Inspired by https://infosec.exchange/@jjtech/112612685494089718
Reboot into Recovery OS + Disable SIP
csrutil disable
Launch the binary via lldb. It will exit immedicately.
lldb /System/Applications/iPhone\ Mirroring.app/Contents/MacOS/iPhone\ Mirroring
(lldb) run
Process 3819 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 3819 exited with status = 0 (0x00000000)
Add a breakpoint to the SwiftUI App main entry to investigate. It still exits.
b 0x10000c840
(lldb) run
Process 5078 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 5078 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x000000010000c840 iPhone Mirroring`static SwiftUI.App.main() -> ()
iPhone Mirroring`static SwiftUI.App.main() -> ():
-> 0x10000c840 <+0>: adrp x17, 4
0x10000c844 <+4>: add x17, x17, #0x200 ; (void *)0x500f0001b5aa00fc
0x10000c848 <+8>: ldr x16, [x17]
0x10000c84c <+12>: braa x16, x17
Target 0: (iPhone Mirroring) stopped.
(lldb) c
Process 5078 resuming
Process 5078 exited with status = 0 (0x00000000)
Add a breakpoint to exit stub (0x10000c9c0) and get the backtrace.
lldb /System/Applications/iPhone\ Mirroring.app/Contents/MacOS/iPhone\ Mirroring
b 0x10000c840
b 0x10000c9c0
(lldb) run
Process 5113 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 5113 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x000000010000c840 iPhone Mirroring`static SwiftUI.App.main() -> ()
iPhone Mirroring`static SwiftUI.App.main() -> ():
-> 0x10000c840 <+0>: adrp x17, 4
0x10000c844 <+4>: add x17, x17, #0x200 ; (void *)0x500f0001b5aa00fc
0x10000c848 <+8>: ldr x16, [x17]
0x10000c84c <+12>: braa x16, x17
Target 0: (iPhone Mirroring) stopped.
(lldb) c
Process 5113 resuming
Process 5113 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
frame #0: 0x000000010000c9c0 iPhone Mirroring`exit
iPhone Mirroring`exit:
-> 0x10000c9c0 <+0>: adrp x17, 4
0x10000c9c4 <+4>: add x17, x17, #0x2c0 ; (void *)0x0c568001865c9730
0x10000c9c8 <+8>: ldr x16, [x17]
0x10000c9cc <+12>: braa x16, x17
Target 0: (iPhone Mirroring) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
* frame #0: 0x000000010000c9c0 iPhone Mirroring`exit
frame #1: 0x000000010000aa78 iPhone Mirroring`___lldb_unnamed_symbol473 + 116
frame #2: 0x00000001b6304148 SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 948
frame #3: 0x00000001b630470c SwiftUI`merged @objc SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 140
frame #4: 0x00000001867eb504 CoreFoundation`__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 148
frame #5: 0x000000018687bf04 CoreFoundation`___CFXRegistrationPost_block_invoke + 88
frame #6: 0x000000018687be4c CoreFoundation`_CFXRegistrationPost + 436
frame #7: 0x00000001867b9a24 CoreFoundation`_CFXNotificationPost + 732
frame #8: 0x000000018793c954 Foundation`-[NSNotificationCenter postNotificationName:object:userInfo:] + 88
frame #9: 0x000000018a2e11b8 AppKit`-[NSApplication finishLaunching] + 248
frame #10: 0x000000018a2e0e84 AppKit`-[NSApplication run] + 252
frame #11: 0x000000018a2b74a8 AppKit`NSApplicationMain + 888
frame #12: 0x00000001b541bea0 SwiftUI`merged generic specialization <SwiftUI.TestingAppDelegate> of function signature specialization <Arg[0] = Existential To Protocol Constrained Generic> of SwiftUI.runApp(__C.NSResponder & __C.NSApplicationDelegate) -> Swift.Never + 160
frame #13: 0x00000001b57d05d0 SwiftUI`SwiftUI.runApp<τ_0_0 where τ_0_0: SwiftUI.App>(τ_0_0) -> Swift.Never + 84
frame #14: 0x00000001b5aa01dc SwiftUI`static SwiftUI.App.main() -> () + 224
frame #15: 0x0000000100008a20 iPhone Mirroring`___lldb_unnamed_symbol437 + 92
frame #16: 0x000000018638d298 dyld`start + 2876
We have almost got there. The problem is it will call exit(0) on -[iPhone_Mirroring.AppDelegate applicationWillFinishLaunching:]
So we can just add a breakpoint and return the thread here.
(lldb) run
(lldb) b 0x000000010000aa04
Breakpoint 3: where = iPhone Mirroring`___lldb_unnamed_symbol473, address = 0x000000010000aa04
(lldb) c
Process 6907 resuming
Process 6907 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
frame #0: 0x000000010000aa04 iPhone Mirroring`___lldb_unnamed_symbol473
iPhone Mirroring`___lldb_unnamed_symbol473:
-> 0x10000aa04 <+0>: pacibsp
0x10000aa08 <+4>: stp x20, x19, [sp, #-0x20]!
0x10000aa0c <+8>: stp x29, x30, [sp, #0x10]
0x10000aa10 <+12>: add x29, sp, #0x10
Target 0: (iPhone Mirroring) stopped.
(lldb) thread return
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
frame #0: 0x00000001b6304148 SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 948
SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> ():
-> 0x1b6304148 <+948>: mov x0, x21
0x1b630414c <+952>: bl 0x1b665cae8 ; symbol stub for: swift_unknownObjectRelease
0x1b6304150 <+956>: mov x0, x19
0x1b6304154 <+960>: bl 0x1b665c388 ; symbol stub for: objc_release
(lldb) continue
That's all. Done.
git clone https://github.com/Kyle-Ye/iPhoneMirroringInject.git
cd iPhoneMirroringInject
./build.sh
See detail on iPhoneMirroringInject repo
@EmptyEnergy when you say « all these people on twitter », do you just mean luna? Cause I haven’t seen anyone else who was able to get it to work in the EU.