LLDB Dynamic Debugging

Author: lmfei | Published 2020-04-12 16:20
    Entering breakpoint mode

    Common commands

    • List the current breakpoints
    breakpoint list / break l
    
    (Screenshot: current breakpoints)
    • Set a breakpoint by method name
    breakpoint set --name getNum
    
    • Set a breakpoint by selector
    breakpoint set --selector touchesBegan:withEvent:
    
    • Set a breakpoint from an incomplete selector (regular-expression match on the function name)
    breakpoint set --func-regex getNu
    
    • Delete a breakpoint
    breakpoint delete 8
    
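    • Continue execution after hitting a breakpoint
      • continue (c) - resume execution past this breakpoint
      • step (s) - execute one step, stepping into nested function calls
      • next (n) - execute one step, stepping over nested function calls
    • Disable & enable a breakpoint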
    breakpoint disable 2  /  breakpoint dis 2
    breakpoint enable 2
    
    • Evaluate code: expression / p
    (lldb) p num
    (NSInteger) $0 = 3
    
    • po is shorthand for expression -O (--object-description, which calls NSObject's description method)
    (lldb) po num
    3
    
    • Show the function call stack
    (lldb) bt
    * thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
      * frame #0: 0x000000010f426710 LLDB调试`-[ViewController getNum](self=0x00007fd805d107d0, _cmd="getNum") at ViewController.m:29:13
        frame #1: 0x000000010f4266bb LLDB调试`-[ViewController touchesBegan:withEvent:](self=0x00007fd805d107d0, _cmd="touchesBegan:withEvent:", touches=1 element, event=0x0000600000d85320) at ViewController.m:24:21
    
    • Move to the previous/next method (stack frame): up / down
    (lldb) up
    frame #1: 0x000000010f4266bb LLDB调试`-[ViewController touchesBegan:withEvent:](self=0x00007fd805d107d0, _cmd="touchesBegan:withEvent:", touches=1 element, event=0x0000600000d85320) at ViewController.m:24:21
       21   
       22   - (void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event {
       23       NSLog(@"我来了");
    -> 24       NSInteger num = [self getNum];
                                ^
       25       NSLog(@"%ld", num);
       26   }
       27   
    (lldb) down
    frame #0: 0x000000010f426710 LLDB调试`-[ViewController getNum](self=0x00007fd805d107d0, _cmd="getNum") at ViewController.m:29:13
       26   }
       27   
       28   - (NSInteger)getNum {
    -> 29       return  arc4random()%10+1;
                        ^
       30   }
       31   
       32   @end
    
    • Jump to a method (stack frame) by its frame number
    frame select 5
    
    • Show the method's arguments
    frame variable
    
    • List the currently loaded libraries: image list
    (lldb) image list
    [  0] B9970493-7622-3728-A35A-BADBEAA5978D 0x0000000106935000 /Users/liumingfei/Library/Developer/Xcode/DerivedData/LLDB调试-dtexkkvfffircsgsiivncltrmcgy/Build/Products/Debug-iphonesimulator/LLDB调试.app/LLDB调试 
    [  1] CE635DB2-D47E-3C05-A0A3-6BD982E7E750 0x0000000110338000 /usr/lib/dyld 
    [  2] 528E1F55-F655-3533-99B9-7EAE1DAE5D07 0x000000010693f000 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/usr/lib/dyld_sim 
    [  3] 30153EA5-45E2-334A-99DF-6E79D88AB4D0 0x0000000106c2b000 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/Frameworks/Foundation.framework/Foundation 
    [  4] 83003EB9-EC0F-3743-871E-ED786CDAAFC7 0x0000000107207000 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/usr/lib/libobjc.A.dylib 
    [  5] 5D4D8F98-6E5B-31E1-94EA-3839C26E223F 0x0000000107b3d000 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/usr/lib/libSystem.B.dylib 
    
    • Look up a class's information: image lookup -t <class name>
    (lldb) image lookup -t LObject
    1 match found in /Users/liumingfei/Library/Developer/Xcode/DerivedData/LLDB调试-dtexkkvfffircsgsiivncltrmcgy/Build/Products/Debug-iphonesimulator/LLDB调试.app/LLDB调试:
    id = {0x40000002b}, name = "LObject", byte-size = 24, decl = LObject.h:13, compiler_type = "@interface LObject : NSObject{
        NSString * _flag;
        NSInteger _tag;
    }
    @property ( getter = flag,setter = setFlag:,readwrite,copy,nonatomic ) NSString * flag;
    @property ( getter = tag,setter = setTag:,assign,readwrite,nonatomic ) NSInteger tag;
    @end"
    
    • Commands commonly used in reverse engineering
    @interface LObject : NSObject
    
    @property (nonatomic, copy) NSString *flag;
    @property (nonatomic, assign) NSInteger tag;
    - (void)lDescribtion;
    
    @end
    
    @interface ViewController ()
    @property (nonatomic, retain) LObject *to;
    @end
    
    @implementation ViewController
    
    - (void)viewDidLoad {
        [super viewDidLoad];
        // Do any additional setup after loading the view.
        self.to = [[LObject alloc] init];
        self.to.tag = 22;
        self.to.flag = @"normal";
        NSLog(@"我来了");
    }
    
    - (void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event {
        self.to.flag = @"special";
    }
    
    @end
    

    1. Add a memory breakpoint (watchpoint)
    Set a breakpoint on the NSLog line, then run this command in the console: watchpoint set variable self->_to->_flag

    (lldb) watchpoint set variable self->_to->_flag
    Watchpoint created: Watchpoint 1: addr = 0x6000018e7448 size = 8 state = enabled type = w
        watchpoint spec = 'self->_to->_flag'
        new value: 0x00000001016cc078
    2020-03-26 10:17:21.657879+0800 LLDB调试[80028:2548356] 我来了
    
    Watchpoint 1 hit:
    old value: 0x00000001016cc078
    new value: 0x00000001016cc0b8
    (lldb) po 0x00000001016cc078
    normal
    
    (lldb) po 0x00000001016cc0b8
    special
    
    2. Add a watchpoint by memory address
      Again set a breakpoint on the NSLog line, get the memory address of flag, then set the watchpoint with watchpoint set expression
    (lldb) p &self->_to->_flag
    (NSString **) $0 = 0x0000600003da8328
    (lldb) watchpoint set expression 0x0000600003da8328
    Watchpoint created: Watchpoint 1: addr = 0x600003da8328 size = 8 state = enabled type = w
        new value: 4495532152
    2020-03-26 10:31:12.151198+0800 LLDB调试[80318:2565697] 我来了
    
    Watchpoint 1 hit:
    old value: 4495532152
    new value: 4495532216
    (lldb) po 4495532152
    normal
    
    (lldb) po 4495532216
    special
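
The two watchpoint procedures above, combined into one command sequence as an added example (not from the original post). It assumes the process is stopped at the NSLog breakpoint in viewDidLoad of the sample app shown above, and that the new watchpoint is assigned ID 1.

```lldb
# Constructed command sequence; assumes the process is stopped at the NSLog
# breakpoint in -[ViewController viewDidLoad], so self->_to is already assigned.

# Watch the ivar through an address expression instead of pasting a literal:
# heap addresses differ on every launch (0x6000018e7448 vs 0x600003da8328 above).
# -w write stops on writes only; -s 8 covers the 8-byte pointer slot.
watchpoint set expression -w write -s 8 -- &self->_to->_flag

# Each time the watchpoint fires, print the call chain that performed the write.
# Assumes the watchpoint above got ID 1; confirm with `watchpoint list`.
watchpoint command add -o "bt 5" 1

# Resume. Tapping the screen runs touchesBegan:withEvent:, which assigns flag.
continue

# Hardware watchpoints are a limited resource, and a stale one fires on whatever
# later reuses that address, so list and remove them when finished.
watchpoint list
watchpoint delete 1
```

The old and new values reported on a hit are object pointers, so po on either value prints the string, as in the transcripts above.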
    

    Life is so wonderful; that's all for today...
