Xcode Debugging

你的代碼，或者任何人的代碼中總會有bug存在，你可以把調試看做是更好地理解代碼的一種方式 —— By Advanced_Apple_Debugging_&_Reverse_Engineering_v0.9.5

The Debugging Process

1. Reproduce the problem

if you cannot reproduce the problem, then you (probably) do not understand it.

2. Gather Debug Information

Logs, program, state,...
What is the value of a variable?
What kind of error?(ex.EXC_BAD_ACCESS)
What line of code caused the error?
Which functions or methods led to the error?

3. Form a Hypothesis

4. Try a fix

Maximize the information gained per fix!

image

Print Debugging

image

TOOL

LLDB

Use commands to debugging, save your time in rebuild and make breakpoints.

常用命令

po —— call the description method on an object.
p —— print the value of 數量級 values

Print variable frame

frame variable
fr v

Expression命令

expression命令的作用是執行一個表達式，并將表達式返回的結果輸出。expression的完整語法是這樣的：

Objective-C

expression <cmd-options> -- <expr>
1
expression <cmd-options> -- <expr>

說expression是LLDB里面最重要的命令都不為過。因為他能實現2個功能。

執行某個表達式。 我們在代碼運行過程中，可以通過執行某個表達式來動態改變程序運行的軌跡。 假如我們在運行過程中，突然想把self.view顏色改成紅色，看看效果。我們不必寫下代碼，重新run，只需暫停程序，用expression改變顏色，再刷新一下界面，就能看到效果
Objective-C

// 改變顏色
(lldb) expression -- self.view.backgroundColor = [UIColor redColor]
// 刷新界面
(lldb) expression -- (void)[CATransaction flush]
將返回值輸出。 也就是說我們可以通過expression來打印東西。 假如我們想打印self.view：
Objective-C

(lldb) expression -- self.view
(UIView *) $1 = 0x00007fe322c18a10

(lldb) expression -- self.view
(UIView *) $1 = 0x00007fe322c18a10

expression 可以支持多行輸入，輸入expression后回車，會顯示行號，每行輸入后換行，雙擊回車代表完成輸入，過掉斷言即刻看到表達式的效果。

image

BreakPoint

image

breakpoint command add給斷點添加命令

e.g: 假設我們需要在ViewController的viewDidLoad中查看self.view的值
我們首先給-[ViewController viewDidLoad]添加一個斷點

(lldb) breakpoint set -n "-[ViewController viewDidLoad]"
'breakpoint 3': where = TLLDB`-[ViewController viewDidLoad] + 20 at ViewController.m:23, address = 0x00000001055e6004

可以看到添加成功之后，這個breakpoint的id為3，然后我們給他增加一個命令：po self.view
(lldb) breakpoint command add -o "po self.view" 3

-o完整寫法是--one-liner，表示增加一條命令。3表示對id為3的breakpoint增加命令。
添加完命令之后，每次程序執行到這個斷點就可以自動打印出self.view的值了

如果我們一下子想增加多條命令，比如我想在viewDidLoad中打印當前frame的所有變量，但是我們不想讓他中斷，也就是在打印完成之后，需要繼續執行。我們可以這樣玩：

(lldb) breakpoint command add 3
Enter your debugger command(s). Type 'DONE' to end.

frame variable
continue
DONE
輸入breakpoint command add 3對斷點3增加命令。他會讓你輸入增加哪些命令，輸入'DONE'表示結束。這時候你就可以輸入多條命令了

多次對同一個斷點添加命令，后面命令會將前面命令覆蓋

breakpoints添加通過條件

image

breakpoint

調試過程中，我們用得最多的可能就是斷點了。LLDB中的斷點命令也非常強大

breakpoint set

breakpoint set命令用于設置斷點，LLDB提供了很多種設置斷點的方式：

使用-n根據方法名設置斷點：

e.g: 我們想給所有類中的viewWillAppear:設置一個斷點:

(lldb) breakpoint set -n viewWillAppear:
Breakpoint 13: 33 locations.

