Help/Support debugserver game crash after $c or $n

syto203 · May 22, 2019

i've been trying to follow the tutorial available here

https://iosgods.com/topic/75950-arm64-ida-lldb-tutorial-noob-friendly/

and getting the debugserver from here

https://kov4l3nko.github.io/blog/2016-04-27-debugging-ios-binaries-with-lldb/#preparing-the-sandbox

also tried with apple-debugserver found in /usr/bin/

since native LLDB support was discontinued to the best of my knowledge.

attach debugserver to the process

$ debugserver *:1234 -a PID

i get the waiting for debugger notice and the process freezes on my iphone.

on Mac Terminal i enter

$ lldb

(lldb) platform select remote-ios

(lldb) process connect connect://ipaddress:1234

now following the tutorial refrenced above i get the ASLR value via

(lldb) image list

as for the watchpoints / breakpoints i got the addresses from DLG injector

tried first with watchpoint

(lldb) w s e -- 0x001234ED

and received

Watchpoint created: Watchpoint 1: addr = 0x10a440e10 size = 8 state = enabled type = w
    new value: 4290672328769

when i enter

(lldb) c

or

(lldb)  n

to try to get a new value from the game, the game remains frozen and doesnt allow me to do anything.

same thing with breakpoint

(lldb) br s -a 0x1234ED

Device: iPhone X

OS: 12.1.2

Jailbreak: Unc0ver 3.0.1

syto203 · May 22, 2019

the terminal log for $ c

(lldb) c
Process 776 resuming
Process 776 stopped
* thread #1, queue = 'com.apple.UIKit.pasteboardNotificationStateQueue', stop reason = EXC_BAD_ACCESS (code=50, address=0x101c8d5a0)
    frame #0: 0x0000000101c8d5a0 cy-UhTW4c.dylib`dlsym_internal
cy-UhTW4c.dylib`dlsym_internal:
->  0x101c8d5a0 <+0>:  stp    x24, x23, [sp, #-0x40]!
    0x101c8d5a4 <+4>:  stp    x22, x21, [sp, #0x10]
    0x101c8d5a8 <+8>:  stp    x20, x19, [sp, #0x20]
    0x101c8d5ac <+12>: stp    x29, x30, [sp, #0x30]
Target 0: (Bloody Harry) stopped.

K_K · May 23, 2019

Doesn’t work on iOS 12.1.2 yet

Updated May 23, 2019 by K_K

MeSailesh7 · May 23, 2019

Is that IDA breakpoint?

Updated May 23, 2019 by MeSailesh7

syto203 · May 23, 2019

2 hours ago, K_K said:

Doesn’t work on iOS 12.1.2 yet

the error i posted above meant that the process didn't have the right permissions

so i enabled "task for pid" device wide and tried again

this time watchpoints worked and resuming worked

here is the terminal output from setting the "watchpoints" to the "register read"

(lldb) w s e -- 0x1095ACE10
Watchpoint created: Watchpoint 1: addr = 0x1095ace10 size = 8 state = enabled type = w
    new value: 4290672328772
(lldb) w s e -- 0x10C7A0EF0
Watchpoint created: Watchpoint 2: addr = 0x10c7a0ef0 size = 8 state = enabled type = w
    new value: 300647710788
(lldb) w s e -- 0x2809AE750
Watchpoint created: Watchpoint 3: addr = 0x2809ae750 size = 8 state = enabled type = w
    new value: 68
(lldb) w s e -- 0x2809B11F0
Watchpoint created: Watchpoint 4: addr = 0x2809b11f0 size = 8 state = enabled type = w
    new value: 68
(lldb) c
Process 1195 resuming

