
iPhone Debugger - Documentation

Nicolas A. Economou (*)
Core Security Technologies

Description

This tool is useful for debugging running (or newly created) native processes on the iPhone.

The development of this debugger is based on a previous Windows debugging tool (nicodbg, unreleased), and its iPhone debug API is inspired by Patrick Walton's weasel debugger (with hdm's updates).

It is written in C++ and runs as native code on the iPhone. It has a console interface similar to that of ntsd.exe, a debugger included in all Windows versions.

The design divides the tool into two parts, the interface and the C++ debugging class, which makes it possible to build other debugging tools with different interfaces on top of the same class. The design is simple and the debugger could easily be ported to other platforms.

Setup

Copy the executable iphonedbg to your preferred folder on the iPhone using OpenSSH secure copy (scp or WinSCP) or by any other means.

Its usage is very simple; you only need to be familiar with console applications.

The working command and arguments follow:

iphonedbg [-e executable [arguments...]|-p pid executable]

The debugger can attach to a running process or start the process from scratch.

Real Life Example

  • We run the Safari web browser on the iPhone and list all the active processes from a console connected through ssh.

  • We write the command to attach the debugger to the Safari process.

  • Once we are attached to the process, the debugger loads all the process symbols and then waits for user commands.

  • We execute command g (go) and the process continues its execution waiting for some event or exception.

If the Safari process crashes while loading a web page, the debugger will report it.

Help

Help is built into the debugger and is shown with the command h; the output is the following:


h -help
v -version
q -quit program
r [reg[=expression]] -print or set registers
g [expression] -run
t [value] -trace execution n times
p -trace execution not entering to calls
u [expression] -print code
db expression -read byte format memory
dd expression -read dword format memory
eb expression b1 b2 ... -write byte format memory
bp expression [condition] -set breakpoint [reg{<|<=|==|>=|>|<>}value]
bc expression -clear breakpoint
m -show memory map
s addr1 addr2 b1 b2 ... -search from addr1 to addr2
f addr1 addr2 byte -fill from addr1 to addr2 with byte value
~ -threads list
~<0..n>r -show register values from the thread number
'enter' -repeat last command

note: * to set breakpoints in thumb mode write address+1.
* to execute many cmds in a line use ';'.
* to execute many times a line: ex. 'repeat 3:r;g;'.

Command Examples

  • command "r"        = "r r3"     --> prints the value of register r3 in hexadecimal
  • command "g"        = "g _main+8"  --> runs the process until function "_main" + 8 is reached
  • command "u"        = "u _main+8"  --> disassembles the code at function "_main" + 8
  • command "db"       = "db _main+8" --> dumps the memory at function "_main" + 8 as 8-bit values
  • command "dd"       = "dd _main+8" --> dumps the memory at function "_main" + 8 as 32-bit values
  • command "eb"       = "eb _main+8 cc cc cc cc" --> writes the value 0xcccccccc at function "_main" + 8
  • command "bp"       = "bp _main+8" --> sets a breakpoint at function "_main" + 8
  • command "bc"       = "bc _main+8" --> clears the breakpoint at function "_main" + 8
  • command "s"        = "s 0x1000 0x400000 CE FA ED FE" --> searches for the pattern CE FA ED FE between addresses 0x1000 and 0x400000
  • command "f"        = "f 0x1000 0x2000 0" --> fills the addresses between 0x1000 and 0x2000 with zeros
  • command "x"        = "x libSystem.B.dylib!*" --> shows all the symbols of the library libSystem.B.dylib
  • command "~"        = "~" --> shows all the threads of the process
  • command "~<0..n>r" = "~3r" --> shows the values of all registers of thread number 3
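The help notes above describe three pieces of console syntax: ';' separates several commands on one line, 'repeat N:' runs the line N times, and a breakpoint may carry a condition of the form reg{<|<=|==|>=|>|<>}value, with Thumb-mode breakpoints written as address+1. The following Python is an added example (not code from iphonedbg itself) that parses exactly that syntax; it assumes symbol expressions such as _main+8 have already been resolved to a 0x-prefixed or decimal address.

```python
import operator
import re

# Comparison operators exactly as the help text lists them; the
# two-character forms are tried before the one-character forms.
_OPS = {
    "<=": operator.le, ">=": operator.ge, "==": operator.eq,
    "<>": operator.ne, "<": operator.lt, ">": operator.gt,
}
_COND_RE = re.compile(r"^([a-z0-9]+)(<=|>=|==|<>|<|>)(0x[0-9a-f]+|\d+)$", re.I)


def expand_line(line):
    """Expand one console line into the single commands it runs.

    Commands are separated by ';' and an optional 'repeat N:' prefix
    runs the whole sequence N times, so 'repeat 3:r;g;' yields
    r, g, r, g, r, g.
    """
    times = 1
    m = re.match(r"^\s*repeat\s+(\d+)\s*:(.*)$", line, re.I)
    if m:
        times, line = int(m.group(1)), m.group(2)
    cmds = [c.strip() for c in line.split(";") if c.strip()]
    return cmds * times


def parse_bp(args):
    """Parse the arguments of 'bp expression [condition]'.

    Returns (address, thumb, condition). Bit 0 of the address is the
    Thumb marker from the help notes, so it is reported separately and
    cleared from the address actually patched. The condition is None
    or a (register, operator_text, value) tuple.
    """
    parts = args.split(None, 1)
    addr = int(parts[0], 0)          # assumes the expression is numeric
    thumb = bool(addr & 1)
    cond = None
    if len(parts) == 2:
        m = _COND_RE.match(parts[1].strip())
        if not m:
            raise ValueError("bad breakpoint condition: %r" % parts[1])
        cond = (m.group(1).lower(), m.group(2), int(m.group(3), 0))
    return addr & ~1, thumb, cond


def condition_hit(cond, regs):
    """True if the breakpoint should stop, given the thread's registers."""
    if cond is None:
        return True
    reg, op, value = cond
    return _OPS[op](regs[reg], value)
```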

Compiling From Scratch

There are two possibilities:

  • Download the well-known toolchain contained in a VMware Linux image, iPhoneToolChainV2:
    • Copy iphonedbg-v?.?.zip to the VMWare Linux image and decompress it.
    • Run the following commands to compile the debugger:
          iPhoneToolchainV2:~/iphonedbg-v1.1# arm-apple-darwin-gcc -c disasm.c
          iPhoneToolchainV2:~/iphonedbg-v1.1# arm-apple-darwin-g++ -L/usr/local/lib -o iphonedbg iphonedbg.cpp disasm.o
  • Download the iPhone SDK for Mac OS X from Apple or from iPhoneFix.de (not tested yet).

iPhone Crashes

When an application crashes on the iPhone, a .plist file is generated in the directory /private/var/logs/CrashReporter. This is basically an XML file containing the register state, the thread and the type of exception that was raised. Kernel crashes are written to /private/var/logs/CrashReporter/Panics instead.


(*) Nicolas A. Economou (neconomou@) is a semi-senior exploit writer at Core Security Technologies. He has been working in computer security for 3 years and specializes mostly in Windows exploits and the development of exploit-writing tools. He has also developed exploits for Linux and Mac OS X.

posted by 김태훈-프란치스코
http://blog.paran.com/franc3sco/37107111
