一步一步在debugserver中绕过ptrace反调试

@snakeninny wrote:

编辑: 新手请Refer楼下来获得完整的信息 -- @Aimer

其实相关的内容论坛里已经翻来覆去地讨论了好多次了，只要用好搜索，都可以找到答案，但是不知道什么原因，还是有很多朋友卡在了这个地方。既然有问题，那就争取用一个帖子解决问题吧。

以下操作在iPhone SE，iOS 9.3.3中完成，操作对象是“无秘”，一个有损阴德的死妈App。

一、利用ps命令拿到无秘的全路径

首先启动无秘，然后ssh到设备上，用ps命令查看其全路径：

FunMaker-SE:~ root# ps -e
  PID TTY           TIME CMD
    1 ??         8:57.70 /sbin/launchd
  225 ??         7:15.96 /usr/sbin/syslogd
...
13410 ??         0:15.52 /var/containers/Bundle/Application/24550860-1E7B-4A59-9753-9E7040DF0DAA/WMMimi.app/WMMimi
...

二、双击home键，杀掉无秘

三、用debugserver启动无秘

FunMaker-SE:~ root# debugserver *:1234 -x auto /var/containers/Bundle/Application/24550860-1E7B-4A59-9753-9E7040DF0DAA/WMMimi.app/WMMimi
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-340.3.124
 for arm64.
Listening to port 1234 for a connection from *...

四、用LLDB连接debugserver

FunMaker-MBP:~ snakeninny$ lldb
(lldb) process connect connect://YourIP:1234
Process 13747 stopped
* thread #1: tid = 0x2629c0, 0x00000001200b9000 dyld`_dyld_start, stop reason = signal SIGSTOP
    frame #0: 0x00000001200b9000 dyld`_dyld_start
dyld`_dyld_start:
->  0x1200b9000 <+0>:  mov    x28, sp
    0x1200b9004 <+4>:  and    sp, x28, #0xfffffffffffffff0
    0x1200b9008 <+8>:  movz   x0, #0
    0x1200b900c <+12>: movz   x1, #0
(lldb)

五、在ptrace上断点

(lldb) b ptrace
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.
(lldb) c
Process 13747 resuming
1 location added to breakpoint 1
Process 13747 stopped
* thread #1: tid = 0x2629c0, 0x000000018127c180 libsystem_kernel.dylib`__ptrace, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x000000018127c180 libsystem_kernel.dylib`__ptrace
libsystem_kernel.dylib`__ptrace:
->  0x18127c180 <+0>:  adrp   x9, 126570
    0x18127c184 <+4>:  add    x9, x9, #208              ; =208 
    0x18127c188 <+8>:  str    wzr, [x9]
    0x18127c18c <+12>: movz   x16, #0x1a
(lldb)

六、修改ptrace参数

(lldb) b ptrace
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.
(lldb) c
Process 13747 resuming
1 location added to breakpoint 1
Process 13747 stopped
* thread #1: tid = 0x2629c0, 0x000000018127c180 libsystem_kernel.dylib`__ptrace, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x000000018127c180 libsystem_kernel.dylib`__ptrace
libsystem_kernel.dylib`__ptrace:
->  0x18127c180 <+0>:  adrp   x9, 126570
    0x18127c184 <+4>:  add    x9, x9, #208              ; =208 
    0x18127c188 <+8>:  str    wzr, [x9]
    0x18127c18c <+12>: movz   x16, #0x1a
(lldb) p $x0
(unsigned long) $0 = 31
(lldb) register write $x0 10
(lldb) c
Process 13747 resuming

七、搞定

Process 13747 stopped
* thread #1: tid = 0x2629c0, 0x0000000181260fd8 libsystem_kernel.dylib`mach_msg_trap + 8, stop reason = signal SIGSTOP
    frame #0: 0x0000000181260fd8 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
->  0x181260fd8 <+8>: ret    

libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x181260fdc <+0>: movn   x16, #0x1f
    0x181260fe0 <+4>: svc    #0x80
    0x181260fe4 <+8>: ret    
(lldb) po [[NSBundle mainBundle] bundleIdentifier]
com.wumii.apps.miliao

以上每一步的“为什么”，论坛里都有答案，搜一搜吧。

Posts: 13

Participants: 6

Read full topic