使用-f指定文件

e.g: 我們只需要給ViewController.m文件中的viewDidLoad設置斷點：

(lldb) breakpoint set -f ViewController.m -n viewDidLoad
Breakpoint 22: where = TLLDB`-[ViewController viewDidLoad] + 20 at ViewController.m:22, address = 0x000000010272a6f4

這里需要注意，如果方法未寫在文件中（比如寫在category文件中，或者父類文件中），指定文件之后，將無法給這個方法設置斷點。

使用-l指定文件某一行設置斷點

e.g: 我們想給ViewController.m第38行設置斷點

(lldb) breakpoint set -f ViewController.m -l 38
Breakpoint 23: where = TLLDB`-[ViewController text:] + 37 at ViewController.m:38, address = 0x000000010272a7d5
使用-c設置條件斷點

e.g: text:方法接受一個ret的參數，我們想讓ret == YES的時候程序中斷：

(lldb) breakpoint set -n text: -c ret == YES
Breakpoint 7: where = TLLDB`-[ViewController text:] + 30 at ViewController.m:37, address = 0x0000000105ef37ce
使用-o設置單次斷點

e.g: 如果剛剛那個斷點我們只想讓他中斷一次：

(lldb) breakpoint set -n text: -o
'breakpoint 3': where = TLLDB`-[ViewController text:] + 30 at ViewController.m:37, address = 0x000000010b6f97ce
breakpoint command

有的時候我們可能需要給斷點添加一些命令，比如每次走到這個斷點的時候，我們都需要打印self對象。我們只需要給斷點添加一個po self命令，就不用每次執行斷點再自己輸入po self了

breakpoint command add

breakpoint command add命令就是給斷點添加命令的命令。

e.g: 假設我們需要在ViewController的viewDidLoad中查看self.view的值
我們首先給-[ViewController viewDidLoad]添加一個斷點

(lldb) breakpoint set -n "-[ViewController viewDidLoad]"
'breakpoint 3': where = TLLDB`-[ViewController viewDidLoad] + 20 at ViewController.m:23, address = 0x00000001055e6004
可以看到添加成功之后，這個breakpoint的id為3，然后我們給他增加一個命令：po self.view

(lldb) breakpoint command add -o "po self.view" 3
-o完整寫法是--one-liner，表示增加一條命令。3表示對id為3的breakpoint增加命令。
添加完命令之后，每次程序執行到這個斷點就可以自動打印出self.view的值了

如果我們一下子想增加多條命令，比如我想在viewDidLoad中打印當前frame的所有變量，但是我們不想讓他中斷，也就是在打印完成之后，需要繼續執行。我們可以這樣玩：

(lldb) breakpoint command add 3
Enter your debugger command(s). Type 'DONE' to end.

frame variable
continue
DONE
輸入breakpoint command add 3對斷點3增加命令。他會讓你輸入增加哪些命令，輸入'DONE'表示結束。這時候你就可以輸入多條命令了

多次對同一個斷點添加命令，后面命令會將前面命令覆蓋
breakpoint command list

如果想查看某個斷點已有的命令，可以使用breakpoint command list。
e.g: 我們查看一下剛剛的斷點3已有的命令

(lldb) breakpoint command list 3
'breakpoint 3':
Breakpoint commands:
frame variable
continue
可以看到一共有2條命令，分別為frame variable和continue

breakpoint command delete

有增加就有刪除，breakpoint command delete可以讓我們刪除某個斷點的命令
e.g: 我們將斷點3中的命令刪除:

(lldb) breakpoint command delete 3
(lldb) breakpoint command list 3
Breakpoint 3 does not have an associated command.
可以看到刪除之后，斷點3就沒有命令了

breakpoint list

如果我們想查看已經設置了哪些斷點，可以使用breakpoint list
e.g:

