Welcome to the iOS Reverse series.
- IOS reverse RSA theory
- IOS reverse hash theory
- IOS reverse application re-signature + wechat re-signature combat
- IOS reverse Shell script + script re-signature
- IOS reverse code injection +Hook
- IOS reverse MachO file
- IOS reverse dyLD process
- IOS reverse HOOK principle of Fishhook
- IOS reverse LLDB debugging
Writing in the front
LLDB debugging is often used in daily development. Po is probably the most commonly used command. In the reverse world, it is impossible to debug your code with breakpoints, so LLDB becomes a very important tool
A, LLDB
LLDB (Low Lever Debug) is a dynamic debugging tool built into XCode by default. It exists in the console at the bottom of the main window together with the LLVM compiler, bringing us richer process control and data detection debugging functions
The standard LLDB provides an extensive set of commands designed to be compatible with older versions of GDB commands. In addition to using standard configurations, you can easily customize the LLDB to suit your needs
LLDB command
1. LLDB syntax
<command> [<subcommand> [<subcommand>...]] <action> [-options [option-value]] [argument[argument...]]
Copy the code<command>(Command) and<subcommand>Subcommand: name of the LLDB debugging command<action>: Executing a command<options>: Command options<arguement>: Command parameter[]: Indicates that the command is optional
Such as breakpoint set -n test
commandBreakpoint: breakpoint commandaction: set Sets a breakpointoption-n sets a breakpoint according to method namearguement: test Indicates that the method name is test
2. LLDB primary use
The LLDB command takes effect only when you enter the LLDB state (click Pause symbol in the running state)
- Viewing the breakpoint list
whereIs where the breakpoint isaddressIs the breakpoint addressoption disableBreakpoints disabled
(lldb) breakpoint list
Copy the code
- Setting a single breakpoint
Breakpoint set -n "[ViewController ocMethod1]" breakpoint set -n"Copy the code
- Set a set of breakpoints
(lldb) breakpoint set -n "[ViewController ocMethod1]" -n "[ViewController ocMethod2]" -n "[ViewController ocMethod3]"
Copy the code
- Disable/enable a set of breakpoints
// Disable (LLDB) breakPoint disable 1 // Enable (LLDB) breakpoint enable 1Copy the code
- Disable/enable a breakpoint
// Disable breakPoint disable 1.1 // Enable breakPoint enable 1.1Copy the code
- Delete all breakpoints
(lldb) breakpoint delete
Copy the code
- “Delete” a set of breakpoints (cannot delete a breakpoint, can only disable a breakpoint)
(lldb) breakpoint delete 1.1
Copy the code
- Set a breakpoint for a method
(lldb) breakpoint set --selector touchesBegan:withEvent:
Copy the code
- Sets a breakpoint for a method in a file
(lldb) breakpoint set --file ViewController.m --selector touchesBegan:withEvent:
Copy the code
- Set breakpoints for all matching method names
(lldb) breakpoint set -r ocMethod
Copy the code
- Exit the LLDB mode
(lldb) c
Copy the code
- See the help
Breakpoint help (LLDB) breakpoint help (LLDB) breakpoint help (LLDBCopy the code3. Summary of LLDB primary use
- Manual breakpoints will also appear
LLDBThe breakpoint list, butLLDBThe breakpoint does not appear in Xcode’s breakpoint list - Manually set breakpoints can be disabled/cancelled by clicking/holding down, or can pass
LLDBCommand to operate, butLLDBA breakpoint can only be passedLLDBTo operate - The deleted breakpoints are not in the list, but the new breakpoints are sorted after the previous breakpoints
| The command | meaning | shorthand |
|---|---|---|
| breakpoint list | Viewing the breakpoint list | breakpoint l |
| breakpoint set -n cMethod | Setting a single breakpoint | b -n cMethod |
| breakpoint set -n “[ViewController ocMethod1]” -n “[ViewController ocMethod2]” |
Set a set of breakpoints | b -n “[ViewController ocMethod1]” -n “[ViewController ocMethod2]” |
| breakpoint set –selector touchesBegan:withEvent: | Set a breakpoint for a method | b -selector touchesBegan:withEvent: |
| breakpoint set –file ViewController.m –selector touchesBegan:withEvent: | Sets a breakpoint for a method in a file | b -f ViewController.m –selector touchesBegan:withEvent: |
| breakpoint set -r ocMethod | Set breakpoints for all matching method names | b -r ocMethod |
| breakpoint enable 1 | Enable a set of breakpoints | breakpoint en 1 |
| breakpoint disable 1 | Disable a set of breakpoints | breakpoint dis 1 |
| Breakpoint enable 1.1 | Enable a breakpoint | Breakpoint en 1.1 |
| Breakpoint disable 1.1 | Disable a breakpoint | Breakpoint dis 1.1 |
| breakpoint delete | Delete all breakpoints | breakpoint d |
| continue | Exit the LLDB mode | c |
| next | Step by step, executing the subfunctions together as a whole | n |
| stpe | Step by step, executing the subfunctions together as a whole | s |
About abbreviations:
b:breakpoint setl:list-n:--name-f:--filedis:disableen:enable
LLDB execution code
Print-out expression –object- Expression is the most commonly used Po instruction in development
