Step by step: using debugserver + lldb instead of gdb for dynamic debugging

What exactly did you do, start to finish? Paste the commands and their output so we can take a look.

It may have been a network issue; after switching to a USB connection it worked. Thanks!

sudo scp root@192.168.207.17:/Developer/usr/bin/debugserver ~/debugserver

ssh: connect to host 192.168.207.17 port 22: Connection refused

What is causing this?

It's an ssh problem. Is the ssh service not installed on the iOS device?

When I execute this line:
td:~ root# debugserver *:1234 -a "SpringBoard"

it reports the error:
-sh: /usr/bin/debugserver: Bad CPU type in executable

Is there something wrong with your debugserver? On OS X, run

otool -h

on it to check its instruction set.

Solved. It was caused by an ARM architecture mismatch.

When I print with bt all, why can't I see a single method name from inside WeChat?

thread #1: tid = 0x1f03, 0x0113afb4 MicroMessenger, queue = 'com.apple.main-thread', stop reason = instruction step over
  * frame #0: 0x0113afb4 MicroMessenger

thread #4: tid = 0x2203, 0x3982e648 libsystem_kernel.dylib`kevent64 + 24, queue = 'com.apple.libdispatch-manager'
  frame #0: 0x3982e648 libsystem_kernel.dylib`kevent64 + 24
  frame #1: 0x397674f0 libdispatch.dylib`_dispatch_mgr_invoke + 796
  frame #2: 0x39759df8 libdispatch.dylib`_dispatch_mgr_thread$VARIANT$up + 36

thread #5: tid = 0x2303, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
  frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
  frame #3: 0x01b7095e MicroMessenger
  frame #4: 0x01b856f0 MicroMessenger
  frame #5: 0x01b8242c MicroMessenger
  frame #6: 0x01b8551c MicroMessenger
  frame #7: 0x39797310 libsystem_c.dylib`_pthread_start + 308
  frame #8: 0x397971d8 libsystem_c.dylib`thread_start + 8

thread #6: tid = 0x2403, 0x3982deb4 libsystem_kernel.dylib`mach_msg_trap + 20, name = 'WebThread'
  frame #0: 0x3982deb4 libsystem_kernel.dylib`mach_msg_trap + 20
  frame #1: 0x3982e04c libsystem_kernel.dylib`mach_msg + 40
  frame #2: 0x31695044 CoreFoundation`__CFRunLoopServiceMachPort + 128
  frame #3: 0x31693da2 CoreFoundation`__CFRunLoopRun + 882
  frame #4: 0x31606ebc CoreFoundation`CFRunLoopRunSpecific + 356
  frame #5: 0x31606d48 CoreFoundation`CFRunLoopRunInMode + 104
  frame #6: 0x375f6504 WebCore + 444
  frame #7: 0x39797310 libsystem_c.dylib`_pthread_start + 308

thread #9: tid = 0x2703, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
  frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
  frame #3: 0x01b7095e MicroMessenger
  frame #4: 0x01b46666 MicroMessenger
  frame #5: 0x01b46c38 MicroMessenger
  frame #6: 0x01b8551c MicroMessenger
  frame #7: 0x39797310 libsystem_c.dylib`_pthread_start + 308

thread #10: tid = 0x2803, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
  frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
  frame #3: 0x01b7095e MicroMessenger
  frame #4: 0x01b46666 MicroMessenger
  frame #5: 0x01b47078 MicroMessenger
  frame #6: 0x01b8551c MicroMessenger
  frame #7: 0x39797310 libsystem_c.dylib`_pthread_start + 308

thread #11: tid = 0x2903, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
  frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
  frame #3: 0x01b7095e MicroMessenger
  frame #4: 0x01b856f0 MicroMessenger
  frame #5: 0x01b85666 MicroMessenger
  frame #6: 0x39797310 libsystem_c.dylib`_pthread_start + 308

thread #12: tid = 0x2a03, 0x3983e594 libsystem_kernel.dylib`__select + 20
  frame #0: 0x3983e594 libsystem_kernel.dylib`__select + 20
  frame #1: 0x01b4a738 MicroMessenger
  frame #2: 0x01bd952a MicroMessenger
  frame #3: 0x01bd60c0 MicroMessenger
  frame #4: 0x01b8551c MicroMessenger
  frame #5: 0x39797310 libsystem_c.dylib`_pthread_start + 308

thread #13: tid = 0x2b03, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
  frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
  frame #3: 0x01b7095e MicroMessenger
  frame #4: 0x01b856f0 MicroMessenger
  frame #5: 0x01b5ed50 MicroMessenger
  frame #6: 0x39797310 libsystem_c.dylib`_pthread_start + 308

thread #14: tid = 0x2c03, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
  frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
  frame #3: 0x01b7095e MicroMessenger
  frame #4: 0x01b133c0 MicroMessenger
  frame #5: 0x01b8551c MicroMessenger
  frame #6: 0x39797310 libsystem_c.dylib`_pthread_start + 308

thread #15: tid = 0x2d03, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
  frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
  frame #3: 0x01b7095e MicroMessenger
  frame #4: 0x01b19b22 MicroMessenger
  frame #5: 0x01b8551c MicroMessenger
  frame #6: 0x39797310 libsystem_c.dylib`_pthread_start + 308

thread #19: tid = 0x3103, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
  frame #2: 0x39799f18 libsystem_c.dylib`pthread_cond_wait + 40
  frame #3: 0x31f534d6 Foundation`-[NSCondition wait] + 194
  frame #4: 0x00a07a7a MicroMessenger
  frame #5: 0x31fd6e84 Foundation`NSThread__main + 972
  frame #6: 0x39797310 libsystem_c.dylib`_pthread_start + 308

thread #24: tid = 0x3603, 0x3983e6a4 libsystem_kernel.dylib`__semwait_signal + 24
  frame #0: 0x3983e6a4 libsystem_kernel.dylib`__semwait_signal + 24
  frame #1: 0x3979c3d2 libsystem_c.dylib`nanosleep + 142
  frame #2: 0x3979c33e libsystem_c.dylib`usleep + 50
  frame #3: 0x01b2e7f6 MicroMessenger
  frame #4: 0x01b2e90c MicroMessenger
  frame #5: 0x01b2e4c8 MicroMessenger
  frame #6: 0x01f6c05c MicroMessenger
  frame #7: 0x39797310 libsystem_c.dylib`_pthread_start + 308

thread #27: tid = 0x3903, 0x3983e6a4 libsystem_kernel.dylib`__semwait_signal + 24
  frame #0: 0x3983e6a4 libsystem_kernel.dylib`__semwait_signal + 24
  frame #1: 0x3979c3d2 libsystem_c.dylib`nanosleep + 142
  frame #2: 0x397fcdea libsystem_c.dylib`sleep + 46
  frame #3: 0x01a198be MicroMessenger`#H??Y??/??)??D ????* + 500514
  frame #4: 0x31fd6e84 Foundation`NSThread__main + 972
  frame #5: 0x39797310 libsystem_c.dylib`_pthread_start + 308

thread #28: tid = 0x3a03, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24, name = 'JavaScriptCore::BlockFree'
  frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
  frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
  frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
  frame #3: 0x355b0c74 JavaScriptCore`WTF::ThreadCondition::timedWait(WTF::Mutex&, double) + 108
  frame #4: 0x356c2556 JavaScriptCore + 82
  frame #5: 0x356d4faa JavaScriptCore`<redacted> + 14
  frame #6: 0x39797310 libsystem_c.dylib`_pthread_start + 308

thread #29: tid = 0x3e1b, 0x3982deb4 libsystem_kernel.dylib`mach_msg_trap + 20
  frame #0: 0x3982deb4 libsystem_kernel.dylib`mach_msg_trap + 20
  frame #1: 0x3982e04c libsystem_kernel.dylib`mach_msg + 40
  frame #2: 0x31695044 CoreFoundation`__CFRunLoopServiceMachPort + 128
  frame #3: 0x31693da2 CoreFoundation`__CFRunLoopRun + 882
  frame #4: 0x31606ebc CoreFoundation`CFRunLoopRunSpecific + 356
  frame #5: 0x316659ba CoreFoundation`CFRunLoopRun + 98
  frame #6: 0x31c81bce CoreMotion`CLMotionCore::runMotionThread(void*) + 954
  frame #7: 0x39797310 libsystem_c.dylib`_pthread_start + 308

thread #30: tid = 0x3f1b, 0x3983ed98 libsystem_kernel.dylib`__workq_kernreturn + 8
  frame #0: 0x3983ed98 libsystem_kernel.dylib`__workq_kernreturn + 8
  frame #1: 0x3978ccfa libsystem_c.dylib`_pthread_workq_return + 18
  frame #2: 0x3978ca16 libsystem_c.dylib`_pthread_wqthread + 366
  frame #3: 0x3978c8a4 libsystem_c.dylib`start_wqthread + 8

thread #31: tid = 0x4003, 0x3983ed98 libsystem_kernel.dylib`__workq_kernreturn + 8
  frame #0: 0x3983ed98 libsystem_kernel.dylib`__workq_kernreturn + 8
  frame #1: 0x3978ccfa libsystem_c.dylib`_pthread_workq_return + 18
  frame #2: 0x3978ca16 libsystem_c.dylib`_pthread_wqthread + 366

thread #32: tid = 0x4103, 0x3983ed98 libsystem_kernel.dylib`__workq_kernreturn + 8
  frame #0: 0x3983ed98 libsystem_kernel.dylib`__workq_kernreturn + 8
  frame #1: 0x3978ccfa libsystem_c.dylib`_pthread_workq_return + 18
  frame #2: 0x3978ca16 libsystem_c.dylib`_pthread_wqthread + 366

IDA has Edit->Segments->Rebase program; you don't have to work it out by hand every time, do you? :smile:

What is rebase for? I've never used it...

Once you have the ASLR offset, rebase in IDA using that offset value, and the addresses in IDA will then match the addresses in the debugger.

I just tried it, and rebase is indeed very useful, but it seems that after entering it like this:

the whole image is not shifted by 0x36000; instead its original base is replaced with 0x36000. So if you want to rebase, the value to rebase to should be

image base address + ASLR offset

rather than

ASLR offset

(lldb) image list -o -f
  0] 0x00078000 /private/var/db/stash/_.29LMeZ/Applications/Preferences.app/Preferences(0x000000000007c000)

that is, the 0x78000 here, not the 0x7c000 in the parentheses, right?

Right. I phrased it badly, sorry.
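As an added example (not code from the original thread or from the book it discusses), here is a small Python script that automates the arithmetic worked out above. It parses `image list -o -f` lines to get each module's ASLR slide, computes the value to enter in IDA's Edit->Segments->Rebase program (image base + ASLR offset, not the offset alone), and rewrites the symbol-less `MicroMessenger` frames from a `bt` like the one posted earlier into the static addresses you would look up in an un-rebased IDA database. The Preferences line is the one quoted above; the MicroMessenger image-list line (its path and its 0x36000 slide) is constructed so that it matches the backtrace addresses, and the image base of 0x4000 follows from the quoted numbers (0x7c000 in parentheses minus the 0x78000 slide), not from anything else on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `image list -o -f` output. The Preferences line is the
# one quoted in the thread; the MicroMessenger line is invented (path, slide and
# header address) so that the backtrace frames below resolve against it.
IMAGE_LIST = """\
[  0] 0x00078000 /private/var/db/stash/_.29LMeZ/Applications/Preferences.app/Preferences(0x000000000007c000)
[  1] 0x00036000 /var/mobile/Applications/EXAMPLE-UUID/MicroMessenger.app/MicroMessenger(0x000000000003a000)
"""

# Constructed sample of `bt` output: frames 0 and 3 carry only a module name,
# as in the thread; frame 7 has the usual module`symbol + offset form.
BACKTRACE = """\
  * frame #0: 0x0113afb4 MicroMessenger
    frame #3: 0x01b7095e MicroMessenger
    frame #7: 0x39797310 libsystem_c.dylib`_pthread_start + 308
"""

# "[  0] <slide> <path>(<header load address>)"
IMAGE_RE = re.compile(r"^\[\s*\d+\]\s+(0x[0-9a-fA-F]+)\s+(\S+?)\((0x[0-9a-fA-F]+)\)\s*$")
# "  * frame #N: <addr> <module>" optionally followed by "`<symbol> + <offset>"
FRAME_RE = re.compile(r"^\s*\*?\s*frame #(\d+): (0x[0-9a-fA-F]+) (\S+?)(?:`(.+))?$")


@dataclass(frozen=True)
class ModuleInfo:
    slide: int        # ASLR slide: the first column printed by `image list -o`
    header_addr: int  # load address of the Mach-O header: the value in parentheses

    @property
    def unslid_base(self) -> int:
        # The address IDA loaded the image at, i.e. without ASLR applied.
        return self.header_addr - self.slide


def parse_image_list(text: str) -> Dict[str, ModuleInfo]:
    """Map each module's basename to its slide and header load address."""
    modules: Dict[str, ModuleInfo] = {}
    for line in text.splitlines():
        m = IMAGE_RE.match(line)
        if not m:
            continue
        slide, path, header = m.groups()
        modules[path.rsplit("/", 1)[-1]] = ModuleInfo(int(slide, 16), int(header, 16))
    return modules


def rebase_target(mod: ModuleInfo) -> int:
    """Value for IDA's Rebase program dialog.

    IDA replaces the base instead of adding to it, so the target must be
    image base + ASLR offset; entering the offset alone moves the image to
    the wrong place (the mistake described in the thread).
    """
    return mod.unslid_base + mod.slide


def runtime_to_static(addr: int, mod: ModuleInfo) -> int:
    """Debugger address -> address in an un-rebased IDA database."""
    return addr - mod.slide


def static_to_runtime(addr: int, mod: ModuleInfo) -> int:
    """IDA address -> address to use in lldb (e.g. for an address breakpoint)."""
    return addr + mod.slide


@dataclass(frozen=True)
class Frame:
    index: int
    runtime_addr: int
    module: str
    symbol: Optional[str]       # None when lldb printed only the module name
    static_addr: Optional[int]  # None when the module is not in the image list


def resolve_backtrace(bt_text: str, modules: Dict[str, ModuleInfo]) -> List[Frame]:
    """Attach un-slid (IDA) addresses to frames whose module slide is known."""
    frames: List[Frame] = []
    for line in bt_text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        idx, addr, module, symbol = m.groups()
        runtime = int(addr, 16)
        mod = modules.get(module)
        static = runtime_to_static(runtime, mod) if mod else None
        frames.append(Frame(int(idx), runtime, module, symbol, static))
    return frames


if __name__ == "__main__":
    mods = parse_image_list(IMAGE_LIST)
    for name, mod in mods.items():
        print(f"{name}: slide={mod.slide:#x} base={mod.unslid_base:#x} "
              f"rebase IDA to {rebase_target(mod):#x}")
    for f in resolve_backtrace(BACKTRACE, mods):
        where = f.symbol or (f"IDA {f.static_addr:#010x}" if f.static_addr is not None else "?")
        print(f"frame #{f.index}: {f.runtime_addr:#010x} {f.module} -> {where}")
```

For the quoted Preferences line the script reports a rebase target of 0x7c000, which is the 0x78000 slide added to the 0x4000 base; for the constructed MicroMessenger frames it turns 0x0113afb4 into the IDA address 0x01104fb4, the number to jump to in the un-rebased database when `bt all` shows nothing but the module name.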

狗神, when I use lldb, image list -o -f only shows address information for the relevant system libraries. Why is there no address information for other apps? Which command should I use to find it?

What you attach lldb to is one particular process, so naturally you can only see information inside that process, not anything outside it.

Oh, I get it, thanks 狗神. It's sorted now. Also, when is the second edition coming out? I'm eagerly waiting to read it.

  1. Granting debugserver the task_for_pid entitlement
    The debugserver in the code here should be a path, not just the name, right?
    I tried many times with just the name and it failed; after changing it to a path based on the error message, it worked.

I'm stuck at this point too, and the phone has frozen completely.
iPhone:/usr/bin root# debugserver *:1234 -a "SpringBoard"
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-320.2.89
for armv7.
Attaching to process SpringBoard…
Listening to port 1234 for a connection from *…

How do I connect back to it? Could you write out the exact commands?