How to debug app from AppStore on iOS 8+ using LLDB


#1

Hi everyone,

first of all I wish you a happy hacking year! (y)
I'm very new to reverse engineering / debugging / iOS, so excuse my newbie questions.

Context:
[everything was tried on iOS 9.3.2 AND iOS 8.2]
I need to understand how an application generates the tokens it passes through HTTP headers. So, I disassembled it using Hopper, dumped all the header files and then logged a lot of information during runtime by hooking some functions to understand the process of 'how an authenticated HTTP request is generated'. Now that I almost know exactly which function generates which token, I need to go ahead and understand the way a particular token is generated so I can reproduce it. It seems that using lldb to set breakpoints and then dump the registers' values at some step of the runtime could be the best way to achieve my goals, right?

The steps I followed in order to use lldb are:

  • decrypt the app using Clutch2 and download it to my desktop
  • install debugserver and all the stuff
  • thin the binary
  • set the thinned binary as the lldb target
  • install the decrypted binary .ipa on the iPhone (I tried both with a decrypted version and the normal App Store version)
  • set a breakpoint: fail

My problem:

After having followed a lot of tutorials on it, I still can't get it to work.
It's impossible to set a breakpoint using a method name like:
(lldb): b -[ClassName methodCalled:]
// found in this tutorial: http://highaltitudehacks.com/2015/05/17/ios-application-security-part-43-fat-binaries-and-lldb-usage-continued/
// does not work for me
lldb says that the breakpoint can't be set, exactly as if I hadn't "targeted" the binary.
Plus, I don't really understand how to set a breakpoint using the memory address. Removing ASLR and finding memory address offsets are just notions that brainf**ked me!

What I've done in detail:

Desktop side

//1: thin the binary decrypted with Clutch2 and set permissions:

MacBook-Pro:Desktop $ lipo -thin armv7 -output snapchat-armv7 Snapchat
MacBook-Pro:Desktop $ chmod 777 snapchat-armv7 && ls -l snapchat-armv7
-rwxrwxrwx  1 kevinpiacentini  staff  49819344  3 jan 19:03 snapchat-armv7

// 2: start lldb
(lldb) process connect connect://192.168.0.28:23
Process 564 stopped
* thread #1: tid = 0x0c9e, 0x38034474 libsystem_kernel.dylib`mach_msg_trap + 20, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x38034474 libsystem_kernel.dylib`mach_msg_trap + 20
libsystem_kernel.dylib`mach_msg_trap:
->  0x38034474 <+20>: pop    {r4, r5, r6, r8}
    0x38034478 <+24>: bx     lr

libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x3803447c <+0>:  mov    r12, sp
    0x38034480 <+4>:  push   {r4, r5, r6, r8}
(lldb) platform select remote-ios
  Platform: remote-ios
 Connected: no
  SDK Path: "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/10.1.1 (14B100)"
 SDK Roots: [ 0] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/10.1.1 (14B100)"
 SDK Roots: [ 1] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/8.2 (12D508)"
 SDK Roots: [ 2] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.1 (13B143)"
 SDK Roots: [ 3] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.1 (13E238)"
 SDK Roots: [ 4] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.2 (13F69)"
 SDK Roots: [ 5] "/Users/kevinpiacentini/Library/Developer/Xcode/iOS DeviceSupport/9.3.5 (13G36)"


(lldb) target create --arch arm ~/Desktop/snapchat-armv7
Current executable set to '~/Desktop/snapchat-armv7' (armv7).

(lldb) b -[LoginV2ViewController viewDidLoad]
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.

iPhone Side

iPhone:~ root# ./debugserver *:23 --attach=Snapchat
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-320.2.89
 for armv7.
Attaching to process Snapchat...
Listening to port 23 for a connection from *...
Waiting for debugger instructions for process 0.

Could someone help me by sending me a precise routine and more information about what I misunderstood?

PS: I've read a lot of articles on the web and also on this forum, and some of them are just impossible to understand for a beginner like me… Please try to be "clear" :slight_smile:

Thank you a lot, guys! :slight_smile:


#2

Take a look at chapter 6 of this book


#3

Dude, I already checked this book, as well as many other tutorials. I'll take a look again, but if you see a particular mistake in my routine explained above, could you please give me precise feedback? I keep going around in circles.

Thanks for your answer.


#4

Remove the PIE flag in the binary and just set a breakpoint by address.


#5

It depends on how you dumped the binary: certain decrypt tools will break the LC_SYMTAB of the binary and thus break breakpoint-by-function-name.

Just saying


#6

Besides, do you have the precise lldb output behind "lldb says that the breakpoint can't be set, exactly as I've not 'targeted' the binary"?


#7

Thank you for your replies,

I'm currently following the iOSRE book again, line by line. I'll give you precise feedback after that.

Thank you again!


#8

So basically lldb's breakpoints use the binary's symbol table (specified by LC_SYMTAB and LC_DYSYMTAB) in the binary's header.

For a release build, the symbol table is usually "stripped", so lldb won't be able to find it.

AFAIK br -s should be able to solve this issue, but I'm not entirely sure.

EDIT: there exists a tool that is able to "fix" the strip process, but you're gonna need the break-by-address skill during your RE career anyway.
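As an added example (not code from any post in this thread), a small Python check for the two header facts raised in #4 and #8: whether a thin Mach-O carries the MH_PIE flag (ASLR slide) and whether its LC_SYMTAB still lists any symbols after decryption. The structures and constants are the standard ones from <mach-o/loader.h>; the sample header built by build_sample is constructed inline for the demonstration.

```python
import struct

MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O (armv7), little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O (arm64)
MH_PIE = 0x200000          # header flag: image is loaded at a random (ASLR) slide
LC_SYMTAB = 0x2            # symbol table load command (24 bytes)
LC_DYSYMTAB = 0xB          # dynamic symbol table load command (80 bytes)

def inspect_macho(data: bytes) -> dict:
    """Report PIE flag and symbol-table state of a thin (single-arch) Mach-O."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:
        off = 28                       # sizeof(struct mach_header)
    elif magic == MH_MAGIC_64:
        off = 32                       # sizeof(struct mach_header_64), has a reserved field
    else:
        raise ValueError("not a thin little-endian Mach-O (run lipo -thin on fat files first)")
    # The first seven uint32 fields are identical in both header variants.
    _, _, _, _, ncmds, _, flags = struct.unpack_from("<7I", data, 0)
    info = {"pie": bool(flags & MH_PIE), "symtab": None, "dysymtab": False, "stripped": True}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("corrupt load command at offset %d" % off)
        if cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from("<4I", data, off + 8)
            info["symtab"] = {"symoff": symoff, "nsyms": nsyms, "stroff": stroff, "strsize": strsize}
            info["stripped"] = nsyms == 0   # no entries left for 'b -[Class sel]' to resolve
        elif cmd == LC_DYSYMTAB:
            info["dysymtab"] = True
        off += cmdsize
    return info

def build_sample(pie: bool, nsyms: int) -> bytes:
    """Constructed minimal armv7 MH_EXECUTE header: LC_SYMTAB + LC_DYSYMTAB, no segments."""
    CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, MH_EXECUTE = 12, 9, 2
    symtab = struct.pack("<6I", LC_SYMTAB, 24, 0, nsyms, 0, 0)
    dysymtab = struct.pack("<II", LC_DYSYMTAB, 80) + b"\0" * 72
    flags = MH_PIE if pie else 0
    header = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, MH_EXECUTE,
                         2, len(symtab) + len(dysymtab), flags)
    return header + symtab + dysymtab

if __name__ == "__main__":
    # To check a real dump: inspect_macho(open("snapchat-armv7", "rb").read())
    print(inspect_macho(build_sample(pie=True, nsyms=0)))
```

A stripped table (nsyms of 0, or no LC_SYMTAB at all) explains why the by-name breakpoint stays pending, while a set PIE flag means the Hopper address must be offset by the slide lldb reports before breaking by address.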


#9

Hi!
Here I'm back from my decrypting journey!
I printed the book you mentioned above and I've read it step by step. It seems that setting a breakpoint using the "method name" still doesn't work, BUT I'm able to set a breakpoint using the br s -a way, which is enough. In reality, concepts such as the ASLR offset or memory addresses are very well explained in this book, and it's very simple to debug a binary after a few reads.

Thank you again for your help and your many answers.
[SOLVED]