What exactly did you do? Paste the commands and the output so we can have a look.
It may have been a network issue. It worked after I switched to a USB connection. Thanks!
sudo scp root@192.168.207.17:/Developer/usr/bin/debugserver ~/debugserver
ssh: connect to host 192.168.207.17 port 22: Connection refused
What is this problem?
An ssh problem. Is the ssh service not installed on iOS?
When I run this: td:~ root# debugserver *:1234 -a "SpringBoard"
it reports the error
-sh: /usr/bin/debugserver: Bad CPU type in executable
Something is wrong with your debugserver, isn't it? On OS X, run
otool -h
to check its instruction set.
Solved. It was caused by an ARM architecture mismatch.
When I print with bt all, why can't I see a single method name from WeChat?
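"Bad CPU type in executable" means the binary was built for a different architecture than the device. As an added example (not from the original thread), the following Python reads the Mach-O header the same way `otool -h` reports it and lists the CPU slices; the header bytes are constructed inline, so it runs without a real binary.

```python
import struct

# Mach-O header constants from <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit thin, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit thin
FAT_MAGIC = 0xCAFEBABE                              # fat (universal); header is big-endian
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}

def mach_o_archs(data):
    """Return the CPU architectures contained in a Mach-O image (thin or fat)."""
    (magic,) = struct.unpack(">I", data[:4])
    if magic == FAT_MAGIC:
        (nfat,) = struct.unpack(">I", data[4:8])
        # fat_arch entries (5 x uint32 each) follow the 8-byte fat_header
        return [CPU_NAMES.get(struct.unpack(">I", data[8 + 20 * i:12 + 20 * i])[0], "unknown")
                for i in range(nfat)]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = ">"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = "<"          # file is little-endian (the case for armv7 and x86_64 binaries)
    else:
        raise ValueError("not a Mach-O image")
    (cputype,) = struct.unpack(endian + "I", data[4:8])
    return [CPU_NAMES.get(cputype, "unknown")]

def runs_on_armv7_device(data):
    """True if the image has an 'arm' slice, i.e. it can execute on the armv7 iPhone above."""
    return "arm" in mach_o_archs(data)

# Constructed sample headers (no load commands or code): enough for the check above.
def sample_thin(cputype, bits=32):
    if bits == 32:
        return struct.pack("<7I", MH_MAGIC, cputype, 0, 2, 0, 0, 0)       # mach_header
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)     # mach_header_64

def sample_fat(cputypes):
    out = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, ct in enumerate(cputypes):
        out += struct.pack(">5I", ct, 0, 4096 * (i + 1), 28, 12)  # cputype, subtype, offset, size, align
    return out

if __name__ == "__main__":
    for name, blob in [("armv7 debugserver", sample_thin(12)),
                       ("x86_64 build", sample_thin(0x01000007, bits=64)),
                       ("fat arm+arm64", sample_fat([12, 0x0100000C]))]:
        print(name, mach_o_archs(blob), "runs on armv7:", runs_on_armv7_device(blob))
```

To check a real file, pass `open(path, "rb").read()` to `mach_o_archs`; a debugserver copied from an x86 Xcode build shows no "arm" slice, which is exactly what the kernel rejects with "Bad CPU type".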
thread #1: tid = 0x1f03, 0x0113afb4 MicroMessenger, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x0113afb4 MicroMessenger
thread #4: tid = 0x2203, 0x3982e648 libsystem_kernel.dylib`kevent64 + 24, queue = 'com.apple.libdispatch-manager'
    frame #0: 0x3982e648 libsystem_kernel.dylib`kevent64 + 24
    frame #1: 0x397674f0 libdispatch.dylib`_dispatch_mgr_invoke + 796
    frame #2: 0x39759df8 libdispatch.dylib`_dispatch_mgr_thread$VARIANT$up + 36
thread #5: tid = 0x2303, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
    frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
    frame #3: 0x01b7095e MicroMessenger
    frame #4: 0x01b856f0 MicroMessenger
    frame #5: 0x01b8242c MicroMessenger
    frame #6: 0x01b8551c MicroMessenger
    frame #7: 0x39797310 libsystem_c.dylib`_pthread_start + 308
    frame #8: 0x397971d8 libsystem_c.dylib`thread_start + 8
thread #6: tid = 0x2403, 0x3982deb4 libsystem_kernel.dylib`mach_msg_trap + 20, name = 'WebThread'
    frame #0: 0x3982deb4 libsystem_kernel.dylib`mach_msg_trap + 20
    frame #1: 0x3982e04c libsystem_kernel.dylib`mach_msg + 40
    frame #2: 0x31695044 CoreFoundation`__CFRunLoopServiceMachPort + 128
    frame #3: 0x31693da2 CoreFoundation`__CFRunLoopRun + 882
    frame #4: 0x31606ebc CoreFoundation`CFRunLoopRunSpecific + 356
    frame #5: 0x31606d48 CoreFoundation`CFRunLoopRunInMode + 104
    frame #6: 0x375f6504 WebCore` + 444
    frame #7: 0x39797310 libsystem_c.dylib`_pthread_start + 308
thread #9: tid = 0x2703, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
    frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
    frame #3: 0x01b7095e MicroMessenger
    frame #4: 0x01b46666 MicroMessenger
    frame #5: 0x01b46c38 MicroMessenger
    frame #6: 0x01b8551c MicroMessenger
    frame #7: 0x39797310 libsystem_c.dylib`_pthread_start + 308
thread #10: tid = 0x2803, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
    frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
    frame #3: 0x01b7095e MicroMessenger
    frame #4: 0x01b46666 MicroMessenger
    frame #5: 0x01b47078 MicroMessenger
    frame #6: 0x01b8551c MicroMessenger
    frame #7: 0x39797310 libsystem_c.dylib`_pthread_start + 308
thread #11: tid = 0x2903, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
    frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
    frame #3: 0x01b7095e MicroMessenger
    frame #4: 0x01b856f0 MicroMessenger
    frame #5: 0x01b85666 MicroMessenger
    frame #6: 0x39797310 libsystem_c.dylib`_pthread_start + 308
thread #12: tid = 0x2a03, 0x3983e594 libsystem_kernel.dylib`__select + 20
    frame #0: 0x3983e594 libsystem_kernel.dylib`__select + 20
    frame #1: 0x01b4a738 MicroMessenger
    frame #2: 0x01bd952a MicroMessenger
    frame #3: 0x01bd60c0 MicroMessenger
    frame #4: 0x01b8551c MicroMessenger
    frame #5: 0x39797310 libsystem_c.dylib`_pthread_start + 308
thread #13: tid = 0x2b03, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
    frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
    frame #3: 0x01b7095e MicroMessenger
    frame #4: 0x01b856f0 MicroMessenger
    frame #5: 0x01b5ed50 MicroMessenger
    frame #6: 0x39797310 libsystem_c.dylib`_pthread_start + 308
thread #14: tid = 0x2c03, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
    frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
    frame #3: 0x01b7095e MicroMessenger
    frame #4: 0x01b133c0 MicroMessenger
    frame #5: 0x01b8551c MicroMessenger
    frame #6: 0x39797310 libsystem_c.dylib`_pthread_start + 308
thread #15: tid = 0x2d03, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
    frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
    frame #3: 0x01b7095e MicroMessenger
    frame #4: 0x01b19b22 MicroMessenger
    frame #5: 0x01b8551c MicroMessenger
    frame #6: 0x39797310 libsystem_c.dylib`_pthread_start + 308
thread #19: tid = 0x3103, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
    frame #2: 0x39799f18 libsystem_c.dylib`pthread_cond_wait + 40
    frame #3: 0x31f534d6 Foundation`-[NSCondition wait] + 194
    frame #4: 0x00a07a7a MicroMessenger
    frame #5: 0x31fd6e84 Foundation`NSThread__main + 972
    frame #6: 0x39797310 libsystem_c.dylib`_pthread_start + 308
thread #24: tid = 0x3603, 0x3983e6a4 libsystem_kernel.dylib`__semwait_signal + 24
    frame #0: 0x3983e6a4 libsystem_kernel.dylib`__semwait_signal + 24
    frame #1: 0x3979c3d2 libsystem_c.dylib`nanosleep + 142
    frame #2: 0x3979c33e libsystem_c.dylib`usleep + 50
    frame #3: 0x01b2e7f6 MicroMessenger
    frame #4: 0x01b2e90c MicroMessenger
    frame #5: 0x01b2e4c8 MicroMessenger
    frame #6: 0x01f6c05c MicroMessenger
    frame #7: 0x39797310 libsystem_c.dylib`_pthread_start + 308
thread #27: tid = 0x3903, 0x3983e6a4 libsystem_kernel.dylib`__semwait_signal + 24
    frame #0: 0x3983e6a4 libsystem_kernel.dylib`__semwait_signal + 24
    frame #1: 0x3979c3d2 libsystem_c.dylib`nanosleep + 142
    frame #2: 0x397fcdea libsystem_c.dylib`sleep + 46
    frame #3: 0x01a198be MicroMessenger`#H??Y??/??)??D ????* + 500514
    frame #4: 0x31fd6e84 Foundation`NSThread__main + 972
    frame #5: 0x39797310 libsystem_c.dylib`_pthread_start + 308
thread #28: tid = 0x3a03, 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24, name = 'JavaScriptCore::BlockFree'
    frame #0: 0x3983e08c libsystem_kernel.dylib`__psynch_cvwait + 24
    frame #1: 0x3978fd2e libsystem_c.dylib`_pthread_cond_wait + 646
    frame #2: 0x3978faa4 libsystem_c.dylib`pthread_cond_timedwait + 44
    frame #3: 0x355b0c74 JavaScriptCore`WTF::ThreadCondition::timedWait(WTF::Mutex&, double) + 108
    frame #4: 0x356c2556 JavaScriptCore` + 82
    frame #5: 0x356d4faa JavaScriptCore`<redacted> + 14
    frame #6: 0x39797310 libsystem_c.dylib`_pthread_start + 308
thread #29: tid = 0x3e1b, 0x3982deb4 libsystem_kernel.dylib`mach_msg_trap + 20
    frame #0: 0x3982deb4 libsystem_kernel.dylib`mach_msg_trap + 20
    frame #1: 0x3982e04c libsystem_kernel.dylib`mach_msg + 40
    frame #2: 0x31695044 CoreFoundation`__CFRunLoopServiceMachPort + 128
    frame #3: 0x31693da2 CoreFoundation`__CFRunLoopRun + 882
    frame #4: 0x31606ebc CoreFoundation`CFRunLoopRunSpecific + 356
    frame #5: 0x316659ba CoreFoundation`CFRunLoopRun + 98
    frame #6: 0x31c81bce CoreMotion`CLMotionCore::runMotionThread(void*) + 954
    frame #7: 0x39797310 libsystem_c.dylib`_pthread_start + 308
thread #30: tid = 0x3f1b, 0x3983ed98 libsystem_kernel.dylib`__workq_kernreturn + 8
    frame #0: 0x3983ed98 libsystem_kernel.dylib`__workq_kernreturn + 8
    frame #1: 0x3978ccfa libsystem_c.dylib`_pthread_workq_return + 18
    frame #2: 0x3978ca16 libsystem_c.dylib`_pthread_wqthread + 366
    frame #3: 0x3978c8a4 libsystem_c.dylib`start_wqthread + 8
thread #31: tid = 0x4003, 0x3983ed98 libsystem_kernel.dylib`__workq_kernreturn + 8
    frame #0: 0x3983ed98 libsystem_kernel.dylib`__workq_kernreturn + 8
    frame #1: 0x3978ccfa libsystem_c.dylib`_pthread_workq_return + 18
    frame #2: 0x3978ca16 libsystem_c.dylib`_pthread_wqthread + 366
thread #32: tid = 0x4103, 0x3983ed98 libsystem_kernel.dylib`__workq_kernreturn + 8
    frame #0: 0x3983ed98 libsystem_kernel.dylib`__workq_kernreturn + 8
    frame #1: 0x3978ccfa libsystem_c.dylib`_pthread_workq_return + 18
    frame #2: 0x3978ca16 libsystem_c.dylib`_pthread_wqthread + 366
IDA has Edit -> Segments -> Rebase program. You don't have to calculate it every time, do you?
What is rebase for? I've never used it...
After you get the ASLR offset, rebase in IDA with that offset value, and the addresses in IDA will then correspond to the addresses in the debugger.
I just tried it. Rebase really is useful, but it seems that after entering it this way:
the whole image is not shifted by 0x36000; instead the original base is replaced with 0x36000. So if you want to rebase, the rebase value should be
image base address + ASLR offset
and not
ASLR offset
i.e. the 0x78000 in
(lldb) image list -o -f
[ 0] 0x00078000 /private/var/db/stash/_.29LMeZ/Applications/Preferences.app/Preferences(0x000000000007c000)
rather than the 0x7c000 in parentheses, right?
Right. I didn't express it well, sorry.
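The arithmetic in the exchange above, as an added example (not the author's code or the tool's): it parses lines in the shape of the `image list -o -f` output quoted above, where with `-o` the first hex column is the ASLR slide and the value in parentheses is the slid load address, and computes the value to enter in IDA's Rebase program dialog, which replaces the image base rather than adding to it. The two sample lines are constructed.

```python
import re

# Constructed sample in the shape of `(lldb) image list -o -f` output: the first hex
# column is the ASLR slide (-o), the value in parentheses is the slid load address.
IMAGE_LIST = """\
[  0] 0x00078000 /private/var/db/stash/_.29LMeZ/Applications/Preferences.app/Preferences(0x000000000007c000)
[  1] 0x2d0c5000 /usr/lib/dyld(0x000000002fec5000)
"""

LINE_RE = re.compile(r"\[\s*\d+\]\s+0x([0-9a-f]+)\s+(\S+?)\(0x([0-9a-f]+)\)", re.I)

def parse_image_list(text):
    """Map image file name -> {slide, load_addr, base} from image list output."""
    images = {}
    for m in LINE_RE.finditer(text):
        slide, path, load_addr = int(m.group(1), 16), m.group(2), int(m.group(3), 16)
        images[path.rsplit("/", 1)[-1]] = {
            "slide": slide,
            "load_addr": load_addr,
            "base": load_addr - slide,  # unslid base: what IDA shows before rebasing
        }
    return images

def ida_rebase_value(image):
    """Rebase program *replaces* the image base, so the value to enter is the unslid
    base plus the slide (i.e. the runtime load address), not the slide alone."""
    return image["base"] + image["slide"]

def ida_to_runtime(ida_addr, image):
    """Address in an un-rebased IDA database -> address in the debugger."""
    return ida_addr + image["slide"]

def runtime_to_ida(runtime_addr, image):
    """Address from lldb (e.g. a pc in bt output) -> address in an un-rebased IDA database."""
    return runtime_addr - image["slide"]

if __name__ == "__main__":
    prefs = parse_image_list(IMAGE_LIST)["Preferences"]
    print("unslid base:", hex(prefs["base"]))            # 0x4000
    print("value for Rebase program:", hex(ida_rebase_value(prefs)))  # 0x7c000
    print("lldb 0x7d2a0 is IDA", hex(runtime_to_ida(0x7d2a0, prefs)))  # 0x52a0
```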
狗神, when I use lldb, image list -o -f only shows the address information of the relevant system libraries. Why is there no address information for other apps? What command should I use to find it?
You attached lldb to one particular process, so naturally you can only see information inside that process, not information from anything outside it.
Oh, I see. Thanks, 狗神. It's working now. Also, when is the second edition coming out? I'm eager to read it.
- Add the task_for_pid entitlement to debugserver
The debugserver in the code here should be a path, not just the name, right?
I tried many times with just the name and it failed every time. After changing it to a path, based on the error message, it worked.
I also got stuck here, and the phone froze completely too.
iPhone:/usr/bin root# debugserver *:1234 -a "SpringBoard"
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-320.2.89
for armv7.
Attaching to process SpringBoard...
Listening to port 1234 for a connection from *...
How do I connect back? Could you write it out concretely with code?