iOS Reverse Engineering: Part One – Configuring LLDB

Overview

This is the first part in a series where we will show you how to configure an environment and learn the basics for reverse engineering iOS applications. In this series we are using a jailbroken iPhone 4, running iOS 7.1.2.

Configuring LLDB

LLDB is the default debugger in Xcode and supports debugging Objective-C on iOS devices and the iOS simulator. If you don’t already have it, you will need to download and install Xcode -> https://developer.apple.com/xcode/downloads/ The next thing we will need is debugserver, which allows for remote debugging through GDB or LLDB. We can grab this from the DeveloperDiskImage.

hdiutil attach /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/8.0 (12A365)/DeveloperDiskImage.dmg cp /Volumes/DeveloperDiskImage/usr/bin/debugserver /Users/rotlogix/

Now we need to create an entitlements.plist in order to sign the debugserver application before moving it over to our device. For those who are unfamiliar with entitlements, they essentially assist in granting additional permissions to an application. Apple’s developer resources describe them as effectively extending the sandbox and capabilities of the designated application to allow a particular operation to occur.

Our entitlements.plist should look something like this:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>com.apple.springboard.debugapplications</key> <true/>

<key>run-unsigned-code</key>

<true/>

<key>get-task-allow</key>

<true/>

<key>task_for_pid-allow</key>

<true/>

</dict>

</plist>

We can now use this to sign debugserver:

codesign -s - --entitlements entitlements.plist -f debugserver

After this has been completed, copy debugserver over to your jailbroken iDevice. Lets test whether or not everything is working by attaching to Damn Vulnerable iOS App.

Now load up LLDB in another console.

(lldb) platform select remote-ios (lldb) process connect connect://192.168.0.8:6666

Finally for symbolicating, which LLDB supports extremely well, we want to load the symbols from the binary into LLDB. This will help us set breakpoints on specific Objective-C methods within the application that we are debugging.

(lldb) target create --arch arm /Users/rotlogix/Downloads/Payload/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp Current executable set to '/Users/rotlogix/Downloads/Payload/DamnVulnerableIOSApp.app/DamnVulnerableIOSApp' (armv7). (lldb) b -[InsecureDataStorageVulnVC saveInPlistFileTapped:] Breakpoint 1: where = DamnVulnerableIOSApp`-[InsecureDataStorageVulnVC saveInPlistFileTapped:], address = 0x00012c2c

Every seems to be working, and now we are ready to start debugging! If you are already familiar with gdb, there is a great resource that maps GDB commands to the LLDB equivalent -> http://lldb.llvm.org/lldb-gdb.html. In part two we will walk the through the basics of using LLDB to debug the Damn Vulnerable iOS Application.

Protect Your Assets from Various Threat Actors

VerSprite’s Research and Development division (a.k.a VS-Labs) is comprised of individuals who are passionate about diving into the internals of various technologies.

Our clients rely on VerSprite’s unique offerings of zero-day vulnerability research and exploit development to protect their assets from various threat actors.

From advanced technical security training to our research for hire B.O.S.S offering, we help organizations solve their most complex technical challenges. Learn more about Research as a Service →