Set up DebugServer on iOS 7

I have my iPhone 4 jailbroken, so I can debug and crack apps on the iPhone.

Server: iPhone 4 + debugserver
Client: Mac OS X + lldb

Server

DebugServer

Debugserver can be found on iOS at /Developer/usr/bin/debugserver once Xcode has mounted the developer disk image on the device.
Just follow the instructions on the debugserver page of the iPhone Wiki.

Save the following content as a plist, e.g. dbg.plist:

Apply the entitlement

If the entitlements above are not applied, debugserver will not be able to listen on a TCP port.

Remove FairPlay

FairPlay is Apple's DRM applied to apps from the App Store: the app's code is stored encrypted on disk, and it has to be decrypted on the device before it can be analysed.
If you see cryptid 1 in the LC_ENCRYPTION_INFO load command like below, the binary is still encrypted: try Clutch!

Disable ASLR

Run otool -hv on your app binary; if you see the PIE flag in the output, the binary is position-independent and you have to disable ASLR (clear the flag) so that addresses stay the same across runs.

See: Mach-O Disable ASLR/PIE

Make sure you have Python installed on your iPhone (from Cydia), since the ASLR tool is a Python script.

Find your target app (under /var/mobile/Applications on iOS 7).

Client

Copy the decrypted, PIE-stripped app binary to your OS X machine and:

Set up DebugServer on iOS 7 by @sskaje: https://sskaje.me/2016/01/set-up-debugserver-ios-7/


Ocserv IPv6

I use AnyConnect on both iOS and OS X; you can read the previously posted articles on my blog: anyconnect, openconnect, ocserv.

You can find ipv6-network and ipv6-prefix in ocserv’s sample.config:

which means ocserv should support IPv6.
And AnyConnect for iOS also has IPv6 settings, so it seems IPv6 is supported there too.

My VPN is hosted on a Linode VPS. Linode provides a free IPv6 address pool: open a ticket and ask for one, and you'll get your own pool routed to your VPS's IPv6 address.
After that, set ipv6-network and ipv6-prefix in ocserv's config to the pool and its prefix length.

Ocserv 0.8.9 does not send correct headers to AnyConnect for iOS, but 0.9.0-dev does.
I can now get a correct IPv6 address on my iPhone, but with no connectivity. As has been said, X-CSTP-Split-Include/Exclude is not handled well by AnyConnect for IPv6 addresses.
After that, I tried the latest AnyConnect for OS X; you can download it here: http://dl.sskaje.me/anyconnect/4.0/4.0.00051/

An IPv6 address is also assigned to my MBP, along with a route, but it still does not work.

Ocserv IPv6 by @sskaje: https://sskaje.me/2015/01/ocserv-ipv6/


OpenConnect Public Key Authentication

Here are older articles about ocserv (the OpenConnect server), the open source AnyConnect-compatible VPN server:
OpenConnect on Ubuntu
Open Connect Server Configuration (Working for iOS)
Cisco AnyConnect Client for OS X/Windows/Linux (Version 3.1.05160)

This time: OCServ 0.80 on Ubuntu 14.04.
And it still doesn't work for OS X.

I was using password-based authentication, but the client on iOS cannot remember my password.
So now I add some configuration based on "Open Connect Server Configuration (Working for iOS)".

Create Client Certificates

Just follow the manual: http://www.infradead.org/ocserv/manual.html.
If you already have a CA based on openssl, I have another article: Generate Certificate with GnuTLS and Sign with OpenSSL.

Here is my user.tmpl:

After the PKCS#12 is created as in 'Create Client Config' in "iOS IPSec VPN Server on Ubuntu", the mobileconfig profile should also be created.
Remember to leave the 'Account' and 'Group' fields BLANK on the VPN page.

Update config

Copy a fresh sample.config from the source tree and edit it following Open Connect Server Configuration (Working for iOS).

Now comes the certificate authentication related changes:

auth

I tried to use both certificate and plain, but it failed.
Just keep the certificate one.

server-cert & server-key

You can use your own certificate or get one somewhere like startssl.com.
I got my certificate from startssl.com (class 1); that gives three files: ca.pem, sub.class1.server.ca.pem, and my own ssl.crt:

If you don't concatenate these three in the right order (your own certificate first, then the intermediate, then the root CA), you'll see the errors below in syslog:

The server key I got from startssl is encrypted; decrypt it:

An encrypted private key would result in:

ca-cert

This ca-cert is the CA that signs the CLIENT certificates, not the server's own chain!

cert-user-oid & cert-group-oid

Follow the comment in sample.config:

cisco-client-compat

Enable this! Thanks to @simamy.

OpenConnect Public Key Authentication by @sskaje: https://sskaje.me/2014/06/openconnect-public-key-authentication/


Free OS X Yosemite(10.10) Developer Preview Redeem Code for Developers

Last time I said: Apple gives free OS X Server 3.0 redeem codes to developers
After WWDC 2014, Apple again gives free redemption codes to developers, for both iOS and OS X; this time it is OS X 10.10 and OS X Server.

You must log in before using these links!
For OS X server:
https://developer.apple.com/devcenter/mac/loadredemptioncode.action?seedId=13CB96H8S4
For OS X Yosemite(10.10) developer preview:
https://developer.apple.com/devcenter/mac/loadredemptioncode.action?seedId=14NEDN932X

I tried these two and got 3 codes for OS X 10.10 and 2 for OS X Server.
If you have a Developer account, you can add sub-accounts to get almost UNLIMITED codes.

If you have any codes, please share.

Free OS X Yosemite(10.10) Developer Preview Redeem Code for Developers by @sskaje: https://sskaje.me/2014/06/free-os-yosemite-10-10-developer-preview-redeem-code-developers/


Mach-O Disable ASLR/PIE

ASLR, Address Space Layout Randomization

Address space layout randomization (ASLR) is a computer security technique involved in protection from buffer overflow attacks. In order to prevent an attacker from reliably jumping to a particular exploited function in memory (for example), ASLR involves randomly arranging the positions of key data areas of a program, including the base of the executable and the positions of the stack, heap, and libraries, in a process’s address space.

From http://en.wikipedia.org/wiki/Address_space_layout_randomization

Mach-O

Mach-O, short for Mach object file format, is a file format for executables, object code, shared libraries, dynamically-loaded code, and core dumps. A replacement for the a.out format, Mach-O offered more extensibility and faster access to information in the symbol table.

Mach-O was once used by most systems based on the Mach kernel. NeXTSTEP, OS X, and iOS are examples of systems that have used this format for native executables, libraries and object code.

http://en.wikipedia.org/wiki/Mach-O

There are several tools for turning ASLR/PIE off, some of which need to be compiled, so I decided to write one in Python. Repository: https://github.com/sskaje/disable_aslr
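The two checks from the debugserver post above (cryptid 1 in the LC_ENCRYPTION_INFO load command, and PIE in the header flags shown by otool -hv) and the flag-clearing that an ASLR-disabling tool performs all come down to a few fields of the Mach-O header, so they can be done with plain struct parsing. The following is an added example written for this page, not code from the disable_aslr repository: it handles both thin and fat (multi-architecture) files, reports PIE and cryptid per slice, and clears MH_PIE in every slice. The sample binaries it builds are constructed (header plus a single LC_ENCRYPTION_INFO command, no code) so it runs offline; only the Mach-O field layouts and constants are real.

```python
import struct

# Mach-O constants (from <mach-o/loader.h> and <mach-o/fat.h>)
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin headers, little-endian on ARM/x86
FAT_MAGIC = 0xCAFEBABE                           # fat header, always big-endian
MH_PIE = 0x200000                                # the flag otool -hv prints as "PIE"
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C
MH_EXECUTE = 2


def _thin_header(data, off):
    """Parse one thin Mach-O header at `off`; return flags, PIE state and cryptid."""
    magic, = struct.unpack_from("<I", data, off)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no little-endian Mach-O header at offset %#x" % off)
    is64 = magic == MH_MAGIC_64
    # struct mach_header: magic cputype cpusubtype filetype ncmds sizeofcmds flags (+reserved on 64-bit)
    _, cputype, _, _, ncmds, _, flags = struct.unpack_from("<7I", data, off)
    cryptid = None
    pos = off + (32 if is64 else 28)            # load commands follow the header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd cmdsize cryptoff cryptsize cryptid
            cryptid, = struct.unpack_from("<I", data, pos + 16)
        pos += cmdsize
    return {"offset": off, "is64": is64, "cputype": cputype, "flags": flags,
            "pie": bool(flags & MH_PIE), "cryptid": cryptid,
            "flags_offset": off + 24}           # flags sits at +24 in both header sizes


def parse(data):
    """Return one header dict per architecture: fat binaries yield one per slice."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat, = struct.unpack_from(">I", data, 4)
        # struct fat_arch: cputype cpusubtype offset size align (big-endian, 20 bytes each)
        return [_thin_header(data, struct.unpack_from(">5I", data, 8 + 20 * i)[2])
                for i in range(nfat)]
    return [_thin_header(data, 0)]


def is_debuggable(data):
    """True only when every slice is decrypted (cryptid 0 / no LC_ENCRYPTION_INFO) and not PIE."""
    return all(not h["pie"] and not h["cryptid"] for h in parse(data))


def disable_pie(data):
    """Clear MH_PIE in every slice; nothing else in the file changes."""
    buf = bytearray(data)
    for h in parse(data):
        if h["pie"]:
            struct.pack_into("<I", buf, h["flags_offset"], h["flags"] & ~MH_PIE)
    return bytes(buf)


# --- constructed sample binaries: header + one LC_ENCRYPTION_INFO, no code (example data) ---
def build_thin(is64, pie, cryptid):
    lc = LC_ENCRYPTION_INFO_64 if is64 else LC_ENCRYPTION_INFO
    cmd = struct.pack("<5I", lc, 24 if is64 else 20, 0x4000, 0x8000, cryptid)
    cmd += b"\0" * 4 if is64 else b""            # 64-bit variant carries a pad word
    flags = 0x85 | (MH_PIE if pie else 0)        # NOUNDEFS|DYLDLINK|TWOLEVEL [+PIE]
    hdr = struct.pack("<7I", MH_MAGIC_64 if is64 else MH_MAGIC,
                      CPU_TYPE_ARM64 if is64 else CPU_TYPE_ARM, 0, MH_EXECUTE,
                      1, len(cmd), flags)
    hdr += b"\0" * 4 if is64 else b""            # reserved field on 64-bit
    return hdr + cmd


def build_fat(slices, align=0x1000):
    """Wrap thin blobs in a fat container; slice i starts at align * (i + 1)."""
    archs, out = b"", bytearray()
    for i, blob in enumerate(slices):
        cputype, = struct.unpack_from("<I", blob, 4)
        archs += struct.pack(">5I", cputype, 0, align * (i + 1), len(blob), 12)
    out += struct.pack(">2I", FAT_MAGIC, len(slices)) + archs
    for i, blob in enumerate(slices):
        out += b"\0" * (align * (i + 1) - len(out)) + blob
    return bytes(out)


if __name__ == "__main__":
    # armv7 slice still FairPlay-encrypted and PIE, arm64 slice decrypted but PIE
    fat = build_fat([build_thin(False, True, 1), build_thin(True, True, 0)])
    for h in parse(fat):
        print("%s flags=%#x PIE=%s cryptid=%s" % ("arm64" if h["is64"] else "armv7",
                                                h["flags"], h["pie"], h["cryptid"]))
    fixed = disable_pie(fat)
    print("debuggable after disable_pie:", is_debuggable(fixed))  # still False: armv7 cryptid 1
```

To apply it to a real app, read the binary with open(path, "rb"), pass the bytes to disable_pie and write the result back. Note that the header is part of what the code signature covers, so the rewritten binary will no longer verify with codesign on OS X; on a jailbroken device that is tolerated, which is why the page does this step on the phone. is_debuggable deliberately refuses a binary whose cryptid is still 1: clearing PIE on an encrypted slice gives a binary that loads but whose code is still FairPlay ciphertext.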

Screenshot: Disable ASLR on jailbroken iPod Touch 4 with python installed from Cydia

Screenshot: Disable ASLR on OS X for iOS App

https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html

Mach-O Disable ASLR/PIE by @sskaje: https://sskaje.me/2014/05/mach-o-disable-aslr-pie/
