Xcode Debugging
你的代碼,或者任何人的代碼中總會(huì)有bug存在,你可以把調(diào)試看做是更好地理解代碼的一種方式 —— By Advanced_Apple_Debugging_&_Reverse_Engineering_v0.9.5
The Debugging Process
- Reproduce the problem
if you cannot reproduce the problem, then you (probably) do not understand it.
- Gather Debug Information
Logs, program, state,...
What is the value of a variable?
What kind of error?(ex.EXC_BAD_ACCESS)
What line of code caused the error?
Which functions or methods led to the error?
- Form a Hypothesis
- Try a fix
Maximize the information gained per fix!
Print Debugging
TOOL
LLDB
Use commands to debugging, save your time in rebuild and make breakpoints.
常用命令
po —— call the description method on an object.
p —— print the value of 數(shù)量級(jí) values
Print variable frame
frame variable
fr v
Expression命令
expression命令的作用是執(zhí)行一個(gè)表達(dá)式,并將表達(dá)式返回的結(jié)果輸出。expression的完整語法是這樣的:
Objective-C
expression <cmd-options> -- <expr>
1
expression <cmd-options> -- <expr>
說expression是LLDB里面最重要的命令都不為過。因?yàn)樗軐?shí)現(xiàn)2個(gè)功能。
執(zhí)行某個(gè)表達(dá)式。 我們?cè)诖a運(yùn)行過程中,可以通過執(zhí)行某個(gè)表達(dá)式來動(dòng)態(tài)改變程序運(yùn)行的軌跡。 假如我們?cè)谶\(yùn)行過程中,突然想把self.view顏色改成紅色,看看效果。我們不必寫下代碼,重新run,只需暫停程序,用expression改變顏色,再刷新一下界面,就能看到效果
Objective-C
// 改變顏色
(lldb) expression -- self.view.backgroundColor = [UIColor redColor]
// 刷新界面
(lldb) expression -- (void)[CATransaction flush]
將返回值輸出。 也就是說我們可以通過expression來打印東西。 假如我們想打印self.view:
Objective-C
(lldb) expression -- self.view
(UIView *) $1 = 0x00007fe322c18a10
(lldb) expression -- self.view
(UIView *) $1 = 0x00007fe322c18a10
expression 可以支持多行輸入,輸入expression后回車,會(huì)顯示行號(hào),每行輸入后換行,雙擊回車代表完成輸入,過掉斷言即刻看到表達(dá)式的效果。
BreakPoint
breakpoint command add給斷點(diǎn)添加命令
e.g: 假設(shè)我們需要在ViewController的viewDidLoad中查看self.view的值
我們首先給-[ViewController viewDidLoad]添加一個(gè)斷點(diǎn)
(lldb) breakpoint set -n "-[ViewController viewDidLoad]"
'breakpoint 3': where = TLLDB`-[ViewController viewDidLoad] + 20 at ViewController.m:23, address = 0x00000001055e6004
可以看到添加成功之后,這個(gè)breakpoint的id為3,然后我們給他增加一個(gè)命令:po self.view
(lldb) breakpoint command add -o "po self.view" 3
-o完整寫法是--one-liner,表示增加一條命令。3表示對(duì)id為3的breakpoint增加命令。
添加完命令之后,每次程序執(zhí)行到這個(gè)斷點(diǎn)就可以自動(dòng)打印出self.view的值了
如果我們一下子想增加多條命令,比如我想在viewDidLoad中打印當(dāng)前frame的所有變量,但是我們不想讓他中斷,也就是在打印完成之后,需要繼續(xù)執(zhí)行。我們可以這樣玩:
(lldb) breakpoint command add 3
Enter your debugger command(s). Type 'DONE' to end.
frame variable
continue
DONE
輸入breakpoint command add 3對(duì)斷點(diǎn)3增加命令。他會(huì)讓你輸入增加哪些命令,輸入'DONE'表示結(jié)束。這時(shí)候你就可以輸入多條命令了
多次對(duì)同一個(gè)斷點(diǎn)添加命令,后面命令會(huì)將前面命令覆蓋
breakpoints添加通過條件
breakpoint
調(diào)試過程中,我們用得最多的可能就是斷點(diǎn)了。LLDB中的斷點(diǎn)命令也非常強(qiáng)大
breakpoint set
breakpoint set命令用于設(shè)置斷點(diǎn),LLDB提供了很多種設(shè)置斷點(diǎn)的方式:
使用-n根據(jù)方法名設(shè)置斷點(diǎn):
e.g: 我們想給所有類中的viewWillAppear:設(shè)置一個(gè)斷點(diǎn):
(lldb) breakpoint set -n viewWillAppear:
Breakpoint 13: 33 locations.
