roothide / Procursus-roothide

Modern *OS Bootstrap
https://apt.procurs.us
BSD Zero Clause License

LLDB does not work in some situations #1

Closed fenfenS closed 5 months ago

fenfenS commented 5 months ago

ipadOS 16.3 with BootStrap.tipa

(lldb) target create "/basebin/uicache"
Current executable set to '/basebin/uicache' (arm64).
(lldb) r
Process 8084 launched: '/basebin/uicache' (arm64)
Process 8084 stopped
* thread #1, stop reason = EXC_BAD_ACCESS (code=50, address=0x102c8c008)
    frame #0: 0x0000000102c8c008 dyld`<redacted> + 196
dyld`<redacted>:
->  0x102c8c008 <+196>: ldp    x29, x30, [sp, #0x20]
    0x102c8c00c <+200>: ldp    x20, x19, [sp, #0x10]
    0x102c8c010 <+204>: ldp    x22, x21, [sp], #0x30
    0x102c8c014 <+208>: retab  
Target 0: (uicache) stopped.
(lldb) bt
* thread #1, stop reason = EXC_BAD_ACCESS (code=50, address=0x102c8c008)
  * frame #0: 0x0000000102c8c008 dyld`<redacted> + 196
    frame #1: 0x0000000102c59134 dyld`<redacted> + 436

and it keeps got EXC_BAD_ACCESS signal while debugging

roothider commented 5 months ago

  1. are you running lldb on ios? (or other platforms)
  2. which debugserver are you using?
  3. does this problem only occur when debugging a specific process?

fenfenS commented 5 months ago
  1. yes, through ssh after roothide bootstrap
  2. lldb from procursus-roothide repo, not with debugserver
  3. most processes get the error.
    Status: install ok installed
    Priority: optional
    Section: Development
    Installed-Size: 8
    Maintainer: RootHide <RootHideDev@twitter>
    Architecture: iphoneos-arm64e
    Version: 14.0.0~5.7.2~RELEASE
    Depends: roothide (>= 0.0.6), lldb-14 (= 14.0.0~5.7.2~RELEASE)
    Description: Next generation, high-performance debugger
    Homepage: https://www.llvm.org/

fenfenS commented 5 months ago

After adding

    <key>get-task-allow</key>
    <true/>

entitlement to the binary file, lldb can work correctly with it.

btw, debugserver works fine on iOS 12.1.2 w/ Unc0ver JB; didn't try chimera.

on Unc0ver you need to enable "allow task" from its options before jailbreaking

chimera, if I remember correctly, uses jailbreakd to grant "task for pid" to processes

so something like ".path/to/jailbreakd binary-name" might work.

after some searching, I found a similar error on iosgods. I wonder if we need a kernel patch to make it work the same as other JBs

fenfenS commented 5 months ago

adding

<key>run-unsigned-code</key>
<true/>

entitlement also works. It's not a bug in lldb or roothide: lldb needs to modify the .text segment to set the breakpoint; in other words, the app needs JIT privilege, which requires "run-unsigned-code" or "get-task-allow". In spite of that, is there another way to make it work without re-signing or a kernel patch?

roothider commented 5 months ago

> adding
>
> <key>run-unsigned-code</key>
> <true/>
>
> entitlement also works. It's not a bug in lldb or roothide: lldb needs to modify the .text segment to set the breakpoint; in other words, the app needs JIT privilege, which requires "run-unsigned-code" or "get-task-allow". In spite of that, is there another way to make it work without re-signing or a kernel patch?

Bootstrap will automatically add get-task-allow entitlement to the binary when installing the package(deb), but it will not be automatically added to the binary in /basebin

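The check a practitioner wants before launching lldb on a /basebin binary, as an added example that is not code from the Procursus-roothide project or from anyone in this thread: a Python script that parses a Mach-O's embedded code signature (LC_CODE_SIGNATURE, then the CS SuperBlob, then the XML entitlements blob) and reports whether get-task-allow or run-unsigned-code is set, so you know whether the binary still needs re-signing. The fixture Mach-O and fat wrapper it builds are constructed inline (valid headers and signature blobs, not runnable programs) so the script runs offline; all function names are this example's own. Run it as `python3 check_entitlements.py /basebin/uicache` (the script filename is assumed) to inspect a real binary.

```python
import plistlib
import struct
from typing import Dict, List, Optional, Set

MH_MAGIC_64 = 0xFEEDFACF                 # 64-bit little-endian Mach-O header
FAT_MAGIC = 0xCAFEBABE                   # fat wrapper (big-endian header)
CPU_TYPE_ARM64 = 0x0100000C
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob magic
CSMAGIC_ENTITLEMENTS = 0xFADE7171        # XML plist entitlements blob
CSSLOT_ENTITLEMENTS = 5                  # SuperBlob index slot for that blob

# Per the thread, either of these lets lldb patch .text to plant breakpoints.
DEBUG_ENTITLEMENTS = ("get-task-allow", "run-unsigned-code")


def thin_slices(data: bytes) -> List[int]:
    """File offset of every Mach-O slice: [0] for a thin file, N for a fat one."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [0]
    nfat = struct.unpack_from(">I", data, 4)[0]
    return [struct.unpack_from(">IIIII", data, 8 + 20 * i)[2] for i in range(nfat)]

def code_signature(data: bytes, base: int) -> Optional[bytes]:
    """LC_CODE_SIGNATURE payload of the 64-bit slice at base, or None if unsigned."""
    magic, _cpu, _sub, _ft, ncmds, _szcmds, _flags, _res = struct.unpack_from("<IiiIIIII", data, base)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O slice")
    off = base + 32                      # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_CODE_SIGNATURE:     # linkedit_data_command: dataoff, datasize
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            return data[base + dataoff: base + dataoff + datasize]
        off += cmdsize
    return None

def entitlements(sig: Optional[bytes]) -> dict:
    """Walk the SuperBlob index and decode the XML entitlements blob (slot 5)."""
    if not sig or len(sig) < 12:
        return {}
    magic, _length, count = struct.unpack_from(">III", sig, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        return {}
    for i in range(count):
        slot, off = struct.unpack_from(">II", sig, 12 + 8 * i)
        if slot == CSSLOT_ENTITLEMENTS:
            bmagic, blen = struct.unpack_from(">II", sig, off)
            if bmagic == CSMAGIC_ENTITLEMENTS:
                return plistlib.loads(sig[off + 8: off + blen])
    return {}

def debug_entitlements(data: bytes) -> Dict[int, Set[str]]:
    """Per slice offset, which of DEBUG_ENTITLEMENTS are present and true."""
    out = {}
    for base in thin_slices(data):
        ents = entitlements(code_signature(data, base))
        out[base] = {k for k in DEBUG_ENTITLEMENTS if ents.get(k) is True}
    return out

def lldb_can_set_breakpoints(data: bytes) -> bool:
    """True only when every slice carries at least one debug entitlement."""
    return all(debug_entitlements(data).values())


# --- constructed fixtures: valid headers and signature blobs, not runnable programs ---

def build_sample_macho(ents: Optional[dict]) -> bytes:
    """Minimal arm64 MH_EXECUTE with one LC_CODE_SIGNATURE and a SuperBlob holding ents."""
    blobs = []
    if ents is not None:
        xml = plistlib.dumps(ents)
        blobs.append((CSSLOT_ENTITLEMENTS, struct.pack(">II", CSMAGIC_ENTITLEMENTS, 8 + len(xml)) + xml))
    index_len = 12 + 8 * len(blobs)
    index, body = b"", b""
    for slot, blob in blobs:
        index += struct.pack(">II", slot, index_len + len(body))
        body += blob
    superblob = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, index_len + len(body), len(blobs)) + index + body
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, 16, 0, 0)
    lc = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 32 + 16, len(superblob))  # blob sits right after the load command
    return header + lc + superblob

def wrap_fat(slices: List[bytes]) -> bytes:
    """Fat wrapper around thin slices (offsets deliberately unaligned; fixture only)."""
    off = 8 + 20 * len(slices)
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    for s in slices:
        header += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, off, len(s), 0)
        off += len(s)
    return header + b"".join(slices)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_macho({"platform-application": True})
    for base, found in debug_entitlements(blob).items():
        print(f"slice@{base:#x}: {sorted(found) or 'no debug entitlement; re-sign before lldb'}")
```

A slice reported with no debug entitlement is exactly the case above: the binary must be re-signed with an entitlements plist that sets one of the two keys before lldb can plant breakpoints. Only the XML entitlements slot (5) is decoded here; a signature that carries its entitlements solely in the DER slot (7, magic 0xfade7172) would be reported as having none, so treat a negative result on an Apple-signed binary as "check the DER slot too" rather than as proof.
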
roothider commented 5 months ago

> adding
>
> <key>run-unsigned-code</key>
> <true/>
>
> entitlement also works. It's not a bug in lldb or roothide: lldb needs to modify the .text segment to set the breakpoint; in other words, the app needs JIT privilege, which requires "run-unsigned-code" or "get-task-allow". In spite of that, is there another way to make it work without re-signing or a kernel patch?

In the case where there is only a signature vulnerability, re-signing the binary is our only option. Otherwise we would need a complete jailbreak (KRW and PAC/PPL bypass) to achieve this.