Advanced Apple Debugging and Reverse Engineering

Author(s): Derek Selander
Edition: Second
Year: 2017

Language: English
Pages: 475

Table of Contents:
Extended......Page 8
Introduction......Page 15
Who this book is for......Page 16
Custom LLDB scripts repo......Page 17
License......Page 18
About the cover......Page 19
Section I: Beginning LLDB Commands......Page 20
Chapter 1: Getting Started......Page 21
Getting around Rootless......Page 22
Attaching LLDB to Xcode......Page 24
Where to go from here?......Page 35
Chapter 2: Help & Apropos......Page 36
The "help" command......Page 37
The "apropos" command......Page 39
Where to go from here?......Page 40
Chapter 3: Attaching with LLDB......Page 41
Where to go from here?......Page 47
Chapter 4: Stopping in Code......Page 48
Signals......Page 49
LLDB breakpoint syntax......Page 52
Finally creating breakpoints......Page 56
Where to go from here?......Page 64
Chapter 5: Expression......Page 66
Formatting p & po......Page 67
Swift vs Objective-C debugging contexts......Page 71
User defined variables......Page 72
Where to go from here?......Page 79
Chapter 6: Thread, Frame & Stepping Around......Page 80
Stack 101......Page 81
Examining the stack's frames......Page 82
Stepping......Page 85
Examining data in the stack......Page 87
Where to go from here?......Page 89
Chapter 7: Image......Page 90
Wait modules?......Page 91
Snooping around......Page 99
Where to go from here?......Page 104
Chapter 8: Persisting & Customizing Commands......Page 105
Creating the lldbinit file......Page 106
Command aliases with arguments......Page 108
Where to go from here?......Page 109
Chapter 9: Regex Commands......Page 110
command regex......Page 111
Executing complex logic......Page 112
Chaining regex inputs......Page 114
Supplying multiple parameters......Page 116
Where to go from here?......Page 118
Section II: Understanding Assembly......Page 119
Chapter 10: Assembly Register Calling Convention......Page 120
Assembly 101......Page 121
x86_64 register calling convention......Page 123
Objective-C and registers......Page 125
Putting theory to practice......Page 126
Swift and registers......Page 131
RAX, the return register......Page 133
Changing around values in registers......Page 134
Registers and SDK......Page 137
Where to go from here?......Page 139
Chapter 11: Assembly & Memory......Page 141
Setting up the Intel-Flavored Assembly Experience™......Page 142
The RIP register......Page 145
Registers and breaking up the bits......Page 148
Breaking down the memory......Page 151
Endianness this stuff is reversed?......Page 154
Where to go from here?......Page 156
Chapter 12: Assembly and the Stack......Page 157
The stack, revisited......Page 158
Stack pointer & base pointer registers......Page 159
Stack related opcodes......Page 161
Observing RBP & RSP in action......Page 163
The stack and 7+ parameters......Page 170
The stack and debugging info......Page 172
Stack exploration takeaways......Page 175
Where to go from here?......Page 176
Section III: Low Level......Page 178
Chapter 13: Hello, Ptrace......Page 179
The foundation of attachment, ptrace......Page 180
ptrace arguments......Page 182
Creating attachment issues......Page 185
Getting around PT_DENY_ATTACH......Page 186
Where to go from here?......Page 188
Chapter 14: Dynamic Frameworks......Page 189
Statically inspecting an executable's frameworks......Page 190
Modifying the load commands......Page 194
Loading frameworks at runtime......Page 197
Exploring frameworks......Page 198
Loading frameworks on an actual iOS device......Page 201
Where to go from here?......Page 202
Chapter 15: Hooking & Executing Code with dlopen & dlsym......Page 203
Setting up your project......Page 204
Easy mode: hooking C functions......Page 205
Hard mode: hooking Swift methods......Page 213
Where to go from here?......Page 219
Chapter 16: Exploring and Method Swizzling Objective-C Frameworks......Page 220
Between iOS 10 and 11......Page 221
Sidestepping checks in prepareDebuggingOverlay......Page 228
Introducing Method Swizzling......Page 233
Where to go from here?......Page 240
Section IV: Custom LLDB Commands......Page 242
Chapter 17: Hello Script Bridging......Page 243
Python 101......Page 244
Creating your first LLDB Python script......Page 248
Setting up commands efficiently......Page 250
Where to go from here?......Page 252
Chapter 18: Debugging Script Bridging......Page 253
Debugging your debugging scripts with pdb......Page 254
pdb's post mortem debugging......Page 256
expression's Debug Option......Page 261
How to handle problems......Page 265
Where to go from here?......Page 267
Chapter 19: Script Bridging Classes and Hierarchy......Page 268
The essential classes......Page 269
Learning & finding documentation on script bridging classes......Page 274
Creating the BreakAfterRegex command......Page 276
Where to go from here?......Page 286
Chapter 20: Script Bridging with Options & Arguments......Page 288
Setting up......Page 289
Adding options without params......Page 291
Adding options with params......Page 298
Passing parameters into the breakpoint callback function......Page 302
Real world example: exploring Swift return Strings with bar......Page 308
Where to go from here?......Page 313
Chapter 21: Script Bridging with SBValue & Memory......Page 314
A detour down memory layout lane......Page 315
SBValue......Page 328
Where to go from here?......Page 337
Chapter 22: SB Examples, Improved Lookup......Page 339
Automating script creation......Page 340
lldbinit directory structure suggestions......Page 342
Implementing the lookup command......Page 343
Adding options to lookup......Page 351
Where to go from here?......Page 354
Chapter 23: SB Examples, Resymbolicating a Stripped ObjC Binary......Page 356
So how are you doing this, exactly?......Page 357
50 Shades of Ray......Page 358
The "stripped" 50 Shades of Ray......Page 365
Building sbt.py......Page 368
Implementing the code......Page 369
Where to go from here?......Page 371
Chapter 24: SB Examples, Malloc Logging......Page 372
Setting up the scripts......Page 373
MallocStackLogging explained......Page 374
Hunting in getenv......Page 377
Testing the functions......Page 382
Turning numbers into stack frames......Page 387
Stack trace from a Swift object......Page 390
DRY Python code......Page 391
Where to go from here?......Page 396
Section V: DTrace......Page 397
Chapter 25: Hello, DTrace......Page 398
Jumping right in......Page 399
DTrace Terminology......Page 403
Learning while listing probes......Page 406
A script that makes DTrace scripts......Page 408
Where to go from here?......Page 416
Chapter 26: Intermediate DTrace......Page 417
DTrace & Swift in theory......Page 418
DTrace variables & control flow......Page 422
Inspecting process memory......Page 426
Playing with open syscalls......Page 428
DTrace & destructive actions......Page 430
Where to go from here?......Page 433
Chapter 27: DTrace vs objc_msgSend......Page 435
Building your proof-of-concept......Page 436
How to get around no probes in a stripped binary......Page 440
Researching method calls using DTrace!......Page 441
Scary assembly, part II......Page 449
Converting research into code......Page 451
Limiting scope with LLDB......Page 456
Fixing up the snoopie script......Page 460
Where to go from here?......Page 461
Finding code......Page 463
Breakpoints......Page 464
Expressions......Page 465
Stepping......Page 466
Memory......Page 467
Registers & assembly......Page 468
Modules......Page 469
Python text editors......Page 470
Working with the LLDB Python module......Page 473
Conclusion......Page 474