Preface
https://medium.com/flawless-a...
Steps for using _shortMethodDescription to set breakpoints in LLDB:
- Attach LLDB to the process.
- Find the class you want to break on, e.g. CMessageMgr, then run po [className _shortMethodDescription] at the LLDB prompt.
The output lists the memory address of each method implementation directly, so the address no longer has to be computed by hand as before.
Test environment
- iPhone 5
Chosen mainly because its CPU is 32-bit, so the code is 32-bit ARM assembly; the free version of IDA cannot disassemble 64-bit binaries.
Starting debugserver and connecting LLDB
devzkndeMacBook-Pro:doc devzkn$ sshusb
iPhone:~ root# debugserver *:12345 -a "WeChat"
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-320.2.89
for armv7.
Attaching to process WeChat...
Listening to port 12345 for a connection from *...
devzkndeMacBook-Pro:python-client devzkn$ python tcprelay.py -t 12345:12345
devzkndeMacBook-Pro:demo devzkn$ relay12345
Forwarding local port 12345 to remote port 12345
- Attaching LLDB on the Mac side
With the port forwarded, we start lldb and connect it to debugserver.
First type lldb in the terminal, then connect with the address below. Because the port is forwarded through usbmuxd, debugserver can be reached via the local loopback address.
process connect connect://127.0.0.1:12345
(lldb) process connect connect://127.0.0.1:12345
(lldb)
error: Process 347 is currently being debugged, kill the process before connecting.
Process 347 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
frame #0: 0x373e9e90 libobjc.A.dylib`(anonymous namespace)::AutoreleasePoolPage::AutoreleasePoolPage((anonymous namespace)::AutoreleasePoolPage*) + 4
libobjc.A.dylib`(anonymous namespace)::AutoreleasePoolPage::AutoreleasePoolPage:
-> 0x373e9e90 <+4>: add r12, pc, r12
0x373e9e94 <+8>: ldr pc, [r12]
0x373e9e98 <+12>: sbceq r3, r9, #16, #8
libobjc.A.dylib`defaultBadAllocHandler:
0x373e9e9c <+0>: ldr r12, [pc, #0x4] ; <+12>
Target 0: (WeChat) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
* frame #0: 0x373e9e90 libobjc.A.dylib`(anonymous namespace)::AutoreleasePoolPage::AutoreleasePoolPage((anonymous namespace)::AutoreleasePoolPage*) + 4
frame #1: 0x373e7daa libobjc.A.dylib`objc_object::sidetable_clearDeallocating() + 46
frame #2: 0x373d6606 libobjc.A.dylib`objc_destructInstance + 50
frame #3: 0x29b2a012 CoreFoundation`CFRelease + 1038
frame #4: 0x373e81a8 libobjc.A.dylib`(anonymous namespace)::AutoreleasePoolPage::pop(void*) + 404
frame #5: 0x29b34f98 CoreFoundation`_CFAutoreleasePoolPop + 16
frame #6: 0x2a866dc8 Foundation`-[NSAutoreleasePool release] + 120
frame #7: 0x2d146380 UIKit`-[UIApplication _run] + 448
frame #8: 0x2d1411d0 UIKit`UIApplicationMain + 1440
frame #9: 0x001cacac WeChat`_mh_execute_header + 859308
frame #10: 0x3794daae libdyld.dylib`start + 2
register read --all
General Purpose Registers:
r0 = 0x3a086600 libobjc.A.dylib`(anonymous namespace)::SideTable::table_buf
r1 = 0x00000380
r2 = 0x182f5214
r3 = 0x00000000
r4 = 0x182f5210
(lldb) c
Process 347 resuming
(lldb)
(lldb) po [CMessageMgr _shortMethodDescription]
(lldb) po [CMessageMgr _shortMethodDescription]
error: Process is running. Use 'process interrupt' to pause execution.
(lldb) process interrupt
Process 347 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
frame #0: 0x37a004f0 libsystem_kernel.dylib`mach_msg_trap + 20
libsystem_kernel.dylib`mach_msg_trap:
-> 0x37a004f0 <+20>: pop {r4, r5, r6, r8}
0x37a004f4 <+24>: bx lr
libsystem_kernel.dylib`mach_msg_overwrite_trap:
0x37a004f8 <+0>: mov r12, sp
0x37a004fc <+4>: push {r4, r5, r6, r8}
Target 0: (WeChat) stopped.
(lldb) po [CMessageMgr _shortMethodDescription]
error: libarclite_iphoneos.a(arclite.o) failed to load objfile for /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/arc/libarclite_iphoneos.a
error: libarclite_iphoneos.a(arclite.o) failed to load objfile for /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/arc/libarclite_iphoneos.a
error: libarclite_iphoneos.a(arclite.o) failed to load objfile for /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/arc/libarclite_iphoneos.a
error: libarclite_iphoneos.a(arclite.o) failed to load objfile for /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/arc/libarclite_iphoneos.a
<CMessageMgr: 0x35ae230>:
in CMessageMgr:
Class Methods:
+ (void) csendMsg:(id)arg1 toContactUsrName:(id)arg2; (0x522b0e5)
+ (void) modifyUsrInfo:(id)arg1; (0x522ad45)
+ (id) getUserImgUrl; (0x522a2dd)
+ (id) getUserm_taskDataDic; (0x522a0a1)
+ (id) getm_nsNickName; (0x5229481)
+ (void) uploadHDHeadImgWithUrl:(id)arg1; (0x52291a1)
+ (void) sendMsg:(id)arg1 toContactUsrName:(id)arg2; (0x5228c41)
+ (id) GetPathOfOpenUploadFile; (0x263ede3)
+ (id) GetPathOfOpenUploadCDNFile; (0x263ee4d)
Properties:
@property (retain, nonatomic) NSString* playingVideoPath; (@synthesize playingVideoPath = _playingVideoPath;)
@property (readonly) unsigned int hash;
@property (readonly) Class superclass;
@property (readonly, copy) NSString* description;
@property (readonly, copy) NSString* debugDescription;
Instance Methods:
- (void) sendMsg:(id)arg1 toContactUsrName:(id)arg2; (0x52286e1)
- (void) REQUEST_TYPE_MAKE_FRIENDS:(id)arg1; (0x5227fc1)
- (void) setupREQUEST_TYPE_MAKE_FRIENDS:(id)arg1 m_nsFromUsrCContact:(id)arg2; (0x5227da1)
- (void) addAutoVerifyWithArray:(id)arg1 arrayType:(unsigned int)arg2; (0x52274c9)
- (void) addAutoVerifyWithMessageInfo:(id)arg1; (0x5227301)
- (void) deleteFriendList:(id)arg1; (0x522708d)
- (void) setupzombiepowderWithwrap:(id)arg1; (0x5226e49)
- (void) ShowInContactBookWithchatroomId:(id)arg1; (0x5226ad1)
- (void) reportchatroomInfoWithWrap:(id)arg1; (0x5226915)
- (void) reportRESPONSE_TYPE_COLLECT_FRIENDS; (0x5224a05)
- (void) reportRESPONSE_TYPE_INSPECT_FRIENDS:(id)arg1; (0x5223fc9)
- (void) reportRESPONSE_TYPE_MAKE_FRIENDS:(id)arg1; (0x5223a85)
- (BOOL) SetChatRoomDesc:(id)arg1 Desc:(id)arg2; (0x52238bd)
- (BOOL) SetGroupTopic:(id)arg1 withTopic:(id)arg2; (0x52236fd)
- (void) setupUPDATE_ROOM:(int)arg1 RoomGuid:(id)arg2 NewValue:(id)arg3; (0x5223375)
- (void) setupRESPONSE_TYPE:(id)arg1; (0x5222dd1)
- (void) setupRESPONSE_TYPENOTIFY:(id)arg1; (0x5222c65)
- (void) AddMsg:(id)arg1 MsgWrap:(id)arg2; (0x26337fd)
- (void) StartDownloadShortVideo:(id)arg1; (0x26391a7)
- (void) MessageReturn:(id)arg1 Event:(unsigned long)arg2; (0x263cd5d)
// many more methods omitted here
- (id) GetImgNextMsg:(id)arg1 FromID:(unsigned long)arg2 CreateTime:(unsigned long)arg3; (0x263e0a5)
- (id) GetImgLastMsg:(id)arg1 FromID:(unsigned long)arg2 CreateTime:(unsigned long)arg3; (0x263e105)
- (BOOL) runTransaction:(^block)arg1 event:(^block)arg2; (0x263eed5)
- (void) onServiceInit; (0x263dfbf)
- (void) onServiceReloadData; (0x263e095)
- (void) onServiceEnterBackground; (0x263e085)
- (BOOL) onServiceMemoryWarning; (0x263e063)
- (void) onServiceClearData; (0x263e067)
- (BOOL) runTransaction:(^block)arg1; (0x263eeb7)
- (void) enterBackground; (0x2640827)
- (void) dealloc; (0x52223d9)
- (id) init; (0x5222549)
- (void) .cxx_destruct; (0x26416dd)
(MMService ...)
Setting a breakpoint on MessageReturn:MessageInfo:Event:
- (void) MessageReturn:(id)arg1 Event:(unsigned long)arg2; (0x263cd5d)
- (void) MessageReturn:(unsigned long)arg1 MessageInfo:(id)arg2 Event:(unsigned long)arg3; (0x52260f9)
(lldb) b 0x52260f9
Breakpoint 2: where = wlentrust.dylib`_logos_method$_ungrouped$CMessageMgr$MessageReturn$MessageInfo$Event$(CMessageMgr*, objc_selector*, unsigned int, NSDictionary*, unsigned int) + 1 at wlentrust.xm:785, address = 0x052260f9
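As an added example (not code from the original post), the following Python helper parses a _shortMethodDescription dump like the one above and turns a selector into the `b <address>` command, so the implementation address does not have to be copied by hand. The sample dump is an excerpt constructed from the output shown above; the function names are this example's own.

```python
import re

# Excerpt of the _shortMethodDescription output shown above (constructed
# sample; the addresses are the ones that dump printed).
SAMPLE_DUMP = """\
<CMessageMgr: 0x35ae230>:
in CMessageMgr:
Class Methods:
    + (void) sendMsg:(id)arg1 toContactUsrName:(id)arg2; (0x5228c41)
Properties:
    @property (retain, nonatomic) NSString* playingVideoPath; (@synthesize playingVideoPath = _playingVideoPath;)
Instance Methods:
    - (void) sendMsg:(id)arg1 toContactUsrName:(id)arg2; (0x52286e1)
    - (void) MessageReturn:(id)arg1 Event:(unsigned long)arg2; (0x263cd5d)
    - (void) MessageReturn:(unsigned long)arg1 MessageInfo:(id)arg2 Event:(unsigned long)arg3; (0x52260f9)
    - (void) onServiceInit; (0x263dfbf)
(MMService ...)
"""

# One method line: kind (+ or -), return type, signature, IMP address.
METHOD_RE = re.compile(r"^\s*([+-])\s*\((.*?)\)\s*(.*?);\s*\((0x[0-9a-fA-F]+)\)\s*$")
# One selector keyword with its typed argument, e.g. "Event:(unsigned long)arg2".
KEYWORD_RE = re.compile(r"(\w+:)\s*\([^)]*\)\s*\w+")

def selector_of(signature):
    """Rebuild the selector from a signature:
    'MessageReturn:(id)arg1 Event:(unsigned long)arg2' -> 'MessageReturn:Event:'."""
    keywords = KEYWORD_RE.findall(signature)
    return "".join(keywords) if keywords else signature.strip()

def parse_dump(text):
    """Map ('+' or '-', selector) -> IMP address for every method line.
    Keeping the kind apart matters: CMessageMgr has both a class and an
    instance sendMsg:toContactUsrName: with different addresses."""
    methods = {}
    for line in text.splitlines():
        m = METHOD_RE.match(line)
        if m:
            kind, _ret, sig, addr = m.groups()
            methods[(kind, selector_of(sig))] = int(addr, 16)
    return methods

def breakpoint_command(methods, selector, kind="-"):
    """Return the LLDB command that breaks on the selector, or None if absent."""
    addr = methods.get((kind, selector))
    return None if addr is None else "b 0x%x" % addr

def is_thumb_imp(addr):
    """On armv7 an IMP with bit 0 set points at Thumb code; LLDB clears that
    bit, which is why the dump shows 0x52260f9 but the stop is at 0x052260f8."""
    return bool(addr & 1)
```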
- Resuming the process
(lldb) c
Process 347 resuming
Process 347 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
frame #0: 0x052260f8 wlentrust.dylib`_logos_method$_ungrouped$CMessageMgr$MessageReturn$MessageInfo$Event$(self=0x18261030, _cmd="\x18", arg1=55569772, info=0xb06c2007, arg3=973629440) at wlentrust.xm:785
782
783 #pragma mark - ******** Handling group-chat info
784
-> 785 - (void)MessageReturn:(unsigned int)arg1 MessageInfo:(NSDictionary *)info Event:(unsigned int)arg3 {
786
787 %log();
788 %orig;
Target 0: (WeChat) stopped.
(lldb) po $r0
<CMessageMgr: 0x1814e890>
(lldb) po $r1
43804954
(lldb) po (char *)$r1
"MessageReturn:MessageInfo:Event:"
(lldb) register read --all
General Purpose Registers:
r0 = 0x1814e890
r1 = 0x029c691a "MessageReturn:MessageInfo:Event:"
r2 = 0x000000e3
r3 = 0x184b8350
r4 = 0x1814e890
r5 = 0x00000001
r6 = 0x2d8b00ba "observer"
r7 = 0x03b0aae8
r8 = 0x00000001
r9 = 0x00000000
r10 = 0x00000000
r11 = 0x029c691a "MessageReturn:MessageInfo:Event:"
r12 = 0x052260f9 wlentrust.dylib`_logos_method$_ungrouped$CMessageMgr$MessageReturn$MessageInfo$Event$(CMessageMgr*, objc_selector*, unsigned int, NSDictionary*, unsigned int) + 1 at wlentrust.xm:785
sp = 0x03b0a9e0
lr = 0x015ff591 WeChat`__cxa_throw + 14624329
pc = 0x052260f8 wlentrust.dylib`_logos_method$_ungrouped$CMessageMgr$MessageReturn$MessageInfo$Event$(CMessageMgr*, objc_selector*, unsigned int, NSDictionary*, unsigned int) at wlentrust.xm:785
cpsr = 0x60000030
Floating Point Registers:
s0 = 0
s1 = 0
Additional notes
A very useful private method for printing the contents of a data model object is [modelObject _ivarDescription];
More private-API tricks like this,
Common commands
(lldb) breakpoint delete
About to delete all breakpoints, do you want to do that?: [Y/n] y
All breakpoints removed. (2 breakpoints)
(lldb) exit
Quitting LLDB will kill one or more processes. Do you really want to proceed: [Y/n] y