The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Bugging Debuggers"
m (Worked around.) |
(Piracy note.) |
||
(5 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
+ | Background: |
||
− | '''IMPORTANT NOTE: This trick has been worked around by pirates. Don't rely on it!''' |
||
+ | |||
+ | On jailbroken iOS devices crackers have made it possible to remove the DRM from sold applications so that they can be copied to any device without having to pay for them. NOTE that this is illegal as it is piracy. |
||
+ | |||
+ | As explained in [[Copy Protection Overview]], apps protected by DRM are encrypted, making it usually impossible to transfer and run them on other devices. |
||
+ | |||
+ | One of the methods used by crackers is to let the application run in a debugger (gdb) and then save the then unencrypted app image to disk. |
||
+ | |||
+ | This page explains how to foil this method. |
||
== The ptrace() Trick == |
== The ptrace() Trick == |
||
+ | |||
+ | '''IMPORTANT NOTE: This trick has been worked around by pirates. Don't rely on it!''' |
||
GDB is the stock debugger used by most hackers. On darwin (OSX and iPhone OS), GDB will not attach to processes that have asked not to be attached to. Instead, it will crash or crash the target process. This is useful for defeating Crackulous and most tutorial-followers. |
GDB is the stock debugger used by most hackers. On darwin (OSX and iPhone OS), GDB will not attach to processes that have asked not to be attached to. Instead, it will crash or crash the target process. This is useful for defeating Crackulous and most tutorial-followers. |
||
Line 34: | Line 44: | ||
* disable_gdb() should return for debug builds (hint: preprocessor macros) |
* disable_gdb() should return for debug builds (hint: preprocessor macros) |
||
* the string "ptrace" is a dead giveaway, and should probably be obfuscated a bit |
* the string "ptrace" is a dead giveaway, and should probably be obfuscated a bit |
||
− | |||
− | Apple approved [http://github.com/costan/zergsupport/blob/master/ZergSupport/CryptoSupport/ZNDebugIntegrity.m this implementation], when it was submitted with [http://istockplay.com StockPlay] version 0.5. |
Latest revision as of 19:15, 10 November 2013
Background:
On jailbroken iOS devices crackers have made it possible to remove the DRM from sold applications so that they can be copied to any device without having to pay for them. NOTE that this is illegal as it is piracy.
As explained in Copy Protection Overview, apps protected by DRM are encrypted, making it usually impossible to transfer and run them on other devices.
One of the methods used by crackers is to let the application run in a debugger (gdb) and then save the then unencrypted app image to disk.
This page explains how to foil this method.
The ptrace() Trick
IMPORTANT NOTE: This trick has been worked around by pirates. Don't rely on it!
GDB is the stock debugger used by most hackers. On darwin (OSX and iPhone OS), GDB will not attach to processes that have asked not to be attached to. Instead, it will crash or crash the target process. This is useful for defeating Crackulous and most tutorial-followers.
On OSX, one would need the following piece of code, as close as possible to the start of main().
ptrace(PT_DENY_ATTACH, 0, 0, 0);
A couple of includes are also in order:
#include <sys/ptrace.h> #include <sys/types.h>
On the iPhone, however, <sys/ptrace.h> is not available. Fortunately, that can be worked around:
#import <dlfcn.h> #import <sys/types.h> typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data); #if !defined(PT_DENY_ATTACH) #define PT_DENY_ATTACH 31 #endif // !defined(PT_DENY_ATTACH) void disable_gdb() { void* handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW); ptrace_ptr_t ptrace_ptr = dlsym(handle, "ptrace"); ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0); dlclose(handle); }
The following are needed to complete the code, and are left as an exercise for the reader:
- disable_gdb() should return for debug builds (hint: preprocessor macros)
- the string "ptrace" is a dead giveaway, and should probably be obfuscated a bit