Help/Support App crashes with Thinned+ASLR Removed binary

KillerAE · December 11, 2017

2 minutes ago, TheArmKing said:

if you are on ios 9 do try the previous link i mentioned

I will try it

KillerAE · December 11, 2017

1 hour ago, TheArmKing said:

if you are on ios 9 do try the previous link i mentioned

doesn't work.....I have removed the jailbreak then rejailbroken and still the same issue....

Rook · December 11, 2017

If you're removing ASLR on a ARMv7 binary, it should work. ARM64 it will just crash.

If it still crashes after signing, then you will just have to bypass it manually as ARMKing linked above.

KillerAE · December 11, 2017

40 minutes ago, DiDA said:

If you're removing ASLR on a ARMv7 binary, it should work. ARM64 it will just crash.

If it still crashes after signing, then you will just have to bypass it manually as ARMKing linked above.

I am not sure which method to use because I am using the IDA 7.0 IOS debugger and I don't know if it is related to GDB or LLDB

Rook · December 11, 2017

1 minute ago, steelabood said:

I am not sure which method to use because I am using the IDA 7.0 IOS debugger and I don't know if it is related to GDB or LLDB

I think you should use LLDB first since there are more tutorials on that than the new IDA debugger.

TheArmKing · December 11, 2017

1 hour ago, DiDA said:

ARMKing

emphAsis on ARM i lik it

41 minutes ago, steelabood said:

I am not sure which method to use because I am using the IDA 7.0 IOS debugger and I don't know if it is related to GDB or LLDB

its not related , but it needs ASLR removed , so just use lldb isntead

like both need the aslr gone , but lldb is less painful than IDA

Archangel04 · December 12, 2017

Also, try this (if ARMv7. If it's 64 then don't bother, you should use image list to defeat ASLR)

1) Open the binary in a hex editor.

2) Go to 1A. The code should be "20" or "21" or so. Change the 2 to 0.

3) sign with ldid. Set perm as 755/777. Put binary in app

4) ???

5) Profit.

KillerAE · December 12, 2017

12 hours ago, Archangel04 said:

Also, try this (if ARMv7. If it's 64 then don't bother, you should use image list to defeat ASLR)

1) Open the binary in a hex editor.

2) Go to 1A. The code should be "20" or "21" or so. Change the 2 to 0.

3) sign with ldid. Set perm as 755/777. Put binary in app

4) ???

5) Profit.

should I do it with the binary that is "thinned and aslr removed" or just "thinned"?

Nevermind I just saw that it just needs to be thinned

Updated December 12, 2017 by steelabood

KillerAE · December 12, 2017

12 hours ago, Archangel04 said:

Also, try this (if ARMv7. If it's 64 then don't bother, you should use image list to defeat ASLR)

1) Open the binary in a hex editor.

2) Go to 1A. The code should be "20" or "21" or so. Change the 2 to 0.

3) sign with ldid. Set perm as 755/777. Put binary in app

4) ???

5) Profit.

Unfortunately doesn't work....

Archangel04 · December 12, 2017

1 hour ago, steelabood said:

Unfortunately doesn't work....

Only other way is to use gdb and use the command "info address _mh_execute_header" then subtract 0x4000 from it. Thats your ASLR and you need to add/subtract that depending on usage. For ex, if you get offset from IDA, you add. If offset from gdb, then subtract