在 SVC 处下断时查看调用栈，发现里面有一个特别大的 OLLVM 混淆函数。vx 版本 8054
* thread #36, queue = 'com.apple.root.default-qos', stop reason = breakpoint 4.1
frame #0: 0x0000000111ad6124 WeChat`___lldb_unnamed_symbol1315083 + 20
WeChat`___lldb_unnamed_symbol1315083:
-> 0x111ad6124 <+20>: svc #0x80
0x111ad6128 <+24>: b.lo 0x111ad6140 ; <+48>
0x111ad612c <+28>: stp x29, x30, [sp, #-0x10]!
0x111ad6130 <+32>: mov x29, sp
Target 0: (WeChat) stopped.
X0 0000000000000154 | T....... |
X1 0000000281B1EAE0 | ........ | => "/Library/MobileSubstrate"
X2 000000017094B6B0 | ...p.... | => "0"
X3 000000017094C020 | ..p.... | => 0x17094ED10 => 0x17094ED90 => 0x17094EE30 => 0x17094EE70 => 0x17094EE90 => 0x17>
X4 0000000111C037E8 | .7...... | => `___lldb_unnamed_symbol1315105 + 0x1A88`
X5 0000009200A0FDF8 | ........ |
X6 00000001A68172A4 | .r...... | => `nanov2_calloc$VARIANT$armv81 + 0x94`
X7 0000000000000030 | 0....... |
X8 00000000FFFFFF80 | ........ |
X9 000000008EAD5E99 | .^...... |
X10 00000000F6CE104E | N....... |
(lldb) bt
* thread #36, queue = 'com.apple.root.default-qos', stop reason = breakpoint 4.1
* frame #0: 0x0000000111ad6124 WeChat`___lldb_unnamed_symbol1315083 + 20
frame #1: 0x0000000111ce8440 WeChat`___lldb_unnamed_symbol1315153 + 24
frame #2: 0x0000000111c037e8 WeChat`___lldb_unnamed_symbol1315105 + 6792
frame #3: 0x0000000111cf6d3c WeChat`___lldb_unnamed_symbol1315167 + 52292
frame #4: 0x0000000111ce8880 WeChat`___lldb_unnamed_symbol1315161 + 100
frame #5: 0x000000010155b8c0 WeChat`___lldb_unnamed_symbol35227 + 80
(lldb) ab
Adjusted Backtrace Addresses:
frame #0: 0x111ad6124 0x110c86124 - WeChat -
frame #1: 0x111ce8440 0x110e98440 - WeChat -
frame #2: 0x111c037e8 0x110db37e8 - WeChat -
frame #3: 0x111cf6d3c 0x110ea6d3c - WeChat -
frame #4: 0x111ce8880 0x110e98880 - WeChat -
frame #5: 0x10155b8c0 0x10070b8c0 - WeChat -
(lldb)
第二个 svc：
* thread #36, queue = 'com.apple.root.default-qos', stop reason = breakpoint 4.1
frame #0: 0x0000000111ad6124 WeChat`___lldb_unnamed_symbol1315083 + 20
WeChat`___lldb_unnamed_symbol1315083:
-> 0x111ad6124 <+20>: svc #0x80
0x111ad6128 <+24>: b.lo 0x111ad6140 ; <+48>
0x111ad612c <+28>: stp x29, x30, [sp, #-0x10]!
0x111ad6130 <+32>: mov x29, sp
Target 0: (WeChat) stopped.