使用-f指定文件
e.g: 我們只需要給ViewController.m文件中的viewDidLoad設(shè)置斷點(diǎn):
(lldb) breakpoint set -f ViewController.m -n viewDidLoad
Breakpoint 22: where = TLLDB`-[ViewController viewDidLoad] + 20 at ViewController.m:22, address = 0x000000010272a6f4
這里需要注意,如果方法未寫在文件中(比如寫在category文件中,或者父類文件中),指定文件之后,將無法給這個(gè)方法設(shè)置斷點(diǎn)。
使用-l指定文件某一行設(shè)置斷點(diǎn)
e.g: 我們想給ViewController.m第38行設(shè)置斷點(diǎn)
(lldb) breakpoint set -f ViewController.m -l 38
Breakpoint 23: where = TLLDB`-[ViewController text:] + 37 at ViewController.m:38, address = 0x000000010272a7d5
使用-c設(shè)置條件斷點(diǎn)
e.g: text:方法接受一個(gè)ret的參數(shù),我們想讓ret == YES的時(shí)候程序中斷:
(lldb) breakpoint set -n text: -c ret == YES
Breakpoint 7: where = TLLDB`-[ViewController text:] + 30 at ViewController.m:37, address = 0x0000000105ef37ce
使用-o設(shè)置單次斷點(diǎn)
e.g: 如果剛剛那個(gè)斷點(diǎn)我們只想讓他中斷一次:
(lldb) breakpoint set -n text: -o
'breakpoint 3': where = TLLDB`-[ViewController text:] + 30 at ViewController.m:37, address = 0x000000010b6f97ce
breakpoint command
有的時(shí)候我們可能需要給斷點(diǎn)添加一些命令,比如每次走到這個(gè)斷點(diǎn)的時(shí)候,我們都需要打印self對(duì)象。我們只需要給斷點(diǎn)添加一個(gè)po self命令,就不用每次執(zhí)行斷點(diǎn)再自己輸入po self了
breakpoint command add
breakpoint command add命令就是給斷點(diǎn)添加命令的命令。
e.g: 假設(shè)我們需要在ViewController的viewDidLoad中查看self.view的值
我們首先給-[ViewController viewDidLoad]添加一個(gè)斷點(diǎn)
(lldb) breakpoint set -n "-[ViewController viewDidLoad]"
'breakpoint 3': where = TLLDB`-[ViewController viewDidLoad] + 20 at ViewController.m:23, address = 0x00000001055e6004
可以看到添加成功之后,這個(gè)breakpoint的id為3,然后我們給他增加一個(gè)命令:po self.view
(lldb) breakpoint command add -o "po self.view" 3
-o完整寫法是--one-liner,表示增加一條命令。3表示對(duì)id為3的breakpoint增加命令。
添加完命令之后,每次程序執(zhí)行到這個(gè)斷點(diǎn)就可以自動(dòng)打印出self.view的值了
如果我們一下子想增加多條命令,比如我想在viewDidLoad中打印當(dāng)前frame的所有變量,但是我們不想讓他中斷,也就是在打印完成之后,需要繼續(xù)執(zhí)行。我們可以這樣玩:
(lldb) breakpoint command add 3
Enter your debugger command(s). Type 'DONE' to end.
frame variable
continue
DONE
輸入breakpoint command add 3對(duì)斷點(diǎn)3增加命令。他會(huì)讓你輸入增加哪些命令,輸入'DONE'表示結(jié)束。這時(shí)候你就可以輸入多條命令了
多次對(duì)同一個(gè)斷點(diǎn)添加命令,后面命令會(huì)將前面命令覆蓋
breakpoint command list
如果想查看某個(gè)斷點(diǎn)已有的命令,可以使用breakpoint command list。
e.g: 我們查看一下剛剛的斷點(diǎn)3已有的命令
(lldb) breakpoint command list 3
'breakpoint 3':
Breakpoint commands:
frame variable
continue
可以看到一共有2條命令,分別為frame variable和continue
breakpoint command delete
有增加就有刪除,breakpoint command delete可以讓我們刪除某個(gè)斷點(diǎn)的命令
e.g: 我們將斷點(diǎn)3中的命令刪除:
(lldb) breakpoint command delete 3
(lldb) breakpoint command list 3
Breakpoint 3 does not have an associated command.