Watchpoint 1 hit:
old value: 4290672328772
new value: 4290672328771
Process 1195 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 1
    frame #0: 0x0000000103071eec BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry + 200
BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry:
->  0x103071eec <+200>: ldr    x1, [x9, #0x180]
    0x103071ef0 <+204>: ldr    x8, [x1, #0x10]
    0x103071ef4 <+208>: ldr    x8, [x8, #0x50]
    0x103071ef8 <+212>: blr    x8
Target 0: (BloodyHarry) stopped.
(lldb) register 
Available completions:
	read
	write
(lldb) register read 
General Purpose Registers:
        x0 = 0x00000001095acdd0
        x1 = 0x000000010d080560
        x2 = 0x000000010d080560
        x3 = 0x000000010cb24790
        x4 = 0x0000000109520eb0
        x5 = 0x000000010cf685b0
        x6 = 0x000000016d6b8930
        x7 = 0x0000000102cda484  BloodyHarry`___lldb_unnamed_symbol31876$$BloodyHarry + 48
        x8 = 0x0000000000000043
        x9 = 0x000000010ca57c28
       x10 = 0x0000000000002fa0
       x11 = 0x0000000000000003
       x12 = 0x0000000000000018
       x13 = 0x0000000000000000
       x14 = 0x7feffffffffffffe
       x15 = 0x00000001095291d0
       x16 = 0x000000019ca17270  libsystem_pthread.dylib`pthread_getspecific
       x17 = 0x0000000000000001
       x18 = 0x0000000000000000
       x19 = 0x00000001095acdd0
       x20 = 0x00000000ffffffff
       x21 = 0x00000001095750c0
       x22 = 0x000000010d080560
       x23 = 0x000000010cb24790
       x24 = 0x0000000109035000
       x25 = 0x00000001095acdd0
       x26 = 0x0000000115560560
       x27 = 0x000000010cebc1c0
       x28 = 0x0000000000002b80
        fp = 0x000000016d6b8bc0
        lr = 0x0000000103071ed4  BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry + 176
        sp = 0x000000016d6b8b70
        pc = 0x0000000103071eec  BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry + 200
      cpsr = 0x60000000

(lldb) c
Process 1195 resuming

Watchpoint 2 hit:
old value: 300647710788
new value: 300647710788
Process 1195 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 2
    frame #0: 0x0000000103168c28 BloodyHarry`___lldb_unnamed_symbol51036$$BloodyHarry + 124
BloodyHarry`___lldb_unnamed_symbol51036$$BloodyHarry:
->  0x103168c28 <+124>: str    w24, [x19, #0x120]
    0x103168c2c <+128>: ldr    x8, [x20, #0x18]
    0x103168c30 <+132>: ldr    x8, [x8, #0x10]
    0x103168c34 <+136>: ldr    x0, [x8, #0x30]
Target 0: (BloodyHarry) stopped.
(lldb) register read
General Purpose Registers:
        x0 = 0x000000010c7a0dd0
        x1 = 0x0000000000000043
        x2 = 0x0000000000000046
        x3 = 0x00000001097c40b0
        x4 = 0x0000000000000000
        x5 = 0x0000000000000000
        x6 = 0x0000000000000030
        x7 = 0x0000000102cda484  BloodyHarry`___lldb_unnamed_symbol31876$$BloodyHarry + 48
        x8 = 0x0000000000000000
        x9 = 0x000000016d6b8b88
       x10 = 0x0000000000002fa0
       x11 = 0x0000000000000003
       x12 = 0x0000000000000030
       x13 = 0x0000000000000030
       x14 = 0x0000000000000000
       x15 = 0x0000000000000031
       x16 = 0x000000019ca17270  libsystem_pthread.dylib`pthread_getspecific
       x17 = 0x0000000000000000
       x18 = 0x0000000000000000
       x19 = 0x000000010c7a0dd0
       x20 = 0x00000001097c40b0
       x21 = 0x00000001095750c0
       x22 = 0x0000000000000043
       x23 = 0x0000000000000046
       x24 = 0x0000000000000043
       x25 = 0x0000000109035000
       x26 = 0x0000000109542918
       x27 = 0x000000010930bfe0
       x28 = 0x0000000000000000
        fp = 0x000000016d6b8c30
        lr = 0x0000000103125844  BloodyHarry`___lldb_unnamed_symbol50564$$BloodyHarry + 1200
        sp = 0x000000016d6b8bc0
        pc = 0x0000000103168c28  BloodyHarry`___lldb_unnamed_symbol51036$$BloodyHarry + 124
      cpsr = 0x20000000

