Blog of 熊猫正正 (熊猫正正的博客)
iOS Reverse Engineering Part One: Configuring LLDB  

2015-11-24 17:26:02 | Category: iOS reverse engineering

Overview

This is the first part in a series where we will show you how to configure an environment and learn the basics for reverse engineering iOS applications. In this series we are using a jailbroken iPhone 4, running iOS 7.1.2.

Configuring LLDB

LLDB is the default debugger in Xcode and supports debugging Objective-C on iOS devices and the iOS simulator. If you don’t already have it, you will need to download and install Xcode -> https://developer.apple.com/xcode/downloads/

The next thing we need is debugserver, the on-device stub that LLDB (or GDB) talks to for remote debugging. We can grab it from the DeveloperDiskImage that ships inside Xcode:

hdiutil attach /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/8.0\ \(12A365\)/DeveloperDiskImage.dmg

cp /Volumes/DeveloperDiskImage/usr/bin/debugserver /Users/rotlogix/

Now we need to create an entitlements.plist so that we can sign the debugserver binary before moving it over to our device. For those who are unfamiliar with entitlements, they are key/value pairs embedded in the code signature that grant an application additional permissions. Apple's developer resources describe them as effectively extending the sandbox and capabilities of the designated application to allow a particular operation to occur. Here the entitlements let debugserver attach to and control other processes (task_for_pid-allow, get-task-allow) and run code that is not signed by Apple (run-unsigned-code).

Our entitlements.plist should look something like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>

We can now use this to sign debugserver. The "-s -" flag means ad-hoc signing (no certificate), which is accepted on a jailbroken device:

codesign -s - --entitlements entitlements.plist -f debugserver

After this has been completed, copy debugserver over to your jailbroken iDevice (for example with scp over USB or Wi-Fi). Let's test whether or not everything is working by starting debugserver on the device and attaching it to Damn Vulnerable iOS App.

[Screenshot: debugserver attaching to Damn Vulnerable iOS App on the device (ios_attach_debugserver)]

Now load up LLDB in another console.

(lldb) platform select remote-ios
(lldb) process connect connect://192.168.0.8:6666

[Screenshot: LLDB connected to the remote debugserver (ios_lldb_connect)]

Finally, for symbolication, which LLDB supports extremely well, we want to load the application binary (and therefore its symbol table) into LLDB as the target. This lets us set breakpoints on specific Objective-C methods of the application we are debugging by name instead of by address.

(lldb) target create --arch arm /Users/rotlogix/Downloads/Payload/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp
Current executable set to '/Users/rotlogix/Downloads/Payload/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp' (armv7).

(lldb) b -[InsecureDataStorageVulnVC saveInPlistFileTapped:]
Breakpoint 1: where = DamnVulnerableIOSApp`-[InsecureDataStorageVulnVC saveInPlistFileTapped:], address = 0x00012c2c
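The steps above (writing the entitlements, signing debugserver, and replaying the LLDB attach sequence) are easy to get subtly wrong, so here they are wrapped in a small POSIX shell script. This is an added example, not code from the original post: the DeveloperDiskImage path, the device IP 192.168.0.8, port 6666, the application path and the breakpoint are taken from the post's own examples and are assumptions you should adjust. The script adds one check the post does not show: after signing, it reads the entitlements back out of the binary with codesign -d --entitlements and verifies that all four keys are present and set to true, so a failed codesign run is caught before the binary is copied to the device. The on-device command in the comment is stock debugserver usage (-a attaches by process name or pid).

```shell
#!/bin/sh
# Added example (not from the original post): the post's manual steps as
# functions. Paths, device IP, port and process name are assumptions.
set -eu

XCODE_DDI='/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/8.0 (12A365)/DeveloperDiskImage.dmg'
DEVICE='192.168.0.8'   # assumed device address, as in the post
PORT='6666'            # assumed debugserver port, as in the post
APP_BINARY="$HOME/Downloads/Payload/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp"

# Write the entitlements plist from the post to the path given in $1.
write_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
EOF
}

# Return 0 when every entitlement debugserver needs is present and <true/>
# in the plist at $1; report the first missing one and return 1 otherwise.
# Whitespace is stripped first, so it does not matter whether <key> and
# <true/> sit on the same line or on separate lines.
check_entitlements() {
  flat=$(tr -d ' \t\n\r' < "$1")
  for k in com.apple.springboard.debugapplications run-unsigned-code \
           get-task-allow task_for_pid-allow; do
    case "$flat" in
      *"<key>$k</key><true/>"*) ;;
      *) echo "entitlement missing or not true: $k" >&2; return 1 ;;
    esac
  done
  return 0
}

# macOS only: mount the DeveloperDiskImage, copy debugserver to $1, unmount.
extract_debugserver() {
  hdiutil attach "$XCODE_DDI" >/dev/null
  cp /Volumes/DeveloperDiskImage/usr/bin/debugserver "$1"
  hdiutil detach /Volumes/DeveloperDiskImage >/dev/null
}

# macOS only: ad-hoc sign ($1 = binary, $2 = entitlements plist), then read
# the entitlements back out of the signed binary and re-check them.
sign_debugserver() {
  bin=$1; ent=$2
  codesign -s - --entitlements "$ent" -f "$bin"
  codesign -d --entitlements :- "$bin" > "$bin.entitlements.xml"
  check_entitlements "$bin.entitlements.xml"
}

# Write an LLDB command file ($1) replaying the post's attach sequence, so
# the session can be started with:  lldb -s "$1"
# debugserver must already be listening on the device (e.g. over ssh):
#   debugserver *:6666 -a DamnVulnerableIOSApp
write_lldb_script() {
  cat > "$1" <<EOF
platform select remote-ios
process connect connect://$DEVICE:$PORT
target create --arch arm "$APP_BINARY"
breakpoint set --name "-[InsecureDataStorageVulnVC saveInPlistFileTapped:]"
EOF
}

main() {
  tmp=$(mktemp -d)
  write_entitlements "$tmp/entitlements.plist"
  check_entitlements "$tmp/entitlements.plist"
  if command -v codesign >/dev/null 2>&1; then
    extract_debugserver "$tmp/debugserver"
    sign_debugserver "$tmp/debugserver" "$tmp/entitlements.plist"
  else
    echo "codesign/hdiutil not available here; skipping extract and sign" >&2
  fi
  write_lldb_script "$tmp/attach.lldb"
  echo "$tmp"   # directory holding entitlements.plist, debugserver, attach.lldb
}

main "$@"
```

Run it on the Mac that has Xcode installed; it prints a directory containing the signed debugserver (ready to scp to the device) and attach.lldb, which you start with lldb -s. If check_entitlements fails after signing, the codesign step did not embed the entitlements and debugserver will not be able to attach on the device.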

Everything seems to be working, and now we are ready to start debugging! If you are already familiar with GDB, there is a great resource that maps GDB commands to their LLDB equivalents -> http://lldb.llvm.org/lldb-gdb.html. In part two we will walk you through the basics of using LLDB to debug the Damn Vulnerable iOS Application.