可以看到刪除之后,斷點(diǎn)3就沒有命令了
breakpoint list
如果我們想查看已經(jīng)設(shè)置了哪些斷點(diǎn),可以使用breakpoint list
e.g:
(lldb) breakpoint list
Current breakpoints:
4: name = '-[ViewController viewDidLoad]', locations = 1, resolved = 1, hit count = 0
4.1: where = TLLDB`-[ViewController viewDidLoad] + 20 at ViewController.m:23, address = 0x00000001055e6004, resolved, hit count = 0
我們可以看到當(dāng)前只有一個(gè)斷點(diǎn),打在-[ViewController viewDidLoad]上,id是4
breakpoint disable/enable
有的時(shí)候我們可能暫時(shí)不想要某個(gè)斷點(diǎn),可以使用breakpoint disable讓某個(gè)斷點(diǎn)暫時(shí)失效
e.g: 我們來讓剛剛的斷點(diǎn)4失效
(lldb) breakpoint disable 4
1 breakpoints disabled.
輸入完命令之后,顯示斷點(diǎn)已經(jīng)失效
當(dāng)我們又需要這個(gè)斷點(diǎn)的時(shí)候,可以使用breakpoint enable再次讓他生效
e.g: 重新啟用斷點(diǎn)4
(lldb) breakpoint enable 4
1 breakpoints enabled.
breakpoint delete
如果我們覺得這個(gè)斷點(diǎn)以后再也用不上了,可以用breakpoint delete直接刪除斷點(diǎn).
e.g: 刪除斷點(diǎn)4
(lldb) breakpoint delete 4
1 breakpoints deleted; 0 breakpoint locations disabled.
如果我們想刪除所有斷點(diǎn),只需要不指定breakpoint delete參數(shù)即可
(lldb) breakpoint delete
About to delete all breakpoints, do you want to do that?: [Y/n] y
All breakpoints removed. (1 breakpoint)
刪除的時(shí)候他會(huì)提示你,是不是真的想刪除所有斷點(diǎn),需要你再次輸入Y確認(rèn)。如果想直接刪除,不需要他的提示,使用-f命令選項(xiàng)即可
(lldb) breakpoint delete -f
All breakpoints removed. (1 breakpoint)
實(shí)際平時(shí)我們真正使用breakpoint命令反而比較少,因?yàn)閄code已經(jīng)內(nèi)置了斷點(diǎn)工具。我們可以直接在代碼上打斷點(diǎn),可以在斷點(diǎn)工具欄里面查看編輯斷點(diǎn),這比使用LLDB命令方便很多。不過了解LLDB相關(guān)命令可以讓我們對(duì)斷點(diǎn)理解更深刻。
如果你想了解怎么使用Xcode設(shè)置斷點(diǎn),可以閱讀這篇文章《Xcode中斷點(diǎn)的威力》
非重寫方法的符號(hào)斷點(diǎn)
非重寫方法的符號(hào)斷點(diǎn)
假設(shè)你想知道 -[MyViewController viewDidAppear:] 什么時(shí)候被調(diào)用。如果這個(gè)方法并沒有在MyViewController 中實(shí)現(xiàn),而是在其父類中實(shí)現(xiàn)的,該怎么辦呢?試著設(shè)置一個(gè)斷點(diǎn),會(huì)出現(xiàn)以下結(jié)果:
(lldb) b -[MyViewController viewDidAppear:]
Breakpoint 1: no locations (pending).
WARNING: Unable to resolve breakpoint to any actual locations.
因?yàn)?LLDB 會(huì)查找一個(gè)符號(hào),但是實(shí)際在這個(gè)類上卻找不到,所以斷點(diǎn)也永遠(yuǎn)不會(huì)觸發(fā)。你需要做的是為斷點(diǎn)設(shè)置一個(gè)條件 [self isKindOfClass:[MyViewController class]],然后把斷點(diǎn)放在 UIViewController 上。正常情況下這樣設(shè)置一個(gè)條件可以正常工作。但是這里不會(huì),因?yàn)槲覀儧]有父類的實(shí)現(xiàn)。
viewDidAppear: 是蘋果實(shí)現(xiàn)的方法,因此沒有它的符號(hào);在方法內(nèi)沒有 self 。如果想在符號(hào)斷點(diǎn)上使用 self,你必須知道它在哪里 (它可能在寄存器上,也可能在棧上;在 x86 上,你可以在 $esp+4 找到它)。但是這是很痛苦的,因?yàn)楝F(xiàn)在你必須至少知道四種體系結(jié)構(gòu) (x86,x86-64,armv7,armv64)。想象你需要花多少時(shí)間去學(xué)習(xí)命令集以及它們每一個(gè)的調(diào)用約定,然后正確的寫一個(gè)在你的超類上設(shè)置斷點(diǎn)并且條件正確的命令。幸運(yùn)的是,這個(gè)在 facebook的Chisel 被解決了。這被成為 bmessage:
(lldb) bmessage -[MyViewController viewDidAppear:]
Setting a breakpoint at -[UIViewController viewDidAppear:] with condition (void*)object_getClass((id)$rdi) == 0x000000010e2f4d28
Breakpoint 1: where = UIKit`-[UIViewController viewDidAppear:], address = 0x000000010e11533c
LLDB 和 Python
command和expr的組合
建立一個(gè)breakPoint.
使用expr表達(dá)式
用command添加到br上面。
br com add 1
>expr ...
>continue
>DONE
Thread
thread until (line number)
thread select (thread number)
thread return (value)
frame variable 查看線程相關(guān)變量
bt (thread backtrace) backtrace
Watchpoint
Watchpoint
watchpoint set v (變量名)
跟蹤變量的值的變化,如果變量地址變成0x0000000000000000就說明變量被釋放,指向了nil
Chisel
border 標(biāo)記view
mask 標(biāo)記view
pca layer tree
presponder responder chain
pclass class hierachy
vs vs view, change the view hierachy
caflush refresh screen
visualize previews views
pviews Print the recursive view description for the key window.
pvc Print the recursive view controller description for the key window.
fv Find a view in the hierarchy whose class name matches the provided regex.
fvc Find a view controller in the hierarchy whose class name matches the provided regex.
bmessage Set a symbolic breakpoint on the method of a class or the method of an instance without worrying which class in the hierarchy actually implements the method.
wivar Set a watchpoint on an instance variable of an object.
Xcode Debugging Hotkeys
Here is a listing of Xcode hotkeys (related to debugging) we mentioned in this course. Let us know if we missed any!
Show Navigator (?+0)
Show Debug Navigator (?+6)
Show Breakpoint Navigator (?+7)
Show Debug Area (?+Shift+Y)
Open Documentation (?+Shift+0)
Step Over (F6)
Step Into (F7)
Step Out (F8)
Continue (?+Ctrl+Y)
Build (?+B)
Run (?+R)
Activate/Deactivate Breakpoint (?+Y)
Quick Search (?+Shift+O)
Icon Injection Plugin for Xcode
Icon Injection Plugin for Xcode
[圖片上傳失敗...(image-a4381f-1523691381635)]
一個(gè)Xcode的插件,讓你在改完代碼后無需重新運(yùn)行Xcode就可以看到效果。
將需要調(diào)試的代碼寫到injected這個(gè)方法中,然后在和這個(gè)方法中設(shè)置一個(gè)斷言,使用Ctr + =,即會(huì)停在這個(gè)斷言里,每次修改,使用一下Ctr + =就會(huì)重新注入,釋放斷言就可以看到效果。
- (void)injected
{
NSLog(@"I've been injected: %@", self);
}
The plugin can be removed either via Alcatraz, or by running:
rm -rf ~/Library/Application\ Support/Developer/Shared/Xcode/Plug-ins/InjectionPlugin.xcplugin
注意
- (void)injected as an instance method, which gives you the chance to re-update an object with new contexts.
+ (void)injected as a class method, making it possible to update globals with new information
Listening for INJECTION_BUNDLE_NOTIFICATION, allowing other classes to listen out for injection calls, this is useful for providing app level changes.
