Jump to content

18 posts in this topic

Recommended Posts

Posted

Hi everyone,

 

first of all I wish you an happy hacking year !  (y)

I'm very new in reverse engineering / debugging / iOS so excuse me for my newbie's questions. 

 

 

Context:
[everything was tried on iOS 9.3.2 AND iOS 8.2]

I need to understand how an application generates its tokens passed through http headers. So, I disassembled it using Hopper I dumped all .header files and I then logged a lot of informations during runtime by hooking some functions to understand the process of 'how an authenticated http request is generated'. Now I almost know which function exactly generates which token, I need to go ahead and understand the way of a particular token is generated to be able to reproduce it. It seems that using lldb to set breakpoints and then dump the register's value at some step of the runtime could be the best way to achieve my goals, right ? 

The steps I followed in order to use lldb are : 

- decrypt the app using Clutch2 and download it on my desktop
- install debug server and all stuff
- thin the binary
- set the thinned binary as lldb target
- install the decrypted binary.ipa in the iPhone (I tried both with a decrypted version and the normal app store version)
- set breakpoint: fail

 

My problem:

After having followed a lot of tutorials on it, I still don't get it to work.
It's impossible to set breakpoint using a method name like: 

(lldb): b -[ClassName methodCalled:]
// found on this tuts : http://highaltitudehacks.com/2015/05/17/ios-application-security-part-43-fat-binaries-and-lldb-usage-continued/
// does not work for me

lldb says that the breakpoint can't be set, exactly as I've not "targeted" the binary.
Plus, I don't really understand how to set a breakpoint using the memory address. Removing ASLR, finding memory addresses offset are just notions that brainf**ked me!

Could someone help me by sending me a precise routine and more informations about ASLR, memory offset or other useful stuff? 

PS: I read a lot of article on the web and also on this forum and some of them are just impossible to understand for a beginner like me... Please try to be "clear" :) 

Thank you a lot guys ! :)

 

Posted (edited)

attach process?

that and have you set permissions? (chmod 777)

 

Thank you for your answer. I'm note sure about the meaning of your question but I'll try to answer: 

- of course I attach the process on iPhone side when I run debug server and then I do the following commands: 

// iphone side
debugserver *:6666 -a <processNameOrId>


// desktop side
$ lldb
(lldb) platform select remote-ios
(lldb) target create --arch arm /path/to/my/decrypted/bin
(lldb) process connect connect://myIp:port

--> everything is going fine here : debug server starts etc...

 

Could you precise your idea about "permissions" ? 

- debug server has the good permissions

- my local decrypted binaries has read permissions 

 

Any idea ? 

Updated by babbunatale
Posted (edited)

Binary needs read write and execute on all 3. Thats why we use chmod 777 to give it those permissions.

 

Usually if its saying that it cant choose binary i think it must be some problem with attach process but cant say for sure

Thank you for your answer. I'm note sure about the meaning of your question but I'll try to answer:

- of course I attach the process on iPhone side when I run debug server and then I do the following commands:

 

// iphone sidedebugserver *:6666 -a <processNameOrId>// desktop side$ lldb(lldb) platform select remote-ios(lldb) target create --arch arm /path/to/my/decrypted/bin(lldb) process connect connect://myIp:port
--> everything is going fine here : debug server starts etc...

Could you precise your idea about "permissions" ?

- debug server has the good permissions

- my local decrypted binaries has read permissions

Any idea ?

Did you attack the process id of the GAME on your computer?

Use this tutorial https://iosgods.com/topic/5380-working-on-ios-9-how-to-get-lldb-working-on-windows/

Updated by Archangel04
Posted

Usually if its saying that it cant choose binary i think it must be some problem with attach process but cant say for sure

Did you attack the process id of the GAME on your computer?

Use this tutorial https://iosgods.com/topic/5380-working-on-ios-9-how-to-get-lldb-working-on-windows/

 

Ok, I'll give a shot with the rwx permissions as you said above. I'll let your know :)

About the tutorial, I do exactly the same thing and it works. But the problem happens when I try to set a breakpoint.

Posted

Kay. Also when you start it, the game is running right?

Ok, I'll give a shot with the rwx permissions as you said above. I'll let your know :)

About the tutorial, I do exactly the same thing and it works. But the problem happens when I try to set a breakpoint.

Posted (edited)

Have you done this

 

Step 4: Open PuTTY or iFunBox and type in this command:

debugserver 127.0.0.1:23 --attach=PID or BINARYNAME
PID is the Process ID of the app and Binary Name is the Binary Name of the app. You can get PID & Binary Name from iGameGuardian or Binary Name from iFile/Filza.

 

Sorry tag error the step 4 in the other one. IF the app has attached (i know that debug server did, but im asking regarding app not the server itself)

Updated by Archangel04
Posted (edited)

Have you done this

 

Step 4: Open PuTTY or iFunBox and type in this command:

debugserver 127.0.0.1:23 --attach=PID or BINARYNAME
PID is the Process ID of the app and Binary Name is the Binary Name of the app. You can get PID & Binary Name from iGameGuardian or Binary Name from iFile/Filza.

