Debugging an OS X application with ASLR

From The AirPort Wiki
Jump to: navigation, search

This tutorial will cover LLDB usage, setting breakpoints in LLDB, and cover using third party tools to successfully hit a breakpoint in Mach-O binary that is stripped and using ASLR. To follow along I suggest you use the stock Calculator.app provided by Apple as I do.

So first thing is first, launch the Calculator app. You should see something like the following on your Desktop.
Calculator-app-open.png

In order to get LLDB to attach to the running Calculator process, one is going to need to find the process ID for the Calculator. To find the process ID for the Calculator app run the following command in a terminal.

$ ps aux | grep -i calculator

The output of the above command will look like the following, but your process ID will probably be different from what is show below.

capin           41625   0.0  0.1  2587168  15252   ??  S    12:10PM   0:00.60 /Applications/Calculator.app/Contents/MacOS/Calculator
capin           46370   0.0  0.0  2451216    680 s001  S+    1:18PM   0:00.01 grep -i calculator

The process ID for the running Calculator app on my current session is 41625.

Then launch LLD from a terminal session.

$ lldb

Next, I want to set a breakpoint with LLDB in the Calculator app when I click the menu item Calculator => About Calculator

In order to set a breakpoint at the method call About Calculator I will find the address location for the method using the following command in a terminal.

$ class-dump -A /Applications/Calculator.app | grep showAbout

The above command will output something similar to the following,

2014-04-20 13:50:02.532 class-dump[48618:507] Unknown load command: 0x0000002a
2014-04-20 13:50:02.533 class-dump[48618:507] Unknown load command: 0x80000028
2014-04-20 13:50:02.534 class-dump[48618:507] Unknown load command: 0x00000029
2014-04-20 13:50:02.534 class-dump[48618:507] Unknown load command: 0x0000002b
- (void)showAbout:(id)arg1;	// IMP=0x100009939

However, the Calculator app is already running, and since Mac OS X uses ASLR, the address location for showAbout has been slided due to ASLR.

The next step is to download a little program called get_aslr from github. I would download this program somewhere in my home directory, and then put the binary in a place that is accessible to the PATH

Now, in order to calculate the slide of the ASLR run the following command in the Terminal.

$ sudo get_aslr 41625

The output from the above command should look something like the following,

ASLR slide: 0xc9a8000

You then add the two memory locations to calculate the slide with the following command,

$ python -c 'print hex(0x100009939 + 0xc9a8000)'
0x10c9b1939

Finally, you can set a breakpoint at the memory location printed above, and when you click the menu command About Calculator the program will halt.

(lldb) b *0x10c9b1939



External Links

Reverse Engineering - Stack Exchange Question