Group Group Group Group Group Group Group Group Group

Advanced Apple Debugging & Reverse Engineering | Ray Wenderlich


#1

This is a companion discussion topic for the original entry at https://www.raywenderlich.com/4163-advanced-apple-debugging-reverse-engineering

#2

Too bad most of the time the upper right corner of the video is covered by the video of the speaker, so you can’t see what’s written there. Very frustrating.


#3

@ibum Thank you for your feedback - much appreciated!


#4

Are the files Derek is referring to in the video, available for download somewhere? I can’t see anything like that on the video page.


#5

@ibum You can download them for free over here:

https://store.raywenderlich.com/products/rwdevcon-2017-vault-bundle

I hope it helps!


#6

I’m trying to follow what Derek is saying about attaching to the MobileSMS process (time 1:59:10), but I’m getting an error saying Could not attach to pid : “2354” Ensure “MobileSMS” is not already running, and username has permission to debug it.

Does anyone know how to fix this?
Thanks


#7

@lolgrep Can you please help with this when you get a chance? Thank you - much appreciated! :]


#8

This happens on the sim and on the device. Whatever app I’ve deployed via Xcode, I can attach to. Anything else can’t be attached to.


#9
default 17:22:57.989652 -0500 debugserver 1 +0.000000 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.000724 -0500 debugserver 2 +0.011140 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.011810 -0500 debugserver 3 +0.011081 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.022892 -0500 debugserver 4 +0.011083 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.033973 -0500 debugserver 5 +0.011082 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.045054 -0500 debugserver 6 +0.011082 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.056146 -0500 debugserver 7 +0.011083 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.067284 -0500 debugserver 8 +0.011094 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.078406 -0500 debugserver 9 +0.011118 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.089584 -0500 debugserver 10 +0.011131 sec [03df/0303]: error: ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 52, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)
default 17:22:58.101105 -0500 debugserver error: MachTask::StartExceptionThread (): task invalid, exception thread start failed.
default 17:22:58.101223 -0500 debugserver error: Attach failed: “unable to start the exception thread”.
default 17:22:58.101325 -0500 debugserver error: attach failed.
default 17:22:58.101441 -0500 debugserver 11 +0.011500 sec [03df/2607]: error: ::read ( -1, 0x16b6cea88, 1024 ) => -1 err = Bad file descriptor (0x00000009)
default 17:22:58.101583 -0500 debugserver Exiting.

#10

I’ve tried this on two separate computers, same result.
According to the iphonedevwiki

The vanilla debugserver lacks the task_for_pid() entitlement. For building and debugging your own apps on a properly provisioned device, this is not a problem; assuming your project and device are properly configured with your active iOS Developer Program, debugserver should have no trouble attaching to an app built and sent down to the device by Xcode. However, debugserver cannot attach to any other processes, including other apps from the App Store, due to lack of entitlement to allow task_for_pid(). An entitlement must be inserted into the binary to allow this.

Instructions for jailbroken devices are then provided. I have no jailbroken devices anyway.
How was then @lolgrep and - everybody at the event - able to attach to other processes?


#11

Recently, Apple has added restrictive entitlements to their simulator app GUI processes. This means you can’t attach to these processes even as root. To get around this, you will need to disable System Integrity Protection (aka SIP). You will need to:

Restart your mac
Hold down cmd+R
From the menu select Utilities then Terminal
In the Terminal window type: csrutil disable && reboot

You will then have all the powers that root should normally give you on other OSs including being able to attach to an Apple process


#12

Thank you @lolgrep . How about processes on an iOS device? Would disabling SIP cover those too?


#13

No, that requires a jailbroken iOS device to be able to do that. You can potentially cheat, by resigning an Apple application with your credentials (your developer certificate includes the get-task-allow entitlement), but there will be a lot of functionality that is disabled when that occurs.

A quick reference to that task word: In “Kernel speak” a task can be thought of as a process on your computer. If another program can get access to the task then it has complete control over it. When you sign your application with your developer account, it always includes a get-task-allow entitlement allowing anyone to request the program’s task. Release applications do not include this entitlement. That is why you can debug your own apps, but not apps from the Apple store