1、image list -o -f
The pre-offset (unslid) base address comes from IDA, the ASLR offset from LLDB; adding the two gives the post-offset (slid) base address.
2、breakpoint
b function
br s -a address
br s -a 'ASLROffset+address'
To set a breakpoint on an assembly instruction, you must know its post-offset (ASLR-slid) address!
3、register write
Assigns a value to the specified register
(lldb) register write r0 1
4、How to start LLDB:
5、git clone
git clone git://github.com/stefanesser/dumpdecrypted/
6、ssh scp
ssh user@iOSIP    remote login
--
Copy a local file to iOS
scp /path/to/localFile user@iOSIP:/path/to/remoteFile
snakeninnysiMac:~ snakeninny$ scp ~/1.png root@192.168.1.6:/var/tmp/
--
Copy a file from iOS to local
scp user@iOSIP:/path/to/remoteFile /path/to/localFile
snakeninnysiMac:~ snakeninny$ scp root@192.168.1.6:/var/log/syslog ~/iOSlog
--
Change the ssh passwords
FunMaker-5:~ root# passwd root
Changing password for root.
New password:
Retype new password:
FunMaker-5:~ root# passwd mobile
Changing password for mobile.
New password:
Retype new password:
7、Start LLDB
lifedeMBP:~ life$ ssh root@192.168.2.205
root@192.168.2.205's password:
Yuanlingde-iPhone:~ root# debugserver *:1234 -a "SpringBoard"
----------
lifedeMBP:~ life$ /Users/life/KOALAC/Xcode.app/Contents/Developer/usr/bin/lldb
(lldb) process connect connect://192.168.2.205:1234
8、Base address
hopper:
-[WCRedEnvelopesRedEnvelopesDetailViewController watchMyRedEnvelopesList]:
00d3f200 push {r4, r5, r6, r7, lr}
lldb: image list -o -f
0x000ee000 /private/var/mobile/Containers/Bundle/Application/D6107755-C5CA-44CE-A0A9-B1A832BB4210/WeChat.app/WeChat(0x00000000000f2000)
Post-offset (slid) address: 0xE2D200 = 0x00d3f200 + 0x000ee000
(lldb) br s -a 0xE2D200    set the breakpoint
Breakpoint 3: where = WeChat`__cxa_throw + 7484196, address = 0x00e2d200
Triggered:
Process 19818 stopped
* thread #1: tid = 0x1a8c75, 0x00e2d200 WeChat`__cxa_throw + 7484196, queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
frame #0: 0x00e2d200 WeChat`__cxa_throw + 7484196
WeChat`__cxa_throw:
-> 0xe2d200 <+7484196>: push {r4, r5, r6, r7, lr}
0xe2d202 <+7484198>: add r7, sp, #0xc
0xe2d204 <+7484200>: sub sp, #0x14
0xe2d206 <+7484202>: mov r4, r0
(lldb) c    continue
ni / si    step over / step into the next instruction
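The address arithmetic of item 8, as an added example (not code from the original notes): it parses the `image list -o -f` line shown above, adds the ASLR slide to the static Hopper/IDA address, and prints the `br s -a` command. The sample input is a constructed copy of the page's WeChat line; the optional leading "[ N]" index LLDB normally prints is also accepted.

```python
import re

# Constructed sample: the page's `image list -o -f` line, with the index LLDB prints.
IMAGE_LIST_OUTPUT = """\
[  0] 0x000ee000 /private/var/mobile/Containers/Bundle/Application/D6107755-C5CA-44CE-A0A9-B1A832BB4210/WeChat.app/WeChat(0x00000000000f2000)
"""

# <slide> <path>(<load address>), with an optional "[ N]" prefix.
LINE_RE = re.compile(
    r"^\s*(?:\[\s*\d+\]\s+)?(0x[0-9a-fA-F]+)\s+(.+)\((0x[0-9a-fA-F]+)\)\s*$"
)


def parse_image_list(text):
    """Return {image_name: (aslr_slide, load_address)} from `image list -o -f` output."""
    images = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip banners or lines in a format we do not understand
        slide, path, load = int(m.group(1), 16), m.group(2), int(m.group(3), 16)
        images[path.rsplit("/", 1)[-1]] = (slide, load)
    return images


def slid_address(images, image_name, unslid_address):
    """Static (IDA/Hopper) address + ASLR slide = runtime address to break on."""
    slide, _load = images[image_name]
    return unslid_address + slide


def unslid_image_base(images, image_name):
    """Load address minus slide recovers the image's link-time (preferred) base."""
    slide, load = images[image_name]
    return load - slide


def breakpoint_command(images, image_name, unslid_address):
    """The `br s -a` line to paste into LLDB for a static address."""
    return "br s -a 0x%08x" % slid_address(images, image_name, unslid_address)


if __name__ == "__main__":
    imgs = parse_image_list(IMAGE_LIST_OUTPUT)
    # Hopper shows -[... watchMyRedEnvelopesList] at 0x00d3f200 on this page.
    print(breakpoint_command(imgs, "WeChat", 0x00D3F200))  # br s -a 0x00e2d200
    print(hex(unslid_image_base(imgs, "WeChat")))          # 0x4000
```

The recovered link-time base (0x4000) is a quick sanity check that the slide and load address were read from the right columns.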