Reverse Engineering Stack Exchange is a question and answer site for researchers and developers who explore the principles of a system through analysis of its structure, function, and operation.
I am looking for a free & open source alternative to IDA Pro that runs on macOS - the suggestions should have as close to the features of IDA as possible. I should also be able to edit an executable that I am debugging (i.e. change/remove things).
IDA for Mac OS X
You can find most of the features you have in IDA in radare (including the option to edit a binary that you debug) and in case you lack some feature you can always open a request on the GitHub page or develop it by yourself. Note that, in my opinion, the learning curve of r2 is pretty steep and it'll take some time to get used to it.
The officially supported debugging package for Mac OS X is lldb. You can always try GDB, which is the legendary GNU Debugger. It is not in any way as fancy as IDA, but you can always spice it up with GDB-Dashboard or gdbgui.
This (completely!) free version of IDA offers a privileged opportunity to see IDA in action. This light but powerful tool can quickly analyze binary code samples, and users can save and look closer at the analysis results.
Unpack the debugger server files to any directory on Mac OS X. The debugger server is stand-alone and it is not necessary to have installed the OS X version of IDA to use it. For this tutorial, we will use the Windows version of IDA. But, if you prefer, you may also use the Mac OS X version of IDA, or even the Linux version; they offer the same functionality.
We're all set! We can either create new processes or attach to existing ones. Do not forget to protect your debugger server from the outside world. If you forget to password-protect it, anyone can connect to the debugger server and launch any program on the machine. If your debugger server is directly accessible from the Internet (a strategy we do not recommend!), or if you are working in a sniffable local environment, consider adding encryption such as an SSH tunnel to prevent password sniffing.
Let's now take a look at our somewhat artificial macvuln demo application. We modified the tool we use to generate IDA message files to make it vulnerable. If you run it with a malformed output file name, it crashes:
Let's go for a first quick run: we will just launch the application and let it crash. This is the easiest way to locate the crash address. Pressing F9 will start the application and the immediate result will be a message box about a SIGBUS signal. The message window will contain this:
Obviously, the supplied command line argument has been used as a format string to the sprintf function. Double clicking on the next line (with the address 757B on it) will display the offending code:
Let's rerun the application and suspend it just before the sprintf call. This will allow us to verify our guess about the format string. Terminate the current debugger session with Ctrl-F2 (Terminate process), create a breakpoint with F2 (Toggle breakpoint) and restart the debugger with F9:
This confirms our guess - yes, the output file name is used as a format string. Congratulations, you have just discovered your first, somewhat artificial, vulnerability in a Mac OS X application! Just out of curiosity, we could single step until the call instruction by pressing F7:
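The bug the tutorial locates in macvuln is the classic "user data as format string" pattern. The following is an added example, not code from the macvuln demo or from Hex-Rays: it places the vulnerable sprintf call (a hypothetical `build_msg_unsafe`) next to a hardened form (`build_msg_safe`) that uses a fixed format, passes the file name as a `%s` argument and bounds the write, plus a small `count_format_directives` helper a reviewer might use to spot attacker-controlled strings that reach a printf-family function. Function names and the message text are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (the kind of defect the tutorial's macvuln demo has):
 * the caller-supplied output file name becomes the FORMAT argument, so any
 * '%' directives in it are interpreted by sprintf.  Kept only to show the
 * contrast; the pragma silences the compiler's -Wformat-security warning. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int build_msg_unsafe(char *out, size_t cap, const char *name)
{
    (void)cap;                 /* no bound either: sprintf, not snprintf */
    return sprintf(out, name); /* BAD: undefined behaviour if name has '%' */
}
#pragma GCC diagnostic pop

/* Hardened form: constant format string, user data only as a %s argument,
 * bounded write.  Returns the message length, or -1 on error/truncation. */
static int build_msg_safe(char *out, size_t cap, const char *name)
{
    int n = snprintf(out, cap, "Writing output to %s", name);
    if (n < 0 || (size_t)n >= cap)
        return -1;             /* would not fit: refuse rather than truncate silently */
    return n;
}

/* Review helper: count real conversion directives in a string ("%%" is a
 * literal percent sign and is not counted).  A non-zero result for data
 * that is about to be used as a format string is a red flag. */
static size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }  /* escaped percent */
            n++;
        }
    }
    return n;
}

int main(void)
{
    char buf[64];
    const char *benign = "report.txt";     /* constructed sample input */
    const char *hostile = "%x%x%n";        /* constructed sample input */

    build_msg_unsafe(buf, sizeof buf, benign);
    printf("unsafe, benign name : %s\n", buf);

    build_msg_safe(buf, sizeof buf, hostile);
    printf("safe, hostile name  : %s\n", buf);   /* directives stay literal */

    printf("directives in %s: %zu\n", hostile, count_format_directives(hostile));
    return 0;
}
```

With the safe builder the hostile name is printed verbatim inside the message, because the only format string sprintf ever sees is the constant one in the source.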
IDA-STEP is installed in a two step process: you first install the basic framework on your computer and then, after IDA-STEP is started, the second part of the installation takes place, which automatically downloads and installs the free and paid components by direct Internet access to our servers. This process is called "online installation" and requires that your computer settings (e.g. firewall) allow IDA-STEP to access the Internet. For the free IDA-STEP Viewer Basic this is the only available installation method. For regular paid licenses an alternative method for the second installation process, the so called "offline installation", is available. For this it is sufficient to have Internet access with any browser on any computer. With a good Internet connection the complete installation (online or offline) should not take you more than 15 minutes.
Second step: After the initial installation, start IDA-STEP. The "Register, Update and Install" dialog will show up. Select either "Free license" or "Enter license ID" if you purchased one. IDA-STEP then connects to the Internet and displays available components to download (for the free license this is "Viewer: Basic"). Select all of the offered components for installation and follow the given instructions. At the end IDA-STEP restarts and the installation is finished.
When processing the second installation step with the "Free license" option, a free one year single computer "IDA-STEP Viewer Basic" license is automatically granted to you. You can repeat this process at any time (e.g. after one year) and on as many computers as you like. You can use the granted license for any purpose, including commercial, private and academic use.
Enhance the IDA-STEP Viewer Basic for better viewing experience and additional functionality by installing IDA-STEP Viewer Pro 3D. It extends existing basic viewing functionality with additional viewing, customization and other options:
Note that this task is riddled with gotchas, and often times it demands precise workarounds that are not required for other platforms. In this tutorial we will purposefully throw ourselves into the various pitfalls of debugging on a Mac, in the hopes that learning things the hard way will ultimately lead to a smoother experience overall.
It is important to note that a debugger running on macOS requires special permissions in order to function properly. This means that the debugger itself must be codesigned in such a way that macOS allows it to inspect other processes.
This is because IDA is aware that it is not codesigned, and is warning you that attempting to debug the target application will likely fail. Try launching the application with shortcut F9. You will likely get this error message:
Now go to _main in the helloworld disassembly, press F2 to set a breakpoint, then F9 to launch the process. Upon launching the debugger you might receive this prompt from the OS:
macOS is picky about debugging permissions, and despite the fact that mac_server is properly codesigned you still must explicitly grant it permission to take control of another process. Thankfully this only needs to be done once per login session, so macOS should shut up until the next time you log out (we discuss how to disable this prompt entirely in the Debugging Over SSH section below).
Now mac_server64 will be launched in the background whenever you log in. You can connect to it from IDA at any time using the Remote Mac OS X Debugger option. Hopefully this will make local debugging on macOS almost as easy as other platforms.
Despite the fact that mac_server64 is codesigned, it still failed to retrieve permission from the OS to debug the target app. This is because Calculator.app and all other apps in /System/Applications/ are protected by System Integrity Protection and they cannot be debugged until SIP is disabled. Note that the error message is a bit misleading because it implies that running mac_server64 as root will resolve the issue - it will not. Not even root can debug apps protected by SIP.
The effects of SIP are also apparent when attaching to an existing process. Try using menu Debugger>Attach to process; with SIP enabled there will likely only be a handful of apps that IDA can debug:
It is unfortunate that such drastic measures are required to inspect system processes running on your own machine, but this is the reality of macOS. We advise that you only disable System Integrity Protection when absolutely necessary, or use a virtual machine that can be compromised with impunity.
Choose Remote Mac OS X Debugger from the Debugger menu and under Debugger>Process options be sure to provide a hostname in the Parameters field. IDA will pass this argument to the executable when launching it:
Before launching the process, use Ctrl+S to pull up the segment list for libsystem_info.dylib. Pay special attention to the __eh_frame and __nl_symbol_ptr segments. Note that they appear to be next to each other in memory:
Everything appears to be working normally, but use Ctrl+S to pull up the segment information again. We can still see __eh_frame, but it looks like __nl_symbol_ptr has gone missing:
IDA was able to detect this situation and adjust the database so that it matches the layout in process memory. This functionality is fully supported, but it is not trivial. Essentially the debugger must split your database in half, rebase all code segments to one address, then rebase all data segments to a completely different address.
If we execute a regular instruction step with F7, IDA will step into the _objc_msgSend function in libobjc.A.dylib, which is probably not what we want here. Instead use shortcut Shift+O. IDA will automatically detect the address of the Objective-C method that is being invoked and break at it:
This module appears to be Objective-C heavy, so it might be a good idea to extract Objective-C type info from the module using right click -> Load debug symbols in the Modules window:
Shift+O is purposefully flexible so that it can be invoked at any point before a direct or indirect call to _objc_msgSend. It will simply intercept execution at the function in libobjc.A.dylib and use the arguments to calculate the target method address.
Before we start stepping through this method we might want to peek at the pseudocode to get a sense of how it works. Note that the Objective-C analysis created local types for the IOBluetoothDevice class, as well as many other classes: