72  macOS/iOS

72.1 Sign rizin binary

If you install the Rizin pkg file and try to use it to debug a binary, you will very likely get an error message such as:

Child killed
ptrace: Cannot attach: Invalid argument

Please ensure your rizin binary is signed and it has the right entitlements
to make debugger work. Be aware that binaries signed by Apple cannot be
debugged due to the Apple System Integrity Protection (SIP).

For more info look at: https://book.rizin.re/debugger/apple.html#sign-rizin-binary

This is because the Darwin kernel will refuse to allow rizin to debug another process if you don’t have special rights (or if you are not root).

To sign the binary and give it the special rights to allow debugging as a regular user, download the Entitlements file here. Then execute the following command:

$ codesign --entitlements <entitlements-file> --force -s - $(which rizin)

However, be aware that even with a signed rizin binary you cannot debug binaries signed by Apple. To bypass the problem you have a few options:

  • Remove the certificate of the debuggee, by using codesign --remove-signature <binary> or other alternatives like unsign. WARNING: this cannot be undone, so we suggest to make a copy of the original binary.
  • Disable SIP with csrutil enable --without debug in Recovery Mode.

72.2 Debugging on macOS over SSH

If you are trying to debug a program over SSH, you may experience failures like Rizin getting stuck while opening the file. This is because the OS is waiting for user authentication to allow debugging. However, since you are over SSH, the OS has no way of showing the permission window.

To avoid this problem you can either run rizin with sudo or you may instruct taskport to not authenticate the user by executing the following commands. This will disable the debugging authentication prompt even after you reboot.

security authorizationdb read system.privilege.taskport > taskport.plist
/usr/libexec/PlistBuddy -c 'Set :authenticate-user false' ./taskport.plist
sudo security authorizationdb write system.privilege.taskport < taskport.plist