(lldb) breakpoint list
Current breakpoints:
4: name = '-[ViewController viewDidLoad]', locations = 1, resolved = 1, hit count = 0
4.1: where = TLLDB`-[ViewController viewDidLoad] + 20 at ViewController.m:23, address = 0x00000001055e6004, resolved, hit count = 0
我們可以看到當前只有一個斷點，打在-[ViewController viewDidLoad]上，id是4

breakpoint disable/enable

有的時候我們可能暫時不想要某個斷點，可以使用breakpoint disable讓某個斷點暫時失效
e.g: 我們來讓剛剛的斷點4失效

(lldb) breakpoint disable 4
1 breakpoints disabled.
輸入完命令之后，顯示斷點已經失效

當我們又需要這個斷點的時候，可以使用breakpoint enable再次讓他生效
e.g: 重新啟用斷點4

(lldb) breakpoint enable 4
1 breakpoints enabled.
breakpoint delete

如果我們覺得這個斷點以后再也用不上了，可以用breakpoint delete直接刪除斷點.
e.g: 刪除斷點4

(lldb) breakpoint delete 4
1 breakpoints deleted; 0 breakpoint locations disabled.
如果我們想刪除所有斷點，只需要不指定breakpoint delete參數即可

(lldb) breakpoint delete
About to delete all breakpoints, do you want to do that?: [Y/n] y
All breakpoints removed. (1 breakpoint)
刪除的時候他會提示你，是不是真的想刪除所有斷點，需要你再次輸入Y確認。如果想直接刪除，不需要他的提示，使用-f命令選項即可

(lldb) breakpoint delete -f
All breakpoints removed. (1 breakpoint)
實際平時我們真正使用breakpoint命令反而比較少，因為Xcode已經內置了斷點工具。我們可以直接在代碼上打斷點，可以在斷點工具欄里面查看編輯斷點，這比使用LLDB命令方便很多。不過了解LLDB相關命令可以讓我們對斷點理解更深刻。
如果你想了解怎么使用Xcode設置斷點，可以閱讀這篇文章《Xcode中斷點的威力》

非重寫方法的符號斷點

非重寫方法的符號斷點
假設你想知道 -[MyViewController viewDidAppear:] 什么時候被調用。如果這個方法并沒有在MyViewController 中實現，而是在其父類中實現的，該怎么辦呢？試著設置一個斷點，會出現以下結果：

(lldb) b -[MyViewController viewDidAppear:]
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.

因為 LLDB 會查找一個符號，但是實際在這個類上卻找不到，所以斷點也永遠不會觸發。你需要做的是為斷點設置一個條件 [self isKindOfClass:[MyViewController class]]，然后把斷點放在 UIViewController 上。正常情況下這樣設置一個條件可以正常工作。但是這里不會，因為我們沒有父類的實現。

viewDidAppear: 是蘋果實現的方法，因此沒有它的符號；在方法內沒有 self 。如果想在符號斷點上使用 self，你必須知道它在哪里 (它可能在寄存器上，也可能在棧上；在 x86 上，你可以在 $esp+4 找到它)。但是這是很痛苦的，因為現在你必須至少知道四種體系結構 (x86，x86-64，armv7，armv64)。想象你需要花多少時間去學習命令集以及它們每一個的調用約定，然后正確的寫一個在你的超類上設置斷點并且條件正確的命令。幸運的是，這個在 facebook的Chisel 被解決了。這被成為 bmessage：

(lldb) bmessage -[MyViewController viewDidAppear:]
Setting a breakpoint at -[UIViewController viewDidAppear:] with condition (void*)object_getClass((id)$rdi) == 0x000000010e2f4d28
Breakpoint 1: where = UIKit`-[UIViewController viewDidAppear:], address = 0x000000010e11533c
LLDB 和 Python

command和expr的組合

建立一個breakPoint.
使用expr表達式
用command添加到br上面。

br com add 1
>expr ...
>continue
>DONE

Thread

thread until (line number)
thread select (thread number)
thread return (value)
frame variable 查看線程相關變量
bt (thread backtrace) backtrace

