)

About the tutorial, I do exactly the same thing and it works. But the problem happens when I try to set a breakpoint.

Posted (edited)

Have you done this

 

Step 4: Open PuTTY or iFunBox and type in this command:

debugserver 127.0.0.1:23 --attach=PID or BINARYNAME
PID is the Process ID of the app and Binary Name is the Binary Name of the app. You can get PID & Binary Name from iGameGuardian or Binary Name from iFile/Filza.

 

Sorry tag error the step 4 in the other one. IF the app has attached (i know that debug server did, but im asking regarding app not the server itself)

Updated by Archangel04
Posted (edited)

Have you done this

 

Step 4: Open PuTTY or iFunBox and type in this command:

debugserver 127.0.0.1:23 --attach=PID or BINARYNAME
PID is the Process ID of the app and Binary Name is the Binary Name of the app. You can get PID & Binary Name from iGameGuardian or Binary Name from iFile/Filza.

 

Sorry tag error the step 4 in the other one. IF the app has attached (i know that debug server did, but im asking regarding app not the server itself)

 

 

 

OK so, here are the steps I followed : 

 

 

 

Desktop side

 

//1: thin the decypted with Clutch2 binary and set permissions :

 

MacBook-Pro:Desktop $ lipo -thin armv7 -output snapchat-armv7 Snapchat
MacBook-Pro:Desktop $ chmod 777 snapchat-armv7 && ls -l snapchat-armv7
-rwxrwxrwx  1 kevinpiacentini  staff  49819344  3 jan 19:03 snapchat-armv7

 

 

 

// 2: start lldb

(lldb) process connect connect://192.168.0.28:23
Process 564 stopped
* thread #1: tid = 0x0c9e, 0x38034474 libsystem_kernel.dylib`mach_msg_trap + 20, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x38034474 libsystem_kernel.dylib`mach_msg_trap + 20
libsystem_kernel.dylib`mach_msg_trap:
->  0x38034474 <+20>: pop    {r4, r5, r6, r8}
    0x38034478 <+24>: bx     lr

libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x3803447c <+0>:  mov    r12, sp
    0x38034480 <+4>:  push   {r4, r5, r6, r8}
(lldb) platform select remote-ios
  Platform: remote-ios
 Connected: no
  SDK Path: "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/10.1.1 (14B100)"
 SDK Roots: [ 0] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/10.1.1 (14B100)"
 SDK Roots: [ 1] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/8.2 (12D508)"
 SDK Roots: [ 2] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.1 (13B143)"
 SDK Roots: [ 3] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.1 (13E238)"
 SDK Roots: [ 4] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.2 (13F69)"
 SDK Roots: [ 5] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.5 (13G36)"



(lldb) target create --arch arm ~/Desktop/snapchat-armv7
Current executable set to '~/Desktop/snapchat-armv7' (armv7).

(lldb) b -[LoginV2ViewController viewDidLoad]
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.

 

iPhone Side

 

iPhone:~ root# 
./debugserver *:23 --attach=Snapchat
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-320.2.89
 for armv7.
Attaching to process Snapchat...
Listening to port 23 for a connection from *...
Waiting for debugger instructions for process 0.

Here you can see all my steps... Maybe I misunderstood something ?

Updated by babbunatale
Posted

(lldb) platform select remote-ios
  Platform: remote-ios
 Connected: no
  SDK Path: "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/10.1.1 (14B100)"

 

"Connected: No" ??

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Our picks

    • Fortunes of Battle +5 Jailed Cheats [ Damage & Defence ]
      Modded/Hacked App: Fortunes of Battle By Short Circuit Studios AB
      Bundle ID: com.ShortCircuitStudio.FortunesOfBattle
      App Store Link: https://apps.apple.com/us/app/fortunes-of-battle/id6464591535?uo=4

       

      🤩 Hack Features

      - Damage Multiplier
      - Defence Multiplier
      - God Mode
      - Unlimited Coins -> Earn some.
      -- Full Game Unlocked
        • Agree
        • Like
      • 0 replies
    • Tiki Solitaire TriPeaks +1 Mod [ Unlimited Coins ]
      Mod APK Game Name: Tiki Solitaire TriPeaks By Scopely
      Rooted Device: Not Required.
      Google Play Store Link: 

