Hey guys!
Hope you’re ~doing~ hacking well
I’m facing some trouble using r2Frida on iOS 10+, arm64.
What I’m trying to perform
I just want to set a breakpoint at a specific instruction address and then dump some register values, but I have the feeling I don’t understand something about how registers work…
What I’m doing
I’m setting up a "register trace" on a specific address using the \dtr <address> <registers> command.
I also set up a “breakpoint” a few instructions ahead of this trace, and then use the “dump registers” command (\dr).
It results in the following output:
(fig 1) Here is the trace:
[0x00000000]> [TRACE] dtr 0x100af4548 (x1: 0x1022a98f4 (��) x2: 0x1022a9960 (��) x3: 0x2e1a6d94) 0x1006eed78 Snapchat 0xe6d78
0x1022acc5c Snapchat 0x1ca4c5c
0x1006e686c Snapchat 0xde86c
0x18498aad0 CoreFoundation __invoking___
0x18486936c CoreFoundation -[NSInvocation invoke]
0x108a3e930 snapchatauthserver.dylib invokeVoidMethod
0x108a3f164 snapchatauthserver.dylib swizzled_SCAPIAuthenticateRequest
0x1006e7988 Snapchat 0xdf988
0x1006df5bc Snapchat 0xd75bc
0x1006deb4c Snapchat 0xd6b4c
0x1006e17a0 Snapchat 0xd97a0
0x1006de81c Snapchat 0xd681c
0x1006de46c Snapchat 0xd646c
0x1006de304 Snapchat 0xd6304
0x1040a512c Snapchat 0x3a9d12c
0x10062811c Snapchat 0x2011c
0x100af4570
0x1006eed78 Snapchat!0xe6d78
0x1006eed78 Snapchat!0xe6d78
0x1022acc5c Snapchat!0x1ca4c5c
0x1006e686c Snapchat!0xde86c
0x18498aad0 CoreFoundation!__invoking___
0x18486936c CoreFoundation!-[NSInvocation invoke]
0x108a3e930 snapchatauthserver.dylib!invokeVoidMethod
0x108a3f164 snapchatauthserver.dylib!swizzled_SCAPIAuthenticateRequest
0x1006e7988 Snapchat!0xdf988
0x1006df5bc Snapchat!0xd75bc
0x1006deb4c Snapchat!0xd6b4c
0x1006e17a0 Snapchat!0xd97a0
0x1006de81c Snapchat!0xd681c
0x1006de46c Snapchat!0xd646c
0x1006de304 Snapchat!0xd6304
0x1040a512c Snapchat!0x3a9d12c
(fig 2) Here is the register dump, right after:
[0x00000000]> \dr
tid 1027 waiting
fp : 0x000000016f7f6c20 lr : 0x00000001844773e0 pc : 0x0000000184477568
sp : 0x000000016f7f6bd0 x0 : 0x000000016f7f6d28 x1 : 0x0000000007000806
x2 : 0x0000000000000000 x3 : 0x0000000000000c00 x4 : 0x0000000000002e03
x5 : 0x00000000ffffffff x6 : 0x0000000000000000 x7 : 0x0000000000000000
x8 : 0x00000000fffffbbf x9 : 0x0000000007000000 x10 : 0x0000000007000100
x11 : 0x0000000000000040 x12 : 0xffffffffffffffff x13 : 0x0000000000000001
x14 : 0x01a9230001a92300 x15 : 0x0000000000000000 x16 : 0xffffffffffffffe1
x17 : 0x00000000ffffffff x18 : 0xfffffff01da9925c x19 : 0x0000000000000000
x20 : 0x00000000ffffffff x21 : 0x0000000000002e03 x22 : 0x0000000000000c00
x23 : 0x000000016f7f6d28 x24 : 0x0000000007000806 x25 : 0x0000000000000000
x26 : 0x0000000007000806 x27 : 0x0000000000000c00 x28 : 0x0000000000000001
tid 6403 waiting
fp : 0x000000016f90abe0 lr : 0x00000001843b0f70 pc : 0x000000018449860c
sp : 0x000000016f90abb0 x0 : 0x0000000000000a03 x1 : 0x0000000000000000
x2 : 0x0000000000000001 x3 : 0x0000000000000001 x4 : 0x000000000000001f
x5 : 0x0000000000000000 x6 : 0x0000000000000000 x7 : 0x00000001069be310
x8 : 0x00000001b5a70ed8 x9 : 0x000000018449a000 x10 : 0x00000000ef10086e
x11 : 0x0000000000000000 x12 : 0x00000000515132fe x13 : 0x0000000000007eec
x14 : 0x0000000000007eec x15 : 0x0000000010000000 x16 : 0x000000000000014e
x17 : 0x0000000183be08a0 x18 : 0xfffffff01da9925c x19 : 0x000000016f90abf0
x20 : 0x000000016f90ac00 x21 : 0x0000000107dd4ad0 x22 : 0x0000000000000008
x23 : 0x0000000000000001 x24 : 0x000000016f90ace0 x25 : 0x00000001022b4cb4
x26 : 0x0000000106abd960 x27 : 0x00000001845b8744 x28 : 0x0000000107f4fda0
tid 10755 waiting
fp : 0x000000016faaeae0 lr : 0x00000001845aaeec pc : 0x0000000184498d80
sp : 0x000000016faaea50 x0 : 0x0000000000000100 x1 : 0x000000016faaeb80
x2 : 0x0000000000000001 x3 : 0x0000000000000000 x4 : 0x000000018431e7b4
x5 : 0x0000000000000003 x6 : 0x0000000000000000 x7 : 0x0000000000000000
x8 : 0x000000014f97fab0 x9 : 0x0000000000000001 x10 : 0x000000014f97fae8
x11 : 0x0000000000000000 x12 : 0x0000000000000001 x13 : 0x0000000000000000
x14 : 0x0000003700000003 x15 : 0x0000000000000007 x16 : 0x0000000000000170
x17 : 0x0000000000000100 x18 : 0xfffffff01da9925c x19 : 0x000000016faaf000
x20 : 0x000000014f97fab0 x21 : 0x0000000000000011 x22 : 0x0000000000000001
x23 : 0x00000001b5a72000 x24 : 0x0000000000000400 x25 : 0x0000000000080000
x26 : 0x0000000000000003 x27 : 0x00000001b5a72000 x28 : 0x0000000000000001
tid 19971 waiting
fp : 0x000000016fbc5d80 lr : 0x00000001844773e0 pc : 0x0000000184477568
sp : 0x000000016fbc5d30 x0 : 0x000000016fbc5e88 x1 : 0x0000000007000806
x2 : 0x0000000000000000 x3 : 0x0000000000000c00 x4 : 0x0000000000003003
x5 : 0x00000000ffffffff x6 : 0x0000000000000000 x7 : 0x0000000000000000
x8 : 0x00000000fffffbbf x9 : 0x0000000007000000 x10 : 0x0000000007000100
x11 : 0x0000000000000040 x12 : 0xffffffffffffffff x13 : 0x0000000000000001
x14 : 0x0001360000013600 x15 : 0x0000000000000000 x16 : 0xffffffffffffffe1
x17 : 0x00000000ffffffff x18 : 0xfffffff01da9925c x19 : 0x0000000000000000
x20 : 0x00000000ffffffff x21 : 0x0000000000003003 x22 : 0x0000000000000c00
x23 : 0x000000016fbc5e88 x24 : 0x0000000007000806 x25 : 0x0000000000000000
x26 : 0x0000000007000806 x27 : 0x0000000000000c00 x28 : 0x0000000000000001
tid 37127 waiting
fp : 0x000000016fcdeb00 lr : 0x00000001843b0f70 pc : 0x000000018449860c
sp : 0x000000016fcdead0 x0 : 0x0000000000000a03 x1 : 0x0000000000000000
x2 : 0x0000000000000001 x3 : 0x0000000000000001 x4 : 0x0000000000000000
x5 : 0x0000000005f48434 x6 : 0x000000014fc9cab0 x7 : 0x0000000000000000
x8 : 0x00000001b5a70ed8 x9 : 0x0000000000000011 x10 : 0x00000000000003ff
x11 : 0x0000000200000003 x12 : 0x000000014fada420 x13 : 0x000001a107cab4e1
x14 : 0x0000000000007eec x15 : 0x0000000000000002 x16 : 0x000000000000014e
x17 : 0x000000018537e220 x18 : 0xfffffff01da9925c x19 : 0x0000000000000000
x20 : 0x000000016fcdeb30 x21 : 0x000000018ebfbd75 x22 : 0x0000000197c0e961
x23 : 0x0000000107b33000 x24 : 0x000000014fd2f7b0 x25 : 0x000000014fc23240
x26 : 0x0000000197c0e961 x27 : 0x0000000000000058 x28 : 0x000000018ebf6e84
tid 43779 waiting
fp : 0x000000016fe805c0 lr : 0x00000001843b0f70 pc : 0x000000018449860c
sp : 0x000000016fe80590 x0 : 0x0000000000000a03 x1 : 0x0000000000000000
x2 : 0x0000000000000001 x3 : 0x0000000000000001 x4 : 0x0000000000000001
x5 : 0x0000000000000000 x6 : 0x0000000000000000 x7 : 0x0000000000000001
x8 : 0x00000001b5a70ed8 x9 : 0x000000018449a000 x10 : 0x0000000000028800
x11 : 0x0000000000000001 x12 : 0x0002890000028900 x13 : 0x0000000000000000
x14 : 0x0008a6000008a703 x15 : 0x0000000000000000 x16 : 0x000000000000014e
x17 : 0x00000000ffffffff x18 : 0xfffffff01da9925c x19 : 0x000000016fe805d0
x20 : 0x000000016fe805e0 x21 : 0x000000010cc75e70 x22 : 0x0000000000000000
x23 : 0x000000010d575398 x24 : 0x000000010cc85bd3 x25 : 0x000000010bdd556c
x26 : 0x000000010cc77df8 x27 : 0x000000010d575428 x28 : 0x000000010d575420
tid 48135 waiting
fp : 0x000000016ff0e040 lr : 0x00000001844773e0 pc : 0x0000000184477568
sp : 0x000000016ff0dff0 x0 : 0x000000016ff0e148 x1 : 0x0000000007000806
x2 : 0x0000000000000000 x3 : 0x0000000000000c00 x4 : 0x0000000000014503
x5 : 0x00000000ffffffff x6 : 0x0000000000000000 x7 : 0x00000000000001f0
x8 : 0x00000000fffffbbf x9 : 0x0000000007000000 x10 : 0x0000000007000100
x11 : 0x0000000000000040 x12 : 0xffffffffffffffff x13 : 0x0000000000000001
x14 : 0x0000060000000600 x15 : 0x0000000000000000 x16 : 0xffffffffffffffe1
x17 : 0x00000000ffffffff x18 : 0xfffffff01da9925c x19 : 0x0000000000000000
x20 : 0x00000000ffffffff x21 : 0x0000000000014503 x22 : 0x0000000000000c00
x23 : 0x000000016ff0e148 x24 : 0x0000000007000806 x25 : 0x0000000000000000
x26 : 0x0000000007000806 x27 : 0x0000000000000c00 x28 : 0x0000000000000001
tid 76063 waiting
fp : 0x000000016fb3aae0 lr : 0x00000001845aaeec pc : 0x0000000184498d80
sp : 0x000000016fb3aa50 x0 : 0x0000000000000100 x1 : 0x000000016fb3ab80
x2 : 0x0000000000000001 x3 : 0x0000000000000000 x4 : 0x000000018431e7b4
x5 : 0x0000000000000000 x6 : 0x0000000000000000 x7 : 0x0000000000000000
x8 : 0x000000014f97bee0 x9 : 0x0000000000000001 x10 : 0x000000014f97bf18
x11 : 0x0000000000000000 x12 : 0x0000000000000001 x13 : 0x0000000000000000
x14 : 0x0000003700000003 x15 : 0x0000000000000007 x16 : 0x0000000000000170
x17 : 0x0000000000000100 x18 : 0xfffffff01da9925c x19 : 0x000000016fb3b000
x20 : 0x000000014f97bee0 x21 : 0x0000000000000015 x22 : 0x0000000000000001
x23 : 0x00000001b5a72000 x24 : 0x0000000000000800 x25 : 0x0000000000080000
x26 : 0x0000000000000004 x27 : 0x00000001b5a72000 x28 : 0x0000000000000001
tid 21267 waiting
fp : 0x000000016fd6af70 lr : 0x00000001845ab080 pc : 0x0000000184498d80
sp : 0x000000016fd6aee0 x0 : 0x0000000000000004 x1 : 0x0000000000000000
x2 : 0x0000000000000000 x3 : 0x0000000000000000 x4 : 0x0000000000060015
x5 : 0x0000000000000000 x6 : 0x0000000000000000 x7 : 0x0000000000000000
x8 : 0x0000000000000000 x9 : 0x1b4151e0db200095 x10 : 0x000000010d3e0038
x11 : 0x0000000000000000 x12 : 0x0000000004000000 x13 : 0x00000000000004ff
x14 : 0x0000007700000001 x15 : 0x0020000000000000 x16 : 0x0000000000000170
x17 : 0x0000000000000000 x18 : 0xfffffff01da9925c x19 : 0x000000016fd6b000
x20 : 0x0000000000060015 x21 : 0x0000000000000015 x22 : 0x0000000000000000
x23 : 0x00000001b5a72000 x24 : 0x0000000000000800 x25 : 0x0000000000000000
x26 : 0x0000000000000004 x27 : 0x00000001b5a72000 x28 : 0x0000000000000000
My Questions
First, could someone explain to me why sometimes the trace shows a register as follows:
(x1: 0x1022a98f4 (��) << with the ( )
and sometimes not:
: x3: 0x2e1a6d94 << there is no ( )
Another question is: as we can notice, the trace shows some weird values. Is that because the tool tries to encode the value in UTF-8 or something like that? How do I deal with that?
Sometimes it produces a really weird result and I’m not really sure how to deal with it, e.g.:
(fig 3: really weird output)
[0x00000000]> [TRACE] dtr 0x100af4548 (x1: "����o��g��_���W��O��{������" x2: "�o���g��_��W��O��{��C
�����B��c!��g|� ��c��w� ��_��!��{C!��[��!���S1��W��A��JQ��S��A��k���O��7�kmA��K��G��C��?��;��!�1��7��3��/��+��'�(�� ��#������������
���(~� �������������((� �����������������������������������" x3: 0x578cb275) 0x
My last question is: what does the dumped register list correspond to?
If you look at the trace (fig 1) and compare the hex values of x1, x2, or x3, none of these values is visible in the register dump (fig 2). Am I misunderstanding something? It seems the registers printed in (fig 2) are not the same as those printed by the trace (fig 1).
Could someone help me understand all these things?
Thank you in advance and sorry for the complex question
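As an added example (not part of the original post, and not r2frida's own code), here is a small Python parser for the per-thread \dr dump shown in fig 2 above; it splits the dump by `tid`, then checks whether the x1..x3 values from the fig 1 trace appear in any dumped thread, which is the comparison the last question describes. The sample input is a constructed, abridged copy of the first two threads from the question.

```python
import re

# Constructed sample in the layout of r2frida's \dr output: the first two threads
# quoted in the question, abridged to a few registers each.
SAMPLE_DR = """\
[0x00000000]> \\dr
tid 1027 waiting
fp : 0x000000016f7f6c20 lr : 0x00000001844773e0 pc : 0x0000000184477568
sp : 0x000000016f7f6bd0 x0 : 0x000000016f7f6d28 x1 : 0x0000000007000806
x2 : 0x0000000000000000 x3 : 0x0000000000000c00 x4 : 0x0000000000002e03
tid 6403 waiting
fp : 0x000000016f90abe0 lr : 0x00000001843b0f70 pc : 0x000000018449860c
sp : 0x000000016f90abb0 x0 : 0x0000000000000a03 x1 : 0x0000000000000000
x2 : 0x0000000000000001 x3 : 0x0000000000000001 x4 : 0x000000000000001f
"""

# Register values the question's trace (fig 1) reported at 0x100af4548.
TRACE_REGS = {"x1": 0x1022a98f4, "x2": 0x1022a9960, "x3": 0x2e1a6d94}

TID_RE = re.compile(r"^tid (\d+) (\w+)$")
REG_RE = re.compile(r"(\w+) : (0x[0-9a-fA-F]+)")

def parse_dr(text):
    """Return {tid: {"state": str, "regs": {name: int}}} from \\dr output."""
    threads, current = {}, None
    for line in text.splitlines():
        m = TID_RE.match(line.strip())
        if m:  # "tid N waiting" opens a new per-thread block
            current = {"state": m.group(2), "regs": {}}
            threads[int(m.group(1))] = current
        elif current is not None:  # skip the prompt line before the first thread
            for name, value in REG_RE.findall(line):
                current["regs"][name] = int(value, 16)
    return threads

def find_value(threads, value):
    """(tid, register) pairs holding exactly `value` in any dumped thread."""
    return [(tid, name) for tid, t in threads.items()
            for name, v in t["regs"].items() if v == value]

def threads_with_pc_in(threads, lo, hi):
    """Threads whose pc lies in [lo, hi), e.g. inside the traced function."""
    return [tid for tid, t in threads.items() if lo <= t["regs"].get("pc", -1) < hi]

def check_trace_against_dump(threads, trace_regs=TRACE_REGS):
    """Map each traced register to the dump locations where its value appears."""
    return {name: find_value(threads, value) for name, value in trace_regs.items()}
```

Running `check_trace_against_dump(parse_dr(SAMPLE_DR))` on the full fig 2 text gives an empty hit list for each traced register, and `threads_with_pc_in` tells you which dumped threads, if any, are stopped inside a given address range.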