原理
它通過解析應(yīng)用程序的生成日志來確定源文件是如何最后編譯的。用這個(gè)包將重新編譯成一個(gè)bundle,該bundle使用動(dòng)態(tài)加載程序注入應(yīng)用程序。現(xiàn)在在bundle中就有兩個(gè)版本,原版本和新的修改版本。修改后的版本是“調(diào)和”在原版本發(fā)生變化。
LLDB cheatsheet
A cheatsheet for commands and ideas on how to use LLDB.
Getting help
(lldb) help
List all commands and aliases.
(lldb) help po
Get help documentation for po (expression) command.
(lldb) help break set
Get help documentation for breakpoint set.
(lldb) apropos step-in
Search through help documentation containing step-in.
Finding code
(lldb) image lookup -rn UIAlertController
Look up all code containing UIAlertController that's compiled or loaded into an executable.
(lldb) image lookup -rn (?i)hosturl
Case insensitive search for any code that contains "hosturl".
(lldb) image lookup -rn 'UIViewController\ set\w+:\]'
Look up all setter property methods UIViewController implements or overrides.
(lldb) image lookup -rn . Security
Look up all code located within the Security module.
(lldb) image lookup -a 0x10518a720
Look up code based upon address 0x10518a720.
(lldb) image lookup -s mmap
Look up code for the symbol named mmap.
Breakpoints
(lldb) b viewDidLoad
Creates a breakpoint on all methods named viewDidLoad for both Swift and Objective-C.
(lldb) b setAlpha:
Creates a breakpoint on either the setAlpha: Objective-C method or the setter of the Objective-C alpha property.
(lldb) b -[CustomViewControllerSubclass viewDidLoad]
Creates a breakpoint on the Objective-C method [CustomViewControllerSubclass viewDidLoad].
(lldb) rbreak CustomViewControllerSubclass.viewDidLoad
Creates a regex breakpoint to match either an Objective-C or Swift class CustomViewControllerSubclass which contains viewDidLoad. Could be Objective-C - [CustomViewControllerSubclass viewDidLoad] or could be Swift ModuleName.CustomViewControllerSubclass.viewDidLoad () -> ().
(lldb) breakpoint delete
Deletes all breakpoints.
(lldb) breakpoint delete 2
Deletes breakpoint ID 2.
(lldb) breakpoint list
List all breakpoints and their IDs.
(lldb) rbreak viewDid
Creates a regex breakpoint on .viewDid..
(lldb) rbreak viewDid -s SwiftRadio
Creates a breakpoint on .viewDid., but restricts the breakpoint(s) to the SwiftRadio module.
(lldb) rbreak viewDid(Appear|Disappear) -s SwiftHN
Creates a breakpoint on viewDidAppear or viewDidDisappear inside the SwiftHN module.
(lldb) rb "\-\[UIViewController\ set" -s UIKit
Creates a breakpoint on any Objective-C style breakpoints containing - [UIViewController set within the UIKit module.
(lldb) rb . -s SwiftHN -o
Create a breakpoint on every function in the SwiftHN module, but remove all breakpoints once the breakpoint is hit.
(lldb) rb . -f ViewController.m
Create a breakpoint on every function found in ViewController.m.
Expressions
(lldb) po "hello, debugger"
Prints "hello, debugger" regardless of the debugging context.
(lldb) expression -lobjc -O -- [UIApplication sharedApplication]
Print the shared UIApplication instance in an Objective-C context.
(lldb) expression -lswift -O -- UIApplication.shared
Print the shared UIApplication instance in a Swift context.
Creates a breakpoint on getenv, executes the getenv function, and stops at the beginning of the getenv function.
(lldb) b getenv
(lldb) expression -i0 -- getenv("HOME")
raywenderlich.com 361
Advanced Apple Debugging & Reverse Engineering Appendix A: LLDB Cheatsheet (lldb) expression -u0 -O -- [UIApplication test]
Don't let LLDB unwind the stack if you’re executing a method that will cause the program to crash.
Declares a global NSString* called globalString. (lldb) expression -g -O -lobjc -- [NSObject new]
Debug the debugger that's parsing the [NSObject new] Objective-C expression.
Stepping
(lldb) thread return false
Return early from code with false.
Step in.
Step over.
Step out of a function.
Step in if about to execute a function. Step an assembly instruction otherwise.
