IOS Reverse engineering Use LLDB USB connection to debug third party App_ios

LLDB is the abbreviation of low level debugger, LLDB is often used in the debugging of iOS development, LLDB is the Xcode built-in dynamic debugging tool. Use LLDB to debug your application dynamically, and if you don't do additional processing because Debugserver lacks task_for_pid permissions, you can only use LLDB to debug your own app. In this blog, you will use LLDB to debug apps downloaded from the App Store, and combine hopper to analyze the structure within the Third-party app. The combination of lldb and Hopper, will let you see something different, this blog will be with you to enjoy the charm of lldb and Hopper.

One, SSH USB connection--usbmuxd

Before we ssh connected to the iOS device is connected through the local area network or WiFi, when the network environment is bad, enter a command line card, so we need a faster way to access the iOS device, that is, using a USB connection. In this blog, whether it is an SSH connection to iOS devices or lldb to connect iOS devices, we all use USB to access the device, so the speed is no good. The first part of this blog is about how to use the USB device SSH connection, which is also the basis of this blog, but the content is simple.

1. Get Usbmuxd

Usbmuxd Although the latest version is 1.1.0, the 1.1.0 and 1.0.9 versions only support Linux systems, which means that our Mac still has to download the v1.0.8 version and download the address (usbmuxd-v1.0.8). After downloading, the downloaded file is unpacked, as follows:

　　

2. Use usbmuxd to connect iOS jailbreak device (1) using Usbmuxd forwarding interface

Switch to the Python-client directory under the folder above, and execute the command below to forward Port 22 on iOS to Port 2221 on the current device, as shown below.

./tcprelay.py-t 22:2,221

Below is the result of executing the above command:

　

(2) Use SSH connection to jailbreak device

SSH root@localhost-p 2222

The above command is the SSH connection command-P immediately followed by the above forwarded port, after the execution of the above command, the result is as follows:

Using Usbmuxd, we can connect our iOS jailbreak device via USB, and the lldb connected to the iOS device is connected via USB. Please see below for details.

Second, configure Debugserver

When you do iOS development, you can control the iOS app by typing the LLDB command on the Mac, because there is a debugserver server in our iOS client. Debugserver is specifically used to connect Mac-side LLDB clients, receive commands provided by LLDB, and perform accordingly. If your iOS device is being debugged, the device will be debugserver installed, but the debugserver can only be used to debug your own application. If you want to debug the app from the App Store, then we need to deal with the debugserver on the iOS device. This part is to deal with our debugserver.

1. Get Debugserver

First we have to find the debugserver in the iOS device and copy it to the MAC for processing, below is the debugserver in the/developer/usr/bin directory. This debugserver only supports debugging our own app, and if you need to debug other people's apps, you need to deal with this debugserver process, as described below.

2. Debugserver to the body

Lipo-thin arm64 debugserver-output Debugserver

Go to the Mac in the directory where the Debugserver to execute the above command,-thin to fill in the rear of your test machine corresponding to the ARM structure, because my test machine is the iphone 6 Plus, is the arm64 architecture, so the parameters are filled here is arm64, If you are a iPhone5 device, then it is armv7s.

3. Add Task_for_pid permissions to Debugserver

After adding task_for_pid permissions to Debugserver, we can use LLDB to debug other apps. In this section, we need an XML file that stores configuration information, which reads as follows. You can copy the text below and store it as a ent.xml.

<! DOCTYPE plist Public "-//apple//dtd plist 1.0//en" "Http://www.apple.com/DTDs/PropertyList-1.0.dtd" >
< Plist version= "1.0" >
<dict>
 <key>com.apple.springboard.debugapplications</key>
 <true/>
 <key>get-task-allow</key>
 <true/>
 <key>task_for_ pid-allow</key>
 <true/>
 <key>run-unsigned-code</key>
 <true/>
</dict>
</plist>

When giving Debugserver permission, we need to use the Ldid command, and if you do not have the LDID command installed on your Mac, then use brew for install. Execute the command line below to give task_for_pid permission to our debugserver. Note that the-s and ent.xml file names have no spaces.

Ldid-sent.xml Debugserver

The screenshot below is our process for handling debugserver, as follows:

4, copy the Debugserver to the iOS device

The final step is to copy the processed debugserver to our jailbreak device and give Debugserver permission to execute. Because the debugserver in the/developer/usr/bin directory is read-only, you cannot copy the processed debugserver to the above file, and you will copy the processed debugserver to the/usr/bin/ Directory (where we use ifunbox to make copies of files, of course).

