Help/Support debugserver game crash after $c or $n

[syto203 211 12.1.2]

i've been trying to follow the tutorial available here

https://iosgods.com/topic/75950-arm64-ida-lldb-tutorial-noob-friendly/

and getting the debugserver from here

https://kov4l3nko.github.io/blog/2016-04-27-debugging-ios-binaries-with-lldb/#preparing-the-sandbox

also tried with apple-debugserver found in /usr/bin/

since native LLDB support was discontinued to the best of my knowledge.

attach debugserver to the process

$ debugserver *:1234 -a PID

i get the waiting for debugger notice and the process freezes on my iphone.

on Mac Terminal i enter
 

$ lldb

(lldb) platform select remote-ios

(lldb) process connect connect://ipaddress:1234

now following the tutorial refrenced above i get the ASLR value via

(lldb) image list

as for the watchpoints / breakpoints i got the addresses from DLG injector

tried first with watchpoint

(lldb) w s e -- 0x001234ED

and received

Watchpoint created: Watchpoint 1: addr = 0x10a440e10 size = 8 state = enabled type = w
    new value: 4290672328769

when i enter

(lldb) c

or

(lldb)  n

to try to get a new value from the game, the game remains frozen and doesnt allow me to do anything.

same thing with breakpoint

(lldb) br s -a 0x1234ED

Device: iPhone X

OS: 12.1.2

Jailbreak: Unc0ver 3.0.1

[syto203 211 12.1.2]

the terminal log for $ c

(lldb) c
Process 776 resuming
Process 776 stopped
* thread #1, queue = 'com.apple.UIKit.pasteboardNotificationStateQueue', stop reason = EXC_BAD_ACCESS (code=50, address=0x101c8d5a0)
    frame #0: 0x0000000101c8d5a0 cy-UhTW4c.dylib`dlsym_internal
cy-UhTW4c.dylib`dlsym_internal:
->  0x101c8d5a0 <+0>:  stp    x24, x23, [sp, #-0x40]!
    0x101c8d5a4 <+4>:  stp    x22, x21, [sp, #0x10]
    0x101c8d5a8 <+8>:  stp    x20, x19, [sp, #0x20]
    0x101c8d5ac <+12>: stp    x29, x30, [sp, #0x30]
Target 0: (Bloody Harry) stopped.

 

[K_K 167.1k iPhone 13 Pro Max 15.1]

Doesn’t work on iOS 12.1.2 yet 

[MeSailesh7 857 iPhone 14 Pro 16.1]

Is that IDA breakpoint?

[syto203 211 12.1.2]

2 hours ago, K_K said:

Doesn’t work on iOS 12.1.2 yet 

the error i posted above meant that the process didn't have the right permissions

so i enabled "task for pid" device wide and tried again

this time watchpoints worked and resuming worked

here is the terminal output from setting the "watchpoints" to the "register read"

(lldb) w s e -- 0x1095ACE10
Watchpoint created: Watchpoint 1: addr = 0x1095ace10 size = 8 state = enabled type = w
    new value: 4290672328772
(lldb) w s e -- 0x10C7A0EF0
Watchpoint created: Watchpoint 2: addr = 0x10c7a0ef0 size = 8 state = enabled type = w
    new value: 300647710788
(lldb) w s e -- 0x2809AE750
Watchpoint created: Watchpoint 3: addr = 0x2809ae750 size = 8 state = enabled type = w
    new value: 68
(lldb) w s e -- 0x2809B11F0
Watchpoint created: Watchpoint 4: addr = 0x2809b11f0 size = 8 state = enabled type = w
    new value: 68
(lldb) c
Process 1195 resuming