GDB formatting
(lldb) p/x 128
Print value in hexadecimal.
(lldb) expression -p -- NSString *globalString = [NSString
stringWithUTF8String: "Hello, Debugger"];
(lldb) po globalString
Hello, Debugger
(lldb) thread step-in
(lldb) s
(lldb) thread step-over
(lldb) n
(lldb) thread step-out
(lldb) finish
(lldb) thread step-inst
(lldb) ni
raywenderlich.com 362
Advanced Apple Debugging & Reverse Engineering
Appendix A: LLDB Cheatsheet
(lldb) p/d 128
Print value in decimal.
(lldb) p/t 128
Print value in binary.
(lldb) p/a 128
Print value as address.
(lldb) x/gx 0x000000010fff6c40
Get the value pointed at by 0x000000010fff6c40 and display in 8 bytes. (lldb) x/wx 0x000000010fff6c40
Get the value pointed at by 0x000000010fff6c40 and display in 4 bytes.
Memory
(lldb) memory read 0x000000010fff6c40
Read memory at address 0x000000010fff6c40.
Grab an instance of a remote file and write it to /tmp/file on your computer.
Registers & assembly
(lldb) register read -a
Display all registers on the system.
(lldb) register read rdi rsi
Read the RSI and the RDI register in x64 assembly. (lldb) register write rsi 0x0
Set the RSI register to 0x0 in x64 assembly. (lldb) register write rflags $rflags ^ 64
(lldb) po id $d = [NSData dataWithContentsOfFile:@"..."]
(lldb) mem read (uintptr_t)[$d bytes] (uintptr_t)[$d bytes] + (uintptr_t)[$d length] -r -b -o /tmp/file
raywenderlich.com 363
Advanced Apple Debugging & Reverse Engineering Appendix A: LLDB Cheatsheet
Toggle the zero flag in x64 assembly (augment if condition logic).
(lldb) register write rflags $rflags | 64
Set the zero flag (set to 1) in x64 assembly (augment if condition logic).
(lldb) register write rflags $rflags & ~64
Clear the zero flag (set to 0) in x64 assembly (augment if condition logic).
(lldb) register write pc $pc+4
Increments the program counter by 4.
(lldb) disassemble
Display assembly for function in which you’re currently stopped.
(lldb) disassemble -p
Disassemble around current location; useful if in the middle of a function.
(lldb) disassemble -b
Disassemble function while showing opcodes; useful for learning what is responsible for what.
(lldb) disassemble -n '-[UIViewController setTitle:]'
Disassemble the Objective-C -[UIViewController setTitle:] method. (lldb) disassemble -a 0x000000010b8d972d
Disassemble the function that contains the address 0x000000010b8d972d.
Modules
(lldb) image list
List all modules loaded into the executable's process space.
(lldb) image list -b
Get the names of all the modules loaded into the executable's process space.
(lldb) process load /Path/To/Module.framework/Module
Load the module located at path into the executable's process space.
我的debug速查表(入門級(jí))My debug cheatsheet
我的debug速查表(入門級(jí))My debug cheatsheet
debug cheetsheet
common
查找進(jìn)程:
ps aux | grep /App
ps -e | grep /Applications
查找文件:
grep -r ToBeFind /System/Library/
分離fat binary
lipo -thin armv7 WeChat.decrypted -output WeChat_armv7.decrypted
lipo -thin armv64 xxx.decrypted -output xxx_arm64.decrypted
class dump
class-dump --list-arches AlipayWallet.decrypted
class-dump -S -s -H WeChat_armv7.decrypted -o dumparmv7
class-dump -s -S -H --arch armv7 AlipayWallet.decrypted -o dumpAlipay
lldb
參考
- https://github.com/iosre/iOSAppReverseEngineering43
- http://objccn.io/issue-19-2/27
幫助
help frame
打印UI結(jié)構(gòu)