Watchpoint

Watchpoint

watchpoint set v (變量名)
跟蹤變量的值的變化，如果變量地址變成0x0000000000000000就說明變量被釋放，指向了nil

image

Chisel

Chisel Tutorial
Chisel

border 標記view
mask 標記view
pca layer tree
presponder responder chain
pclass class hierachy
vs vs view, change the view hierachy
caflush refresh screen
visualize previews views

pviews Print the recursive view description for the key window.
pvc Print the recursive view controller description for the key window.
fv Find a view in the hierarchy whose class name matches the provided regex.
fvc Find a view controller in the hierarchy whose class name matches the provided regex.
bmessage Set a symbolic breakpoint on the method of a class or the method of an instance without worrying which class in the hierarchy actually implements the method.
wivar Set a watchpoint on an instance variable of an object.

Xcode Debugging Hotkeys

Here is a listing of Xcode hotkeys (related to debugging) we mentioned in this course. Let us know if we missed any!

Show Navigator (?+0)
Show Debug Navigator (?+6)
Show Breakpoint Navigator (?+7)
Show Debug Area (?+Shift+Y)
Open Documentation (?+Shift+0)
Step Over (F6)
Step Into (F7)
Step Out (F8)
Continue (?+Ctrl+Y)
Build (?+B)
Run (?+R)
Activate/Deactivate Breakpoint (?+Y)
Quick Search (?+Shift+O)

Xcode Debugging Hotkeys

Icon Injection Plugin for Xcode

Icon Injection Plugin for Xcode

[圖片上傳失敗...(image-a4381f-1523691381635)]

一個Xcode的插件，讓你在改完代碼后無需重新運行Xcode就可以看到效果。

將需要調試的代碼寫到injected這個方法中，然后在和這個方法中設置一個斷言，使用Ctr + =,即會停在這個斷言里，每次修改，使用一下Ctr + =就會重新注入，釋放斷言就可以看到效果。

- (void)injected
{
    NSLog(@"I've been injected: %@", self);
}

The plugin can be removed either via Alcatraz, or by running:
rm -rf ~/Library/Application\ Support/Developer/Shared/Xcode/Plug-ins/InjectionPlugin.xcplugin

注意

- (void)injected as an instance method, which gives you the chance to re-update an object with new contexts.
+ (void)injected as a class method, making it possible to update globals with new information
Listening for INJECTION_BUNDLE_NOTIFICATION, allowing other classes to listen out for injection calls, this is useful for providing app level changes.

原理

它通過解析應用程序的生成日志來確定源文件是如何最后編譯的。用這個包將重新編譯成一個bundle，該bundle使用動態加載程序注入應用程序。現在在bundle中就有兩個版本，原版本和新的修改版本。修改后的版本是“調和”在原版本發生變化。

LLDB cheatsheet

A cheatsheet for commands and ideas on how to use LLDB.

Getting help

(lldb) help
List all commands and aliases.

(lldb) help po
Get help documentation for po (expression) command.

(lldb) help break set
Get help documentation for breakpoint set.

(lldb) apropos step-in
Search through help documentation containing step-in.

Finding code

(lldb) image lookup -rn UIAlertController
Look up all code containing UIAlertController that's compiled or loaded into an executable.

(lldb) image lookup -rn (?i)hosturl
Case insensitive search for any code that contains "hosturl".

(lldb) image lookup -rn 'UIViewController\ set\w+:\]'
Look up all setter property methods UIViewController implements or overrides.

(lldb) image lookup -rn . Security
Look up all code located within the Security module.

(lldb) image lookup -a 0x10518a720
Look up code based upon address 0x10518a720.

