procexp binary dumping on iOS not working

Post by 0xdead10cc » Fri Jan 05, 2018 12:17 am

As mentioned by @morpheus in this thread, the excellent procexp should support dumping the decrypted version of iOS apps. However, the version that's part of the latest jailbreak is not capable of doing this:

The default version does not have the required entitlements, though this is rather easily fixed. However, even with proper entitlements (get-task-allow, task_for_pid-allow), program dumping does not work. Because core-dumping apparently does work and produces a (huge) result file, I suspect this to be a bug specific to binary dumping in the current version.

Steps to reproduce:

- Fix the entitlements of the provided procexp tool on the iOS device.
- Find out the PID of any running app (it does not need to be an App Store app).
- Execute `procexp PID binary`.

The program exits with the informative error message "open: No such file or directory".

Potentially helpful steps for tracking down the issue:
This message is printed inside _dumpCore, as a result of the second open() call after opening "/tmp/CORE" for writing.

After the program exits, the file "/tmp/CORE" contains the Mach-O header and load commands of the target executable (though missing actual data / decrypted contents).

Thanks for all your work! MOXil Part 3 is an indispensable resource to me and I'm looking forward to reading the first and second part.
0xdead10cc
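A small check for the symptom described in the post, added here as an example and not code from procexp or the book: it parses the load commands of a 64-bit Mach-O buffer and reports every LC_SEGMENT_64 whose file range lies past the end of the buffer, which is exactly what a /tmp/CORE holding only the header and load commands would show. The sample dump is constructed inline (two segments, the __TEXT data absent).

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF     # little-endian 64-bit Mach-O
LC_SEGMENT_64 = 0x19
MACH_HEADER_64 = "<8I"        # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
SEGMENT_CMD_64 = "<II16sQQQQIIII"  # cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags


def find_truncated_segments(data: bytes):
    """Return (segname, fileoff, filesize, bytes_missing) for each LC_SEGMENT_64
    whose file-backed range extends beyond the end of `data`."""
    hdr_size = struct.calcsize(MACH_HEADER_64)
    if len(data) < hdr_size:
        raise ValueError("buffer too small for a mach_header_64")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from(MACH_HEADER_64, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError(f"unexpected magic {magic:#x}; only little-endian 64-bit Mach-O is handled")
    if hdr_size + sizeofcmds > len(data):
        raise ValueError("load commands run past end of buffer (dump cut inside the header)")
    truncated = []
    off = hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command size")
        if cmd == LC_SEGMENT_64:
            fields = struct.unpack_from(SEGMENT_CMD_64, data, off)
            segname = fields[2].rstrip(b"\0").decode()
            fileoff, filesize = fields[5], fields[6]
            missing = fileoff + filesize - len(data)
            if filesize and missing > 0:          # __PAGEZERO has filesize 0 and is expected to be absent
                truncated.append((segname, fileoff, filesize, missing))
        off += cmdsize
    return truncated


def build_sample_dump() -> bytes:
    """Constructed sample: header + two segment commands, no segment data
    (the same shape as the /tmp/CORE described above). Values are made up."""
    cmds = struct.pack(SEGMENT_CMD_64, LC_SEGMENT_64, 72, b"__PAGEZERO", 0, 0x100000000, 0, 0, 0, 0, 0, 0)
    cmds += struct.pack(SEGMENT_CMD_64, LC_SEGMENT_64, 72, b"__TEXT", 0x100000000, 0x4000, 0, 0x4000, 5, 5, 0, 0)
    header = struct.pack(MACH_HEADER_64, MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    for name, fileoff, filesize, missing in find_truncated_segments(build_sample_dump()):
        print(f"{name}: fileoff={fileoff:#x} filesize={filesize:#x} missing {missing} bytes")
```

Run against a real dump with `find_truncated_segments(open("/tmp/CORE", "rb").read())`; an empty list means every file-backed segment is present in full.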