po [[[UIWindow keyWindow] rootViewController] _printHierarchy] (iOS 8)
po [[UIWindow keyWindow] recursiveDescription]
棧信息
bt (backtrace)
bt all (all threads)
objc_msgSend 參數(shù)打印
po $r0
p (char*)$r1
p (SEL)$r1
返回地址
p/x $lr
斷點(diǎn)
br s -a 0x0023234f
breakpoint set -F "-[NSArray objectAtIndex:]"
br s -a 0x02107730+0x000ab000 -c '(BOOL)[(NSString *)$r2 isEqualToString:@"snakeninny"]'
b ptrace
列舉模塊
image -o -f
lldb基礎(chǔ)命令
c
n
s
frame info
expr
thread return
breakpoint command add 1
遠(yuǎn)程調(diào)試
debugserver *:1234 -a AlipayWallet
debugserver -x backboard *:1234 /var/mobile/Containers/Bundle/Application/9DB7CE45-3B4C-42A3-9D4D-49A3A5122903/AlipayWallet.app/AlipayWallet
lldb連接遠(yuǎn)程調(diào)試
(lldb) process connect connect://192.168.199.164:1234
lldb expr例子
(lldb) expr char *$str = (char *)malloc(8)
(lldb) expr (void)strcpy($str, "munkeys")
(lldb) expr $str[1] = 'o'
(char) $0 = 'o'
(lldb) p $str
(char *) $str = 0x00007fd04a900040 "monkeys"
(lldb) x/4c $str
(lldb) x/1w `$str + 3`
(lldb) expr (void)free($str)
(lldb) expr id $myView = (id)0x7f82b1d01fd0
(lldb) expr (void)[$myView setBackgroundColor:[UIColor blueColor]]
(lldb) expr (void)[CATransaction flush]
(lldb) po [$myButton allTargets]
(lldb) p (ptrdiff_t)ivar_getOffset((struct Ivar *)class_getInstanceVariable([MyView class], "_layer"))
觀察點(diǎn)
(lldb) watchpoint set expression -- (int *)$myView + 8
arm64
param1 $x0
param2 $x1
po $x0
p (char*)$x1
cycript
參考: http://www.cycript.org/manual/17
開始
cycript -p BinaryName
打印UI結(jié)構(gòu)
[[UIWindow keyWindow] recursiveDescription].toString()
[[[UIWindow keyWindow] rootViewController] _printHierarchy].toString()
打印沙盒Documents路徑
[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask]
基本使用
cy# [#0xb226710 url]
@"ww4fd1rfRDShBo_4K6rqfwAAACMAAQED"
cy# c = #0x1752d8c0
cy#"<FavAudioPlayerController: 0x1752d8c0; frame = (0 0; 290 60); autoresize = W; layer = <CALayer: 0x172dc2b0>>"
cy# c->m_audioInfo
cy#"<FavAudioInfo: 0x172b2a30>"
cy# c->m_audioInfo.m_nsAudioPath
linker
-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null
into Other link flag
Anti
iHex replace RESTRICT , restrict
ldid -S AppName
AppSync
Info.plist
輸出bundle id
/var/mobile/Containers/Bundle/Application/9DB7CE45-3B4C-42A3-9D4D-49A3A5122903/AlipayWallet.app root# cat Info.plist | grep com.
<string>com.alipay.iphoneclient</string>
dumpdecrypted
https://github.com/stefanesser/dumpdecrypted
例子
scp -P 2222 Security/dumpdecrypted-master/dumpdecrypted.dylib root@localhost:/var/mobile/Containers/Data/Application/BA2644DB-450F-4DB0-A71F-A38F65488A48/Documents/
scp ~/sec/dumpdecrypted-master/dumpdecrypted.dylib root@192.168.199.164:/var/mobile/Containers/Data/Application/72AB36DD-2E9B-47C0-9695-099235E40C3C/Documents/
dumpdecrypted.dylib
everettjfs-iPhone:/var/mobile/Containers/Data/Application/72AB36DD-2E9B-47C0-9695-099235E40C3C/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/2DAD493D-6275-4CED-8242-BDEF27F36740/AlipayWallet.app/AlipayWallet
theos
https://github.com/theos/theos3
開始
everettjf@e WeChatVoiceSaver (master)]$ ~/sec/theos/bin/nic.pl
chisel
參考:https://github.com/facebook/chisel
usbmuxd
https://cgit.sukimashita.com/usbmuxd.git/snapshot/usbmuxd-1.0.8.tar.gz2
https://cgit.sukimashita.com/usbmuxd.git/3
First:
cd python-client
python tcprelay.py -t 22:2222
Then:
ssh root@localhost -p 2222
參考
Advanced Apple Debugging & Reverse Engineering
