Evasion of Jailbreak Detection Using LLDB

      Nessun commento su Evasion of Jailbreak Detection Using LLDB

Greetings, everyone! In today’s blog, I’ll lead you through the process of bypassing jailbreak detection using LLDB.

Let’s explore LLDB, a crucial debugger in the realm of iOS development. Learn how LLDB equips developers to scrutinize and influence code execution during debugging, providing valuable insights into variables, registers, and more. Unearth useful tips and tricks to maximize the efficiency of LLDB for a smooth debugging experience in your iOS projects.

Installation on Jailbroken device

To begin, the initial step is to mount the iOS Developer Image. This can be accomplished using the following command. Please ensure to select the appropriate iOS version corresponding to your device; in my case, it’s version 14.5.

hdiutil attach /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/14.5/DeveloperDiskImage.dmg

Extract debugserver from the image to the current directory

cp /Volumes/DeveloperDiskImage/usr/bin/debugserver ./

Create an Entitlements.plist file as showed

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.springboard.debugapplications</key> <true/>
    <key>run-unsigned-code</key> <true/>
    <key>get-task-allow</key> <true/>
    <key>task_for_pid-allow</key> <true/>
</dict> 
</plist>

Sign debugserver

codesign -s - --entitlements entitlements.plist -f debugserver

Transfer the signed binary to the /usr/bin/ directory within the iOS

scp debugserver root@{IP address of iOS device}:/usr/bin

Change the permissions to the binary

ssh root@{IP address of iOS device}
cd /usr/bin/
chmod +x debugserver

Example of jailbreak detection bypass

The app that we will use is the following one link

In this instance, we will connect the debugger to the application and modify the return value of the method – [ViewController isCydiaAppInstalled]. Once the application is installed on the iOS device, it’s necessary to run the following commands:

On the first terminal we will connect to the iPhone via ssh
- iproxy 6666 6666 & iproxy 2222 44 & sleep 3 && ssh -p 2222 root@localhost
- cd /usr/bin
(before to execute the next command you need first lunch the application)
- debugserver localhost:6666  -a "JBDetectionOBJ"

In a fresh terminal, execute the subsequent commands:

- lldb
- process connect connect://localhost:6666
Now we will set a breakpoint in the following way:
- breakpoint set --name "-[ViewController isCydiaAppInstalled]"
- c

Now, engage with the app, press the button to activate the function, and halt the app at the breakpoint.

Now, type the command ‘s’ (step in) repeatedly until you reach the following point.

Using the command register read, we can inspect the registers.

Our objective is to modify the value of register x0 from 1 to 0.

register write x0 0x0
continue

If the process proceeded successfully, you will encounter the following screen displaying a label indicating that the device is not jailbroken.