I'm trying to reverse engineer one of the apps built with the release configuration.

My thread info looks like this.

* thread #21: tid = 0x876cb, 0x000000010133856c SomeLibSwift`SomeLibSwift.Auth.auth (Swift.Array<Swift.UInt8>) throws -> Swift.Array<Swift.UInt8>, queue = 'com.apple.root.utility-qos', stop reason = breakpoint 1.6
  * frame #0: 0x000000010133856c SomeLibSwift`SomeLibSwift.Auth.auth (Swift.Array<Swift.UInt8>) throws -> Swift.Array<Swift.UInt8> 

Register x0 (address 0x181ba4174) contains the needed argument.

memory read shows something like this (I've tried different formats):

memory read -s1 -fC -c1000 --force 0x181ba4174

0x181ba4174: ...??._?.......??._?0......??._?
0x181ba4194: P......??._?p......??._?.......?
0x181ba41b4: ?._ְ......??._??......??._?....
0x181ba41d4: ...??._?0......??._?P......??._?
0x181ba41f4: p......??._?.......??._ְ......?
0x181ba4214: ?._??......??._?.......??._?P...
0x181ba4234: ...??._?p......??._?.......??._?
....

I found that the auth func has this definition:

func auth(_ bytes: Array<UInt8>) throws -> Array<UInt8>

So basically all I want is to get the 'bytes' variable stored at address 0x181ba4174.

Also I know that the 'auth' method is called with an argument like this:

let key = "somekey".utf8
let result = auth(key)

Ideally I want to get the key back.

1 Answer

Finally I was able to get this done.

expr -l Swift -- String(describing: unsafeBitCast(0x181ba4174, to: Array<UInt8>.self))

It gives output like:

(String) $R0 = "[10, 11, 118, 105, 19, 1]"

Then using Xcode I was able to get the key:

import Foundation

// Byte values copied from the lldb output above
let arr: [UInt8] = [10, 11, 118, 105, 19, 1]

let data = Data(arr)
let key = String(data: data, encoding: .ascii)

Also I wrote a command in case someone needs it.

command regex ptrInt8Array 's/(.+)/expr -l Swift  -- String(describing: unsafeBitCast(%1, to: Array<UInt8>.self))/'

Execute it by:

ptrInt8Array 0x181ba4174
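
Added example, not part of the original answer: a raw `memory read` at the address held in x0 looks like noise because a Swift `Array<UInt8>` value is a single pointer to a heap storage object, and the elements only start after its header. The decoder below assumes the 64-bit little-endian layout of Swift's contiguous array storage (16-byte object header, `count`, `_capacityAndFlags`, elements at offset 32), which is an implementation detail of the runtime; the function names and the sample dump are constructed for illustration.

```python
import struct

# Assumed layout of the storage object a Swift [UInt8] points to (64-bit, LE):
#   +0  metadata (isa) pointer   +8  reference count word
#   +16 count (Int)              +24 _capacityAndFlags (capacity << 1 | flag)
#   +32 first element
HEADER = struct.Struct("<QQqQ")


def decode_uint8_array(storage: bytes) -> bytes:
    """Return the elements of a Swift [UInt8] from a dump of its storage object."""
    if len(storage) < HEADER.size:
        raise ValueError("dump is shorter than the 32-byte storage header")
    _isa, _refcount, count, cap_flags = HEADER.unpack_from(storage)
    capacity = cap_flags >> 1
    # A count above capacity means the address is not array storage at all.
    if count < 0 or count > capacity:
        raise ValueError(f"implausible count {count} for capacity {capacity}")
    end = HEADER.size + count
    if end > len(storage):
        have = len(storage) - HEADER.size
        raise ValueError(f"dump holds {have} of {count} elements; read more bytes")
    return storage[HEADER.size:end]


def printable(elements: bytes) -> str:
    """Render bytes as ASCII, escaping control and non-ASCII values."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in elements)


def build_sample(elements: bytes, capacity: int) -> bytes:
    """Constructed storage object for testing; header values are made up."""
    header = HEADER.pack(0x0000000100ABC000, 3, len(elements), (capacity << 1) | 1)
    return header + elements.ljust(capacity, b"\x00")


# Constructed dump holding the question's placeholder key "somekey".
SAMPLE = build_sample(b"somekey", capacity=16)

if __name__ == "__main__":
    print(printable(decode_uint8_array(SAMPLE)))
    # The byte values from the lldb output in the answer include control characters.
    print(printable(bytes([10, 11, 118, 105, 19, 1])))
```

The count and capacity checks are what distinguish a real storage object from an arbitrary address, which matters when the value in a register may not be the argument you expect.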