(lldb) image lookup -s mmap
Look up code for the symbol named mmap.

Breakpoints

(lldb) b viewDidLoad
Creates a breakpoint on all methods named viewDidLoad for both Swift and Objective-C.

(lldb) b setAlpha:
Creates a breakpoint on either the setAlpha: Objective-C method or the setter of the Objective-C alpha property.

(lldb) b -[CustomViewControllerSubclass viewDidLoad]
Creates a breakpoint on the Objective-C method [CustomViewControllerSubclass viewDidLoad].

(lldb) rbreak CustomViewControllerSubclass.viewDidLoad
Creates a regex breakpoint to match either an Objective-C or Swift class CustomViewControllerSubclass which contains viewDidLoad. Could be Objective-C - [CustomViewControllerSubclass viewDidLoad] or could be Swift ModuleName.CustomViewControllerSubclass.viewDidLoad () -> ().

(lldb) breakpoint delete
Deletes all breakpoints.

(lldb) breakpoint delete 2
Deletes breakpoint ID 2.

(lldb) breakpoint list
List all breakpoints and their IDs.

(lldb) rbreak viewDid
Creates a regex breakpoint on .viewDid..

(lldb) rbreak viewDid -s SwiftRadio
Creates a breakpoint on .viewDid., but restricts the breakpoint(s) to the SwiftRadio module.

(lldb) rbreak viewDid(Appear|Disappear) -s SwiftHN
Creates a breakpoint on viewDidAppear or viewDidDisappear inside the SwiftHN module.

(lldb) rb "\-\[UIViewController\ set" -s UIKit
Creates a breakpoint on any Objective-C style breakpoints containing - [UIViewController set within the UIKit module.

(lldb) rb . -s SwiftHN -o
Create a breakpoint on every function in the SwiftHN module, but remove all breakpoints once the breakpoint is hit.

(lldb) rb . -f ViewController.m
Create a breakpoint on every function found in ViewController.m.

Expressions

(lldb) po "hello, debugger"
Prints "hello, debugger" regardless of the debugging context.

(lldb) expression -lobjc -O -- [UIApplication sharedApplication]
Print the shared UIApplication instance in an Objective-C context.

(lldb) expression -lswift -O -- UIApplication.shared
Print the shared UIApplication instance in a Swift context.