       

      🤩 Hack Features

      - Unlimited Coins -> Earn some.
      • 1 reply
    • Tiki Solitaire TriPeaks +1 Jailed Cheat [ Unlimited Coins ]
      Modded/Hacked App: Tiki Solitaire TriPeaks By Scopely, Inc.
      Bundle ID: com.gsn.ios.tripeaks2
      iTunes Store Link: https://apps.apple.com/us/app/tiki-solitaire-tripeaks/id892521917
       

      Hack Features:
      - Unlimited Coins -> Earn some.


      Jailbreak required hack(s): https://iosgods.com/topic/171287-tiki-solitaire-tripeaks-all-versions-1-cheat-unlimited-coins/
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
        • Informative
        • Agree
        • Thanks
        • Like
      • 26 replies
    • Last Hero: Top-down Shooter +4 Jailed Cheats [ Unlimited Currencies ]
      Modded/Hacked App: Last Hero: Top-down Shooter By ITPINI OU
      Bundle ID: com.pridegames.risenhero
      iTunes Store Link: https://apps.apple.com/us/app/last-hero-top-down-shooter/id6670430912?uo=4

       

      Mod Requirements

      - Non-Jailbroken/Jailed or Jailbroken iPhone or iPad.
      - Sideloadly or alternatives.
      - Computer running Windows/macOS/Linux with iTunes installed.

       

      Hack Features

      - Unlimited Currencies & Resources -> Will increase instead of decrease.
      - God Mode
      - One-Hit Kill
      -- No Ads


      Jailbreak required iOS hacks: [Mod Menu Hack] Last Hero: Top-down Shooter v2.0 +4 Cheats [ Unlimited Currencies ] - Free Jailbroken Cydia Cheats - iOSGods
      Modded Android APKs: https://iosgods.com/forum/68-android-section/
        • Agree
        • Haha
        • Thanks
        • Winner
        • Like
      • 10 replies
    • Goodwill Tiles: Match & Rescue +1 Jailed Cheat [ Debug Menu ]
      Modded/Hacked App: Goodwill Tiles: Match & Rescue By libra teknoloji anonim sirketi
      Bundle ID: com.librasoftworks.tilematch
      iTunes Store Link: https://apps.apple.com/us/app/goodwill-tiles-match-rescue/id6717585856?uo=4

       


      🤩 Hack Features

      - Debug Menu -> Head to Settings and toggle the Contact Us button. Restart the game to close the menu.
        • Like
      • 1 reply
    • Air Life: Aviation Tycoon +1++ Jailed Cheat [ Unlimited Currencies ]
      Modded/Hacked App: Air Life: Aviation Tycoon By Alphaquest Games LTDA
      Bundle ID: com.alphaquest.airlife
      iTunes Store Link: https://apps.apple.com/us/app/air-life-aviation-tycoon/id6502298994?uo=4


      Hack Features:
      - Unlimited Currencies -> Will increase instead of decrease.
      - Free In-App Purchases -> Toggle via iGMenu.


      Jailbreak required hack(s): [Mod Menu Hack] Air Life: Aviation Tycoon v1.2.2 +2++ Cheats [ Unlimited Currencies ] - Free Jailbroken Cydia Cheats - iOSGods
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
        • Informative
        • Agree
        • Winner
        • Like
      • 15 replies
    • Catacomb Crawlers +3 Jailed Cheats [ Damage & Defence ]
      Modded/Hacked App: Catacomb Crawlers By Emeroth Fintech Studio SRL
      Bundle ID: com.Emeroth-Studios.Catacomb-Crawlers
      iTunes Store Link: https://apps.apple.com/us/app/catacomb-crawlers/id6502052776?uo=4


      Hack Features:
      - Damage Multiplier
      - Defence Multiplier


      Jailbreak required hack(s): [Mod Menu Hack] Catacomb Crawlers v1.023 +2 Cheats [ Damage & Defence ] - Free Jailbroken Cydia Cheats - iOSGods
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
        • Informative
        • Agree
        • Thanks
        • Like
      • 15 replies
    • Pet Pal Paw +2++ Jailed Cheats [ Debug Menu ]
      Modded/Hacked App: Pet Pal Paw By Yidian Brighten Network Technology Co., Ltd.
      Bundle ID: com.widgetpet.triplematch3d
      iTunes Store Link: https://apps.apple.com/us/app/pet-pal-paw/id6474220984?uo=4

       


      🚀 Hack Features

      - Debug Menu -> Tap on Settings.