After copying the debugserver to the/usr/bin directory, execute the commands below to assign the executable permission to the Debugserver, as follows:

chmod +x Debugserver

Once you have assigned the permissions, you can use the Debugserver command to turn on the Debuserver, as follows:

The opening of Debugserver and the connection of LLDB

1. Open Debugserver

In the jailbreak device, we can open the Debugserver by using the command line below, and we'll take the example of debugging a micro-mail app. The command below is to start Debugserver to listen for access from any IP address, the iOS device's access port is 12345, the app to be debugged is "WeChat". The order is as follows:

Debugserver *:12345-a "WeChat"

The effect of executing the above command on our iOS device is as follows, after the above command is executed, our iOS device waits for the Mac terminal Lldb access.

2.LLDB Connection Debugserver

LLDB connection Debugserver can be connected using WiFi, but WiFi is unstable and particularly slow, so here we want to use USBMUXD for LLDB and debugserver connections.

(1) Forwarding of ports

As in the first part, we use USBMUXD to forward the port, to the above "12345" Port to a Mac local port, where we use "12345" port. Go to the python-client under the usbmuxd-1.0.8 directory to execute the command below.

./tcprelay.py-t 12,345:12,345

The specific steps are as follows:

(2) Mac end LLDB Access

After port forwarding, we begin to enter the LLDB mode and then debugserver the connection. First enter the LLDB command on the terminal, and then enter the address below to connect. Because we are forwarding the port using USBMUXD, we can use the local loopback test address for the Debugserver connection.

Process Connect connect://127.0.0.1:12345

Below is the result of the connection, after Lldb and Debugserver are established, we can use LLDB to debug the application of the micro-letter.

Four, Hopper + lldb

In the previous blog, "iOS reverse engineering to WeChat Shell" we have to the micro-letter can be shelled, so the use of hopper processing is no problem. In this part, we will combine Hopper and lldb to play the role of combining the two swords together. This part of the blog is also part of the actual combat.

1. View the WeChat in the thread

Once the LLDB connection is debugserver, we first use the commands below to view all the modules in the current process. From these output information we can find the "WeChat" process in terms of the offset of virtual memory relative to the module base address.

Image List-o-F

After the LLDB connection Debugserver, the partial results of the above command output are shown below. In the screenshot below, the first is the information about the "WeChat" program. The left red box is the ASLR offset (random offset), the ASLR offset is actually the virtual memory address, relative to the module base address offset. The address in the red box on the right is the offset address.

In the introduction address this piece of stuff is first familiar with the two concepts below:

The starting address of module in memory----module base site

ASLR offset----Virtual memory start and module base address offset

From the bottom of the output we can know:ASLR offset = 0x5b000, module offset after the base address = 0x5f000

Below is the use of Hopper opened after the decryption of the micro-letter installation package, the starting address from the following figure we can see is 0x4000, this address is the module offset before the address, that is, the module in virtual memory starting address. From the hopper, we can know that the base address before the module offset =0x4000

　　

From the above two sets of data we can draw:

Base Address after module offset (0x5f000) = ASLR offset (0x5b000) + module offset Front base address (0x4000)

The above formula is particularly important, because the hopper shows "module offset before base address", and lldb to operate is "module offset after the base site." So from Hopper to Lldb, we're going to do a conversion of address offsets. This will be used more than once in the bottom. Of course, one thing to note is that Hopper and Lldb selected AMR architecture of the same number of digits, either 32 bits, or 64 bits, if the number does not match, then the calculated memory address is certainly wrong.

2. Use Lldb to add breakpoints to micro-letter Login

(1), before adding the breakpoint analysis

The "breakpoint" thing is something that's often used in iOS development, and then all we have to do is add a breakpoint to the page jump when the micro-mail clicks on the login. is to click on the left screenshot of the login button to the right page jump to add a breakpoint. For the moment, we add breakpoints to the initialization method of the right page.

To add a breakpoint to the right page above, you must first know the memory address of the "phone number Login" View controller above before you can use LLDB to add a breakpoint. So the task of looking for the memory address of the above view controller is given to our hopper. In Hopper we search for "login" and then filter out the good viewcontroller with the Login keyword, and then we look for suspicious target objects again in the filtered results. Then we found a class called "Wcaccountphonelogincontrollogic" (we can translate English, presumably meaning "micro-letter Mobile account Login Control logic"), and from the name of this class it is not difficult to infer that the class is most likely what we are looking for. Mobile account Login "page.

After the above analysis, we decided to give the class "Initwithdata" (this is definitely an initialization method) to add a breakpoint using LLDB.