Watchpoint 1 hit:
old value: 4290672328772
new value: 4290672328771
Process 1195 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 1
    frame #0: 0x0000000103071eec BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry + 200
BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry:
->  0x103071eec <+200>: ldr    x1, [x9, #0x180]
    0x103071ef0 <+204>: ldr    x8, [x1, #0x10]
    0x103071ef4 <+208>: ldr    x8, [x8, #0x50]
    0x103071ef8 <+212>: blr    x8
Target 0: (BloodyHarry) stopped.
(lldb) register 
Available completions:
	read
	write
(lldb) register read 
General Purpose Registers:
        x0 = 0x00000001095acdd0
        x1 = 0x000000010d080560
        x2 = 0x000000010d080560
        x3 = 0x000000010cb24790
        x4 = 0x0000000109520eb0
        x5 = 0x000000010cf685b0
        x6 = 0x000000016d6b8930
        x7 = 0x0000000102cda484  BloodyHarry`___lldb_unnamed_symbol31876$$BloodyHarry + 48
        x8 = 0x0000000000000043
        x9 = 0x000000010ca57c28
       x10 = 0x0000000000002fa0
       x11 = 0x0000000000000003
       x12 = 0x0000000000000018
       x13 = 0x0000000000000000
       x14 = 0x7feffffffffffffe
       x15 = 0x00000001095291d0
       x16 = 0x000000019ca17270  libsystem_pthread.dylib`pthread_getspecific
       x17 = 0x0000000000000001
       x18 = 0x0000000000000000
       x19 = 0x00000001095acdd0
       x20 = 0x00000000ffffffff
       x21 = 0x00000001095750c0
       x22 = 0x000000010d080560
       x23 = 0x000000010cb24790
       x24 = 0x0000000109035000
       x25 = 0x00000001095acdd0
       x26 = 0x0000000115560560
       x27 = 0x000000010cebc1c0
       x28 = 0x0000000000002b80
        fp = 0x000000016d6b8bc0
        lr = 0x0000000103071ed4  BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry + 176
        sp = 0x000000016d6b8b70
        pc = 0x0000000103071eec  BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry + 200
      cpsr = 0x60000000

(lldb) c
Process 1195 resuming

Watchpoint 2 hit:
old value: 300647710788
new value: 300647710788
Process 1195 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 2
    frame #0: 0x0000000103168c28 BloodyHarry`___lldb_unnamed_symbol51036$$BloodyHarry + 124
BloodyHarry`___lldb_unnamed_symbol51036$$BloodyHarry:
->  0x103168c28 <+124>: str    w24, [x19, #0x120]
    0x103168c2c <+128>: ldr    x8, [x20, #0x18]
    0x103168c30 <+132>: ldr    x8, [x8, #0x10]
    0x103168c34 <+136>: ldr    x0, [x8, #0x30]
Target 0: (BloodyHarry) stopped.
(lldb) register read
General Purpose Registers:
        x0 = 0x000000010c7a0dd0
        x1 = 0x0000000000000043
        x2 = 0x0000000000000046
        x3 = 0x00000001097c40b0
        x4 = 0x0000000000000000
        x5 = 0x0000000000000000
        x6 = 0x0000000000000030
        x7 = 0x0000000102cda484  BloodyHarry`___lldb_unnamed_symbol31876$$BloodyHarry + 48
        x8 = 0x0000000000000000
        x9 = 0x000000016d6b8b88
       x10 = 0x0000000000002fa0
       x11 = 0x0000000000000003
       x12 = 0x0000000000000030
       x13 = 0x0000000000000030
       x14 = 0x0000000000000000
       x15 = 0x0000000000000031
       x16 = 0x000000019ca17270  libsystem_pthread.dylib`pthread_getspecific
       x17 = 0x0000000000000000
       x18 = 0x0000000000000000
       x19 = 0x000000010c7a0dd0
       x20 = 0x00000001097c40b0
       x21 = 0x00000001095750c0
       x22 = 0x0000000000000043
       x23 = 0x0000000000000046
       x24 = 0x0000000000000043
       x25 = 0x0000000109035000
       x26 = 0x0000000109542918
       x27 = 0x000000010930bfe0
       x28 = 0x0000000000000000
        fp = 0x000000016d6b8c30
        lr = 0x0000000103125844  BloodyHarry`___lldb_unnamed_symbol50564$$BloodyHarry + 1200
        sp = 0x000000016d6b8bc0
        pc = 0x0000000103168c28  BloodyHarry`___lldb_unnamed_symbol51036$$BloodyHarry + 124
      cpsr = 0x20000000