Creates a breakpoint on getenv, executes the getenv function, and stops at the beginning of the getenv function.
(lldb) b getenv
(lldb) expression -i0 -- getenv("HOME")
raywenderlich.com 361
Advanced Apple Debugging & Reverse Engineering Appendix A: LLDB Cheatsheet (lldb) expression -u0 -O -- [UIApplication test]
Don't let LLDB unwind the stack if you’re executing a method that will cause the program to crash.
Declares a global NSString* called globalString. (lldb) expression -g -O -lobjc -- [NSObject new]
Debug the debugger that's parsing the [NSObject new] Objective-C expression.
Stepping
(lldb) thread return false
Return early from code with false.
Step in.
Step over.
Step out of a function.
Step in if about to execute a function. Step an assembly instruction otherwise.
GDB formatting
(lldb) p/x 128
Print value in hexadecimal.
(lldb) expression -p -- NSString *globalString = [NSString
stringWithUTF8String: "Hello, Debugger"];
(lldb) po globalString
Hello, Debugger
(lldb) thread step-in
(lldb) s
(lldb) thread step-over
(lldb) n
(lldb) thread step-out
(lldb) finish
(lldb) thread step-inst
(lldb) ni
raywenderlich.com 362
Advanced Apple Debugging & Reverse Engineering
Appendix A: LLDB Cheatsheet
(lldb) p/d 128
Print value in decimal.
(lldb) p/t 128
Print value in binary.
(lldb) p/a 128
Print value as address.
(lldb) x/gx 0x000000010fff6c40
Get the value pointed at by 0x000000010fff6c40 and display in 8 bytes. (lldb) x/wx 0x000000010fff6c40
Get the value pointed at by 0x000000010fff6c40 and display in 4 bytes.
Memory
(lldb) memory read 0x000000010fff6c40
Read memory at address 0x000000010fff6c40.
Grab an instance of a remote file and write it to /tmp/file on your computer.
Registers & assembly
(lldb) register read -a
Display all registers on the system.
(lldb) register read rdi rsi
Read the RSI and the RDI register in x64 assembly. (lldb) register write rsi 0x0
Set the RSI register to 0x0 in x64 assembly. (lldb) register write rflags $rflags ^ 64
(lldb) po id $d = [NSData dataWithContentsOfFile:@"..."]
(lldb) mem read (uintptr_t)[$d bytes] (uintptr_t)[$d bytes] + (uintptr_t)[$d length] -r -b -o /tmp/file
raywenderlich.com 363
Advanced Apple Debugging & Reverse Engineering Appendix A: LLDB Cheatsheet
Toggle the zero flag in x64 assembly (augment if condition logic).
(lldb) register write rflags $rflags | 64
Set the zero flag (set to 1) in x64 assembly (augment if condition logic).
(lldb) register write rflags $rflags & ~64
Clear the zero flag (set to 0) in x64 assembly (augment if condition logic).
(lldb) register write pc $pc+4
Increments the program counter by 4.
(lldb) disassemble
Display assembly for function in which you’re currently stopped.
(lldb) disassemble -p
Disassemble around current location; useful if in the middle of a function.
(lldb) disassemble -b
Disassemble function while showing opcodes; useful for learning what is responsible for what.
(lldb) disassemble -n '-[UIViewController setTitle:]'
Disassemble the Objective-C -[UIViewController setTitle:] method. (lldb) disassemble -a 0x000000010b8d972d
Disassemble the function that contains the address 0x000000010b8d972d.
Modules
(lldb) image list
List all modules loaded into the executable's process space.
(lldb) image list -b
Get the names of all the modules loaded into the executable's process space.
(lldb) process load /Path/To/Module.framework/Module
Load the module located at path into the executable's process space.

我的debug速查表（入門級）My debug cheatsheet

我的debug速查表（入門級）My debug cheatsheet

debug cheetsheet
common
查找進程：

ps aux | grep /App
ps -e | grep /Applications
查找文件：

grep -r ToBeFind /System/Library/
分離fat binary

lipo -thin armv7 WeChat.decrypted -output WeChat_armv7.decrypted
lipo -thin armv64 xxx.decrypted -output xxx_arm64.decrypted
class dump

class-dump --list-arches AlipayWallet.decrypted

class-dump -S -s -H WeChat_armv7.decrypted -o dumparmv7
class-dump -s -S -H --arch armv7 AlipayWallet.decrypted -o dumpAlipay
lldb
參考 
- https://github.com/iosre/iOSAppReverseEngineering43
- http://objccn.io/issue-19-2/27

幫助

help frame
打印UI結構

po [[[UIWindow keyWindow] rootViewController] _printHierarchy]    (iOS 8)
po [[UIWindow keyWindow] recursiveDescription]
棧信息

bt (backtrace)
bt all (all threads)
objc_msgSend 參數打印

po $r0
p (char*)$r1
p (SEL)$r1
返回地址

p/x $lr
斷點

br s -a 0x0023234f 
breakpoint set -F "-[NSArray objectAtIndex:]"

br s -a 0x02107730+0x000ab000 -c '(BOOL)[(NSString *)$r2 isEqualToString:@"snakeninny"]'

b ptrace
列舉模塊

image -o -f
lldb基礎命令

c
n
s
frame info
expr

thread return
breakpoint command add 1
遠程調試

debugserver *:1234 -a AlipayWallet
debugserver -x backboard *:1234 /var/mobile/Containers/Bundle/Application/9DB7CE45-3B4C-42A3-9D4D-49A3A5122903/AlipayWallet.app/AlipayWallet
lldb連接遠程調試