 

Sorry tag error the step 4 in the other one. IF the app has attached (i know that debug server did, but im asking regarding app not the server itself)

 

 

 

OK so, here are the steps I followed : 

 

 

 

Desktop side

 

//1: thin the decypted with Clutch2 binary and set permissions :

 

MacBook-Pro:Desktop $ lipo -thin armv7 -output snapchat-armv7 Snapchat
MacBook-Pro:Desktop $ chmod 777 snapchat-armv7 && ls -l snapchat-armv7
-rwxrwxrwx  1 kevinpiacentini  staff  49819344  3 jan 19:03 snapchat-armv7

 

 

 

// 2: start lldb

(lldb) process connect connect://192.168.0.28:23
Process 564 stopped
* thread #1: tid = 0x0c9e, 0x38034474 libsystem_kernel.dylib`mach_msg_trap + 20, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x38034474 libsystem_kernel.dylib`mach_msg_trap + 20
libsystem_kernel.dylib`mach_msg_trap:
->  0x38034474 <+20>: pop    {r4, r5, r6, r8}
    0x38034478 <+24>: bx     lr

libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x3803447c <+0>:  mov    r12, sp
    0x38034480 <+4>:  push   {r4, r5, r6, r8}
(lldb) platform select remote-ios
  Platform: remote-ios
 Connected: no
  SDK Path: "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/10.1.1 (14B100)"
 SDK Roots: [ 0] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/10.1.1 (14B100)"
 SDK Roots: [ 1] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/8.2 (12D508)"
 SDK Roots: [ 2] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.1 (13B143)"
 SDK Roots: [ 3] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.1 (13E238)"
 SDK Roots: [ 4] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.2 (13F69)"
 SDK Roots: [ 5] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.5 (13G36)"



(lldb) target create --arch arm ~/Desktop/snapchat-armv7
Current executable set to '~/Desktop/snapchat-armv7' (armv7).

(lldb) b -[LoginV2ViewController viewDidLoad]
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.

 

iPhone Side

 

iPhone:~ root# 
./debugserver *:23 --attach=Snapchat
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-320.2.89
 for armv7.
Attaching to process Snapchat...
Listening to port 23 for a connection from *...
Waiting for debugger instructions for process 0.

Here you can see all my steps... Maybe I misunderstood something ?

Updated by babbunatale
Posted

(lldb) platform select remote-ios
  Platform: remote-ios
 Connected: no
  SDK Path: "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/10.1.1 (14B100)"

 

"Connected: No" ??

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Our picks

    • Merge Cat Cafe: Decorate v1.1.50 [ +11 Cheats ] Currency Max
      Modded/Hacked App: Merge Cat Cafe: Decorate By StandEgg Co., Ltd
      Bundle ID: com.standegg.mergecatcafe2
      App Store Link: https://apps.apple.com/us/app/merge-cat-cafe-decorate/id6670415194?uo=4

      🤩 Hack Features

      - Gems Freeze
      - Coins Freeze
      - Booster Freeze
      - Box Items Freeze
      - Energy 0 Play Unlimited
      :::: VIP ::::
      - ADS NO
      - Unlimited Gems
      - Unlimited Coins
      - Unlimited Energy
      - Unlimited Booster
      - Unlimited Box Items
      • 0 replies
    • Merge Cat Cafe: Decorate v1.1.50 [ +11 Jailed ] Currency Max
      Modded/Hacked App: Merge Cat Cafe: Decorate By StandEgg Co., Ltd
      Bundle ID: com.standegg.mergecatcafe2
      App Store Link: https://apps.apple.com/us/app/merge-cat-cafe-decorate/id6670415194?uo=4

      🤩 Hack Features

      - Gems Freeze
      - Coins Freeze
      - Booster Freeze
      - Box Items Freeze
      - Energy 0 Play Unlimited
      :::: VIP ::::
      - ADS NO
      - Unlimited Gems
      - Unlimited Coins
      - Unlimited Energy
      - Unlimited Booster
      - Unlimited Box Items
      • 0 replies
    • Crossword Master - Word Puzzle v2.1.0 [ +3 Cheats  ] Currency Max
      Modded/Hacked App: Crossword Master - Word Puzzle By Easybrain Ltd
      Bundle ID: com.easybrain.crossword.puzzles
      App Store Link: https://apps.apple.com/us/app/crossword-master-word-puzzle/id6547858927?uo=4

      🤩 Hack Features

      - Auto ADS No
      - Unlimited Coins
      - Unlimited Booster
      • 0 replies
    • Crossword Master - Word Puzzle v2.1.0 [ +3 Jailed ] Currency Max
      Modded/Hacked App: Crossword Master - Word Puzzle By Easybrain Ltd
      Bundle ID: com.easybrain.crossword.puzzles
      App Store Link: https://apps.apple.com/us/app/crossword-master-word-puzzle/id6547858927?uo=4

