LLDB(Low Lever Debug),默认内置于Xcode中的动态调试工具。标准的 LLDB 提供了一组广泛的命令,旨在与老版本的 GDB 命令兼容。 除了使用标准配置外,还可以很容易地自定义 LLDB 以满足实际需要。
如果逆向别人的代码可以通过暂停程序执行来使程序进入LLDB状态
LLDB有很多指令,如果忘了相关指令,我们可以通过help命令查看
(lldb) help
Debugger commands:
apropos -- List debugger commands related to a word or subject.
breakpoint -- Commands for operating on breakpoints (see 'help b' for
shorthand.)
...
也可以通过apropos列出与某个单词或主题相关的调试器命令
(lldb) apropos breakpoint
The following commands may relate to 'breakpoint':
_regexp-break -- Set a breakpoint using one of
several shorthand formats.
_regexp-tbreak -- Set a one-shot breakpoint using
one of several shorthand formats.
breakpoint -- Commands for operating on
breakpoints (see 'help b' for
shorthand.)
breakpoint clear -- Delete or disable breakpoints
matching the specified source file
and line.
...
常用命令
- 给所有名为xxx的C函数设置一个断点
(lldb) breakpoint set -name xxx
(lldb) br s -n xxx
(lldb) b xxx
- 给一个OC函数[objc msgSend:]设置一个断点
(lldb) breakpoint set -n "[objc msgSend:]"
(lldb) b -n "[objc msgSend:]"
- 给所有名为xxx的OC方法设置一个断点
(lldb) breakpoint set -selector xxx:
- 给指定文件的某个OC方法设置一个断点
(lldb) breakpoint set --file ViewController.m --selector touchesBegan:withEvent:
- 给所有包含xxx的字段设置断点
(lldb) breakpoint set -r xxx
- 给指定文件F的某一行L设置一个断点
(lldb) breakpoint set --file F -line L
- 断点查看
(lldb) breakpoint list
(lldb) br l
- 断点删除
(lldb) breakpoint delete index//index是组号
(lldb) breakpoint delete //删除所有断点
(lldb) br del index
- 禁用/开启断点
(lldb) breakpoint disable index
(lldb) breakpoint enable index
断点的流程控制
- 继续
(lldb) process continue
(lldb) continue
(lldb) c
- 单步运行,将子函数当做整体一步执行
(lldb) thread step -over
(lldb) next
(lldb) n
(lldb) ni //单步运行汇编级别
- 单步运行,遇到子函数会进去
(lldb) thread step -in
(lldb) step
(lldb) s
(lldb) si //单步运行可跳转指令内部,汇编级别
- 跳出方法,返回上层调用栈
(lldb) thread step -out
(lldb) finish
(lldb) f
expression
expression其实是p的缩写,它的主要作用是在当前线程执行一个表达式,并将结果按照LLDB的默认格式返回。
(lldb) help p
Evaluate an expression on the current thread. Displays any returned value
with LLDB's default formatting. Expects 'raw' input (see 'help
raw-input'.)
Syntax: p <expr>
Command Options Usage:
p <expr>
'p' is an abbreviation for 'expression --'
下面是这个例子,可以看到expression执行了表达式,给属性变量name赋值,并返回了新赋的值,它可以动态的修改变量在内存中的值。
(lldb) po self.name
xiaoli
(lldb) p self.name = @"David"
(NSTaggedPointerString *) $5 = 0xc2f9f48bff645c0d @"David"
(lldb) p self.name
(NSTaggedPointerString *) $6 = 0xc2f9f48bff645c0d @"David"
(lldb)
查看堆栈信息
在一个函数的断点出,输入bt可查看调用堆栈信息
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
* frame #0: 0x000000010056e1c0 002--LLDB调试`-[ViewController test3:](self=0x0000000151e07750, _cmd="test3:", str=@"hook") at ViewController.m:64:20
frame #1: 0x000000010056e180 002--LLDB调试`-[ViewController test2:](self=0x0000000151e07750, _cmd="test2:", str=@"hook") at ViewController.m:60:5
frame #2: 0x000000010056e11c 002--LLDB调试`-[ViewController test1:](self=0x0000000151e07750, _cmd="test1:", str=@"hook") at ViewController.m:56:5
frame #3: 0x000000010056e258 002--LLDB调试`-[ViewController touchesBegan:withEvent:](self=0x0000000151e07750, _cmd="touchesBegan:withEvent:", touches=1 element, event=0x00000002806d0fa0) at ViewController.m:71:5
frame #4: 0x0000000193692b64 UIKitCore`forwardTouchMethod + 328
frame #5: 0x0000000193692a08 UIKitCore`-[UIResponder touchesBegan:withEvent:] + 60
frame #6: 0x00000001936a0af0 UIKitCore`-[UIWindow _sendTouchesForEvent:] + 1692
frame #7: 0x00000001936a20a8 UIKitCore`-[UIWindow sendEvent:] + 3352