(lldb) process connect connect://192.168.199.164:1234
lldb expr例子

(lldb) expr char *$str = (char *)malloc(8)
(lldb) expr (void)strcpy($str, "munkeys")
(lldb) expr $str[1] = 'o'
(char) $0 = 'o'
(lldb) p $str
(char *) $str = 0x00007fd04a900040 "monkeys"

(lldb) x/4c $str
(lldb) x/1w `$str + 3`
(lldb) expr (void)free($str)

(lldb) expr id $myView = (id)0x7f82b1d01fd0
(lldb) expr (void)[$myView setBackgroundColor:[UIColor blueColor]]
(lldb) expr (void)[CATransaction flush]

(lldb) po [$myButton allTargets]

(lldb) p (ptrdiff_t)ivar_getOffset((struct Ivar *)class_getInstanceVariable([MyView class], "_layer"))
觀察點

(lldb) watchpoint set expression -- (int *)$myView + 8
arm64

param1 $x0
param2 $x1

po $x0
p (char*)$x1
cycript
參考： http://www.cycript.org/manual/17

開始

cycript -p BinaryName
打印UI結構

[[UIWindow keyWindow] recursiveDescription].toString()
[[[UIWindow keyWindow] rootViewController] _printHierarchy].toString()
打印沙盒Documents路徑

[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask]
基本使用

cy# [#0xb226710 url]
@"ww4fd1rfRDShBo_4K6rqfwAAACMAAQED"

cy# c = #0x1752d8c0
cy#"<FavAudioPlayerController: 0x1752d8c0; frame = (0 0; 290 60); autoresize = W; layer = <CALayer: 0x172dc2b0>>"
cy# c->m_audioInfo
cy#"<FavAudioInfo: 0x172b2a30>"
cy# c->m_audioInfo.m_nsAudioPath
linker
-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null
into Other link flag
Anti
iHex replace RESTRICT , restrict
ldid -S AppName
AppSync
Info.plist
輸出bundle id

/var/mobile/Containers/Bundle/Application/9DB7CE45-3B4C-42A3-9D4D-49A3A5122903/AlipayWallet.app root# cat Info.plist | grep com.
    <string>com.alipay.iphoneclient</string>
dumpdecrypted
https://github.com/stefanesser/dumpdecrypted

例子

scp -P 2222 Security/dumpdecrypted-master/dumpdecrypted.dylib root@localhost:/var/mobile/Containers/Data/Application/BA2644DB-450F-4DB0-A71F-A38F65488A48/Documents/

scp ~/sec/dumpdecrypted-master/dumpdecrypted.dylib root@192.168.199.164:/var/mobile/Containers/Data/Application/72AB36DD-2E9B-47C0-9695-099235E40C3C/Documents/
dumpdecrypted.dylib

everettjfs-iPhone:/var/mobile/Containers/Data/Application/72AB36DD-2E9B-47C0-9695-099235E40C3C/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/2DAD493D-6275-4CED-8242-BDEF27F36740/AlipayWallet.app/AlipayWallet
theos
https://github.com/theos/theos3

開始

everettjf@e WeChatVoiceSaver (master)]$ ~/sec/theos/bin/nic.pl
chisel
參考：https://github.com/facebook/chisel

usbmuxd
https://cgit.sukimashita.com/usbmuxd.git/snapshot/usbmuxd-1.0.8.tar.gz2
https://cgit.sukimashita.com/usbmuxd.git/3
First:

cd python-client 
python tcprelay.py -t 22:2222
Then:

ssh root@localhost -p 2222

參考

The Debugging Process

Advanced Apple Debugging & Reverse Engineering

Debugging in Xcode2012

What's New in LLDB 2015

LLDB

小笨狼與LLDB的故事

lldb.llvm.org

Chisel