How to install Appmon here.

LLDB reference can be found here.

More on ASLR and debugging with LLDB here.


If we install Appmon, then we have an LLDB window, where we can debug the IOS application. Debugging is one way to examine/manipulate an application.

The best way to debug the application is to load it into IdaPro first. Then let us find an address, where we want to set breakpoint. For this blog post, I am using the DamnVulnerableIosApp. Here is the [JailbreakDetectionVC jailbreakTest1Tapped:] method in IdaPro.

The address is 0x10001974C. However the real address in memory is different, because the whole TEXT segment is shifted with a certain value (ASLR). In order to determine the shift value, execute the following command in LLDB:

(lldb) image dump sections <APP_NAME>

The TEXT segment starts at 0x1000a8000, so the shift value is 0xa8000. We have to add this value to every address, that comes from IdaPro. The following command disassemble a few bytes from the passed address:

(lldb) disassemble –start-address 0xa8000+0x10001974

I set a breakpoint at 0x100019770.

(lldb) breakpoint set -a 0xa8000+0x100019770

This is the next instruction after the [JailbreakDetectionVC jailbreakTest1Tapped:] call in jailbreakTestTapped1 method. The return value is in X0 register. 0x1 means, that the device is jailbroken.

This can be modified with …

(lldb) register write x0 0

(lldb) continue

The application does not recognize the device as jailbroken one.