(lldb) c
Process 1195 resuming

Watchpoint 2 hit:
old value: 300647710788
new value: 300647710787
Process 1195 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 2
    frame #0: 0x0000000103168c2c BloodyHarry`___lldb_unnamed_symbol51036$$BloodyHarry + 128
BloodyHarry`___lldb_unnamed_symbol51036$$BloodyHarry:
->  0x103168c2c <+128>: ldr    x8, [x20, #0x18]
    0x103168c30 <+132>: ldr    x8, [x8, #0x10]
    0x103168c34 <+136>: ldr    x0, [x8, #0x30]
    0x103168c38 <+140>: ldr    x8, [x0, #0xa0]!
Target 0: (BloodyHarry) stopped.
(lldb) register read
General Purpose Registers:
        x0 = 0x000000010c7a0dd0
        x1 = 0x0000000000000043
        x2 = 0x0000000000000046
        x3 = 0x00000001097c40b0
        x4 = 0x0000000000000000
        x5 = 0x0000000000000000
        x6 = 0x0000000000000030
        x7 = 0x0000000102cda484  BloodyHarry`___lldb_unnamed_symbol31876$$BloodyHarry + 48
        x8 = 0x0000000000000000
        x9 = 0x000000016d6b8b88
       x10 = 0x0000000000002fa0
       x11 = 0x0000000000000003
       x12 = 0x0000000000000030
       x13 = 0x0000000000000030
       x14 = 0x0000000000000000
       x15 = 0x0000000000000031
       x16 = 0x000000019ca17270  libsystem_pthread.dylib`pthread_getspecific
       x17 = 0x0000000000000000
       x18 = 0x0000000000000000
       x19 = 0x000000010c7a0dd0
       x20 = 0x00000001097c40b0
       x21 = 0x00000001095750c0
       x22 = 0x0000000000000043
       x23 = 0x0000000000000046
       x24 = 0x0000000000000043
       x25 = 0x0000000109035000
       x26 = 0x0000000109542918
       x27 = 0x000000010930bfe0
       x28 = 0x0000000000000000
        fp = 0x000000016d6b8c30
        lr = 0x0000000103125844  BloodyHarry`___lldb_unnamed_symbol50564$$BloodyHarry + 1200
        sp = 0x000000016d6b8bc0
        pc = 0x0000000103168c2c  BloodyHarry`___lldb_unnamed_symbol51036$$BloodyHarry + 128
      cpsr = 0x20000000

(lldb) c
Process 1195 resuming

Watchpoint 1 hit:
old value: 4290672328771
new value: 4290672328770
Process 1195 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 1
    frame #0: 0x0000000103071eec BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry + 200
BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry:
->  0x103071eec <+200>: ldr    x1, [x9, #0x180]
    0x103071ef0 <+204>: ldr    x8, [x1, #0x10]
    0x103071ef4 <+208>: ldr    x8, [x8, #0x50]
    0x103071ef8 <+212>: blr    x8
Target 0: (BloodyHarry) stopped.
(lldb) register read
General Purpose Registers:
        x0 = 0x00000001095acdd0
        x1 = 0x000000010d080560
        x2 = 0x000000010d080560
        x3 = 0x000000010cb24790
        x4 = 0x0000000109520eb0
        x5 = 0x000000010cf685b0
        x6 = 0x000000016d6b8930
        x7 = 0x0000000102cda484  BloodyHarry`___lldb_unnamed_symbol31876$$BloodyHarry + 48
        x8 = 0x0000000000000042
        x9 = 0x000000010ca57c28
       x10 = 0x0000000000002fa0
       x11 = 0x0000000000000003
       x12 = 0x00000000016e3600
       x13 = 0x000000000001e8ec
       x14 = 0x7feffffffffffffe
       x15 = 0x00000001095291d0
       x16 = 0x000000019ca17270  libsystem_pthread.dylib`pthread_getspecific
       x17 = 0x00000001167256c8
       x18 = 0x0000000000000000
       x19 = 0x00000001095acdd0
       x20 = 0x00000000ffffffff
       x21 = 0x00000001095750c0
       x22 = 0x000000010d080560
       x23 = 0x000000010cb24790
       x24 = 0x0000000109035000
       x25 = 0x00000001095acdd0
       x26 = 0x0000000115560560
       x27 = 0x000000010cebc1c0
       x28 = 0x0000000000002b80
        fp = 0x000000016d6b8bc0
        lr = 0x0000000103071ed4  BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry + 176
        sp = 0x000000016d6b8b70
        pc = 0x0000000103071eec  BloodyHarry`___lldb_unnamed_symbol48543$$BloodyHarry + 200
      cpsr = 0x60000000

now however, the offsets i found after removing the ASLR value i cant find them in IDA.

i'm running IDA Pro 7 x64. without any custom settings.

i started IDA, chose new, chose the dycrypted binary and loaded as a Mach-O file with ARM as a processor

it then said it detected Obj-C structures and wishes to parse and rename them, i chose yes.

