First of all if we’ve gained a crash in Itunes we need a debugger to see where the actual crash is happening.
Xcode comes with a gdb like darwin debugger which is a good point to start.
You can simply start iTunes by running it with
sh-3.2# gdb /Applications/iTunes.app/
the next thing you will see is Program exited with code 055. But why is iTunes crashing if i want to attach it onto a debugger ?
The reason is simple, Apple has some built in anti-debuggers called in the ptrace function. To disable those we have to look at the source of the ptrace function. Once the gdb debugger we can now set a breakpoint on this function we do this by
(gdb) br ptrace
Breakpoint 1 at 0x7fff8dff9d14
Now our breakpoint is set on the ptrace function, if we now re-run the application iTunes will hold on this function.
Starting program: /Applications/iTunes.app/Contents/MacOS/iTunes
Reading symbols for shared libraries . done
Breakpoint 1, 0x00007fff8dff9d14 in ptrace ()
Now we have the programm stopped before the ptrace function is loaded and can now have a look on the registers by
(gdb) i r rax 0x44f0 17648 rbx 0x7fff5fc35110 140734800023824 rcx 0x0 0 rdx 0x0 0 rsi 0x44f0 17648 rdi 0x1f 31 rbp 0x7fff5fbfe4f0 0x7fff5fbfe4f0 rsp 0x7fff5fbfe498 0x7fff5fbfe498 r8 0x7fff5fc351c0 140734800024000
The RDI register is our target we have to set the value of the register to 11 (as seen in the source to disable ptrace)
(gdb) set $rdi=11
(gdb) i r rax 0x44f0 17648 rbx 0x7fff5fc35110 140734800023824 rcx 0x0 0 rdx 0x0 0 rsi 0x44f0 17648 rdi 0xb 11
and then we simply continue the programm by pressing C and are finally able to debugg =)
but during my research i needed a debugger which was able to interpret python Apple’s built in GDB doesn’t support python and it is no longer developed by Apple.
So i started researching and found out that there is a new Debugger called LLDB which is a gdb alike debugger with a tons of new features.
To start iTunes in lldb just do
(lldb) file /Applications/iTunes/
but we will soon end on the same point as on GDB… the anti-debuggers
Process 17595 launched: ‘/Applications/iTunes.app/Contents/MacOS/iTunes’ (x86_64)
Process 17595 exited with status = 45 (0x0000002d)
But how to proceed on this ?
What i did to solve the problem : i returned to the previous gdb debugger and looked at the address where the ptrace function was called in this case it was on
Breakpoint 1 at 0x7fff8dff9d14
What i did was set a breakpoint in lldb on this position
(lldb) b 0x7fff8dff9d14
the next step is like on GDB to re-run the programm to let it stop before the ptrace function is called
Process 17623 launched: ‘/Applications/iTunes.app/Contents/MacOS/iTunes’ (x86_64)
Process 17623 stopped
* thread #1: tid = 0x1c03, 0x00007fff8dff9d14 libsystem_kernel.dylib
ptrace, stop reason = breakpoint 2.1ptrace
frame #0: 0x00007fff8dff9d14 libsystem_kernel.dylib
Now our debugger has stopped at this point great!
Next step is to have a look at the registers, on lldb it is no longer i r like on gdb you will goal by using read register
(lldb) register read General Purpose Registers: rax = 0x00000000000044f8 rbx = 0x00007fff5fc35110 dyld::gLinkContext rcx = 0x0000000000000000 rdx = 0x0000000000000000 rdi = 0x000000000000001f
Now have a look at the rdi register it is set on 0x000000000000001f , go back to gdb and have a look there
rdi 0x1f 31
rdi is set to 0x1f which equals the function 31 before we’ve set it to 11, so no we have to look what changed when we set this to 11
rdi 0xb 11
now we can see that the value is now on 0xb
what we have to tell the debugger now is to set the rdi register to the same value as the gdb debugger lldb has this function (thank god!) too.
(lldb) register write rdi 0x000000000000000b
now we have disabled the anti debuggers and can start debugging on our lldb debugger with built in python interpreter! Great one