2016-12-01

通过debugserver&lldb来调试一个被加了ptrace反调试的app

关于ptrace,ptrace是一个系统函数，它提供了一种可以使父进程监控其他进程的方式，还可以改变
子进程中的寄存器和内核印象，因而可以实现断点调试和系统调用的跟踪。
使用ptrace，可以在用户层拦截和修改系统调用。

那么我们来到官网看看他是怎么讲的http://iphonedevwiki.net/index.php/Debugserver
官网一张图表达得很清楚
one

我们这里首先使用debugserver正常附加，来判断目标app究竟有没有使用ptrace来反调试

linguochengde-iPhone:~ root# debugserver *:1234 -a AMapiPhone
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-320.2.89
 for armv7.
Attaching to process AMapiPhone...
error: failed to attach to process named: ""
Exiting.

可以看到这里debugserver附加失败，再根据目前公开的反调试的方法只有通过ptrace系统函数来反调试，于是了解了ptrace后基本上也就很好绕过了

首先通过lldb来启动app

linguochengde-iPhone:~ root# debugserver -x posix *:1234 /var/mobile/Containers/Bundle/Application/9F0A5D73-7589-4BE5-A209-A96002B6D641/AMapiPhone.app/AMapiPhone
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-320.2.89
 for armv7.
Listening to port 1234 for a connection from *...

这里之前参考http://bbs.iosre.com/t/7-2-0-ios/770中的backboard参数，发现失败，于是把参数换成posix后debugserver可以正常附加

然后就按照网上很多方法，启动lldb后，先通过在ptrace上下断点，找到ptrace偏移后的地址，再通过image list -o -f找到ASLR偏移，相减算出ptrace的正确位置后在ida或者hopper中打开，进一步分析

┌─(~)─────────────────────────(linguocheng@Sherlock-HolmesdeMacBook-Pro:s002)─┐
└─(09:27:13)──> lldb                                              ──(三,1130)─┘
(lldb)  process connect connect://192.168.1.102:1234
Process 59223 stopped
* thread #1: tid = 0x3240a, 0x1fe4d000 dyld`_dyld_start, stop reason = signal SIGSTOP
    frame #0: 0x1fe4d000 dyld`_dyld_start
dyld`_dyld_start:
->  0x1fe4d000 <+0>:  mov    r8, sp
    0x1fe4d004 <+4>:  sub    sp, sp, #16
    0x1fe4d008 <+8>:  bic    sp, sp, #7
    0x1fe4d00c <+12>: ldr    r3, [pc, #0x70]           ; <+132>
(lldb) b ptrace
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.
(lldb) c
Process 59223 resuming
1 location added to breakpoint 1
2016-11-30 09:27:57.361 AMapiPhone[59223:205834] Foundation called mkdir("/tmp/(A Document Being Saved By 高德地图)"), it didn't return 0, and errno was set to 1.
2016-11-30 09:27:57.378 AMapiPhone[59223:205834] Foundation called mkdir("/tmp/(A Document Being Saved By 高德地图)"), it didn't return 0, and errno was set to 1.
Process 59223 stopped
* thread #1: tid = 0x3240a, 0x364b0e58 libsystem_kernel.dylib`__ptrace, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x364b0e58 libsystem_kernel.dylib`__ptrace
libsystem_kernel.dylib`__ptrace:
->  0x364b0e58 <+0>:  ldr    r12, [pc, #0x4]           ; <+12>
    0x364b0e5c <+4>:  ldr    r12, [pc, r12]
    0x364b0e60 <+8>:  b      0x364b0e68                ; <+16>
    0x364b0e64 <+12>: addeq  r9, r6, #204, #2
(lldb) p/x $lr
(unsigned int) $0 = 0x0004515d
(lldb) image list -o -f
[  0] 0x0002f000 /private/var/mobile/Containers/Bundle/Application/9F0A5D73-7589-4BE5-A209-A96002B6D641/AMapiPhone.app/AMapiPhone(0x0000000000033000)

two

可以看到和之前文章中不一样，这个是在start中加入了ptrace系统函数，我们分析当ptrace第一个参为31时，会detach调试器。所以，newptrace中可以直接返回0，也可以判断第一个参数等于31时，更改参数的返回值

#import <substrate.h>
#import <mach-o/dyld.h>
#import <dlfcn.h>
static int (*oldptrace)(int request, pid_t pid, caddr_t addr, int data);
static int newptrace(int request, pid_t pid, caddr_t addr, int data){
        return 0;
}
%ctor {
        MSHookFunction((void *)MSFindSymbol(NULL,"_ptrace"), (void *)newptrace, (void **)&oldptrace);
}

OK，有了tweak加持就可以动态调试了

linguocheng in ~ λ ssh root@192.168.1.102
root@192.168.1.102's password:
linguochengde-iPhone:~ root# debugserver *:1234 -a AMapiPhone
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-320.2.89
 for armv7.
Attaching to process AMapiPhone...
Listening to port 1234 for a connection from *...

┌─(~)─────────────────────────(linguocheng@Sherlock-HolmesdeMacBook-Pro:s002)─┐
└─(11:27:21)──> lldb                                        146 ↵ ──(四,120
(lldb) process connect connect://192.168.1.102:1234
Process 1996 stopped
* thread #1: tid = 0x21a2, 0x322a549c libsystem_kernel.dylib`mach_msg_trap + 20, name = 'RouMainThread', queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x322a549c libsystem_kernel.dylib`mach_msg_trap + 20
libsystem_kernel.dylib`mach_msg_trap:
->  0x322a549c <+20>: pop    {r4, r5, r6, r8}
    0x322a54a0 <+24>: bx     lr
libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x322a54a4 <+0>:  mov    r12, sp
    0x322a54a8 <+4>:  push   {r4, r5, r6, r8}
(lldb)

参考:http://bbs.iosre.com/t/7-2-0-ios/770
http://www.linuxjournal.com/article/6100?page=0,1

本文标题:通过debugserver&lldb来调试一个被加了ptrace反调试的app

文章作者:凌迟

发布时间:2016-12-01, 16:21:58

最后更新:2016-12-01, 17:49:24

原始链接:http://Hello-Sherlock.github.io/2016/12/01/two-Blog/

许可协议: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。