Updated May 23, 2019 by syto203

K_K · May 23, 2019

Show me what the aslr slide is I’ll tell you the address.

103071eec

syto203 · May 23, 2019

5 minutes ago, MeSailesh7 said:

Is that IDA breakpoint?

no. watchpoint

1 minute ago, K_K said:

Show me what the aslr slide is I’ll tell you the address.

103071eec

the aslr slide is 44000

Updated May 23, 2019 by syto203

K_K · May 23, 2019

What is the name of the binary ?

type i li binaryname

then show me the address

syto203 · May 23, 2019

19 minutes ago, K_K said:

What is the name of the binary ?

type i li binaryname

then show me the address

ran it again

offset: 
Watchpoint 1 hit:
old value: 4290672328768
new value: 4290672328767
Process 1539 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = watchpoint 1
    frame #0: 0x0000000103859eec Bloody Harry`___lldb_unnamed_symbol48543$$Bloody Harry + 200
Bloody Harry`___lldb_unnamed_symbol48543$$Bloody Harry:
->  0x103859eec <+200>: ldr    x1, [x9, #0x180]
    0x103859ef0 <+204>: ldr    x8, [x1, #0x10]
    0x103859ef4 <+208>: ldr    x8, [x8, #0x50]
    0x103859ef8 <+212>: blr    x8
Target 0: (Bloody Harry) stopped.

(lldb) image list 'Bloody Harry'
[  0] A0825C08-EAE4-3748-ADB5-042D675A380A 0x0000000102f2c000 /var/containers/Bundle/Application/4003E224-E24E-4FEE-92EB-34BC95E77BC3/Bloody Harry.app/Bloody Harry (0x0000000102f2c000)

syto203 · May 23, 2019

!solved

the problem was with a wrong ASLR value. according to the guide it seemed like it was the 5th bit from the right as in

0x0000000102f2c000 i thought it was "2c000" which is wrong. The correct value is "2f2c000" or it's the value after the first "1" bit from the left.

ex:

0x000000010102D456 the ASLR would be "102D456".

thanks @K_K for helping out.

btw, debugserver works fine on iOS 12.1.2 w/ Unc0ver JB didn't try chimera.

on Unc0ver you need to enable "allow task" from it's options before jailbreaking

on chimera if i remember correctly uses jailbreakd to grant "task for pid" to processes

so sth like ".path/to/jailbreakd binary-name" might work.

Sign In

Help/Support debugserver game crash after $c or $n

16 posts in this topic

Recommended Posts

syto203 204 12.1.2

Link to comment

Share on other sites

syto203 204 12.1.2

Link to comment

Share on other sites

K_K 165.2k iPhone 13 Pro Max 15.1

Link to comment

Share on other sites

MeSailesh7 816 iPhone 14 Pro 16.1

Link to comment

Share on other sites

syto203 204 12.1.2

Link to comment

Share on other sites

K_K 165.2k iPhone 13 Pro Max 15.1

Link to comment

Share on other sites

syto203 204 12.1.2

Link to comment

Share on other sites

K_K 165.2k iPhone 13 Pro Max 15.1

Link to comment

Share on other sites

syto203 204 12.1.2

Link to comment

Share on other sites

syto203 204 12.1.2

Link to comment

Share on other sites

Join the conversation

Our picks

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Picked By

Important Information

syto203 204

12.1.2

syto203 204

12.1.2

K_K 165.2k
iPhone 13 Pro Max

15.1

MeSailesh7 816
iPhone 14 Pro

16.1

syto203 204

12.1.2

K_K 165.2k
iPhone 13 Pro Max

15.1

syto203 204

12.1.2

K_K 165.2k
iPhone 13 Pro Max

15.1

syto203 204

12.1.2

syto203 204

12.1.2