      🍏 Jailbreak iOS hacks: [Mod Menu Hack] Pet Pal Paw v4.2 +2++ Cheats [ Debug Menu ] - Free Jailbroken Cydia Cheats - iOSGods
      🤖 Modded Android APKs: https://iosgods.com/forum/68-android-section/
        • Agree
        • Like
      • 4 replies
    • Magical Girl Dungeon +3 Jailed Cheats [ Damage ]
      Modded/Hacked App: Magical Girl Dungeon By Kenjirou Uesaka
      Bundle ID: com.KCG.MahoDungeon
      iTunes Store Link: https://apps.apple.com/us/app/magical-girl-dungeon/id6741759536?uo=4

       


      🤩 Hack Features

      - God Mode
      - Damage Multiplier
      -- No Ads
        • Informative
        • Winner
        • Like
      • 2 replies
    • Hungry Hearts Restaurant +2 Jailed Cheats [ Unlimited Currencies ]
      Modded/Hacked App: Hungry Hearts Restaurant By GAGEX Co.,Ltd.
      Bundle ID: jp.co.gagex.rigel
      iTunes Store Link: https://apps.apple.com/us/app/hungry-hearts-restaurant/id6504782640?uo=4

       
       

      🤩 Hack Features

      - Unlimited Coins -> Spend some.
      - Unlimited Hearts -> Will not decrease.


      🍏 Jailbreak iOS hacks: [Mod Menu Hack] Hungry Hearts Restaurant v1.0.7 +2 Cheats [ Unlimited Currencies ] - Free Jailbreak Cheats - iOSGods
      🤖 Modded Android APKs: https://iosgods.com/forum/68-android-section/
        • Informative
        • Like
      • 9 replies
    • Gordian Quest +6 Jailed Cheats [ Full Game Unlocked ]
      Modded/Hacked App: Gordian Quest By AETHER SKY OU
      Bundle ID: com.aethersky.com.gordianquest
      iTunes Store Link: https://apps.apple.com/us/app/gordian-quest/id6736658756?uo=4

       


      🤩 Hack Features

      - Add Currencies -> Pause the game and tap on Options.*
      - Add XP -> Pause the game and tap on Options.*
      - Add Skill Points -> Pause the game and tap on Options.*
      - Add Respec Points -> Pause the game and tap on Options.*
      - Auto Win -> Pause the game and tap on Options.*
      -- Full Game Unlocked

      * - Only 1 feature can be enabled at once.
        • Informative
        • Agree
        • Haha
        • Winner
        • Like
      • 15 replies
    • Secret Puzzle Society +4 Jailed Cheats [ Unlimited Currencies ]
      Modded/Hacked App: Secret Puzzle Society By Wildlife Studios, Inc
      Bundle ID: com.arizonags.puzzlesocietyalpha
      iTunes Store Link: https://apps.apple.com/us/app/secret-puzzle-society/id6449197556?uo=4


      Hack Features:
      - Unlimited Coins -> Earn or spend some.
      - Unlimited Clues -> Earn or spend some.
      - Unlimited Lives -> Earn or spend some.
      - Auto Win -> Use a move.


      Jailbreak required hack(s): [Mod Menu Hack] Secret Puzzle Society v1.6.3 +4 Cheats [ Unlimited Currencies ] - Free Jailbroken Cydia Cheats - iOSGods
      Modded Android APK(s): https://iosgods.com/forum/68-android-section/
      For more fun, check out the Club(s): https://iosgods.com/clubs/
        • Like
      • 18 replies
×
  • Create New...

Important Information

We would like to place cookies on your device to help make this website better. The website cannot give you the best user experience without cookies. You can accept or decline our cookies. You may also adjust your cookie settings. Privacy Policy - Guidelines