Preface

When we get hold of someone else's executable (it should already be unsigned), how do we debug it to get what we want, and which tools are useful?

Symbol recovery

Symbols are recovered as follows:

./restore-symbol symbolDemo -o symbolDemo2

Only Objective-C methods can have their symbols recovered, because the message-sending mechanism requires that class and method names be present in the binary.

The method names can be found in the code section, so as long as certain rules are followed the Objective-C method symbols can be restored. Since that is possible, someone has of course packaged it into a tool; it can be downloaded from the link below, and running the command above restores the symbols.
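To make that principle concrete, here is an added example (my own illustration, not restore-symbol's code) that parses a constructed, simplified Objective-C method list and rebuilds `-[Class selector]` symbols for each implementation address. The image layout, the class name EncryptString and all addresses are assumed; real Mach-O header parsing and the newer relative method-list format are left out.

```python
import struct
from typing import Dict, Tuple

# Assumed layout, constructed for this example (not a real Mach-O):
# an image loaded at BASE holds NUL-terminated selector strings followed by
# an old-style (non-relative) objc method list:
#   uint32 entsize, uint32 count, then `count` entries of
#   (uint64 SEL name ptr, uint64 types ptr, uint64 IMP) -- 24 bytes each.
BASE = 0x100000000


def read_cstr(image: bytes, vmaddr: int) -> str:
    """Read a NUL-terminated string at a virtual address inside the image."""
    off = vmaddr - BASE
    if off < 0 or off >= len(image):
        raise ValueError(f"pointer {vmaddr:#x} lies outside the image")
    return image[off:image.index(b"\x00", off)].decode("utf-8")


def recover_methods(image: bytes, class_name: str, methlist_addr: int,
                    is_meta: bool = False) -> Dict[int, str]:
    """Map each IMP address to '-[Class sel]' ('+' for metaclass methods)."""
    off = methlist_addr - BASE
    entsize, count = struct.unpack_from("<II", image, off)
    if entsize != 24:
        raise ValueError(f"unexpected method entry size {entsize}")
    prefix = "+" if is_meta else "-"
    symbols: Dict[int, str] = {}
    for i in range(count):
        sel_ptr, _types, imp = struct.unpack_from("<QQQ", image, off + 8 + i * entsize)
        symbols[imp] = f"{prefix}[{class_name} {read_cstr(image, sel_ptr)}]"
    return symbols


def build_sample_image() -> Tuple[bytes, int]:
    """Construct a tiny sample image: string table, then a two-entry method list."""
    sels = [b"viewDidLoad", b"encryptString:", b"v16@0:8"]
    strings = b"\x00".join(sels) + b"\x00"
    # Virtual addresses of each string inside the constructed image.
    addrs = [BASE + strings.index(s + b"\x00") for s in sels]
    methlist_addr = BASE + len(strings)
    entries = struct.pack("<QQQ", addrs[0], addrs[2], 0x100006780)   # IMPs are assumed
    entries += struct.pack("<QQQ", addrs[1], addrs[2], 0x1000067C0)
    return strings + struct.pack("<II", 24, 2) + entries, methlist_addr


if __name__ == "__main__":
    image, addr = build_sample_image()
    for imp, name in sorted(recover_methods(image, "EncryptString", addr).items()):
        print(f"{imp:#x}  {name}")
```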

Generating header files

Header files are generated as follows:

./class-dump -H WeChat -o ./headers/

The principle is the same as for symbol recovery, except that this time, instead of fixing up symbols, the classes are split into separate files and the familiar header files are generated. The tool can be downloaded from the tools section at the bottom of the MonkeyDev article (github.com/AloneMonkey…

LLDB, a lightweight code debugger

Common commands

  • Multiple symbolic breakpoints: br set -n test -n test1
  • Breakpoint on a memory address: br set -a 0x10006782
  • Continue: c
  • Step over: n
  • List breakpoints: br list
  • Disable a breakpoint or group: br disable 1
  • Delete a breakpoint or group: br delete 1
  • Help on breakpoint usage: help breakpoint
  • Wildcard (regex) breakpoint: br set -r '\[EncryptString .*\]'
  • Execute code: p [self.model addObject:[[Person alloc] init]];
  • Show the call stack: bt
  • Move the current frame up or down the stack: up or down
  • Select a frame directly: frame select 12
  • Show a frame's local variables, function arguments, etc. (not useful when reversing): frame variable
  • Return from the function directly at the breakpoint: thread return <return value>
  • Memory breakpoint (set on a variable; breaks when it changes): watchpoint set variable p1->_name
  • Attaching commands to breakpoints:

  • Run one line at every breakpoint: target stop-hook add -o "frame variable"
  • List the breakpoint hooks: target stop-hook list
  • Delete a breakpoint hook: target stop-hook delete 2 or undisplay 2

Handy LLDB plug-ins

  • Chisel from Facebook; usage is described in its README
  • Another one is simply called LLDB

Useful Chisel commands

  • Show the application's view hierarchy: pviews
  • Show the view hierarchy below a view: pviews self.view
  • Show the view hierarchy above a view (its ancestors): pviews -u self.view
  • Show the view controller hierarchy: pvc
  • Show an object's class inheritance chain: pclass obj
  • Show an object's methods: pmethods obj
  • Show an object's instance variables: pinternals obj
  • Find the view controller of a view: fvc -v view
  • Find views of a given class on the current page: fv CSView
  • Locate a view on screen (makes the view flash): flicker view

Useful commands of the LLDB plug-in

  • Search for instances of a class: search viewClass
  • Show an object's methods: methods obj
  • Show the call stack with symbols restored: sbt

Cycript

This requires injecting the Cycript library into a running project, which I'm not particularly fond of. Its biggest advantage is that you can debug in real time without breakpoints.

The Cycript library can be found in the root of the MonkeyDev opt directory.

  • Connect remotely to the Cycript library using your own IP (default port 6666): cycript -r 192.169.1.10:6666

  • Once connected, you can use the familiar Objective-C syntax.

Cycript advanced syntax: APPID, pviews(), pvcs(), etc.

Cycript's advanced syntax is packaged in files with the suffix .cy, which you can set up as follows:

Import a custom packaged file: @import test

Tool download address

Tools download address: pan.baidu.com/s/15J6nF7qk… Extraction code: 7VP7