LLDB、cycript

作者: 喵喵粉 | 来源:发表于2019-08-04 18:42 被阅读0次

LLDB、cycript
LLDB高级调试+Cycript
Class - dump
越狱调试Reveal、debugserver、Class-dum
八 LLDB高级用法&Cycript
逆向
ios逆向- 01逆向原理&Class-dump安装及获
10.LLDB高级调试+Cycript
七 iOS逆向 - Cycript
逆向使用lldb调试命令(cycript)

1. LLDB设置断点

给方法设置断点命令

//单个断点
(lldb) breakpoint set -n demoMethod1

//断点设置在一个组内
(lldb) breakpoint set -n "-[ViewController method5]" -n "-[ViewController method4]" -n "-[ViewController method3]"

//1 禁用/激活全部断点
(lldb) breakpoint disable 
(lldb) breakpoint enable

//2 禁用/激活该组内的断点
(lldb) breakpoint disable 2     
(lldb) breakpoint enable 2
 
//3 禁用/激活组内断点              简写
(lldb) breakpoint disable 2.2    break dis 2.2
(lldb) breakpoint enable 2.2     break en 2.2
注意：3设置的断点状态是独立的，不受1、2设置影响

//删除断点
(lldb) breakpoint delete //删除所有的断点
(lldb) breakpoint delete 2 //删除组2所有的断点
(lldb) breakpoint delete 2.2 2.3 2.4 //禁用2.2 2.3 2.4 断点

//给方法加断点
(lldb) breakpoint set -selector method3

//通过方法地址下断点
(lldb) b -a 0x12345

//在Person.m文件eat方法下断点
(lldb) breakpoint set --file Person.m --selector eat

//将包含zzdemo的方法循环设置断点
(lldb) breakpoint set -r zzdemo
Breakpoint 2: 5 locations.
(lldb) breakpoint list 
Current breakpoints:
2: regex = 'zzdemo', locations = 5, resolved = 5, hit count = 6
  2.1: where = demo1`-[ViewController zzdemo2] + 12 at ViewController.m:24:37, address = 0x00000001008764cc, resolved, hit count = 1 
  2.2: where = demo1`-[ViewController zzdemo5] + 36 at ViewController.m:28:17, address = 0x000000010087652c, resolved, hit count = 1 
  2.3: where = demo1`-[ViewController zzdemo1] + 12 at ViewController.m:23:37, address = 0x00000001008764b4, resolved, hit count = 2 
  2.4: where = demo1`-[ViewController zzdemo3] + 12 at ViewController.m:25:37, address = 0x00000001008764e4, resolved, hit count = 1 
  2.5: where = demo1`-[ViewController zzdemo4] + 12 at ViewController.m:26:37, address = 0x00000001008764fc, resolved, hit count = 1

简写命令

(lldb) break en 2.2
(lldb) break dis 2.2
(lldb) b -f Person.m -r eat
(lldb) b -f ViewController.m -r demo //.m文件包含demo的所有方法下断点
(lldb) b -n zzdemo1 -n zzdemo2  //设置1组多个方法
(lldb) b zzdemo1
(lldb) break li 
Current breakpoints:
3: regex = 'eat', locations = 1, resolved = 1, hit count = 0
  3.1: where = demo1`-[Person eat] + 20 at Person.m:14:5, address = 0x0000000100876780, resolved, hit count = 0 

5: regex = 'demo', locations = 5, resolved = 5, hit count = 0
  5.1: where = demo1`-[ViewController zzdemo2] + 12 at ViewController.m:24:37, address = 0x00000001008764cc, resolved, hit count = 0 
  5.2: where = demo1`-[ViewController zzdemo5] + 36 at ViewController.m:28:17, address = 0x000000010087652c, resolved, hit count = 0 
  5.3: where = demo1`-[ViewController zzdemo1] + 12 at ViewController.m:23:37, address = 0x00000001008764b4, resolved, hit count = 0 
  5.4: where = demo1`-[ViewController zzdemo3] + 12 at ViewController.m:25:37, address = 0x00000001008764e4, resolved, hit count = 0 
  5.5: where = demo1`-[ViewController zzdemo4] + 12 at ViewController.m:26:37, address = 0x00000001008764fc, resolved, hit count = 0

查看设置的断点

(lldb) breakpoint set -n "-[ViewController method5]" -n "-[ViewController method4]" -n "-[ViewController method3]"
Breakpoint 2: 3 locations.
(lldb) breakpoint list
Current breakpoints:
1: file = '/Users/zz/Projects/code/OCPj/demo1/demo1/ViewController.m', line = 42, exact_match = 0, locations = 1, resolved = 1, hit count = 1

  1.1: where = demo1`-[ViewController touchesBegan:withEvent:] + 72 at ViewController.m:43:6, address = 0x000000010477e658, resolved, hit count = 1 

2: names = {'-[ViewController method5]', '-[ViewController method4]', '-[ViewController method3]'}, locations = 3, resolved = 3, hit count = 0
  2.1: where = demo1`-[ViewController method5] + 20 at ViewController.m:39:5, address = 0x000000010477e5e8, resolved, hit count = 0 
  2.2: where = demo1`-[ViewController method4] + 20 at ViewController.m:35:5, address = 0x000000010477e5ac, resolved, hit count = 0 
  2.3: where = demo1`-[ViewController method3] + 20 at ViewController.m:31:5, address = 0x000000010477e570, resolved, hit count = 0

p执行代码

(lldb) p self.view.backgroundColor = [UIColor redColor];

在所有断点触发时执行命令

(lldb) target stop-hook add -o "frame variable"

Xcode debugview拿到view的名字，lldb命令fv找到该view的地址

(lldb) fv vname         ->得到0x12345
(lldb) methods 0x12345  ->该view包含的属性、方法列表，方法名后面带有方法的地址(0x45678)
(lldb) b -a 0x45678     ->通过方法地址下断点
点击按钮触发方法进入断点，通过bt命令查看函数调用栈
若没有恢复符号就用sbt命令

2. LLDB的插件

Chisel 、LLDB
存放路径

/usr/local/opt/chisel
/opt/LLDB/lldb_commands

配置 Chisel、LLDB

//LLDB默认加载.lldbinit文件
open ~/.lldbinit 

//配置 Chisel
command script import /usr/local/opt/chisel/libexec/fblldb.py
//配置 LLDB
command script import /opt/LLDB/lldb_commands/dslldb.py

常用的调试命令

cmd	用途
`pviews`	打印视图层级
`pvc`	vc层级关系
`fvc`	知道控制器的名称 fvc -n HomeVC
	知道控制器的地址 fvc -v 0x12345
`fv`	类似fvc
`presponder` 0x1234	查看对象的响应链
`taplog`	点击按钮后会打印响应者的info
`flicker` 0x1234	视图隐藏再显示，闪烁效果
`vs` 0x1234	视图背景呈现红色
`pactions` 0x1234	查看对象的action、target
`pmethods` 0x1234	查看类的方法
`pinternals` 0x1234	查看类的属性、成员变量
`methods` 0x1234	查看对象的属性和方法(带有地址)
`sbt`	恢复符号表，查看方法调用栈
`search` Person	查找Person类型的对象

3. cycript脚本

LLDB 会断住程序
cycript 附加到进程，动态调试，不用断住程序
运行monkey工程

存放路径

/opt/cycript

配置环境变量

open ~/.zshrc

//添加CY变量
export CY=/opt/cycript
export PATH=$CY/:$PATH

cycript 附加到进程
手机IP 192.168.2.103和mac同一网段
在iTerm2执行 cycript -r 192.168.2.103:6666
出现c#表示附加成功，ctrl+d退出

cmd	用途
UIApp	application
UIWindow.keywindow()	<UIWindow: 0x13f0ed300 对象
pviews ()	视图层级
choose (UIButton)	打印所有的UIButton类型的对象
..	..

附加进程命令写成脚本cy103.sh，放在/Users/zz/ZZShell目录

cy103.sh

配置环境变量

open ~/.zshrc

//添加ZZSHELL目录
export ZZSHELL=/Users/zz/ZZShell
export PATH=$ZZSHELL|$PATH

执行脚本完成附加进程

image.png

给Person类的某个响应方法下断点

通过viewdebug或者lldb找到方法名

下断点 b [Person eat] ，符号未恢复可能不成功

fv Person 查看Person类的地址0x1234

methods 0x1234 查看类的方法列表，找到eat方法的地址0x3456

b -a 0x3456 //eat下断点

点击触发eat事件，xcode进入断点

sbt 尝试恢复符号表且查看方法调用栈