      🤩 Hack Features

      - Auto ADS No
      - Unlimited Coins
      - Unlimited Booster
      • 0 replies
    • ZakuzakuSlash +5 Jailed Cheats [ Damage & Defence ]
      Modded/Hacked App: ZakuzakuSlash By nekosuko
      Bundle ID: jp.nekosuko.zakuzakuslash
      App Store Link: https://apps.apple.com/us/app/zakuzakuslash/id6749934570?uo=4

       


      🤩 Hack Features

      - Damage Multiplier
      - Defence Multiplier
      - God Mode
      - XP Multiplier
      - Unlimited Gold -> Will increase instead of decrease.
      • 2 replies
    • Piggy Land 3D v1.2.2 [ +4 Jailed ] Currency Max
      Modded/Hacked App: Piggy Land 3D By PIXON PTE. LTD.
      Bundle ID: farm.piggy.animal.jam.away
      App Store Link: https://apps.apple.com/us/app/piggy-land-3d/id6762121301?uo=4

      🤩 Hack Features

      - Auto ADS No
      - Unlimited Coin
      - Unlimited Booster
      - Custom Level
      • 1 reply
    • Piggy Land 3D v1.2.2 [ +4 Cheats ] Currency Max
      Modded/Hacked App: Piggy Land 3D By PIXON PTE. LTD.
      Bundle ID: farm.piggy.animal.jam.away
      App Store Link: https://apps.apple.com/us/app/piggy-land-3d/id6762121301?uo=4

      🤩 Hack Features

      - Auto ADS No
      - Unlimited Coin
      - Unlimited Booster
      - Custom Level
      • 0 replies
    • Dwarfs Diggers: Idle Master v0.7.4 [ +4 Jailed ] Currency Freeze
      Modded/Hacked App: Dwarfs Diggers: Idle Master By BLACK BOX DIGITAL LLP
      Bundle ID: com.bbdigital.idle.dwarfs.master
      App Store Link: https://apps.apple.com/us/app/dwarfs-diggers-idle-master/id6769121279?uo=4

      🤩 Hack Features

      - Currency Freeze
      - Resources Freeze
      - Energy Freeze
      - Troop Drop Unlimited
      • 3 replies
    • Dwarfs Diggers: Idle Master v0.7.4 [ +4 Cheats ] Currency Freeze
      Modded/Hacked App: Dwarfs Diggers: Idle Master By BLACK BOX DIGITAL LLP
      Bundle ID: com.bbdigital.idle.dwarfs.master
      App Store Link: https://apps.apple.com/us/app/dwarfs-diggers-idle-master/id6769121279?uo=4

      🤩 Hack Features

      - Currency Freeze
      - Resources Freeze
      - Energy Freeze
      - Troop Drop Unlimited
      • 1 reply
    • Metal Slug Rush v1.0.0 [ +9 APK MOD ] Currency Max
      Mod APK Game Name: Metal Slug Rush
      Rooted Device: Not Required.
      Google Play Store Link: https://play.google.com/store/apps/details?id=com.ringgames.msm

      🤩 Hack Features

      - Unlimited Gold
      - Unlimited Gems
      - Unlimited Energy
      - Unlimited Silver keys
      - Unlimited Golden Keys
      - Unlimited Special Keys
      - Unlimited Blueprint
      - Unlimited Token
      - Unlimited Ticket +3
      • 1 reply
    • Metal Slug Rush v1.0.0 [ +9 Cheats ] Currency Max
      Modded/Hacked App: Metal Slug Rush By REVIVECONTENTS CO.,LTD.
      Bundle ID: com.ringgames.msm
      App Store Link: https://apps.apple.com/us/app/metal-slug-rush/id6775727338?uo=4

      🤩 Hack Features

      - Unlimited Gold
      - Unlimited Gems
      - Unlimited Energy
      - Unlimited Silver keys
      - Unlimited Golden Keys
      - Unlimited Special Keys
      - Unlimited Blueprint
      - Unlimited Token
      - Unlimited Ticket +3
      • 3 replies
    • Metal Slug Rush v1.0.0 [ +9 jailed ] Currency Max
      Modded/Hacked App: Metal Slug Rush By REVIVECONTENTS CO.,LTD.
      Bundle ID: com.ringgames.msm
      App Store Link: https://apps.apple.com/us/app/metal-slug-rush/id6775727338?uo=4

      🤩 Hack Features

      - Unlimited Gold
      - Unlimited Gems
      - Unlimited Energy
      - Unlimited Silver keys
      - Unlimited Golden Keys
      - Unlimited Special Keys
      - Unlimited Blueprint
      - Unlimited Token
      - Unlimited Ticket +3
      • 3 replies
×
  • Create New...

Important Information

We would like to place cookies on your device to help make this website better. The website cannot give you the best user experience without cookies. You can accept or decline our cookies. You may also adjust your cookie settings. Privacy Policy - Guidelines