I had my iPhone 4 jailbroken, so I can debug/crack apps on the iPhone.
Server: iPhone 4 + debugserver
Client: Mac OS X + lldb
Server
DebugServer
debugserver can be found on iOS at /Developer/usr/bin/debugserver.
Just follow the instructions on the iPhone Wiki page for debugserver.
```
# lipo -info /Developer/usr/bin/debugserver
Architectures in the fat file: /Developer/usr/bin/debugserver are: armv7 armv7s arm64
# lipo -thin armv7 /Developer/usr/bin/debugserver -output ~/debugserver
```
Save the following content as a plist, e.g. dbg.plist:
```
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.springboard.debugapplications</key>
<true/>
<key>get-task-allow</key>
<true/>
<key>task_for_pid-allow</key>
<true/>
<key>run-unsigned-code</key>
<true/>
</dict>
</plist>
```
Apply the entitlement
```
ldid -Sdbg.plist debugserver
```
If the entitlements above are not applied, debugserver will not be able to listen on a TCP port.
Remove FairPlay
FairPlay is Apple's DRM applied to apps distributed through the App Store.
If you see cryptid 1 like below, try Clutch!
```
otool -l /var/mobile/Applications/0732D587-2530-4517-A101-C46602B32628/CheMiYouHao.app/CheMiYouHao |grep LC_ENCRYPTION_INFO -A 5
     cmd LC_ENCRYPTION_INFO
 cmdsize 20
cryptoff 16384
cryptsize 5652480
 cryptid 1
Load command 13
```
Disable ASLR
Run otool -hv on your app binary; if the PIE flag is set, you have to disable ASLR.
```
mede-iPhone:~ root# otool -hv /var/mobile/Applications/0732D587-2530-4517-A101-C46602B32628/CheMiYouHao.app/CheMiYouHao
/var/mobile/Applications/0732D587-2530-4517-A101-C46602B32628/CheMiYouHao.app/CheMiYouHao:
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
   MH_MAGIC     ARM         V7  0x00     EXECUTE    48       5084   NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
```
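The two otool checks above (the cryptid in LC_ENCRYPTION_INFO and the PIE flag in the Mach header) can also be read straight from the file. The following is an added Python example, not code from the original post: it parses a thin little-endian Mach-O header and its load commands and reports both values. It assumes a single-architecture image (a fat file as produced before `lipo -thin` is out of scope), and the binary it inspects is a constructed header-only sample, not a real app.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_PIE = 0x200000                      # header flag set on PIE executables (ASLR on)
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def inspect_macho(data):
    """Return {'pie': bool, 'cryptid': int or None} for a thin little-endian
    Mach-O image. cryptid is None when no LC_ENCRYPTION_INFO is present."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC:
        hdr_size = 28                  # mach_header
    elif magic == MH_MAGIC_64:
        hdr_size = 32                  # mach_header_64 has an extra reserved field
    else:
        raise ValueError("not a thin little-endian Mach-O: magic=%#x" % magic)
    _, _, _, _, ncmds, _, flags = struct.unpack_from("<7I", data, 0)
    cryptid, off = None, hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at %#x" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # both variants lay out cryptoff, cryptsize, cryptid right after cmd/cmdsize
            cryptid = struct.unpack_from("<III", data, off + 8)[2]
        off += cmdsize
    return {"pie": bool(flags & MH_PIE), "cryptid": cryptid}

def build_sample(pie, cryptid, is64=False):
    """Constructed header-only test image (not a real app): one LC_ENCRYPTION_INFO
    load command, flags NOUNDEFS|DYLDLINK|TWOLEVEL plus optional PIE."""
    flags = 0x1 | 0x4 | 0x80 | (MH_PIE if pie else 0)
    if is64:   # CPU_TYPE_ARM64 = 0x0100000C, MH_EXECUTE = 2
        enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 16384, 5652480, cryptid, 0)
        hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(enc), flags, 0)
    else:      # CPU_TYPE_ARM = 12, CPU_SUBTYPE_ARM_V7 = 9, MH_EXECUTE = 2
        enc = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 16384, 5652480, cryptid)
        hdr = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 1, len(enc), flags)
    return hdr + enc

if __name__ == "__main__":
    info = inspect_macho(build_sample(pie=True, cryptid=1))
    print("PIE (ASLR on): %s, cryptid: %s" % (info["pie"], info["cryptid"]))
    # An App Store build looks like the otool output above: pie=True, cryptid=1
    # (FairPlay-encrypted); cryptid=0 means the __TEXT pages are stored in the clear.
```

To check a real file, replace the constructed sample with `open(path, "rb").read()` after thinning it with lipo as shown earlier.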
Make sure you have Python installed on your iPhone.
Find your target app.
Client
Copy the decrypted, de-ASLR'd app binary to your OS X machine and:
```
$ lldb /path/to/app/binary
(lldb) target create "/path/to/app/binary"
Current executable set to '/path/to/app/binary' (arm64).
(lldb) platform select remote-ios
  Platform: remote-ios
 Connected: no
  SDK Path: "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/9.2 (13C75)"
 SDK Roots: [ 0] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/7.1.2 (11D257)"
 SDK Roots: [ 1] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/8.3 (12F70)"
 SDK Roots: [ 2] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/8.4.1 (12H321)"
 SDK Roots: [ 3] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/9.2 (13C75)"
(lldb) process connect connect://172.18.1.66:9988
```
Set up DebugServer on iOS 7 by @sskaje: https://sskaje.me/2016/01/set-up-debugserver-ios-7/