@sskaje

lldb 断点自动执行命令

By @sskaje
Link: https://sskaje.me/2018/03/lldb-%e6%96%ad%e7%82%b9%e8%87%aa%e5%8a%a8%e6%89%a7%e8%a1%8c%e5%91%bd%e4%bb%a4/

调试某软件，需要取到断点时候的内存数据。

之前是每次到断点，一个地址一个地址地 p 或者 memory read，后来看到 breakpoint command 命令，于是有了：

添加断点

(lldb) breakpoint set -a 0x100110000
Breakpoint 1: where = someapp`___lldb_unnamed_symbol10122$$global, address = 0x0000000100110000

1 2	(lldb) breakpoint set -a 0x100110000 Breakpoint 1: where = someapp`___lldb_unnamed_symbol10122$$global, address = 0x0000000100110000

添加命令

(lldb) breakpoint command add 1.1
Enter your debugger command(s).  Type 'DONE' to end.

1 2	(lldb) breakpoint command add 1.1 Enter your debugger command(s). Type 'DONE' to end.

输入命令

> memory read -f Y -c 0x100 $x1 
> memory read -f Y -c 0x100 $x2
> DONE

> memory read -f Y -c 0x100 $x1

> memory read -f Y -c 0x100 $x2

> DONE

这样，每次运行到断点的时候，就会执行这两条命令。

lldb 断点自动执行命令 by @sskaje: https://sskaje.me/2018/03/lldb-%e6%96%ad%e7%82%b9%e8%87%aa%e5%8a%a8%e6%89%a7%e8%a1%8c%e5%91%bd%e4%bb%a4/

MH: A CLI based Memory Editor for iOS/macOS

By @sskaje
Link: https://sskaje.me/2018/03/mh-cli-based-memory-editor-ios-macos/

I write this project just because I don’t like those game memory editor like igg.

Code: https://github.com/sskaje/mh

CMake is required for building. Build scripts already included in build/.

Leave an issue if there’s any bugs/feature requests.

MH: A CLI based Memory Editor for iOS/macOS by @sskaje: https://sskaje.me/2018/03/mh-cli-based-memory-editor-ios-macos/

Run HelloWorld on Jailbroken iOS 11

By @sskaje
Link: https://sskaje.me/2018/03/run-helloworld-on-jailbroken-ios-11/

iPhone 5s, iOS 11.1

Jailbroken by Electra

How to jailbreak

Cydia Impactor and a new Apple ID required (You can use your own Apple ID at your risk).

If any error occurs on Cydia Impactor, try to login in Xcode and remove useless app/cert.

Trust your developer certificate in iOS Settings => General => Profiles & Device Management => DEVELOPER APP.

Write HelloWorld

helloworld.c

#include <stdio.h>
int main()
{
    printf("Hello, world!\n");
    return 0;
}

#include <stdio.h>

int main()

{

printf("Hello, world!\n");

return 0;

}

build

clang -arch arm64 -mios-version-min=10.2 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/ -o helloworld helloworld.c

1	clang -arch arm64 -mios-version-min=10.2 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/ -o helloworld helloworld.c

sign with jtool

ARCH=arm64 jtool --sign --ent ent.xml helloworld

1	ARCH=arm64 jtool --sign --ent ent.xml helloworld

ent.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>platform-application</key>
        <true/>
    </dict>
</plist>

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>platform-application</key>

<true/>

</dict>

</plist>

upload and run helloworld

iPhone:~ root# /tmp/helloworld 
-sh: /tmp/helloworld: Operation not permitted
iPhone:~ root# mv /tmp/helloworld /bin/
iPhone:~ root# helloworld
Hello, world!

iPhone:~ root# /tmp/helloworld

-sh: /tmp/helloworld: Operation not permitted

iPhone:~ root# mv /tmp/helloworld /bin/

iPhone:~ root# helloworld

Hello, world!

If this binary is not signed with platform-application entitlement, it will get a ‘Killed’ if it’s under /bin/

I wrote a cli based memory editor, which requires more than a hello world.

1 entitlements

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.springboard.debugapplications</key>
        <true/>
        <key>get-task-allow</key>
        <true/>
        <key>proc_info-allow</key>
        <true/>
        <key>task_for_pid-allow</key>
        <true/>
        <key>run-unsigned-code</key>
        <true/>
        <key>platform-application</key>
        <true/>
    </dict>
</plist>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>com.apple.springboard.debugapplications</key>

<true/>

<key>get-task-allow</key>

<true/>

<key>proc_info-allow</key>

<true/>

<key>task_for_pid-allow</key>

<true/>

<key>run-unsigned-code</key>

<true/>

<key>platform-application</key>

<true/>

</dict>

</plist>

2 patch_setuid() from coolstar’s example. But I’m using code from electra’s cydia fork, also mentioned after his example.

