Difference between revisions of "Bugging Debuggers"

From The iPhone Wiki
Revision as of 05:09, 24 May 2009

The ptrace Trick

GDB is the stock debugger used by most hackers. On Darwin (OS X and iPhone OS), GDB will not attach to a process that has asked not to be attached to; instead, either GDB crashes or the target process does. This is useful for defeating Crackulous and most tutorial-followers.

On OS X, place the following call as close as possible to the start of main():

ptrace(PT_DENY_ATTACH, 0, 0, 0);

A couple of includes are also in order:

#include <sys/ptrace.h>
#include <sys/types.h>

On the iPhone, however, <sys/ptrace.h> is not available. Fortunately, that can be worked around by resolving ptrace at run time with dlsym:

#import <dlfcn.h>
#import <sys/types.h>

// Signature of ptrace(2); the header is missing from the iPhone SDK, so declare it by hand.
typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);
#if !defined(PT_DENY_ATTACH)
#define PT_DENY_ATTACH 31
#endif  // !defined(PT_DENY_ATTACH)

void disable_gdb(void) {
  // dlopen(0) returns a handle to the main program and everything already
  // linked into it, which includes libSystem, where ptrace lives.
  void* handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW);
  if (handle == NULL) {
    return;
  }
  ptrace_ptr_t ptrace_ptr = (ptrace_ptr_t)dlsym(handle, "ptrace");
  if (ptrace_ptr != NULL) {
    // Same call as on OS X: ask the kernel to refuse later attach requests.
    ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0);
  }
  dlclose(handle);
}

The following are needed to complete the code, and are left as an exercise for the reader:

  • disable_gdb() should return immediately in debug builds, so that you can still debug your own application (hint: preprocessor macros)
  • the string "ptrace" is a dead giveaway, and should probably be obfuscated a bit

Apple approved this code when it was submitted with StockPlay (http://istockplay.com) version 0.5. At the time of this writing, it is uncertain whether Apple would approve an application containing this code, but that should change in a few weeks.