frame #8: 0x000000019367eae8 UIKitCore`-[UIApplication sendEvent:] + 336
frame #9: 0x00000001936f623c UIKitCore`__dispatchPreprocessedEventFromEventQueue + 5880
frame #10: 0x00000001936f8798 UIKitCore`__handleEventQueueInternal + 4924
frame #11: 0x00000001936f160c UIKitCore`__handleHIDEventFetcherDrain + 108
frame #12: 0x000000018f5d67e0 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
frame #13: 0x000000018f5d6738 CoreFoundation`__CFRunLoopDoSource0 + 80
frame #14: 0x000000018f5d5ed0 CoreFoundation`__CFRunLoopDoSources0 + 180
frame #15: 0x000000018f5d101c CoreFoundation`__CFRunLoopRun + 1080
frame #16: 0x000000018f5d08bc CoreFoundation`CFRunLoopRunSpecific + 464
frame #17: 0x000000019943c328 GraphicsServices`GSEventRunModal + 104
frame #18: 0x00000001936666d4 UIKitCore`UIApplicationMain + 1936
frame #19: 0x000000010056e518 002--LLDB调试`main(argc=1, argv=0x000000016f8978c8) at main.m:14:16
frame #20: 0x000000018f45b460 libdyld.dylib`start + 4
可以通过up和down指令跟进堆栈的调用信息
(lldb) up
frame #1: 0x000000010056e180 002--LLDB调试`-[ViewController test2:](self=0x0000000151e07750, _cmd="test2:", str=@"hook") at ViewController.m:60:5
57 }
58
59 -(void)test2:(NSString *)str{
-> 60 [self test3:str];
^
61 }
62
63 -(void)test3:(NSString *)str{
(lldb) down
frame #0: 0x000000010056e1c0 002--LLDB调试`-[ViewController test3:](self=0x0000000151e07750, _cmd="test3:", str=@"hook") at ViewController.m:64:20
61 }
62
63 -(void)test3:(NSString *)str{
-> 64 NSLog(@"!!!%@",str);
^
65 }
也可以通过frame select index(堆栈的序号)命令来查看具体序号堆栈的调用信息
(lldb) frame select 3
frame #3: 0x000000010056e258 002--LLDB调试`-[ViewController touchesBegan:withEvent:](self=0x0000000151e07750, _cmd="touchesBegan:withEvent:", touches=1 element, event=0x00000002806d0fa0) at ViewController.m:71:5
68
69 -(void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event
70 {
-> 71 [self test1:@"hook"];
^
72 //Person * p1 = self.models.firstObject;
73 }
74 - (IBAction)save:(id)sender {
通过frame variable命令查看具体序号堆栈的参数
(lldb) frame variable
(ViewController *) self = 0x0000000151e07750
(SEL) _cmd = "touchesBegan:withEvent:"
(__NSSetM *) touches = 0x00000002837f34a0 1 element
(UITouchesEvent *) event = 0x00000002806d0fa0
回滚thread return命令,会回到上一层调用堆栈,但是不会向下继续执行
(lldb) thread return
2019-10-26 16:24:54.495174+0800 002--LLDB调试[13707:437713] XPC connection interrupted
内存断点watchpoint
watchpoint可以对方法或者对象的内存地址设置断点,如果对属性操作,类似KVO观察者,如下是对一个属性变量设置的内存断点,如果属性变量的值发生改变了,程序就会自动中断
(lldb) po self
<ViewController: 0x1033040d0>
(lldb) n
(lldb) watchpoint set variable self->_name
Watchpoint created: Watchpoint 1: addr = 0x103304428 size = 8 state = enabled type = w
watchpoint spec = 'self->_name'
new value: 0x0000000102c10098
(lldb) c
Process 14669 resuming
Watchpoint 1 hit:
old value: 0x0000000102c10098
new value: 0x0000000102c10158
2019-10-28 10:52:01.935109+0800 002--LLDB调试[14669:514790] !!!hook
(lldb) po 0x0000000102c10098
lilei
(lldb) po 0x0000000102c10158
David
也可以通过如下方式操作
(lldb) p &self->_name
(NSString **) $0 = 0x0000000103303b48
(lldb) watchpoint set expression 0x0000000103303b48
Watchpoint created: Watchpoint 1: addr = 0x103303b48 size = 8 state = enabled type = w
new value: 4343234712
(lldb) c
Process 14731 resuming
Watchpoint 1 hit:
old value: 4343234712
new value: 4343234872
(lldb) po 4343234712
lilei
(lldb) po 4343234872
David
watchpoint类似breakpoint也有list、delete等相关命令,可以通过help watchpoint命令来熟悉
(lldb) help watchpoint
Commands for operating on watchpoints.
