Hi,
First of all, thank you for writing such a good book. It motivated me to RE iOS applications.
The target is a game, Boom Beach, for learning purposes only.
Also, I don't have a Mac but am using Windows & a jailbroken iPhone.
Using PuTTY for Windows, I log in as root with the password.
I want to dump the __text section & all the other sections; please guide me on how to do it.
I will let you know what has been understood so far.
- It exports __mh_execute_header at address 0x100000000
- At offset 0x4F4000, i.e. 0x100000000, we find mach_header_64:
mach_header_64 struc ; (sizeof=0x20, align=0x4, standard type)
00000000 magic DCD ? 0xFEEDFACF <-- Magic Number
00000004 cputype DCD ? 0x0100000C <-- CpuType
00000008 cpusubtype DCD ? 0x00000000 <-- CpuSubType = arm
0000000C filetype DCD ? 0x00000002 <-- Execute
00000010 ncmds DCD ? 0x00000033 <-- No. of Load Commands
00000014 sizeofcmds DCD ? 0x00001768 <-- Size of Load Commands
00000018 flags DCD ? 0x00210085 <-- Some type of constants
0000001C reserved DCD ? 0x00000000 <-- Reserved Flags
00000020 mach_header_64 ends
If we look at Program Segmentation in IDA we find the details below:
HEADER 0000000100000000 000000010000591C ? ? ? . L byte 21 public DATA 64 00 21
__text 000000010000591C 00000001003BF184 ? ? ? . L dword 01 public CODE 64 00 01
__stubs 00000001003BF184 00000001003C0F78 ? ? ? . L word 02 public CODE 64 00 02
__stub_helper 00000001003C0F78 00000001003C2D84 ? ? ? . L dword 03 public CODE 64 00 03
__gcc_except_tab 00000001003C2D84 000000010041CB10 ? ? ? . L dword 04 public 64 00 04
__cstring 000000010041CB10 000000010045167A ? ? ? . L para 05 public DATA 64 00 05
__TEXT_hidden 000000010045167A 0000000100451680 ? ? ? . L byte 22 public DATA 64 00 22
__const 0000000100451680 0000000100488B50 ? ? ? . L para 06 public DATA 64 00 06
__objc_methname 0000000100488B50 00000001004AB85A ? ? ? . L byte 07 public DATA 64 00 07
__objc_classname 00000001004AB85A 00000001004AD6F5 ? ? ? . L byte 08 public DATA 64 00 08
__objc_methtype 00000001004AD6F5 00000001004B3C05 ? ? ? . L byte 09 public DATA 64 00 09
__ustring 00000001004B3C06 00000001004B4212 ? ? ? . L word 0A public 64 00 0A
__TEXT_hidden 00000001004B4212 00000001004B4214 ? ? ? . L byte 23 public DATA 64 00 23
__unwind_info 00000001004B4214 00000001004C3CF8 ? ? ? . L dword 0B public 64 00 0B
__eh_frame 00000001004C3CF8 00000001004C4000 ? ? ? . L qword 0C public 64 00 0C
__got 00000001004C4000 00000001004C43E0 ? ? ? . L qword 0D public DATA 64 00 0D
__la_symbol_ptr 00000001004C43E0 00000001004C57D8 ? ? ? . L qword 0E public DATA 64 00 0E
__mod_init_func 00000001004C57D8 00000001004C5BE8 ? ? ? . L qword 0F public DATA 64 00 0F
__const 00000001004C5BF0 00000001004E8E80 ? ? ? . L para 10 public DATA 64 00 10
__cfstring 00000001004E8E80 00000001004FCC40 ? ? ? . L qword 11 public DATA 64 00 11
__objc_classlist 00000001004FCC40 00000001004FD560 ? ? ? . L qword 12 public DATA 64 00 12
__objc_nlclslist 00000001004FD560 00000001004FD568 ? ? ? . L qword 13 public DATA 64 00 13
__objc_catlist 00000001004FD568 00000001004FD5D8 ? ? ? . L qword 14 public DATA 64 00 14
__objc_protolist 00000001004FD5D8 00000001004FD838 ? ? ? . L qword 15 public DATA 64 00 15
__objc_imageinfo 00000001004FD838 00000001004FD840 ? ? ? . L dword 16 public 64 00 16
__objc_const 00000001004FD840 0000000100547A58 ? ? ? . L qword 17 public 64 00 17
__objc_selrefs 0000000100547A58 00000001005504A0 ? ? ? . L qword 18 public DATA 64 00 18
__objc_protorefs 00000001005504A0 00000001005504C8 ? ? ? . L qword 19 public DATA 64 00 19
__objc_classrefs 00000001005504C8 0000000100551110 ? ? ? . L qword 1A public DATA 64 00 1A
__objc_superrefs 0000000100551110 0000000100551720 ? ? ? . L qword 1B public DATA 64 00 1B
__objc_ivar 0000000100551720 0000000100552B08 ? ? ? . L dword 1C public 64 00 1C
__objc_data 0000000100552B08 0000000100558648 ? ? ? . L qword 1D public 64 00 1D
__data 0000000100558650 000000010055C191 ? ? ? . L para 1E public DATA 64 00 1E
__bss 000000010055C1A0 0000000100560034 ? ? ? . L para 1F public BSS 64 00 1F
__common 0000000100560038 0000000100560C40 ? ? ? . L qword 20 public BSS 64 00 20
__LINKEDIT_hidden 0000000100564000 000000010058F6A0 ? ? ? . L byte 24 public DATA 64 00 24
UNDEF 000000010058F6A0 0000000100591370 ? ? ? . L para 25 public XTRN 64 00 25
How will I know in gdb which portion of memory we need to dump? I fail to understand.
Suppose I need to dump __text:
__text 000000010000591C 00000001003BF184
which starts at 0x10000591C & ends at 0x1003BF184 (size: 0x3B9868).
Now in IDA:
HEADER:0000000100000068 ; LC_SEGMENT_64 - 64-bit segment of this file to be mapped
HEADER:0000000100000068 segment_command_64 <0x19, 0x408, "__TEXT", 0x100000000, 0x4C4000, 0, \ ; LC_SEGMENT_64 - 64-bit segment of this file to be mapped
HEADER:0000000100000068 0x4C4000, 5, 5, 0xC, 0>
HEADER:00000001000000B0 ; Sections
HEADER:00000001000000B0 DCB "__text",0,0,0,0,0,0,0,0,0,0; sectname
HEADER:00000001000000B0 DCB "__TEXT",0,0,0,0,0,0,0,0,0,0; segname
HEADER:00000001000000B0 DCQ 0x10000591C ; addr <------ Start Address
HEADER:00000001000000B0 DCQ 0x3B9868 ; size <------ Size
HEADER:00000001000000B0 DCD 0x591C ; offset
HEADER:00000001000000B0 DCD 2 ; align
HEADER:00000001000000B0 DCD 0 ; reloff
HEADER:00000001000000B0 DCD 0 ; nreloc
HEADER:00000001000000B0 DCD 0x80000400 ; flags
HEADER:00000001000000B0 DCD 0 ; reserved1
HEADER:00000001000000B0 DCD 0 ; reserved2
HEADER:00000001000000B0 DCD 0 ; reserved3
How should I dump using gdb in such a scenario? Experts, please help me understand it.
Since I don't have a Mac to get the process ID of the app, I used an app called DeviceStats which gives the process ID of the app. I attach in gdb using attach.
Below are some snippets from it while it attaches to the PID:
/usr/bin/gdb: line 55: awk: command not found
warning: unrecognized host cpusubtype , defaulting to host==armv7.
GNU gdb 6.3.50-20050815 (Apple version gdb-1708 + reverse.put.as patches v0.4) (Mon Apr 16 00:53:47 UTC 2012)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "arm-apple-darwin".
(gdb) attach 2086
Attaching to process 2086.
Reading symbols for shared libraries . done
unable to read unknown load command 0x80000028
unable to read unknown load command 0x80000028
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
Reading symbols for shared libraries ...warning: Could not find object file "/Volumes/Data/BuildkiteWorkspace/IBA-BuildBox.local-1/itty-bitty-apps/reveal/build/Release-iphoneos/libReveal-iOS.a(IBAFunctions.o)" - no debug information available for "IBAFunctions.m".
Lots of warning messages,
then finally:
................ done
unable to read unknown load command 0x80000028
unable to read unknown load command 0x80000028
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
bfd_mach_o_scan: unknown architecture 0x100000c/0x0
Reading symbols for shared libraries + done
0x3ba19544 in __semwait_signal ()
(gdb) **dump binary memory result1.bin 0x10000591c 0x1003bf184**
I tried dumping using the above command & it crashed.
How should I dump properly? Please guide.
Thanks & Regards,
Nick
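An added example, not code from the post or the book: a small Python parser that walks the mach_header_64 and LC_SEGMENT_64 load commands shown above and turns a section's addr/size fields into the start and end addresses a gdb-style memory dump takes. The sample image is constructed here from the header and __TEXT/__text values quoted in the post (with a single section instead of 0xC); the `slide` parameter is an assumption covering the case where a live process maps the image at a base other than vmaddr (ASLR), in which case the on-disk addresses must be offset by that slide.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF       # magic seen in the post's mach_header_64
LC_SEGMENT_64 = 0x19           # cmd value of the post's segment_command_64
HEADER_FMT = "<IiiIIIII"       # mach_header_64 (32 bytes)
SEGMENT_FMT = "<II16sQQQQiiII"  # segment_command_64 (72 bytes)
SECTION_FMT = "<16s16sQQIIIIIIII"  # section_64 (80 bytes)


def parse_sections(image: bytes) -> dict:
    """Walk the load commands; return {(segname, sectname): (addr, size, fileoff)}."""
    magic, _cputype, _sub, _ftype, ncmds, _szcmds, _flags, _res = struct.unpack_from(HEADER_FMT, image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O header")
    sections, off = {}, struct.calcsize(HEADER_FMT)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmd == LC_SEGMENT_64:
            seg = struct.unpack_from(SEGMENT_FMT, image, off)
            segname, nsects = seg[2].rstrip(b"\0").decode(), seg[9]
            sect_off = off + struct.calcsize(SEGMENT_FMT)   # section_64 array follows the command
            for _ in range(nsects):
                s = struct.unpack_from(SECTION_FMT, image, sect_off)
                sections[(segname, s[0].rstrip(b"\0").decode())] = (s[2], s[3], s[4])
                sect_off += struct.calcsize(SECTION_FMT)
        off += cmdsize  # cmdsize always advances to the next load command
    return sections


def dump_range(sections: dict, segname: str, sectname: str, slide: int = 0) -> tuple:
    """(start, end) for one section: end is addr + size, both shifted by the load slide."""
    addr, size, _ = sections[(segname, sectname)]
    return addr + slide, addr + size + slide


def gdb_dump_command(sections: dict, segname: str, sectname: str, out: str, slide: int = 0) -> str:
    """Render the same range in the form of the gdb command used in the post."""
    start, end = dump_range(sections, segname, sectname, slide)
    return f"dump binary memory {out} 0x{start:x} 0x{end:x}"


def build_sample_image() -> bytes:
    """Constructed image: the post's header and __TEXT/__text fields, but only one section."""
    sect = struct.pack(SECTION_FMT, b"__text", b"__TEXT", 0x10000591C, 0x3B9868,
                       0x591C, 2, 0, 0, 0x80000400, 0, 0, 0)
    seg = struct.pack(SEGMENT_FMT, LC_SEGMENT_64, 72 + 80, b"__TEXT",
                      0x100000000, 0x4C4000, 0, 0x4C4000, 5, 5, 1, 0)
    hdr = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, 1, 72 + 80, 0x00210085, 0)
    return hdr + seg + sect


if __name__ == "__main__":
    print(gdb_dump_command(parse_sections(build_sample_image()), "__TEXT", "__text", "text.bin"))
```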