iOS Reverse Engineering Part One: Configuring LLDB

转载：http://versprite.com/og/ios-reverse-engineering-part-one-configuring-lldb/

Overview

This is the first part in a series where we will show you how to configure an environment and learn the basics for reverse engineering iOS applications. In this series we are using a jailbroken iPhone 4, running iOS 7.1.2.

Configuring LLDB

LLDB is the default debugger in Xcode and supports debugging Objective-C on iOS devices and the iOS simulator. If you don’t already have it, you will need to download and install Xcode ->https://developer.apple.com/xcode/downloads/

The next thing we will need is debugserver, which allows for remote debugging through GDB or LLDB. We can grab this from the DeveloperDiskImage.

hdiutil attach /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/8.0\ \(12A365\)/DeveloperDiskImage.dmg

cp /Volumes/DeveloperDiskImage/usr/bin/debugserver /Users/rotlogix/

Now we need to create an entitlements.plist in order to sign the debugserver application before moving it over to our device. For those who are unfamiliar with entitlements, they essentially assist in granting additional permissions to an application. Apple’s developer resources describe them as effectively extending the sandbox and capabilities of the designated application to allow a particular operation to occur.

Our entitlements.plist should look something like this:

1

2

3

4

5

6

7

8

9

10

11

12

13

<?xmlversion="1.0"encoding="UTF-8"?>

<!DOCTYPEplist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">

<plistversion="1.0">

<dict>

    <key>com.apple.springboard.debugapplications</key> <true/>

    <key>run-unsigned-code</key>

    <true/>

    <key>get-task-allow</key>

    <true/>

    <key>task_for_pid-allow</key>

    <true/>

</dict>

</plist>

We can now use this to sign debugserver:

codesign -s - --entitlements entitlements.plist -f debugserver

After this has been completed, copy debugserver over to your jailbroken iDevice. Lets test whether or not everything is working by attaching to Damn Vulnerable iOS App.

Now load up LLDB in another console.

(lldb) platform select remote-ios
(lldb) process connect connect://192.168.0.8:6666

Finally for symbolicating, which LLDB supports extremely well, we want to load the symbols from the binary into LLDB. This will help us set breakpoints on specific Objective-C methods within the application that we are debugging.

(lldb) target create --arch arm /Users/rotlogix/Downloads/Payload/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp
Current executable set to '/Users/rotlogix/Downloads/Payload/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp' (armv7).

(lldb) b -[InsecureDataStorageVulnVC saveInPlistFileTapped:]
Breakpoint 1: where = DamnVulnerableIOSApp`-[InsecureDataStorageVulnVC saveInPlistFileTapped:], address = 0x00012c2c

Every seems to be working, and now we are ready to start debugging! If you are already familiar with gdb, there is a great resource that maps GDB commands to the LLDB equivalent ->http://lldb.llvm.org/lldb-gdb.html. In part two we will walk the through the basics of using LLDB to debug the Damn Vulnerable iOS Application.