Step by step: using debugserver + lldb instead of gdb for dynamic debugging

iPhone 6: used arm64 as the architecture for lipo, tried it, no problem.

The iPhone 6 is an arm64 device to begin with.

SunJoy-Mac:bin root# lldb
(lldb) process connect connect://192.168.2.93:1234
c
error: unable to find section for section 34
error: unable to find section for section 35
error: unable to find section for section 35
error: unable to find section for section 35
error: unable to find section for section 35
error: unable to find section for section 35
error: unable to find section for section 35
error: unable to find section for section 35
error: unable to find section for section 35
error: unable to find section for section 35
error: unable to find section for section 35
error: unable to find section for section 33
error: unable to find section for section 33
error: unable to find section for section 33
error: unable to find section for section 34
error: unable to find section for section 34
error: unable to find section for section 34
error: unable to find section for section 34
error: unable to find section for section 34
error: unable to find section for section 34
error: unable to find section for section 34
error: unable to find section for section 34
error: unable to find section for section 34
error: unable to find section for section 33

What is going on here? It keeps doing this.

Which process are you debugging? Try a different process and see whether you get the same problem.

I already posted about it, it's this thread: http://bbs.iosre.com/t/oplayer-lite-lldb/617
It's the OPlayer Lite ad example, debugging it with lldb.

Following the forum, debugging with lldb:
SunJoyde-iPad:~ root# debugserver *:321 -a "OPlayerHD Lite"
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-320.2.89
for arm64.
Attaching to process OPlayerHD Lite…
Listening to port 321 for a connection from *…
Waiting for debugger instructions for process 0.

It attached successfully, but the Mac side keeps erroring out.

lldb-320.4.152
The instructions shown while debugging differ from what IDA shows:
0x46d578: strls r4, [r8], #-1667
0x46d57c: adcshs pc, lr, r2, asr #12
0x46d580: subsne pc, r9, r0, asr #5
0x46d584: ldrbtmi r4, [r8], #-1565

IDA:
__text:0046D578 MOV R11, R0
__text:0046D57A STR R4, [SP,#0xA4+var_84]
__text:0046D57C MOV R0, #(___stack_chk_guard_ptr - 0x46D58A)
__text:0046D584 MOV R5, R3

offset=0

Is it because of the lldb version?
Debug device: iOS 8, iPhone 5
Thinned with armv7s

It is an LLDB version problem; the solution is in this thread.

@snakeninny

I set a breakpoint on a button event handler. I computed the address correctly, but it doesn't stop when I tap the button. Please help.

[  0] 0x0008b000
-[SVDowningCell pauseOrResume:] __text 000AAA00 00000452 00000040 00000000 R . . . B T .
After computing I get 0x135A00, so I run the command

(lldb) br s -a 0x135A00
Breakpoint 3: where = PiQu`PiQu[0x000aaa00], address = 0x00135a00

Breakpoint info:
3: address = 0x00135a00, locations = 1, resolved = 1, hit count = 0
3.1: where = PiQu`PiQu[0x000aaa00], address = 0x00135a00, resolved, hit count = 0

But tapping the button does nothing. lldb-320.4.124.10, Xcode 6.0.1

How do you handle an app with a Chinese name? The command debugserver *:1234 -a "中文" simply cannot be used; in the terminal after SSHing into the device there is no way to type Chinese at all.
ps -e: /var/mobile/Containers/Bundle/Application/828DE761-9F9E-4BB4-AE92-E4070F0C237A/M-eM^MM^CM-gM^BM-.M-fM^MM^UM-iM-1M-<.app/M-eM^MM^CM-gM^BM-.M-fM^MM^UM-iM-1M-<
I just can't attach to it.


warning: unable to find and load segment named '__DATA' at 0x36c98000 in '' in macosx dynamic loader plug-in.
warning: unable to find and load segment named '__LINKEDIT' at 0x39132000 in '' in macosx dynamic loader plug-in.
warning: unable to find and load segment named '__DATA' at 0x37b67000 in '' in macosx dynamic loader plug-in.
warning: unable to find and load segment named '__LINKEDIT' at 0x39132000 in '' in macosx dynamic loader plug-in.
Process 1571 stopped

* thread #1: tid = 0x1299a, 0x36b534f0 libsystem_kernel.dylib, stop reason = signal SIGSTOP
    frame #0: 0x36b534f0 libsystem_kernel.dylib
error: error reading data from section __text
(lldb) next
Process 1571 exited with status = -1 (0xffffffff) lost connection

What does this error mean?

Does it affect debugging? If not, just ignore it.

It died right after a single next:
Process 1571 exited with status = -1 (0xffffffff) lost connection

That is probably a poor network signal; try debugging over USB instead.

Expert, if I am locating a function that jumps from the SpringBoard dylib into another dylib, how do I compute the address to search for in IDA?
Process 3471 stopped

* thread #1: tid = 0x181ac, 0x00000001003aa938 SpringBoard, queue = 'com.apple.main-thread', stop reason = instruction step into
    frame #0: 0x00000001003aa938 SpringBoard
    → 0x1003aa938: br x16
    0x1003aa93c: nop
    0x1003aa940: ldr x16, #985784 ; (void *)0x0000000196e9bce0: objc_msgSendSuper2
    0x1003aa944: br x16

(lldb) dis
libobjc.A.dylib`objc_msgSend:
→ 0x196e9bbc0: cmp x0, #0
0x196e9bbc4: b.le 0x196e9bc30 ; objc_msgSend + 112
0x196e9bbc8: ldr x13, [x0]
0x196e9bbcc: and x9, x13, #0x1fffffff8
0x196e9bbd0: ldp x10, x11, [x9, #16]
0x196e9bbd4: and w12, w1, w11
0x196e9bbd8: add x12, x10, x12, lsl #4
image list -o -f

[121] 0x0000000004ac4000 /Users/panda/Library/Developer/Xcode/iOS DeviceSupport/8.1.2 (12B440)/Symbols/usr/lib/libobjc.A.dylib

0x196e9bbc0 - 0x0000000004ac4000: the computed address does not exist in IDA.
What should I do?
Dragging libobjc.A.dylib into IDA, it isn't found.
Also, I directly ran
(lldb) x 0x196e9bbc0
0x196e9bbc0: 1f 00 00 f1 6d 03 00 54 0d 00 40 f9 a9 75 7d 92 …m…T…@…u}.
0x196e9bbd0: 2a 2d 41 a9 2c 00 0b 0a 4c 11 0c 8b 90 45 40 a9 *-A.,…L…E@.

Searching for the byte sequence didn't find it either?????

/Symbols/usr/lib/libobjc.A.dylib: in the armv7s libobjc.A.dylib exported with dyld_decache,
imported into IDA, I searched and found:
EXPORT _objc_msgSend
_objc_msgSend _objc_msgSend ; CODE XREF: _redacted__53+56p
_objc_msgSend ; _redacted__54+3Ep …
_objc_msgSend CBZ R0, loc_2F122F7E
_objc_msgSend+2 LDR.W R9, [R0]
_objc_msgSend+6 LDRH.W R12, [R9,#0xC]
_objc_msgSend+A LDR.W R9, [R9,#8]
_objc_msgSend+E AND.W R12, R12, R1
_objc_msgSend+12 ADD.W R9, R9, R12,LSL#3
_objc_msgSend+16 LDR.W R12, [R9]

It is different from the code I am debugging??? What is going on?

The code differs because you got the address wrong.

Expert, how do I compute the address from SpringBoard to libobjc.A.dylib?
Process 3471 stopped

* thread #1: tid = 0x181ac, 0x00000001003aa938 SpringBoard, queue = 'com.apple.main-thread', stop reason = instruction step into
    frame #0: 0x00000001003aa938 SpringBoard
    → 0x1003aa938: br x16
    0x1003aa93c: nop
    0x1003aa940: ldr x16, #985784 ; (void *)0x0000000196e9bce0: objc_msgSendSuper2
    0x1003aa944: br x16

(lldb) dis
libobjc.A.dylib`objc_msgSend:
→ 0x196e9bbc0: cmp x0, #0
0x196e9bbc4: b.le 0x196e9bc30 ; objc_msgSend + 112
0x196e9bbc8: ldr x13, [x0]
0x196e9bbcc: and x9, x13, #0x1fffffff8
0x196e9bbd0: ldp x10, x11, [x9, #16]
0x196e9bbd4: and w12, w1, w11
0x196e9bbd8: add x12, x10, x12, lsl #4
image list -o -f

You are now inside libobjc.A.dylib.
Take 0x196e9bbc0 minus the ASLR offset of libobjc.A.dylib; the result is its address in IDA.
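The two address conversions discussed in this thread (IDA address + ASLR slide = runtime address for `br s -a`, and runtime address - slide = IDA address) depend on reading the slide of the right module out of `image list -o -f`. The following is an added example, not code from the original thread or from any of its posters: it parses a constructed `image list -o -f` sample in the same shape as the lines pasted above, using the two slides quoted in the thread (0x0008b000 for PiQu, 0x0000000004ac4000 for libobjc.A.dylib). The PiQu path in the sample is assumed; lldb prints the real container path.

```python
import re

# Constructed sample of `image list -o -f` output, in the same shape as the
# lines pasted in this thread: [index] slide path. The slides are the ones
# quoted above; the PiQu path is an assumption for the sample.
IMAGE_LIST = """\
[  0] 0x0008b000 /var/mobile/Containers/Bundle/Application/PiQu.app/PiQu
[121] 0x0000000004ac4000 /Users/panda/Library/Developer/Xcode/iOS DeviceSupport/8.1.2 (12B440)/Symbols/usr/lib/libobjc.A.dylib
"""

# Index in brackets, hex slide, then the path (which may contain spaces).
LINE_RE = re.compile(r"^\[\s*(\d+)\]\s+(0x[0-9a-fA-F]+)\s+(.+)$")


def parse_image_list(text):
    """Map each module's basename to its ASLR slide (offset) as an int."""
    slides = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip prompts, blank lines, anything that is not an image row
        _, slide, path = m.groups()
        slides[path.rsplit("/", 1)[-1]] = int(slide, 16)
    return slides


def ida_to_runtime(slides, module, ida_addr):
    """Address shown in IDA for `module` -> address in the running process."""
    return ida_addr + slides[module]


def runtime_to_ida(slides, module, runtime_addr):
    """Address from lldb -> address to jump to in IDA's view of `module`.

    Only meaningful if runtime_addr really lies inside `module`; a negative
    result means the wrong module's slide was used.
    """
    ida_addr = runtime_addr - slides[module]
    if ida_addr < 0:
        raise ValueError("0x%x is below the load address of %s" % (runtime_addr, module))
    return ida_addr


def breakpoint_command(slides, module, ida_addr):
    """The `br s -a` command to set a breakpoint at an IDA address."""
    return "br s -a 0x%x" % ida_to_runtime(slides, module, ida_addr)


if __name__ == "__main__":
    slides = parse_image_list(IMAGE_LIST)
    # -[SVDowningCell pauseOrResume:] at 0xAAA00 in IDA, PiQu slid by 0x8b000
    print(breakpoint_command(slides, "PiQu", 0xAAA00))
    # objc_msgSend seen at 0x196e9bbc0 in lldb, libobjc.A.dylib slid by 0x4ac4000
    print("0x%x" % runtime_to_ida(slides, "libobjc.A.dylib", 0x196E9BBC0))
```

The subtraction only gives a usable IDA address when the IDA database was built from the very same binary the process has loaded: the same architecture slice, and for a shared-cache library such as libobjc.A.dylib, a copy extracted from the cache of the device being debugged, which is what the last reply in this thread is checking.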

So here is the question.
Why does 0x196e9bbc0 - 0x0000000004ac4000 give an address that cannot be found in IDA?
IDA shows: Command "JumpAsk" failed
The main thing is that even a byte search finds nothing.
Searching directly in IDA for libobjc.A.dylib's _objc_msgSend,
EXPORT _objc_msgSend, gives code that differs from what I am debugging.
I suspect the dylib I exported with dyld_decache is not the same as the dylib being debugged.
Expert, what do you think?

That can't be, can it? Did you copy the cache file from this very device?