Disabling ASLR when debugging a third-party application for iOS

    This article gives a short and simple set of instructions for patching a third-party iOS application so that ASLR is disabled while you debug it. The reader is assumed to have:

    1. an iOS 7.0-7.0.4 device with the evasi0n jailbreak, and a computer running Mac OS X 10.9.4 with Xcode 5.1.1 and MachOView 2.4 installed (it will most likely work with other versions too, but I haven't tried)
    2. some experience in debugging third-party iOS applications; it is also advisable to know what ASLR is and to understand why one would want to disable it

    Well, let's get started.

    First, pick the executable that we want to debug and in which ASLR must be disabled. Let it be the daemon /usr/sbin/absd, which is responsible for authorization in some Apple services. Of course, absd is used here purely as an example; in fact, you can take any executable.

    We use scp to copy the executable to the computer (from here on, 192.168.1.112 is the IP address of our iOS device):

    $ scp root@192.168.1.112:/usr/sbin/absd ./
    

    WARNING! Before you do anything with absd, be sure to save a copy somewhere!

    Then use the codesign tool from Xcode to extract from our executable a plist with its list of entitlements (I don't know the proper Russian term for it; "list of rights", perhaps?):

    $ codesign -d --entitlements - absd > absd.entitlements
    

    After that, open the executable in MachOView and find the Mach header for the architecture we are interested in. In a fat binary there will be several such headers, one per architecture; if the binary is not fat, there will be only one. Find the MH_PIE flag in that header's flags field and note the corresponding offset. In MachOView it looks like this:



    The flag has to be cleared, and MachOView cannot do that, so open the executable in any hex editor, go to the offset you noted and clear the MH_PIE bit in the flags field. Then re-sign the executable with the saved entitlements:

    $ codesign -s - --entitlements absd.entitlements -f absd
    

    and copy it back to the device:

    $ scp ./absd  root@192.168.1.112:/usr/sbin/absd
    
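    The "find the Mach header, locate the flags field, clear MH_PIE" steps above, done programmatically rather than by eye in MachOView and a hex editor. This is an added example, not code from the original article: it parses thin and fat Mach-O headers, reports the flags-field offset per architecture (the number you would otherwise read off MachOView), and returns a copy with MH_PIE cleared. The sample fat file at the bottom is constructed in code, not a real binary; the function names are mine.

```python
import struct

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit Mach-O (big-endian / byte-swapped)
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit Mach-O
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA      # multi-architecture ("fat") wrapper
MH_PIE = 0x200000   # mach_header.flags bit: dyld randomises the load address when set
FLAGS_OFFSET = 24   # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds come before flags

def mach_headers(data):
    """Yield (header_offset, struct byte-order prefix) for every Mach header in data."""
    if struct.unpack_from(">I", data, 0)[0] in (FAT_MAGIC, FAT_CIGAM):
        nfat = struct.unpack_from(">I", data, 4)[0]   # fat_header/fat_arch are big-endian
        for i in range(nfat):                         # fat_arch.offset is the 3rd uint32
            yield _header_at(data, struct.unpack_from(">I", data, 8 + 20 * i + 8)[0])
    else:
        yield _header_at(data, 0)

def _header_at(data, off):
    magic = struct.unpack_from(">I", data, off)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        return off, ">"
    if magic in (MH_CIGAM, MH_CIGAM_64):              # little-endian file (ARM, x86)
        return off, "<"
    raise ValueError(f"no Mach header at offset {off:#x}")

def pie_flags(data):
    """[(header_off, flags_off, flags)] per architecture: the offsets MachOView shows."""
    return [(off, off + FLAGS_OFFSET, struct.unpack_from(bo + "I", data, off + FLAGS_OFFSET)[0])
            for off, bo in mach_headers(data)]

def clear_mh_pie(data):
    """Return a copy of data with MH_PIE cleared in every Mach header (the hex-editor step)."""
    buf = bytearray(data)
    for off, bo in mach_headers(data):
        flags = struct.unpack_from(bo + "I", buf, off + FLAGS_OFFSET)[0]
        struct.pack_into(bo + "I", buf, off + FLAGS_OFFSET, flags & ~MH_PIE)
    return bytes(buf)

# Constructed sample (not a real binary): fat file holding a minimal armv7 and arm64 header,
# each with MH_PIE set alongside MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL (0x85).
def _thin_header(magic, cputype, flags):
    hdr = struct.pack("<7I", magic, cputype, 0, 2, 0, 0, flags)   # filetype 2 = MH_EXECUTE
    return hdr + (b"\0" * 4 if magic == MH_MAGIC_64 else b"")      # 64-bit header: reserved word
ARM_HDR = _thin_header(MH_MAGIC, 12, 0x200085)               # 12 = CPU_TYPE_ARM
ARM64_HDR = _thin_header(MH_MAGIC_64, 0x0100000C, 0x200085)  # CPU_TYPE_ARM64
FAT_HDR = (struct.pack(">2I", FAT_MAGIC, 2)                   # fat_arch: cputype, subtype, offset, size, align
           + struct.pack(">5I", 12, 0, 0x1000, len(ARM_HDR), 12)
           + struct.pack(">5I", 0x0100000C, 0, 0x2000, len(ARM64_HDR), 14))
SAMPLE_FAT = FAT_HDR.ljust(0x1000, b"\0") + ARM_HDR
SAMPLE_FAT = SAMPLE_FAT.ljust(0x2000, b"\0") + ARM64_HDR
```

    Feed the bytes of the copied absd to clear_mh_pie, write the result to a file, and then re-sign it with codesign exactly as above; pie_flags on the patched bytes should show the MH_PIE bit gone for every architecture.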

    That's all. Now, if we trigger the daemon - for example, by signing in to iMessage - and attach to it in lldb, we will see



    (if you use gdb instead of lldb, use the corresponding commands). As you can see from the screenshot, no more ASLR! That is the whole procedure - simple and short, as promised at the beginning of the article.

    PS Just in case: the author is aware that the method proposed here is far from always the most optimal. The author is also aware of alternative ways to disable ASLR, and they may be covered in future articles. But today's article is about patching the Mach header.

    Happy debugging!