(lldb) c
Process 1195 resuming

Watchpoint 2 hit:
old value: 300647710788
new value: 300647710787
Process 1195 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 2
    frame #0: 0x0000000103168c2c BloodyHarry`___lldb_unnamed_symbol51036$$BloodyHarry + 128
BloodyHarry`___lldb_unnamed_symbol51036$$BloodyHarry:
->  0x103168c2c <+128>: ldr    x8, [x20, #0x18]
    0x103168c30 <+132>: ldr    x8, [x8, #0x10]
    0x103168c34 <+136>: ldr    x0, [x8, #0x30]
    0x103168c38 <+140>: ldr    x8, [x0, #0xa0]!
Target 0: (BloodyHarry) stopped.
(lldb) register read
General Purpose Registers:
        x0 = 0x000000010c7a0dd0
        x1 = 0x0000000000000043
        x2 = 0x0000000000000046
        x3 = 0x00000001097c40b0
        x4 = 0x0000000000000000
        x5 = 0x0000000000000000
        x6 = 0x0000000000000030
        x7 = 0x0000000102cda484  BloodyHarry`___lldb_unnamed_symbol31876$$BloodyHarry + 48
        x8 = 0x0000000000000000
        x9 = 0x000000016d6b8b88
       x10 = 0x0000000000002fa0
       x11 = 0x0000000000000003
       x12 = 0x0000000000000030
       x13 = 0x0000000000000030
       x14 = 0x0000000000000000
       x15 = 0x0000000000000031
       x16 = 0x000000019ca17270  libsystem_pthread.dylib`pthread_getspecific
       x17 = 0x0000000000000000
       x18 = 0x0000000000000000
       x19 = 0x000000010c7a0dd0
       x20 = 0x00000001097c40b0
       x21 = 0x00000001095750c0
       x22 = 0x0000000000000043
       x23 = 0x0000000000000046
       x24 = 0x0000000000000043
       x25 = 0x0000000109035000
       x26 = 0x0000000109542918
       x27 = 0x000000010930bfe0
       x28 = 0x0000000000000000
        fp = 0x000000016d6b8c30
        lr = 0x0000000103125844  BloodyHarry`___lldb_unnamed_symbol50564$$BloodyHarry + 1200
        sp = 0x000000016d6b8bc0
        pc = 0x0000000103168c2c  BloodyHarry`___lldb_unnamed_symbol51036$$BloodyHarry + 128
      cpsr = 0x20000000