(2), Location breakpoint address

After you find the method in the class where you added the breakpoint, the first step is to figure out the memory address for the method, and then use LLDB to add a breakpoint to the address. By Hopper we can easily navigate to the above "Initwithdata:" method, as shown here. The "asterisk" address in the screenshot below is the base address before the "Initwithdata:" Method offset. According to the formula above, we can easily calculate the "offset base address" of the method, which is the real memory address. The algorithm looks like this:

Initwithdata memory address = 0x1304b60 + 0x5b000 (alsr offset) = 0x135fb60

(3), add breakpoints

Use the following command to add a breakpoint to the address above. After the breakpoint is added, clicking on the login button will jump to the "mobile phone number Login" page will execute the breakpoint, the bottom screenshot of the red box is "breakpoint" after the execution of the effect. From the screenshot below we can see that the number of the breakpoint is 1,breakpoint the breakpoint number, which will be used in the Operation Breakpoint, and will give an example below.

BR S-a 0x135fb60

(4) Single Step Execution of breakpoint (Ni, si)

You can use Nexti (short: NI) and stepi (abbreviation: SI) for one step of debugging. NI encountered a jump will not go into the jump, and Si will jump to the corresponding branch. Below is through Si and NI for one step debugging effect screenshot.

(5) Release execution of the breakpoint (c)

Command C can execute the breakpoint, which, if you execute the C command because there is only one breakpoint, will jump to the "mobile number landing page" After the breakpoint is executed.

(6) Disabling and opening of breakpoints

As mentioned above, the number of the breakpoint created above is 1, we want to disable and open the breakpoint, the specific command is as follows:

BR Dis 1--Disable (disable) Number 1 breakpoint

BR en 1--enabled (enable) Number 1 breakpoint

BR Dis--Disable all breakpoints

BR en--Enable all breakpoints

The specific operation results are as follows, when the breakpoint is disabled, clicking the login button does not trigger the breakpoint. When the breakpoint is restarted, clicking the login button still triggers the breakpoint. The specific effect is as follows:

(7) The deletion of the breakpoint

BR del 1--Deletes a breakpoint with the number 1 (delete)

BR del--Remove all breakpoints

3. Output register value (p, PO)

In iOS development, when we use LLDB debugging, we often use the PO command to output a variable or constant value. When using LLDB to debug WeChat, we can also use certain commands to output the values in registers. We use $ to access the values in a register and print using the P command. Below is through the P command to the contents of the R1 register to print, before printing $r1 type conversion, PO command output Objective-c object, and P output is C language type of data. As shown below:

We can also print the value of an address, and the bottom of this command is to output the value of the address that the $SP pointer refers to:

p/x $SP

4. Modify the value in the Register

We can not only view the values in some registers, but also modify the registers in the Register, through the following command we can modify the value of the reference register.

Register Write Register value

Next we're going to go through an example of the register write this command, through the hopper in the Login module analysis, we are not difficult to find "wcaccountmanualauthcontrollogic" in this class " Handleauthresponse: "The method is used to process the" Login Authentication Response "method. That is, "handleauthresponse:" is responsible for handling the network response of the login business logic, and there is a comparison (CMP r0, R1) at the front of the function, which jumps according to the r0 and R1 comparison results.

The next thing we need to do is to change the values in the registers R0 and R1, and then we'll see how the app works. The screenshot below is a random input to the phone number and password when the content is prompted. That is, the normal flow will eject the box below.

The next thing we do is to add a breakpoint to the memory address of 0x1063a24 + 0x5b000 = 0x10bea24 (CMP), and then modify the value of the register R1. The screenshot below is to add a breakpoint to 0x10bea24 's memory address, and after entering the phone number and password, clicking on the login will execute the breakpoints we added, as shown below. At the breakpoint we clearly see the CMP r0, R1 This line of arm instructions.

　

Next we'll print the values in R0 and R1, $r 0 = 8, $r 1 = 351. Then we change the value in the $R1 to 8, and then enter C to continue, and then we find that the normal process alter is not going to come out, but instead make a network request again.

The above example is done on a 32-bit system, and if you are using a arm64 architecture device, such as Iphone6plus, your address will be one-fold longer than the address above. The two screenshot below is a screenshot of the experiment using the iphone 6 Plus jailbreak device, which can be compared to the above steps, although different, but the above content is also applicable when debugging the content below.

The content of this blog is here, so, you should be able to combine lldb and hopper use it. Today we take "micro-faith" as an example, and have no other meaning, just want to achieve in the real example. The reason for experimenting with micro-letters is that micro-letters are safe enough, and the micro-trust team is still very powerful. Because with my jailbreak equipment to finish the experiment, the jailbreak device has been unable to login to the micro-letter account, it must be a micro-letter backstage monitoring the "jailbreak equipment" abnormal behavior, thus doing some security measures.

"Attack and defense" is like "spear and shield" complement each other.

The above is the entire content of this article, I hope to help you learn, but also hope that we support the cloud habitat community.