p: as aexpressionAn abbreviation for “express execution.oIs:objectThe abbreviation of “pass”help expressionView command)po: Execute object – outputs information about this object
Now that we know that the p instruction has the function of executing code, let’s play with it
-
Changing background color dynamically (I was not successful on machOS 10.15.5+Xcode11)
- Enter manual breakpoint (do not click pause symbol or self will not be retrieved)
- Console input
p self.view.backgroundColor = [UIColor redColor]; - You can go over the break point and see the effect
-
Dynamically create objects and assign values
- Set a global variable
FXPerson *p - Also enter the manual breakpoint
- Console input
p self.p = [FXPerson new]; self.p.name = @"Felix"; - See the effect
- Set a global variable
Function call stack
Next debug in the following code, click on the screen to call test, test1, test2, and set a breakpoint at test2
- (void)testWithStr:(NSString *)str {
NSLog(@"test");
[self test1WithStr:str];
}
- (void)test1WithStr:(NSString *)str {
NSLog(@"test1");
[self test2WithStr:str];
}
- (void)test2WithStr:(NSString *)str {
NSLog(@"test2");
NSLog(@ "% @", str);
}
- (void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event {
[self testWithStr:@"test"];
}
Copy the codebtView the function call stack to see the order of function calls
up/downMove function calls up and down
Frame the select digital— Jump function call (0 means current method, 2 means before 2 methods)
frame variableView the current function properties: memory address, method name, parameters
thread returnEnd the current function call, jump back to the next step on the previous call stack (currently jump back to line 30, ready to execute line 31)
From this, you can try to modify the parameter’s value in the call to print the new value
Up Modifies the parameters of a function that has already been called- use
upThe command goes back to the previous step and usesp str = @"F";modified
- use
Modify function parameters ahead of time- Set a breakpoint ahead of the last function call to modify it
Summary: Code that has already been executed can not be rolled back to change the value arbitrarily, should be set in advance to change the breakpoint
5. Memory breakpoints
Memory breakpoints, as the name implies, are breakpoints for memory
watchpoint set variable self->_p->_nameBreakpoints can be placed on the corresponding property memory
- Addr: indicates the memory address
- Size: memory bytes occupied
- State: Indicates whether the current state is available
- Memory breakpoints can also pass
watchpoint listTo view the list of memory outages - Also through
watchpoint deleteTo delete
Breakpoint add command
Similar to adding script commands to a program, breakpoint execution can also add commands
- through
breakpoint command add 1You can add commands to a specified breakpoint - through
DONEEnd the breakpoint command
Seven, target stop – hook
target stop-hookBreakpoint (watchpoint) – breakpoint (watchpoint) – breakpoint (watchpoint) – breakpoint (watchpoint)
As long astarget stop-hook addAny breakpoint will trigger the command to add
A single command can be abbreviated astarget stop-hook add -o "frame variable"(-oRepresents a single command.
Similarly, it can be usedtarget stop-hook listCheck the list
target stop-hook disableTo disable
target stop-hook delete/undisplay 1To disable
Next, a higher-order operation is introducedCopy the codeWhen the LLDB starts, it loads a file called.lldbinitThe document, in/ Users/usernamedirectory
If not, you can passvi .lldbinitCreate, and then add commands to the filetarget stop-hook add -o "frame variable"
Restart the xcode. lldbinit file to run the command will be loaded, a very convenient debugging tool!
Eight, ASLR
ASLR (Address Space Layout Randomization) is called Address space configuration random loading, which is a computer security technology to prevent memory damage vulnerability from being used. It has been applied in various platforms
ASLR makes use of functions by randomly placing the address space of a process’s critical data area to prevent an attacker from reliably jumping to a specific location in memory
Physical address = ASLR + virtual address
Let’s get to know this guy by example
- (void)fxTest {
NSLog(@"%s", __func__);
}
- (void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event {
[self fxTest];
}
Copy the codecmd+BCompile the generatedMachO file, the use ofHopperOpen, findfxTestmethods
0x1340 is a virtual address — it’s an offset from the MachO file (the 1 before it means the empty segment, so it doesn’t affect the address).
We just said that the physical address is equal to ASLR plus the virtual address, so what is the ASLR?
throughimage listI can print it out0x000000010301e000That’s the processASLR(See dLYD source code to know that the ASLR value is different every time run)
Physical address =0x000000010ae85000 + 0x1340 = 0x10AE86340
Write in the back
LLDB these commands like Xcode shortcut keys, not just as well, master is the icing on the cake, more than a debugging idea, can let you open the gap between peers