This function is named _disable_gdb and looks like it will be of interest. We can double-click on it in Ghidra to go to the function.

We can see in this function that there is a string for ptrace. If you search for anti-debugging measures on iOS, you will find several documents, including ones from OWASP and Apple, detailing the use of ptrace to prevent debugging in iOS applications. Ptrace on iOS has a unique feature, the PT_DENY_ATTACH flag, which can be set just to prevent other debuggers from attaching. If another one attempts to attach, the process will terminate.

We can deal with this rather elegantly by setting a breakpoint on ptrace within LLDB. First you will need to launch LLDB and attach to the application. (SSH in to the iOS device, run the debugserver specifying your Mac's IP address, run LLDB on your Mac, then use process connect connect://IphoneIP:1234 to attach.) After you are attached, set the breakpoint with:

At this point we can see that x0 is currently 0x1f. Without changing anything, continue execution with c. This should lead to the debugger exiting and the process closing with the error message as below.

This shows that the debugging was disabled. Now let's relaunch the application and set the breakpoint on ptrace again. Click the button, and when the breakpoint is hit, this time change the x0 register from 0x1f to 0x0. Now continue the execution with c; the popup will show in the application, but there will be no error in the debugger.
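The walkthrough shows a single ptrace(PT_DENY_ATTACH) call being neutralised by rewriting one register, so a defender should not rely on that call alone. The sketch below is an added example, not the application's code (the page does not show the body of _disable_gdb): it pairs the deny-attach call with an independent sysctl-based tracer check, going slightly beyond the page. The function names and the two local constants are assumptions for illustration; the Darwin-only parts are guarded so the file also compiles elsewhere.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __APPLE__
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

#define REQ_DENY_ATTACH 31       /* PT_DENY_ATTACH on Darwin, i.e. the 0x1f seen in x0 */
#define FLAG_TRACED 0x00000800   /* P_TRACED bit in Darwin's kinfo_proc p_flag */

/* Pure helper: does a p_flag value report an attached tracer? */
int flags_show_tracer(long p_flag) { return (p_flag & FLAG_TRACED) != 0; }

#ifdef __APPLE__
typedef int (*ptrace_fn)(int request, pid_t pid, caddr_t addr, int data);

/* Layer 1: ask the kernel to refuse tracers. Resolving ptrace by name
   leaves a "ptrace" string in the binary, like the one spotted in Ghidra. */
int deny_attach(void) {
    ptrace_fn fn = (ptrace_fn)dlsym(RTLD_DEFAULT, "ptrace");
    return fn ? fn(REQ_DENY_ATTACH, 0, 0, 0) : -1;
}

/* Layer 2: a check that does not pass through ptrace at all, so changing
   the request value at a ptrace breakpoint does not affect it. */
int debugger_attached(void) {
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    struct kinfo_proc info;
    size_t size = sizeof(info);
    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0) return -1;
    return flags_show_tracer(info.kp_proc.p_flag);
}
#else
/* Off Darwin neither mechanism exists; report "unknown". */
int deny_attach(void) { return -1; }
int debugger_attached(void) { return -1; }
#endif

int main(void) {
    printf("deny_attach       -> %d\n", deny_attach());
    printf("debugger_attached -> %d\n", debugger_attached());
    return 0;
}
```

Both layers run on the device and can still be patched by someone with a debugger, so treat them as tamper signals to combine with server-side controls rather than as a guarantee.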