Syntax: watchpoint <subcommand> [<command-options>]
The following subcommands are supported:
command -- Commands for adding, removing and examining LLDB commands
executed when the watchpoint is hit (watchpoint 'commands').
delete -- Delete the specified watchpoint(s). If no watchpoints are
specified, delete them all.
disable -- Disable the specified watchpoint(s) without removing it/them.
If no watchpoints are specified, disable them all.
enable -- Enable the specified disabled watchpoint(s). If no watchpoints
are specified, enable all of them.
ignore -- Set ignore count on the specified watchpoint(s). If no
watchpoints are specified, set them all.
list -- List all watchpoints at configurable levels of detail.
modify -- Modify the options on a watchpoint or set of watchpoints in
the executable. If no watchpoint is specified, act on the
last created watchpoint. Passing an empty argument clears the
modification.
set -- Commands for setting a watchpoint.
For more help on any particular subcommand, type 'help <command> <subcommand>'.
command
command可以用来给一个断点添加命令,如下所示,先给test1方法设置断点,然后用command添加命令,当再一次调用test1方法的时候,程序就会执行test1方法添加的指令
(lldb) breakpoint set -n "[ViewController test1:]"
Breakpoint 3: where = 002--LLDB调试`-[ViewController test1:] + 48 at ViewController.m:57:6, address = 0x0000000104b86100
(lldb) breakpoint command add 3
Enter your debugger command(s). Type 'DONE' to end.
> po self
> p self.view
> DONE
(lldb) c
Process 14830 resuming
po self
<ViewController: 0x105107580>
p self.view
(UIView *) $1 = 0x0000000105209550
(lldb) breakpoint command list 3
Breakpoint 3:
Breakpoint commands:
po self
p self.view
(lldb) breakpoint command delete 3
(lldb) breakpoint command list 3
Breakpoint 3 does not have an associated command.
target stop-hook
target stop-hook让每个断点都去执行一些命令,可以把它当作初始化的配置,如下所示,在每个断点处添加target stop-hook add -o "frame variable"查看每个断点的参数信息,当断点触发的时候,该断点的参数信息就会打印出来
(lldb) breakpoint list
Current breakpoints:
1: file = '/Users/niujf/Desktop/ios逆向/007--LLDB/代码/002--LLDB调试/002--LLDB调试/ViewController.m', line = 56, exact_match = 0, locations = 1, resolved = 1, hit count = 0
1.1: where = 002--LLDB调试`-[ViewController test1:] + 48 at ViewController.m:57:6, address = 0x00000001027ba100, resolved, hit count = 0
2: file = '/Users/niujf/Desktop/ios逆向/007--LLDB/代码/002--LLDB调试/002--LLDB调试/ViewController.m', line = 70, exact_match = 0, locations = 1, resolved = 1, hit count = 0
2.1: where = 002--LLDB调试`-[ViewController touchesBegan:withEvent:] + 80 at ViewController.m:72:6, address = 0x00000001027ba240, resolved, hit count = 0
(lldb) target stop-hook add -o "frame variable" //查看每个断点的参数信息
Stop hook #1 added.
(lldb) c
Process 14962 resuming
(ViewController *) self = 0x0000000143e06f90
(SEL) _cmd = "touchesBegan:withEvent:"
(__NSSetM *) touches = 0x00000002800e5a20 1 element
(UITouchesEvent *) event = 0x00000002831f8c80
(lldb) c
Process 14962 resuming
(ViewController *) self = 0x0000000143e06f90
(SEL) _cmd = "test1:"
(__NSCFConstantString *) str = 0x00000001027bc138 @"hook"
image
image lookup -t xxxx可以查看文件的详细信息
(lldb) image lookup -t ViewController
Best match found in /Users/niujf/Library/Developer/Xcode/DerivedData/002--LLDB调试-hblhlghervytczgywjtrdblfcdga/Build/Products/Debug-iphoneos/002--LLDB调试.app/002--LLDB调试:
id = {0x10000002b}, name = "ViewController", byte-size = 24, decl = ViewController.h:11, compiler_type = "@interface ViewController : UIViewController{
NSMutableArray * _models;
NSString * _name;
}
@property ( getter = models,setter = setModels:,readwrite,nonatomic ) NSMutableArray * models;
@property ( getter = name,setter = setName:,readwrite,copy,nonatomic ) NSString * name;
@end"
image list查看调用的库
(lldb) image list
[ 0] EE92FCA2-C78B-31CC-8C2C-C7A123E92F28 0x00000001029b8000 /Users/niujf/Library/Developer/Xcode/DerivedData/002--LLDB调试-hblhlghervytczgywjtrdblfcdga/Build/Products/Debug-iphoneos/002--LLDB调试.app/002--LLDB调试
[ 1] 571392A7-E1E6-369F-8805-C1A141F3C1C5 0x0000000102cdc000 /Users/niujf/Library/Developer/Xcode/iOS DeviceSupport/13.1.3 (17A878)/Symbols/usr/lib/dyld
...
网友评论