3 Special thanks to ThisTakenIsUsername.

Run HelloWorld on Jailbroken iOS 11 by @sskaje: https://sskaje.me/2018/03/run-helloworld-on-jailbroken-ios-11/

使用WireGuard为阿里云专有网络主机提供外网访问

By @sskaje
Link: https://sskaje.me/2018/02/aliyun-vpc-hosts-access-internet-using-wireguard/

前言

我的阿里云服务器网络处于混合过度模式，逐步从经典网络往专有网络迁移。

之前每台经典网络主机都申请了公网IP和带宽，实际上对于大多数主机的业务而言，并不需要对外提供网络服务，只需要能访问外网即可。
所以这次新加的主机部分都没有去加弹性公网IP。

于是带来了问题：内网主机如何访问外网？

阿里云的dnat方案太贵了。不考虑。

尝试过本地配置网关，但是实验证明，阿里云的VPC交换机不是一个纯粹的二层交换，也许是设计有问题，也许是刻意阻止用户自己拿一台能访问公网的主机当内网网关。

所以这次使用WireGuard实现网络架构调整。

阿里云的经典网络主机里加了几条默认的路由：

10.0.0.0/8
172.16.0.0/12
100.64.0.0/10

10.0.0.0/8

172.16.0.0/12

100.64.0.0/10

前两个都好说，第三个是运营商级的NAT网络地址，之前在 OpenVPN Site-to-Site VPN between Asus Merlin And Ubnt EdgeRouter 里提过贵州电信的光纤网络对外就是这个地址段。

WireGuard的配置过程参考之前的文章，此处不多解释，只贴配置。

Continue reading “使用WireGuard为阿里云专有网络主机提供外网访问” »

使用WireGuard为阿里云专有网络主机提供外网访问 by @sskaje: https://sskaje.me/2018/02/aliyun-vpc-hosts-access-internet-using-wireguard/

VMware Fusion “Unable to create the installation media”

By @sskaje
Link: https://sskaje.me/2018/02/vmware-fusion-unable-create-installation-media/

I saw “Unable to create the installation media” (无法创建安装介质) when creating VM right after download macOS High Sierra installer from Mac App Store.

To solve this:

$ diskutil list
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                 Apple_APFS Container disk1         500.1 GB   disk0s2

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +500.1 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            311.1 GB   disk1s1
   2:                APFS Volume Preboot                 19.4 MB    disk1s2
   3:                APFS Volume Recovery                509.8 MB   disk1s3
   4:                APFS Volume VM                      3.2 GB     disk1s4

/dev/disk2 (disk image):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        +9.3 GB     disk2
   1:                        EFI EFI                     209.7 MB   disk2s1
   2:                  Apple_HFS InstallESD              9.0 GB     disk2s2

$ diskutil list

/dev/disk0 (internal, physical):

#: TYPE NAME SIZE IDENTIFIER

0: GUID_partition_scheme *500.3 GB disk0

1: EFI EFI 209.7 MB disk0s1

2: Apple_APFS Container disk1 500.1 GB disk0s2

/dev/disk1 (synthesized):

#: TYPE NAME SIZE IDENTIFIER

0: APFS Container Scheme - +500.1 GB disk1

Physical Store disk0s2

1: APFS Volume Macintosh HD 311.1 GB disk1s1

2: APFS Volume Preboot 19.4 MB disk1s2

3: APFS Volume Recovery 509.8 MB disk1s3

4: APFS Volume VM 3.2 GB disk1s4

/dev/disk2 (disk image):

#: TYPE NAME SIZE IDENTIFIER

0: GUID_partition_scheme +9.3 GB disk2

1: EFI EFI 209.7 MB disk2s1

2: Apple_HFS InstallESD 9.0 GB disk2s2

You can see an installation image named InstallESD is mounted.
Just eject this whole disk and retry VMware Fusion creation.

$ hdiutil eject /dev/disk2
"disk2" unmounted.
"disk2" ejected.
$ diskutil list
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                 Apple_APFS Container disk1         500.1 GB   disk0s2

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +500.1 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            311.1 GB   disk1s1
   2:                APFS Volume Preboot                 19.4 MB    disk1s2
   3:                APFS Volume Recovery                509.8 MB   disk1s3
   4:                APFS Volume VM                      3.2 GB     disk1s4

$ hdiutil eject /dev/disk2

"disk2" unmounted.

"disk2" ejected.

$ diskutil list

/dev/disk0 (internal, physical):

#: TYPE NAME SIZE IDENTIFIER

0: GUID_partition_scheme *500.3 GB disk0

1: EFI EFI 209.7 MB disk0s1

2: Apple_APFS Container disk1 500.1 GB disk0s2

/dev/disk1 (synthesized):

#: TYPE NAME SIZE IDENTIFIER

0: APFS Container Scheme - +500.1 GB disk1

Physical Store disk0s2

1: APFS Volume Macintosh HD 311.1 GB disk1s1

2: APFS Volume Preboot 19.4 MB disk1s2

3: APFS Volume Recovery 509.8 MB disk1s3

4: APFS Volume VM 3.2 GB disk1s4

VMware Fusion “Unable to create the installation media” by @sskaje: https://sskaje.me/2018/02/vmware-fusion-unable-create-installation-media/

How to jailbreak

Write HelloWorld

More

前言