Debugging third party iOS apps with lldb

April 13, 2020 1 minute read

Sponsored

Debugging third party iOS apps with lldb

Requirements

macOS
Xcode
usbmuxd
Jailbroken iDevice connected via USB (e.g.: checkra1n)

Installation

Extracting debugserver (via hdiutil)

cd /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/<iOS version>
hdiutil attach DeveloperDiskImage.dmg
cp /Volumes/DeveloperDiskImage/usr/bin/debugserver ~/Desktop

Signing debugserver (via codesign)

touch entitlements.plist # fill the file using content bellow
codesign -s - --entitlements entitlements.plist -f debugserver

entitlements.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.springboard.debugapplications</key> <true/>
  <key>run-unsigned-code</key> <true/>
  <key>get-task-allow</key> <true/>
  <key>task_for_pid-allow</key> <true/>
</dict>
</plist>

Connecting to iDevice (via iproxy)

iproxy 6666 6666 & iproxy 2222 44 & sleep 3 && ssh -p 2222 root@localhost

Copying debugserver to iDevice (via scp)

scp -P 2222 debugserver root@localhost:/usr/bin/

Running debugserver on iDevice

debugserver localhost:6666 -a "<app's CFBundleDisplayName>"

App’s CFBundleDisplayName can be obtained in many ways, e.g.:

Info.plist
ideviceinstaller
frida-ps

Running lldb on macOS

lldb
process connect connect://localhost:6666

Here we go

Now debug process is ready to go and possibly you would like to figure out more about each lldb command — to do so just jump to official lldb command map or their tutorial. Anyway I will share couple of lldb commands I think are most helpful and frequently used:

Common

Command	Description
help	Explore all available commands
po UIApplication.shared.delegate	Print object

Breakpoints

Command	Description
b	Set breakpoint
br dis 3	Disable third breakpoint
br en 3	Enable third breakpoint
br l	Show list of the existed breakpoints
br del 3	Remove third breakpoint
br del	Remove all breakpoints
br set -n viewDidLoad	Set breakpoint on the each viedDidLoad method
br s -S count	Set breakpoint on the each method with “count” argument
b Testme.swift:33	Set breakpoint on the line #33 in the Testme.swift file

Remote сontrol

Command	Description
c	Resume execution
n	Step over
s	Step in

Variables

Command	Description
e sum	Evaluate expression
e sum = 42	Set expression

Thread state

Command	Description
process status	Show process status
bt	Show the stack backtrace for the current thread
bt all	Show the stack backtraces for all threads
frame info	Show information about current frame
frame variable	Show all variables for current frame