How to Dump using GDB Please Help NewBie in iOS

Hi,

First of all, thank you for writing such a good book. It motivated me to RE iOS applications.

Target is the game Boom Beach, for learning purposes only.

Also, I don't have a Mac but am using Windows and a jailbroken iPhone.
Using PuTTY for Windows, I log in as root with the password.

I want to dump the __text section and all the other sections; please guide me on how to do it.

I will let you know what I have understood so far.

  1. It exports the __mh_execute_header address at 0x100000000

  2. At offset 0x4F4000, i.e. 0x100000000, we find mach_header_64:
    mach_header_64 struc ; (sizeof=0x20, align=0x4, standard type)
    00000000 magic DCD ? 0xFEEDFACF <— Magic Number
    00000004 cputype DCD ? 0x0100000C <— CpuType
    00000008 cpusubtype DCD ? 0x00000000 <— CpuSubType = arm
    0000000C filetype DCD ? 0x00000002 <—Execute
    00000010 ncmds DCD ? 0x00000033 <— No. of Load Commands
    00000014 sizeofcmds DCD ? 0x00001768 <— Size of Load Commands
    00000018 flags DCD ? 0x00210085 <— Some type of constants
    0000001C reserved DCD ? 0x00000000 <— Reserved Flags
    00000020 mach_header_64 ends

If we look at Program Segmentation in IDA, we find the details below.

HEADER            0000000100000000 000000010000591C ? ? ? . L byte  21 public DATA 64 00 21
__text            000000010000591C 00000001003BF184 ? ? ? . L dword 01 public CODE 64 00 01
__stubs           00000001003BF184 00000001003C0F78 ? ? ? . L word  02 public CODE 64 00 02
__stub_helper     00000001003C0F78 00000001003C2D84 ? ? ? . L dword 03 public CODE 64 00 03
__gcc_except_tab  00000001003C2D84 000000010041CB10 ? ? ? . L dword 04 public      64 00 04
__cstring         000000010041CB10 000000010045167A ? ? ? . L para  05 public DATA 64 00 05
__TEXT_hidden     000000010045167A 0000000100451680 ? ? ? . L byte  22 public DATA 64 00 22
__const           0000000100451680 0000000100488B50 ? ? ? . L para  06 public DATA 64 00 06
__objc_methname   0000000100488B50 00000001004AB85A ? ? ? . L byte  07 public DATA 64 00 07
__objc_classname  00000001004AB85A 00000001004AD6F5 ? ? ? . L byte  08 public DATA 64 00 08
__objc_methtype   00000001004AD6F5 00000001004B3C05 ? ? ? . L byte  09 public DATA 64 00 09
__ustring         00000001004B3C06 00000001004B4212 ? ? ? . L word  0A public      64 00 0A
__TEXT_hidden     00000001004B4212 00000001004B4214 ? ? ? . L byte  23 public DATA 64 00 23
__unwind_info     00000001004B4214 00000001004C3CF8 ? ? ? . L dword 0B public      64 00 0B
__eh_frame        00000001004C3CF8 00000001004C4000 ? ? ? . L qword 0C public      64 00 0C
__got             00000001004C4000 00000001004C43E0 ? ? ? . L qword 0D public DATA 64 00 0D
__la_symbol_ptr   00000001004C43E0 00000001004C57D8 ? ? ? . L qword 0E public DATA 64 00 0E
__mod_init_func   00000001004C57D8 00000001004C5BE8 ? ? ? . L qword 0F public DATA 64 00 0F
__const           00000001004C5BF0 00000001004E8E80 ? ? ? . L para  10 public DATA 64 00 10
__cfstring        00000001004E8E80 00000001004FCC40 ? ? ? . L qword 11 public DATA 64 00 11
__objc_classlist  00000001004FCC40 00000001004FD560 ? ? ? . L qword 12 public DATA 64 00 12
__objc_nlclslist  00000001004FD560 00000001004FD568 ? ? ? . L qword 13 public DATA 64 00 13
__objc_catlist    00000001004FD568 00000001004FD5D8 ? ? ? . L qword 14 public DATA 64 00 14
__objc_protolist  00000001004FD5D8 00000001004FD838 ? ? ? . L qword 15 public DATA 64 00 15
__objc_imageinfo  00000001004FD838 00000001004FD840 ? ? ? . L dword 16 public      64 00 16
__objc_const      00000001004FD840 0000000100547A58 ? ? ? . L qword 17 public      64 00 17
__objc_selrefs    0000000100547A58 00000001005504A0 ? ? ? . L qword 18 public DATA 64 00 18
__objc_protorefs  00000001005504A0 00000001005504C8 ? ? ? . L qword 19 public DATA 64 00 19
__objc_classrefs  00000001005504C8 0000000100551110 ? ? ? . L qword 1A public DATA 64 00 1A
__objc_superrefs  0000000100551110 0000000100551720 ? ? ? . L qword 1B public DATA 64 00 1B
__objc_ivar       0000000100551720 0000000100552B08 ? ? ? . L dword 1C public      64 00 1C
__objc_data       0000000100552B08 0000000100558648 ? ? ? . L qword 1D public      64 00 1D
__data            0000000100558650 000000010055C191 ? ? ? . L para  1E public DATA 64 00 1E
__bss             000000010055C1A0 0000000100560034 ? ? ? . L para  1F public BSS  64 00 1F
__common          0000000100560038 0000000100560C40 ? ? ? . L qword 20 public BSS  64 00 20
__LINKEDIT_hidden 0000000100564000 000000010058F6A0 ? ? ? . L byte  24 public DATA 64 00 24
UNDEF             000000010058F6A0 0000000100591370 ? ? ? . L para  25 public XTRN 64 00 25

How will I know in gdb which portion of memory we need to dump? I fail to understand.

Suppose I need to dump __text:

__text 000000010000591C 00000001003BF184

which starts at 0x10000591C and ends at 0x1003BF184, size 0x3B9868.

Now in IDA:

000100000068 ; LC_SEGMENT_64 - 64-bit segment of this file to be mapped
HEADER:0000000100000068 segment_command_64 <0x19, 0x408, "__TEXT", 0x100000000, 0x4C4000, 0, \ ; LC_SEGMENT_64 - 64-bit segment of this file to be mapped
HEADER:0000000100000068 0x4C4000, 5, 5, 0xC, 0>
HEADER:00000001000000B0 ; Sections
HEADER:00000001000000B0 DCB "__text",0,0,0,0,0,0,0,0,0,0; sectname
HEADER:00000001000000B0 DCB "__TEXT",0,0,0,0,0,0,0,0,0,0; segname
HEADER:00000001000000B0 DCQ 0x10000591C ; addr <------ Start Address
HEADER:00000001000000B0 DCQ 0x3B9868 ; size <------ Size
HEADER:00000001000000B0 DCD 0x591C ; offset
HEADER:00000001000000B0 DCD 2 ; align
HEADER:00000001000000B0 DCD 0 ; reloff
HEADER:00000001000000B0 DCD 0 ; nreloc
HEADER:00000001000000B0 DCD 0x80000400 ; flags
HEADER:00000001000000B0 DCD 0 ; reserved1
HEADER:00000001000000B0 DCD 0 ; reserved2
HEADER:00000001000000B0 DCD 0 ; reserved3

How should I dump using gdb in such a scenario? Experts, please help me understand it.

Since I don't have a Mac to get the process ID of the app, I used an app called DeviceStats, which gives the process ID of the app. I attach in gdb using attach.

Below are some snippets from it while it attaches to the PID:

/usr/bin/gdb: line 55: awk: command not found
warning: unrecognized host cpusubtype , defaulting to host==armv7.
GNU gdb 6.3.50-20050815 (Apple version gdb-1708 + reverse.put.as patches v0.4) (Mon Apr 16 00:53:47 UTC 2012)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "arm-apple-darwin".
(gdb) attach 2086
Attaching to process 2086.
Reading symbols for shared libraries . done
unable to read unknown load command 0x80000028
unable to read unknown load command 0x80000028
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
Reading symbols for shared libraries ...warning: Could not find object file "/Volumes/Data/BuildkiteWorkspace/IBA-BuildBox.local-1/itty-bitty-apps/reveal/build/Release-iphoneos/libReveal-iOS.a(IBAFunctions.o)" - no debug information available for "IBAFunctions.m".

Lots of warning messages,

then finally:

................ done
unable to read unknown load command 0x80000028
unable to read unknown load command 0x80000028
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
Reading symbols for shared libraries + done
0x3ba19544 in __semwait_signal ()
(gdb) **dump binary memory result1.bin 0x10000591c 0x1003bf184**

I tried dumping using the above command and it crashed.
How should I dump properly? Please guide.

Thanks & Regards,
Nick

@MouthPutCleanDot FYI
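Added example, not from the post or from the book: the __text range the post reads off the IDA listing can be computed straight from the Mach-O load commands, and a dump of a live process has to add the image's ASLR slide to those header addresses. The parser below runs on a constructed header built from the post's own values (a real image has many more load commands) and builds the gdb `dump binary memory` line from the parsed section; the `slide` parameter is an assumption the caller must supply for a running process.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF   # the magic value in the post's header dump
LC_SEGMENT_64 = 0x19
HEADER_LEN, SEGCMD_LEN, SECT_LEN = 32, 72, 80  # sizeof mach_header_64, segment_command_64, section_64

def cstr(raw):
    return raw.split(b"\0", 1)[0].decode()

def parse_sections(data):
    """Walk the load commands of a little-endian 64-bit Mach-O and return every section_64."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O: magic=%#x" % magic)
    sections, off = [], HEADER_LEN
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64:
            segname, vmaddr, vmsize, fileoff, _fsz, _maxp, _initp, nsects, _sf = \
                struct.unpack_from("<16sQQQQiiII", data, off + 8)
            for i in range(nsects):
                soff = off + SEGCMD_LEN + i * SECT_LEN
                sectname, sname, addr, size, foffset = struct.unpack_from("<16s16sQQI", data, soff)
                # a section must lie inside its segment's vm range, or the dump range is wrong
                if not (vmaddr <= addr and addr + size <= vmaddr + vmsize):
                    raise ValueError("section %s lies outside segment %s" % (cstr(sectname), cstr(segname)))
                sections.append({"segname": cstr(sname), "sectname": cstr(sectname),
                                 "addr": addr, "size": size,
                                 # for non-zerofill sections vm offset and file offset agree
                                 "offset_ok": addr - vmaddr == foffset - fileoff})
        off += cmdsize
    return sections

def gdb_dump_command(sect, out_file, slide=0):
    """gdb 'dump binary memory' line for one section; slide is the process's ASLR offset
    (the header's addresses are unslid, so a live process usually needs slide != 0)."""
    start = sect["addr"] + slide
    return "dump binary memory %s %#x %#x" % (out_file, start, start + sect["size"])

def build_sample_image():
    """Constructed sample, not a real binary: header + one __TEXT segment holding the
    single __text section, with the values from the post's IDA listing."""
    sect = struct.pack("<16s16sQQIIIIIIII", b"__text", b"__TEXT", 0x10000591C, 0x3B9868,
                       0x591C, 2, 0, 0, 0x80000400, 0, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, SEGCMD_LEN + SECT_LEN, b"__TEXT",
                      0x100000000, 0x4C4000, 0, 0x4C4000, 5, 5, 1, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(seg) + len(sect), 0x00210085, 0)
    return hdr + seg + sect
```

With slide 0 the command reproduces the exact line the post typed; any other slide moves both ends of the range together.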

snakeninny

Thanks, will check it out soon.
Regards, Nick