1. Configure the DebugServer

  • If you have already configured both debugserver and xia0LLDB, skip straight to section 3 (Debugging steps).
  1. Xcode ships debugserver under /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/14.4; replace 14.4 with the iOS version running on your phone.
  2. Double-click DeveloperDiskImage.dmg in that directory; inside the mounted image, debugserver is at /usr/bin/debugserver.
  3. The file cannot be used as-is: it has to be re-signed with debugging entitlements, thinned to your phone's CPU architecture, and then copied to the phone.
  4. In Xcode, create a file named sample.plist and paste the following into it (task_for_pid-allow and get-task-allow are what let debugserver obtain the task port of another process, which attaching requires):

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.springboard.debugapplications</key>
        <true/>
        <key>run-unsigned-code</key>
        <true/>
        <key>get-task-allow</key>
        <true/>
        <key>task_for_pid-allow</key>
        <true/>
    </dict>
    </plist>

  5. Save it, then sign debugserver with those entitlements (-s - produces an ad-hoc signature, -f replaces the existing one): codesign -s - --entitlements sample.plist -f debugserver
  6. Thin debugserver down to a single slice; replace arm64 with the CPU architecture of your phone: lipo -thin arm64 debugserver -output debugserver
  7. Copy debugserver to the phone: scp -r -P2222 /Users/xx/Desktop/debugserver root@localhost:/usr/bin/ (replace /Users/xx/Desktop/debugserver with the path on your own Mac; the phone must be connected over USB and the iproxy 2222 22 forward described in section 3 must be running for port 2222 to reach the phone).
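The seven steps above as one script. This is an added example, not code from the original post or from xia0LLDB; it assumes Xcode at /Applications/Xcode.app, an `iproxy 2222 22` forward already running, and working root login to the phone. The iOS version, architecture and work directory are parameters (defaults 14.4, arm64, ~/debugserver-work). One deliberate difference from the post: the binary is thinned before it is signed, so the signature is applied to the slice that actually ships.

```shell
#!/bin/sh
# Added example (not from the original post or xia0LLDB): extract debugserver
# from the DeveloperDiskImage, thin it, sign it with the entitlements from the
# post, and copy it to the phone over the iproxy tunnel.
# Assumptions: macOS with hdiutil/lipo/codesign, Xcode at /Applications/Xcode.app,
# "iproxy 2222 22" running, root ssh login to the phone working.
set -eu

IOS_VERSION="${1:-14.4}"                 # must match the phone's iOS version
ARCH="${2:-arm64}"                       # CPU architecture of the phone
WORKDIR="${3:-$HOME/debugserver-work}"   # where the patched binary is built
XCODE="/Applications/Xcode.app"

# Location of the DeveloperDiskImage.dmg for one iOS version.
disk_image_path() {
    printf '%s/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/%s/DeveloperDiskImage.dmg\n' \
        "$XCODE" "$1"
}

# Write the entitlements plist from the post to the file named by $1.
write_entitlements() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
EOF
}

# Number of entitlement keys in a plist; a quick sanity check before codesign.
count_entitlements() {
    grep -c '<key>' "$1"
}

prepare_debugserver() {
    dmg="$(disk_image_path "$IOS_VERSION")"
    if [ ! -f "$dmg" ]; then
        echo "no DeveloperDiskImage for iOS $IOS_VERSION at $dmg" >&2
        return 1
    fi
    mkdir -p "$WORKDIR"
    mnt="$(mktemp -d)"
    hdiutil attach -quiet -mountpoint "$mnt" "$dmg"
    cp "$mnt/usr/bin/debugserver" "$WORKDIR/debugserver"
    hdiutil detach -quiet "$mnt"

    # Keep only the slice for the phone's architecture; write to a temporary
    # name and move it into place.
    lipo -thin "$ARCH" "$WORKDIR/debugserver" -output "$WORKDIR/debugserver.thin"
    mv "$WORKDIR/debugserver.thin" "$WORKDIR/debugserver"

    write_entitlements "$WORKDIR/sample.plist"
    [ "$(count_entitlements "$WORKDIR/sample.plist")" -eq 4 ] || return 1
    # "-s -" is an ad-hoc signature; -f replaces Apple's existing signature.
    codesign -s - --entitlements "$WORKDIR/sample.plist" -f "$WORKDIR/debugserver"
    # Print the entitlements that were actually embedded, to verify the step.
    codesign -d --entitlements - "$WORKDIR/debugserver"

    # Copy through the "iproxy 2222 22" tunnel to the phone.
    scp -P 2222 "$WORKDIR/debugserver" root@localhost:/usr/bin/debugserver
}

# Only run the pipeline when asked to, e.g.: sh prepare_debugserver.sh 14.4 arm64 ~/work run
if [ "${4:-}" = "run" ]; then
    prepare_debugserver
fi
```

The `codesign -d --entitlements -` call at the end is the check worth keeping even when doing the steps by hand: if the four keys are not listed there, the binary on the phone will not be able to attach, regardless of what the scp reported.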

2. Install xia0LLDB

  1. Run in a terminal: git clone https://github.com/4ch12dy/xia0LLDB.git && cd xia0LLDB && ./install.sh

3. Debugging steps

  • Keep the phone connected to the Mac over USB for the whole process; debugging over Wi-Fi is too slow.
  1. In a first terminal set up the two port forwards: iproxy 2222 22 (phone SSH port 22 to Mac port 2222) and iproxy 1234 1111 (phone port 1111 to Mac port 1234). Each iproxy stays in the foreground, so run them in separate terminals or background them; the status shown in the figure below means the forwards are up.
  2. In a second terminal run ssh -p 2222 root@localhost (the default password is alpine). For a cracked (decrypted) app, launch it directly under the debugger: debugserver localhost:1111 -x backboard [app path]. For a third-party app, start the app on the phone first, find its process name with ps -A, then attach with cd /usr/bin && ./debugserver 127.0.0.1:1111 -a "[app name]".
  3. The app is now launched (or attached to) and stopped under debugserver. In a third terminal run lldb and, at the LLDB prompt, connect with process connect connect://localhost:1234
  4. Once the connection is established, enter c (continue) to let the app run and start debugging.

Commonly used LLDB commands

    // print the method list of a class
    po [className _shortMethodDescription]
    // set a breakpoint at an address
    br s -a 0x452C96
    // delete all breakpoints
    br del
    // disable breakpoint 3 (br en 3 re-enables it)
    br dis 3
    // -c <expr> sets a breakpoint condition; -o true makes the breakpoint one-shot
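The debugging session from section 3 and the breakpoint flags above, driven from one script. This is an added example and not code from the original post or from xia0LLDB. It assumes the re-signed debugserver is installed at /usr/bin on the phone, root ssh login works, and iproxy and lldb are on PATH; the port numbers and the breakpoint address 0x452C96 are the ones used in the post, and the -[NSUserDefaults setObject:forKey:] breakpoint is a made-up illustration of a one-shot breakpoint.

```shell
#!/bin/sh
# Added example (not from the original post or xia0LLDB): brings up both iproxy
# forwards, starts debugserver on the phone over ssh (launch or attach mode),
# and opens lldb with a command file that connects and sets breakpoints.
# Assumptions: re-signed debugserver at /usr/bin on the phone, root ssh login
# working, iproxy and lldb on PATH. Ports and address are from the post.
set -eu

SSH_PORT=2222         # Mac port forwarded to the phone's sshd
LOCAL_PORT=1234       # Mac side of the debugserver tunnel
REMOTE_PORT=1111      # port debugserver listens on, on the phone

# Command line to run on the phone. "attach" expects the app to be running
# already (name from "ps -A"); "launch" starts a decrypted app under backboard.
debugserver_cmd() {
    case "$1" in
        attach) printf 'cd /usr/bin && ./debugserver 127.0.0.1:%s -a "%s"\n' "$REMOTE_PORT" "$2" ;;
        launch) printf 'debugserver localhost:%s -x backboard "%s"\n' "$REMOTE_PORT" "$2" ;;
        *)      echo "unknown mode: $1 (use attach or launch)" >&2; return 1 ;;
    esac
}

# LLDB command file: connect through the tunnel, set breakpoints, continue.
# -c attaches a condition evaluated in the target ($x0 is the first argument
# register on arm64); -o true makes the breakpoint fire only once.
write_lldb_script() {
    {
        printf 'process connect connect://localhost:%s\n' "$LOCAL_PORT"
        printf 'br s -a %s -c "$x0 != 0"\n' "$2"
        printf 'br s -n "-[NSUserDefaults setObject:forKey:]" -o true\n'
        printf 'br list\n'
        printf 'c\n'
    } > "$1"
}

run_session() {
    mode="$1"; target="$2"
    iproxy "$SSH_PORT" 22 >/dev/null 2>&1 &
    ssh_fwd=$!
    iproxy "$LOCAL_PORT" "$REMOTE_PORT" >/dev/null 2>&1 &
    dbg_fwd=$!
    trap 'kill $ssh_fwd $dbg_fwd 2>/dev/null' EXIT
    sleep 1                                   # let the forwards come up
    ssh -n -p "$SSH_PORT" root@localhost "$(debugserver_cmd "$mode" "$target")" &
    sleep 3                                   # give debugserver time to listen
    script="$(mktemp)"
    write_lldb_script "$script" 0x452C96
    lldb -s "$script"                         # stays interactive after the script
    rm -f "$script"
}

# Usage: sh debug_session.sh attach "AppName"
#        sh debug_session.sh launch /path/to/App.app/App
if [ $# -eq 2 ]; then
    run_session "$1" "$2"
fi
```

lldb -s runs the command file and then drops to the usual prompt, so the xia0LLDB commands and the manual commands listed above are available as before; the script only replaces the three terminals and the typing of the connect line.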