I'm a rookie. With an idle weekend, I wanted to practise reverse analysis on the app; but as soon as I launched it with MonkeyDev, the debugger was disconnected from the application, making debugging impossible.

Ready to debug

Environment:

iPhone 8, iOS 13.3, jailbroken

macOS 10.14.4

IPA package, version 12.4.0

MonkeyDev environment

IDA

First, enable the "sysctl" hook that is commented out in AntiAntiDebug.m in MonkeyDev, and run the project again.

When the application starts, the debugger is still disconnected from the application; the hook has no effect.

Start debugging analysis

First, set a symbolic breakpoint on -[AppDelegate application:didFinishLaunchingWithOptions:].

Run the MonkeyDev project again. After the application starts, the debugger is still disconnected from the application, and the breakpoint never hits.

This means the anti-debug logic has already run before -[AppDelegate application:didFinishLaunchingWithOptions:] is executed. The next guess is that the anti-debug logic sits in main.

Open the app's main binary in IDA and locate the main function. The file is 170 MB, so IDA takes a long time to analyse it; be patient.

The entry point of the binary is usually start, and the location and logic of main can be found from start. After IDA finishes parsing the binary, it usually positions itself at start automatically; start is found in IDA as shown in the figure below.

Press F5 to see the pseudocode of start, as shown in the figure below:

A call named Mac_syscall appears in the pseudocode; switch back to the assembly view.

The pseudocode and assembly in the figure above make it clear that the instructions from 00000001043BE8EC to 00000001043BE900 are the anti-debug logic. Two immediates matter. 0x1A is 26 in decimal, and 26 is the system call number: in the System Call Table that Apple provides, 26 is ptrace, and the call is entered through the SVC 0x80 instruction. 0x1F is 31 in decimal, and 31 is the first argument to ptrace, the PT_DENY_ATTACH request. So the sequence is ptrace(31, 0, 0, 0). Once that call succeeds, the kernel refuses any later debugger attach and terminates the process if it is already being traced, which is exactly why the debugger drops as soon as the app starts. Because the call is made with a raw SVC instruction rather than through the ptrace symbol, the ptrace and sysctl hooks in MonkeyDev never see it.

Now we can verify that the logic we found really is what blocks debugging: set a breakpoint at 00000001043BE8F4, and when it hits, change the value of register X1 from 31 to 0 (request 0 is PT_TRACE_ME, which does not deny attach).

Then continue running the application; the anti-debug check is bypassed.
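As an added example (not code from the original post or from the app), here is a small Python scanner that does by hand what the write-up did in IDA: it walks arm64 code looking for `svc #0x80`, recovers the syscall number and the first arguments from the MOVZ immediates that precede it, and names ptrace(PT_DENY_ATTACH). It assumes the inline form of the stub, with the number in x16 and the arguments in x0..x3 (in the app the call went through a wrapper, which is why the request sat in X1 there). The sample bytes are constructed for the example, not taken from the app. It also shows the on-disk equivalent of the register edit: rewriting the request immediate from 31 to 0.

```python
import struct

# Darwin arm64 convention (assumption, see the lead-in: an inline stub, not a
# wrapper): `svc #0x80` enters the kernel with the BSD syscall number in x16
# and the arguments in x0..x7. Only the numbers needed here, from Apple's
# syscall table; 26 is ptrace.
SYSCALL_NAMES = {20: "getpid", 26: "ptrace", 202: "sysctl"}
PTRACE_REQUESTS = {0: "PT_TRACE_ME", 31: "PT_DENY_ATTACH"}

SVC_0x80 = 0xD4001001   # encoding of `svc #0x80`


def movz(rd, imm16, x=True):
    """Assemble MOVZ Xd/Wd, #imm16 (no shift); used to build the sample below."""
    return (0xD2800000 if x else 0x52800000) | (imm16 << 5) | rd


def decode_movz(insn):
    """Return (rd, imm16) if insn is an unshifted MOVZ, else None."""
    # bits 30:23 of MOVZ are opc=10 followed by 100101 (0xA5)
    if (insn >> 23) & 0xFF != 0xA5:
        return None
    if (insn >> 21) & 0x3:           # hw != 0 means a shifted immediate
        return None
    return insn & 0x1F, (insn >> 5) & 0xFFFF


def find_darwin_syscalls(code, base=0):
    """Scan little-endian arm64 code for `svc #0x80` and recover the syscall
    number and first four arguments from the MOVZ immediates that precede it.
    Only straight-line MOVZ loads are tracked; anything else shows as None."""
    calls = []
    regs = {}                        # reg -> (immediate, offset of the MOVZ)
    for off in range(0, len(code) - 3, 4):
        insn = struct.unpack_from("<I", code, off)[0]
        mv = decode_movz(insn)
        if mv is not None:
            regs[mv[0]] = (mv[1], off)
            continue
        if insn == SVC_0x80:
            num = regs.get(16, (None, None))[0]
            calls.append({
                "addr": base + off,
                "number": num,
                "name": SYSCALL_NAMES.get(num, "syscall_%s" % num),
                "args": [regs.get(r, (None, None))[0] for r in range(4)],
                "arg_offsets": [regs.get(r, (None, None))[1] for r in range(4)],
            })
            regs = {}                # argument registers are dead after the call
    return calls


def describe(call):
    """Human-readable form, naming the ptrace request when it is a known one."""
    args = ["?" if a is None else str(a) for a in call["args"]]
    if call["name"] == "ptrace" and call["args"][0] is not None:
        args[0] = PTRACE_REQUESTS.get(call["args"][0], args[0])
    return "%s(%s)" % (call["name"], ", ".join(args))


def neutralize_deny_attach(code):
    """Return a copy of `code` in which every ptrace(PT_DENY_ATTACH) has its
    request immediate rewritten to 0 (PT_TRACE_ME): the on-disk analogue of
    editing the register at the breakpoint. Length is unchanged."""
    out = bytearray(code)
    for call in find_darwin_syscalls(code):
        if call["name"] == "ptrace" and call["args"][0] == 31:
            off = call["arg_offsets"][0]
            insn = struct.unpack_from("<I", code, off)[0]
            wide = bool(insn >> 31)  # keep the original X/W register width
            struct.pack_into("<I", out, off, movz(0, 0, wide))
    return bytes(out)


# Constructed sample (not bytes from the app): the classic inline anti-debug
# stub, followed by an unrelated getpid syscall as a control.
SAMPLE = b"".join(struct.pack("<I", i) for i in [
    movz(16, 0x1A),      # mov x16, #26   ; SYS_ptrace
    movz(0, 0x1F),       # mov x0,  #31   ; PT_DENY_ATTACH
    movz(1, 0),          # mov x1,  #0
    movz(2, 0),          # mov x2,  #0
    movz(3, 0),          # mov x3,  #0
    SVC_0x80,            # svc #0x80
    movz(16, 20),        # mov x16, #20   ; SYS_getpid
    SVC_0x80,
])

if __name__ == "__main__":
    for call in find_darwin_syscalls(SAMPLE, base=0x1000):
        print("0x%X: %s" % (call["addr"], describe(call)))
    print(describe(find_darwin_syscalls(neutralize_deny_attach(SAMPLE))[0]))
```

At runtime the same change is the breakpoint edit from the write-up: in lldb that is `breakpoint set -a 0x1043BE8F4`, then `register write x1 0` and `continue` once it hits. The scanner only follows MOVZ immediates, so a stub that builds its arguments with MOVK, ADRP or a load from memory will report those arguments as `?`; the `svc #0x80` hits are still worth inspecting by hand, because a raw SVC is the one form no userland hook on ptrace or sysctl will catch.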

End debugging analysis

I can have fun again