您的位置:首页 > 移动开发 > IOS开发

iOS Reverse Engineering Part One: Configuring LLDB

2015-10-08 17:38 671 查看


转载:http://versprite.com/og/ios-reverse-engineering-part-one-configuring-lldb/


Overview

This is the first part in a series where we will show you how to configure an environment and learn the basics for reverse engineering iOS applications. In this series we are using a jailbroken iPhone 4, running iOS 7.1.2.


Configuring LLDB

LLDB is the default debugger in Xcode and supports debugging Objective-C on iOS devices and the iOS simulator. If you don’t already have it, you will need to download and install Xcode ->https://developer.apple.com/xcode/downloads/

The next thing we will need is 
debugserver
, which allows for remote
debugging through GDB or LLDB. We can grab this from the 
DeveloperDiskImage
.

hdiutil attach /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/8.0\
\(12A365\)/DeveloperDiskImage.dmg

cp /Volumes/DeveloperDiskImage/usr/bin/debugserver /Users/rotlogix/


Now we need to create an entitlements.plist in order to sign the debugserver application before moving it over to our device. For those who are unfamiliar with entitlements, they essentially assist in granting additional permissions to an application. Apple’s
developer resources describe them as effectively extending the sandbox and capabilities of the designated application to allow a particular operation to occur.

Our entitlements.plist should look something like this:

We can now use this to sign debugserver:

codesign -s - --entitlements entitlements.plist -f debugserver


After this has been completed, copy debugserver over to your jailbroken iDevice. Lets test whether or not everything is working by attaching to Damn Vulnerable iOS App.





Now load up LLDB in another console.

(lldb) platform select remote-ios

(lldb) process connect connect://192.168.0.8:6666






Finally for symbolicating, which LLDB supports extremely well, we want to load the symbols from the binary into LLDB. This will help us set breakpoints on specific Objective-C methods within the application that we are debugging.

(lldb) target create --arch arm /Users/rotlogix/Downloads/Payload/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp

Current executable set to '/Users/rotlogix/Downloads/Payload/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp' (armv7).


(lldb) b -[InsecureDataStorageVulnVC saveInPlistFileTapped:]

Breakpoint 1: where = DamnVulnerableIOSApp`-[InsecureDataStorageVulnVC saveInPlistFileTapped:], address = 0x00012c2c


Every seems to be working, and now we are ready to start debugging! If you are already familiar with gdb, there is a great resource that maps GDB commands to the LLDB equivalent ->http://lldb.llvm.org/lldb-gdb.html.
In part two we will walk the through the basics of using LLDB to debug the Damn Vulnerable iOS Application.
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签: