
Debugging an app with debugserver

Author: Jackson_Z | Published 2020-09-10 15:54

    The phone must be a jailbroken iPhone; the tools used in this post can be downloaded from GitHub.

    1. Re-sign debugserver

    Copy /Developer/usr/bin/debugserver from the phone to the computer

    Port mapping: map the phone's port 22 to the computer's port 2222, and the phone's port 1234 to the computer's port 1234. tcprelay.py is inside python-client.zip.
    $ python tcprelay.py -t 22:2222 1234:1234
    -P (uppercase P) specifies the port; after pressing Enter, type the phone's SSH password (default alpine; it can be changed with the passwd command)
    $ scp -P 2222 root@127.0.0.1:/Developer/usr/bin/debugserver ~/Downloads
    

    Split out a single architecture from debugserver (optional)

    Check which architectures debugserver contains
    $ file debugserver
    Extract the arm64 slice
    $ lipo debugserver -thin arm64 -output debugserver
    

    Add the entitlements needed to debug apps that were not installed through Xcode

    Dump debugserver's original entitlements to ent.xml
    $ ldid -e debugserver > ent.xml
    

    Edit ent.xml: add keys such as platform-application and task_for_pid-allow, and delete the keys that are not needed. You can use either of the two edited XML files below.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.backboardd.debugapplications</key>
        <true/>
        <key>com.apple.backboardd.launchapplications</key>
        <true/>
        <key>com.apple.frontboard.debugapplications</key>
        <true/>
        <key>com.apple.frontboard.launchapplications</key>
        <true/>
        <key>com.apple.springboard.debugapplications</key>
        <true/>
        <key>com.apple.system-task-ports</key>
        <true/>
        <key>get-task-allow</key>
        <true/>
        <key>platform-application</key>
        <true/>
        <key>run-unsigned-code</key>
        <true/>
        <key>task_for_pid-allow</key>
        <true/>
    </dict>
    </plist>
    

    Or (I have not verified this one)

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
    </dict>
    </plist>
    

    Save it as ent.xml and sign the entitlements back into debugserver

    $ codesign -fs - --entitlements ent.xml debugserver
    
    Or (I kept running this one and it did not seem to have any effect)
    // Note: "Sent.xml" here is not a file name; -S is the flag and the ent.xml after it is the file
    $ ldid -Sent.xml debugserver
    
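    Before signing an edited ent.xml back in, it is worth checking that the plist still parses and actually grants the keys this step needs. The snippet below is an added example and not part of the original post: it uses the standard plistlib to parse an entitlements file, reports required keys that are missing, and rejects malformed XML such as a stray closing tag; the sample plist is constructed from the shorter file above, and REQUIRED_KEYS is an assumed minimal set.

```python
import plistlib

# Keys the post adds so debugserver can attach to apps not installed via
# Xcode (assumed minimal set; the post's first file grants more).
REQUIRED_KEYS = ("platform-application", "task_for_pid-allow", "get-task-allow")

# Constructed sample: the shorter entitlements file from the post.
SAMPLE_ENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
"""


def check_entitlements(xml_bytes, required=REQUIRED_KEYS):
    """Parse an entitlements plist and return (ok, missing).

    `missing` lists required keys that are absent or not set to <true/>.
    Raises ValueError when the bytes are not a well-formed plist, which is
    exactly what a duplicated </plist> produces.
    """
    try:
        ent = plistlib.loads(xml_bytes)
    except Exception as exc:  # ExpatError or plistlib.InvalidFileException
        raise ValueError(f"not a valid plist: {exc}") from exc
    if not isinstance(ent, dict):
        raise ValueError("entitlements root must be a dict")
    missing = [k for k in required if ent.get(k) is not True]
    return (not missing, missing)


def build_entitlements(keys=REQUIRED_KEYS):
    """Return an XML plist (bytes) granting every key in `keys`, ready to write to ent.xml."""
    return plistlib.dumps({k: True for k in keys})


if __name__ == "__main__":
    ok, missing = check_entitlements(SAMPLE_ENT_XML)
    print("ok:", ok, "missing:", missing)  # ok: False missing: ['platform-application']
```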

    Copy it to /usr/bin/ on the phone (the /Developer/usr/bin directory is read-only) and make it executable

    Copy to the phone's `/usr/bin/` directory
    $ scp -P 2222 debugserver root@127.0.0.1:/usr/bin/
    Set permissions
    $ chmod 777 /usr/bin/debugserver
    

    2. Debug the app

    SSH into the phone

    ssh root@localhost -p 2222
    or
    ssh root@127.0.0.1 -p 2222
    
    Start debugserver and listen for debugger commands on port 1234. The app you want to debug must already be open.
    -a: attach to the named app
    DingTalk: the process name of the app to debug (DingTalk is 钉钉, WeChat is 微信)
    iPhone:~ root# debugserver 127.0.0.1:1234 -a DingTalk
    or (this one had no effect for me)
    iPhone:~ root# debugserver *:1234 -a DingTalk
    
    iPhone:~ root# debugserver localhost:1234 -a DingTalk
    debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-900.3.98
     for arm64.
    Attaching to process DingTalk...
    error: failed to attach to process named: ""
    Exiting.
    
    If you see the output above, the app to debug is not open; open the app first
    
    iPhone:~ root# debugserver localhost:1234 -a DingTalk
    debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-900.3.98
     for arm64.
    Attaching to process DingTalk...
    Listening to port 1234 for a connection from localhost...
    This output means debugserver is listening and waiting for lldb to connect
    

    Once it is listening, open a new terminal window, start lldb, and run process connect connect://localhost:1234

    $ lldb
    (lldb)
    (lldb) process connect connect://localhost:1234
    Process 14402 stopped
    * thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
        frame #0: 0x0000000185d08634 libsystem_kernel.dylib`mach_msg_trap + 8
    libsystem_kernel.dylib`mach_msg_trap:
    ->  0x185d08634 <+8>: ret
    libsystem_kernel.dylib`mach_msg_overwrite_trap:
        0x185d08638 <+0>: mov    x16, #-0x20
        0x185d0863c <+4>: svc    #0x80
        0x185d08640 <+8>: ret
    libsystem_kernel.dylib`semaphore_signal_trap:
        0x185d08644 <+0>: mov    x16, #-0x21
        0x185d08648 <+4>: svc    #0x80
        0x185d0864c <+8>: ret
    libsystem_kernel.dylib`semaphore_signal_all_trap:
        0x185d08650 <+0>: mov    x16, #-0x22
    Target 0: (DingTalk) stopped.
    (lldb)
    

    After entering process connect connect://localhost:1234, wait about half a minute; if output like the above appears, the connection succeeded. The app cannot be interacted with at this point, so type c to continue the process, and start happy (well, painful) debugging!

    References:
    https://bbs.pediy.com/thread-203592.htm
    https://www.cnblogs.com/2f28/p/11189051.html
    https://iosre.com/t/ios12-debugserver-lldb/14429
    https://www.jianshu.com/p/5040d3730f3f
