Advanced Apple Debugging & Reverse Engineering | Ray Wenderlich


This is a companion discussion topic for the original entry at https://www.raywenderlich.com/4163-advanced-apple-debugging-reverse-engineering

Too bad most of the time the upper right corner of the video is covered by the video of the speaker, so you can’t see what’s written there. Very frustrating.

@ibum Thank you for your feedback - much appreciated!


Are the files Derek is referring to in the video, available for download somewhere? I can’t see anything like that on the video page.

@ibum You can download them for free over here:

https://store.raywenderlich.com/products/rwdevcon-2017-vault-bundle

I hope it helps!


I’m trying to follow what Derek is saying about attaching to the MobileSMS process (time 1:59:10), but I’m getting an error saying Could not attach to pid : “2354” Ensure “MobileSMS” is not already running, and username has permission to debug it.

Does anyone know how to fix this?
Thanks

@lolgrep Can you please help with this when you get a chance? Thank you - much appreciated! :]


This happens on the sim and on the device. Whatever app I’ve deployed via Xcode, I can attach to. Anything else can’t be attached to.

default 17:22:57.989652 -0500 debugserver 1 +0.000000 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.000724 -0500 debugserver 2 +0.011140 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.011810 -0500 debugserver 3 +0.011081 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.022892 -0500 debugserver 4 +0.011083 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.033973 -0500 debugserver 5 +0.011082 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.045054 -0500 debugserver 6 +0.011082 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.056146 -0500 debugserver 7 +0.011083 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.067284 -0500 debugserver 8 +0.011094 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.078406 -0500 debugserver 9 +0.011118 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.089584 -0500 debugserver 10 +0.011131 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.101105 -0500 debugserver error: MachTask::StartExceptionThread (): task invalid, exception thread start failed.
default 17:22:58.101223 -0500 debugserver error: Attach failed: “unable to start the exception thread”.
default 17:22:58.101325 -0500 debugserver error: attach failed.
default 17:22:58.101441 -0500 debugserver 11 +0.011500 sec [03df/2607]: error: ::read ( -1, 0x16b6cea88, 1024 ) => -1 err = Bad file descriptor (0x00000009)
default 17:22:58.101583 -0500 debugserver Exiting.

I’ve tried this on two separate computers, same result.
According to the iphonedevwiki:

The vanilla debugserver lacks the task_for_pid() entitlement. For building and debugging your own apps on a properly provisioned device, this is not a problem; assuming your project and device are properly configured with your active iOS Developer Program, debugserver should have no trouble attaching to an app built and sent down to the device by Xcode. However, debugserver cannot attach to any other processes, including other apps from the App Store, due to lack of entitlement to allow task_for_pid(). An entitlement must be inserted into the binary to allow this.

Instructions for jailbroken devices are then provided. I have no jailbroken devices anyway.
How were @lolgrep and everybody at the event then able to attach to other processes?

Recently, Apple has added restrictive entitlements to their simulator app GUI processes. This means you can’t attach to these processes even as root. To get around this, you will need to disable System Integrity Protection (aka SIP). You will need to:

Restart your Mac
Hold down cmd+R
From the menu select Utilities then Terminal
In the Terminal window type: csrutil disable && reboot

You will then have all the powers that root should normally give you on other OSs, including being able to attach to an Apple process.


Thank you @lolgrep . How about processes on an iOS device? Would disabling SIP cover those too?

No, that requires a jailbroken iOS device to be able to do that. You can potentially cheat, by resigning an Apple application with your credentials (your developer certificate includes the get-task-allow entitlement), but there will be a lot of functionality that is disabled when that occurs.

A quick reference to that task word: in “kernel speak” a task can be thought of as a process on your computer. If another program can get access to the task, then it has complete control over it. When you sign your application with your developer account, it always includes a get-task-allow entitlement allowing anyone to request the program’s task. Release applications do not include this entitlement. That is why you can debug your own apps, but not apps from the App Store.

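The get-task-allow point above is also a build-hygiene check: a release binary that still carries the entitlement can be attached to by any local process. The following is an added example (not code from the book, the thread, or Apple’s tools) that audits an entitlements plist for the flag; it assumes the plist has already been dumped to XML (for instance with `codesign -d --entitlements :- Example.app`), and the two sample plists and the TEAMID.com.example.app identifier are constructed placeholders.

```python
"""Audit an app's entitlements plist for the get-task-allow debugging flag.

Added example, not code from the book or the forum thread. It assumes the
entitlements are already in plist form (XML or binary); the samples below
are constructed for illustration, with a placeholder application identifier.
"""
import plistlib

GET_TASK_ALLOW = "get-task-allow"

# Constructed sample: what a Debug build signed with a developer
# certificate typically carries.
DEBUG_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>TEAMID.com.example.app</string>
  <key>get-task-allow</key><true/>
</dict></plist>"""

# Constructed sample: a release-style signature with the flag absent.
RELEASE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>TEAMID.com.example.app</string>
</dict></plist>"""


def parse_entitlements(data: bytes) -> dict:
    """Parse an XML (or binary) entitlements plist into a dict."""
    ents = plistlib.loads(data)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must be a dictionary at top level")
    return ents


def allows_task_access(ents: dict) -> bool:
    """True when any process may request this app's task port (debuggable)."""
    return bool(ents.get(GET_TASK_ALLOW, False))


def audit(data: bytes, release_build: bool) -> list:
    """Return findings: the flag present on a release build, or absent on a
    debug build (the debugger will then fail to attach, as in the thread)."""
    ents = parse_entitlements(data)
    findings = []
    if release_build and allows_task_access(ents):
        findings.append(f"{GET_TASK_ALLOW} is set: any local process can "
                        "obtain the task port; strip it for release")
    if not release_build and not allows_task_access(ents):
        findings.append(f"{GET_TASK_ALLOW} missing: the debugger will not "
                        "be able to attach to this build")
    return findings
```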

On the PDF version, page 167, just above the note, it says:

When a function prologue is finished setting up, the contents of RBP will point to the previous RBP a stack frame lower.

If I understood it right, shouldn’t it say previous RSP instead of previous RBP?
Please point me right if I misunderstood.

@ouraigua Thank you for the heads up - much appreciated! We will fix this in the next version of the book.