iTunes debugging disabling ptrace with LLDB

First of all if we’ve gained a crash in Itunes we need a debugger to see where the actual crash is happening.

Xcode comes with a gdb like darwin debugger which is a good point to start.

You can simply start iTunes by running it with
sh-3.2# gdb /Applications/iTunes.app/

the next thing you will see is Program exited with code 055. But why is iTunes crashing if i want to attach it onto a debugger ?

The reason is simple, Apple has some built in anti-debuggers called in the ptrace function. To disable those we have to look at the source of the ptrace function. Once the gdb debugger we can now set a breakpoint on this function we do this by

(gdb) br ptrace

Breakpoint 1 at 0x7fff8dff9d14

Now our breakpoint is set on the ptrace function, if we now  re-run the application iTunes will hold on this function.

Starting program: /Applications/iTunes.app/Contents/MacOS/iTunes 

Reading symbols for shared libraries . done

Breakpoint 1, 0x00007fff8dff9d14 in ptrace ()

Now we have the programm stopped before the ptrace function is loaded and can now have a look on the registers by

The RDI register is our target we have to set the value of the register to 11 (as seen in the source to disable ptrace)

and then we simply continue the programm by pressing C and are finally able to debugg =)

but during my research i needed a debugger which was able to interpret python Apple’s built in GDB doesn’t support python and it is no longer developed by Apple.

So i started researching and found out that there is a new Debugger called LLDB which is a gdb alike debugger with a tons of new features.

To start iTunes in lldb just do

(lldb) file /Applications/iTunes/

(lldb)  r

but we will soon end on the same point as on GDB… the anti-debuggers

Process 17595 launched: ‚/Applications/iTunes.app/Contents/MacOS/iTunes‘ (x86_64)

Process 17595 exited with status = 45 (0x0000002d) 

But how to proceed on this ?

What i did to solve the problem :  i returned to the previous gdb debugger and looked at the address where the ptrace function was called  in this case it was on

Breakpoint 1 at 0x7fff8dff9d14
What i did  was set a breakpoint in lldb on this position
(lldb) b    0x7fff8dff9d14

the next step is like on GDB to re-run the programm to let it stop before the ptrace function is called

Process 17623 launched: ‚/Applications/iTunes.app/Contents/MacOS/iTunes‘ (x86_64)
Process 17623 stopped
* thread #1: tid = 0x1c03, 0x00007fff8dff9d14 libsystem_kernel.dylibptrace, stop reason = breakpoint 2.1
frame #0: 0x00007fff8dff9d14 libsystem_kernel.dylib
ptrace
Now our debugger has stopped at this point great!
Next step is to have a look at the registers, on lldb it is no longer i r like on gdb you will goal by using read register

Now have a look at the rdi register it is set on 0x000000000000001f  , go back to gdb and have a look there

rdi is set to 0x1f which equals the function 31 before we’ve set it to 11, so no we have to look what changed when we set this to 11

now we can see that the value is now on 0xb

what we have to tell the debugger now is to set the rdi register to the same value as the gdb debugger lldb has this function (thank god!) too.

now we have disabled the anti debuggers and can start debugging on our lldb debugger with built in python interpreter! Great one

 

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.