(lldb) c
Process 1195 resuming

Watchpoint 1 hit:
old value: 4290672328771
new value: 4290672328770
Process 1195 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 1
    frame #0: 0x0000000103071eec BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry + 200
BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry:
->  0x103071eec <+200>: ldr    x1, [x9, #0x180]
    0x103071ef0 <+204>: ldr    x8, [x1, #0x10]
    0x103071ef4 <+208>: ldr    x8, [x8, #0x50]
    0x103071ef8 <+212>: blr    x8
Target 0: (BloodyHarry) stopped.
(lldb) register read
General Purpose Registers:
        x0 = 0x00000001095acdd0
        x1 = 0x000000010d080560
        x2 = 0x000000010d080560
        x3 = 0x000000010cb24790
        x4 = 0x0000000109520eb0
        x5 = 0x000000010cf685b0
        x6 = 0x000000016d6b8930
        x7 = 0x0000000102cda484  BloodyHarry`___lldb_unnamed_symbol31876$$BloodyHarry + 48
        x8 = 0x0000000000000042
        x9 = 0x000000010ca57c28
       x10 = 0x0000000000002fa0
       x11 = 0x0000000000000003
       x12 = 0x00000000016e3600
       x13 = 0x000000000001e8ec
       x14 = 0x7feffffffffffffe
       x15 = 0x00000001095291d0
       x16 = 0x000000019ca17270  libsystem_pthread.dylib`pthread_getspecific
       x17 = 0x00000001167256c8
       x18 = 0x0000000000000000
       x19 = 0x00000001095acdd0
       x20 = 0x00000000ffffffff
       x21 = 0x00000001095750c0
       x22 = 0x000000010d080560
       x23 = 0x000000010cb24790
       x24 = 0x0000000109035000
       x25 = 0x00000001095acdd0
       x26 = 0x0000000115560560
       x27 = 0x000000010cebc1c0
       x28 = 0x0000000000002b80
        fp = 0x000000016d6b8bc0
        lr = 0x0000000103071ed4  BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry + 176
        sp = 0x000000016d6b8b70
        pc = 0x0000000103071eec  BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry + 200
      cpsr = 0x60000000

 

 

now however, the offsets i found after removing the ASLR value i cant find them in IDA.

i'm running IDA Pro 7 x64. without any custom settings.

i started IDA, chose new, chose the dycrypted binary and loaded as a Mach-O file with ARM as a processor

it then said it detected Obj-C structures and wishes to parse and rename them, i chose yes.

 

[K_K 167.1k iPhone 13 Pro Max 15.1]

Show me what the aslr slide is I’ll tell you the address.

103071eec

[syto203 211 12.1.2]

5 minutes ago, MeSailesh7 said:

Is that IDA breakpoint?

no. watchpoint

1 minute ago, K_K said:

Show me what the aslr slide is I’ll tell you the address.

103071eec

the aslr slide is 44000

[K_K 167.1k iPhone 13 Pro Max 15.1]

What is the name of the binary ?

type i li binaryname 

then show me the address 

[syto203 211 12.1.2]

19 minutes ago, K_K said:

What is the name of the binary ?

type i li binaryname 

then show me the address 

ran it again

offset: 
Watchpoint 1 hit:
old value: 4290672328768
new value: 4290672328767
Process 1539 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 1
    frame #0: 0x0000000103859eec Bloody Harry`___lldb_unnamed_symbol48543$$Bloody Harry + 200
Bloody Harry`___lldb_unnamed_symbol48543$$Bloody Harry:
->  0x103859eec <+200>: ldr    x1, [x9, #0x180]
    0x103859ef0 <+204>: ldr    x8, [x1, #0x10]
    0x103859ef4 <+208>: ldr    x8, [x8, #0x50]
    0x103859ef8 <+212>: blr    x8
Target 0: (Bloody Harry) stopped.

(lldb) image list 'Bloody Harry'
[  0] A0825C08-EAE4-3748-ADB5-042D675A380A 0x0000000102f2c000 /var/containers/Bundle/Application/4003E224-E24E-4FEE-92EB-34BC95E77BC3/Bloody Harry.app/Bloody Harry (0x0000000102f2c000)

 

[syto203 211 12.1.2]

!solved

the problem was with a wrong ASLR value. according to the guide it seemed like it was the 5th bit from the right as in

0x0000000102f2c000 i thought it was "2c000" which is wrong. The correct value is "2f2c000" or it's the value after the first "1" bit from the left.

ex:

0x000000010102D456 the ASLR would be "102D456".

thanks @K_K for helping out.

 

btw, debugserver works fine on iOS 12.1.2 w/ Unc0ver JB didn't try chimera.

on Unc0ver you need to enable "allow task" from it's options before jailbreaking

on chimera if i remember correctly uses jailbreakd to grant "task for pid" to processes

so sth like ".path/to/jailbreakd binary-name" might work.