(lldb) ad
{"errcode": 0, "msg": "ok", "data": "goto_address|||0x110c86124"}
IDA Offset: 0x110c86124
(lldb) bt
* thread #36, queue = 'com.apple.root.default-qos', stop reason = breakpoint 4.1
* frame #0: 0x0000000111ad6124 WeChat`___lldb_unnamed_symbol1315083 + 20
frame #1: 0x0000000111ce841c WeChat`___lldb_unnamed_symbol1315152 + 24
frame #2: 0x0000000111cf70bc WeChat`___lldb_unnamed_symbol1315167 + 53188
frame #3: 0x0000000111ce8880 WeChat`___lldb_unnamed_symbol1315161 + 100
frame #4: 0x000000010155b8c0 WeChat`___lldb_unnamed_symbol35227 + 80
(lldb) ab
Adjusted Backtrace Addresses:
frame #0: 0x111ad6124 0x110c86124 - WeChat -
frame #1: 0x111ce841c 0x110e9841c - WeChat -
frame #2: 0x111cf70bc 0x110ea70bc - WeChat -
frame #3: 0x111ce8880 0x110e98880 - WeChat -
frame #4: 0x10155b8c0 0x10070b8c0 - WeChat -
(lldb)
X0 0000000000000152 | R....... |
X1 0000000281B85980 | .Y...... | => "/Applications/Cydia.app"
X2 000000017094E150 | P..p.... | => ""
X3 000000017094ED10 | ...p.... | => 0x17094ED90 => 0x17094EE30 => 0x17094EE70 => 0x17094EE90 => 0x17094EEB0 => 0x17>
X4 0000000111CF70BC | .p...... | => `___lldb_unnamed_symbol1315167 + 0xCFC4`
X5 00000002829580A8 | ........ |
X6 000000017094BB30 | 0..p.... |
X7 0000000282958030 | 0....... | => 0x281B85980 => "/Applications/Cydia.app"
X8 000000017094E150 | P..p.... | => ""
X9 00000000BB85CDAE | ........ |
X10 00000000BB85CDAE | ........ |
X11 00000000635FDECA | .._c.... |
X12 00000000FFFFFFFD | ........ |
X13 0000010000000000 | ........ |
X14 00000000FA753DB5 | .=u..... |
X15 00000000C12A8D41 | A.*..... |
X16 0000000000000000 | ........ |
X17 0000000000000001 | ........ |
X18 0000000000000000 | ........ |
X19 000000017094C030 | 0..p.... |
X20 00000000F3A96282 | .b...... |
X21 000000017094BC90 | ...p.... | => 0x281B85900 => "smc_core.cc:ReportIDKeyWithUin"
X22 000000017094D820 | ..p.... | => 0x17094E150 => ""
X23 00000000000000A8 | ........ |
X24 000000017094C030 | 0..p.... |
X25 000000017094CA60 | `..p.... |
X26 00000000E115B598 | ........ |
X27 000000004D06AE2D | -..M.... |
X1 指向的字符串一直在变，说明这里在做越狱检测。
ni 执行系统调用后：
X0 0000000000000000 | ........ |
X1 0000000000000000 | ........ |
X2 000000017094E150 | P..p.... | => ""
X3 000000017094ED10 | ...p.... | => 0x17094ED90 => 0x17094EE30 => 0x17094EE70 => 0x17094EE90 => 0x17094EEB0 => 0x17>
X4 0000000111CF70BC | .p...... | => `___lldb_unnamed_symbol1315167 + 0xCFC4`
X5 00000002829580A8 | ........ |
X6 000000017094BB30 | 0..p.... |
X7 0000000282958030 | 0....... | => 0x281B85980 => "/Applications/Cydia.app"
X8 000000017094E150 | P..p.... | => ""
X9 00000000BB85CDAE | ........ |
X10 00000000BB85CDAE | ........ |
X11 00000000635FDECA | .._c.... |
X12 00000000FFFFFFFD | ........ |
X13 0000010000000000 | ........ |
X14 00000000FA753DB5 | .=u..... |
X15 00000000C12A8D41 | A.*..... |
X16 0000000000000000 | ........ |
X17 0000000000000001 | ........ |
X18 0000000000000000 | ........ |
X19 000000017094C030 | 0..p.... |
X20 00000000F3A96282 | .b...... |
X21 000000017094BC90 | ...p.... | => 0x281B85900 => "smc_core.cc:ReportIDKeyWithUin"
X22 000000017094D820 | ..p.... | => 0x17094E150 => ""
X23 00000000000000A8 | ........ |
X24 000000017094C030 | 0..p.... |
X25 000000017094CA60 | `..p.... |
