iPhone Debugger - Documentation
Nicolas A. Economou (*)Core Security Technologies
Description
This tool is useful for debugging running (or newly created) native processes inside iPhone.
The development of this debugger is based on a previous Windows debugging tool (nicodbg, unreleased) and iPhone's debug API is inspired on the Patrick Walton's (with hdm's updates) weasel debugger.
It was developed on C++ and runs in native code inside iPhone. It has a console interface, similar to that of ntsd.exe, a debugger included in all Windows versions.
The design divides the tool into two parts, the interface and the C++ class for debugging, this enables the possibility of making another debugging tools with different interfaces. This design is simple and the debugger could be easily ported to another platforms.
Setup
Copy the executable iphonedbg to your preferred folder inside iPhone using OpenSSH Secure Copy (scp or WinSCP) or be any means possible.
Its usage is very simple, you've only need to be familiarized with console applications.
The working command and arguments follow:
iphonedbg [-e executable [arguments...]|-p pid executable]
The debugger can attach to a running process or start the process from scratch.
Real Life Example
- We run Safari web browser in the iPhone and we list all the active processes from a console conected through ssh.
- We write the command to attach the debugger to the Safari process.
- Once we are attached to the process, the debugger loads all the process symbols and then waits for user commands.
- We execute command g (go) and the process continues its execution waiting for some event or exception.
If after consulting a web page the Safari process crashes the debugger will inform it.
Help
Help is incorporated to the debugger accessing with the command h, the result is the following:
h -help
v -version
q -quit program
r [reg[=expression]] -print or set registers
g [expression] -run
t [value] -trace execution n times
p -trace execution not entering to calls
u [expression] -print code
db expression -read byte format memory
dd expression -read dword format memory
eb expression b1 b2 ... -write byte format memory
bp expression [condition] -set breakpoint [reg{<|<=|==|>=|>|<>}value]
bc expression -clear breakpoint
m -show memory map
s addr1 addr2 b1 b2 ... -search from addr1 to addr2
f addr1 addr2 byte -fill from addr1 to addr2 with byte value
~ -threads list
~<0..n>r -show register values from the thread number
'enter' -repeat last command
note: * to set breakpoints in thumb mode write address+1.
* to execute many cmds in a line use ';'.
* to execute many times a line: ex. 'repeat 3:r;g;'.
Command Examples
command "r" = "r r3" --> print the value of register r3 in hexadecimal
command "g" = "g _main+8" --> executes the process until function "_main" + 8 is reached
command "u" = "u _main+8" --> disassemblies function "_main" + 8
command "db" = "db _main+8" --> dumps functions "_main" + 8 in 8-bit values
command "dd" = "dd _main+8" --> dumps functions "_main" + 8 in 32-bit values
command "eb" = "eb _main+8 cc cc cc cc" --> writes value 0xcccccccc at the beginning of function "_main" + 8
command "bp" = "bp _main+8" --> sets a breakpoint at function "_main" + 8
command "bc" = "bc _main+8" --> erases the breakpoint at function "_main" + 8
command "s" = "s 0x1000 0x400000 CE FA ED FE" --> searches for pattern CE FA ED FE between addresses 0x1000 and 0x400000
command "f" = "f 0x1000 0x2000 0" --> fills with zeros addresses between 0x1000 and 0x2000
command "x" = "x libSystem.B.dylib!*" --> shows all the symbols of library libSystem.B.dylib
command "~" = "~" --> shows all the threads of the process
command "~<0..n>r" = "~3r" --> shows the values of all register of thread number 3
Compiling From Scratch
There are two possibilites:
- Downloading the known toolchain contained on a VMWare Linux image, iPhoneToolChainV2:
- Copy iphonedbg-v?.?.zip to the VMWare Linux image and decompress it.
- Run the following commands to compile the debugger:
iPhoneToolchainV2:~/iphonedbg-v1.1# arm-apple-darwin-gcc -c disasm.c
iPhoneToolchainV2:~/iphonedbg-v1.1# arm-apple-darwin-g++ -L/usr/local/lib -o iphonedbg iphonedbg.cpp disasm.o- Download the iPhone SDK for Mac OS X from Apple or from iPhoneFix.de (not tested yet).
iPhone Crashes
When an application crashes inside iPhone a .plist file is generated on directory /private/var/logs/CrashReporter. This is basically an XML file with the state of the register, thread and the exception type generated. If it is a kernel crash is written at /private/var/logs/CrashReporter/Panics.
(*) Nicolas A. Economou (neconomou@) is a semi-senior exploit writer at Core Security Technologies. He's being working in computer security for 3 years and he specializes in Windows exploits, mostly, and the development of exploit writing tools. He has also developed exploits for Linux and Mac OS X.
http://blog.paran.com/franc3sco/37107111
'작업공간 > 기본적인 삽질 & 기록' 카테고리의 다른 글
| Static analysis of malicous PDFs (Part #2) (0) | 2010.05.30 |
|---|---|
| The Tools (0) | 2010.05.30 |
| 강원도 춘천 닭갈비집 - 통나무집 (0) | 2010.05.24 |
| gcc 2.96이상 버전에서의 버퍼구조 (2) | 2010.05.16 |
| 3.1.3 탈옥 (0) | 2010.05.03 |
spirit.exe
iDeneb Mac OSX 10.5.8.torrent