X26 00000000E115B598 | ........ |
X27 000000004D06AE2D | -..M.... |
后面又来一个 /bin/bash，ni 执行后：X0 0000000000000001 | ........ |
X1 0000000000000000 | ........ |
/private/jailbreak.txt 执行完后 x0 = 1。
还出现过一个含 frida-server 的字符串。
X0 0000000000000152 | R....... |
X1 000000017094BD90 | ...p.... | => "/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64"
X2 000000017094BC60 | `..p.... |
X3 000000017094ED10 | ...p.... | => 0x17094ED90 => 0x17094EE30 => 0x17094EE70 => 0x17094EE90 => 0x17094EEB0 => 0x17>
X4 0000000111D6C90C | ........ | => `___lldb_unnamed_symbol1315167 + 0x82814`
X5 0000000000000000 | ........ |
X6 00000000000000A0 | ........ |
X7 000000017094BCA0 | ...p.... |
X8 000000017094BCF8 | ...p.... | => 0x17094BD90 => "/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64"
X9 0000000000000001 | ........ |
X10 00000000ECA4B8A8 | ........ |
X11 0000000000000000 | ........ |
X12 000000017094E868 | h..p.... |
X13 000000000000000E | ........ |
X14 000000001A3E1F71 | q.>..... |
X15 00000000CFBDBA29 | )....... |
X16 0000000000000000 | ........ |
X17 00000000D2FB9DC9 | ........ |
X18 0000000000000000 | ........ |
X19 000000017094C030 | 0..p.... |
X20 00000000200DF33F | ?.. .... |
X21 000000017094E828 | (..p.... | => 0x17094BFE0 => "127.0.0.1"
X22 00000000AADA2D19 | .-...... |
X23 000000006EE6462D | -F.n.... |
X24 000000005E5626A5 | .&V^.... |
X25 000000017094D824 | $..p.... | => ""
X26 000000017094E828 | (..p.... | => 0x17094BFE0 => "127.0.0.1"
X27 000000012B82A808 | ...+.... | => 0x11A98B920
ni
X0 0000000000000000 | ........ |
X1 0000000000000000 | ........ |
X0 0000000000000152 | R....... |
X1 000000017094BF50 | P..p.... | => "/System/Library/CoreServices/SystemVersion.plist"
X2 000000017094E150 | P..p.... |
X3 000000017094ED10 | ...p.... | => 0x17094ED90 => 0x17094EE30 => 0x17094EE70 => 0x17094EE90 => 0x17094EEB0 => 0x17>
X4 0000000111D6C6AC | ........ | => `___lldb_unnamed_symbol1315167 + 0x825B4`
X5 0000000000000000 | ........ |
X6 00000000000000A0 | ........ |
X7 000000017094BCA0 | ...p.... |
X8 000000017094E150 | P..p.... |
X9 00000000D1A786CB | ........ |
X10 00000000D1A786CB | ........ |
X11 000000000000005E | ^....... |
X12 000000017094D028 | (..p.... |
X13 000000000000005B | [....... |
ni
0
* thread #36, queue = 'com.apple.root.default-qos', stop reason = breakpoint 2.1
frame #0: 0x0000000111ad60f8 WeChat`___lldb_unnamed_symbol1315081 + 4
WeChat`___lldb_unnamed_symbol1315081:
-> 0x111ad60f8 <+4>: svc #0x80
0x111ad60fc <+8>: ret
WeChat`___lldb_unnamed_symbol1315082:
0x111ad6100 <+0>: mov x16, #-0x2f
0x111ad6104 <+4>: svc #0x80
Target 0: (WeChat) stopped.
(lldb) ab
Adjusted Backtrace Addresses:
frame #0: 0x111ad60f8 0x110c860f8 - WeChat -
frame #1: 0x111d87e28 0x110f37e28 - WeChat -
frame #2: 0x111ce8880 0x110e98880 - WeChat -
frame #3: 0x10155b8c0 0x10070b8c0 - WeChat -
(lldb) bt
* thread #36, queue = 'com.apple.root.default-qos', stop reason = breakpoint 2.1
* frame #0: 0x0000000111ad60f8 WeChat`___lldb_unnamed_symbol1315081 + 4
frame #1: 0x0000000111d87e28 WeChat`___lldb_unnamed_symbol1315167 + 646448
frame #2: 0x0000000111ce8880 WeChat`___lldb_unnamed_symbol1315161 + 100
frame #3: 0x000000010155b8c0 WeChat`___lldb_unnamed_symbol35227 + 80
(lldb)