我的debug速查表(入门级)My debug cheatsheet

命令太多记不住,就整理了这个速查表,分享给大家。我只是看完了小黄书,这几个月没有再深入研究逆向。最近又想逆向几个app学习下怎么实现,发现很多命令都忘记了。于是整理了这个表。copy and paste就可以愉快的学习其他app的实现了。

命令都很基础、简单、常用,主要是我也只学了这么多哈。

先发在iosre.com上啦。等再整理下也发到我的博客上。顺便对刚写的一个开源的App做个广告。


debug cheetsheet

common

查找进程:

ps aux | grep /App
ps -e | grep /Applications

查找文件:

grep -r ToBeFind /System/Library/

分离fat binary

lipo -thin armv7 WeChat.decrypted -output WeChat_armv7.decrypted
lipo -thin armv64 xxx.decrypted -output xxx_arm64.decrypted

class dump

class-dump --list-arches AlipayWallet.decrypted

class-dump -S -s -H WeChat_armv7.decrypted -o dumparmv7
class-dump -s -S -H --arch armv7 AlipayWallet.decrypted -o dumpAlipay

lldb

参考

帮助

help frame

打印UI结构

po [[[UIWindow keyWindow] rootViewController] _printHierarchy]    (iOS 8)
po [[UIWindow keyWindow] recursiveDescription]

栈信息

bt (backtrace)
bt all (all threads)

objc_msgSend 参数打印

po $r0
p (char*)$r1
p (SEL)$r1

返回地址

p/x $lr

断点

br s -a 0x0023234f 
breakpoint set -F "-[NSArray objectAtIndex:]"

br s -a 0x02107730+0x000ab000 -c '(BOOL)[(NSString *)$r2 isEqualToString:@"snakeninny"]'

b ptrace

列举模块

image -o -f

lldb基础命令

c
n
s
frame info
expr

thread return
breakpoint command add 1

远程调试

debugserver *:1234 -a AlipayWallet
debugserver -x backboard *:1234 /var/mobile/Containers/Bundle/Application/9DB7CE45-3B4C-42A3-9D4D-49A3A5122903/AlipayWallet.app/AlipayWallet

lldb连接远程调试

(lldb) process connect connect://192.168.199.164:1234

lldb expr例子

(lldb) expr char *$str = (char *)malloc(8)
(lldb) expr (void)strcpy($str, "munkeys")
(lldb) expr $str[1] = 'o'
(char) $0 = 'o'
(lldb) p $str
(char *) $str = 0x00007fd04a900040 "monkeys"

(lldb) x/4c $str
(lldb) x/1w `$str + 3`
(lldb) expr (void)free($str)

(lldb) expr id $myView = (id)0x7f82b1d01fd0
(lldb) expr (void)[$myView setBackgroundColor:[UIColor blueColor]]
(lldb) expr (void)[CATransaction flush]

(lldb) po [$myButton allTargets]

(lldb) p (ptrdiff_t)ivar_getOffset((struct Ivar *)class_getInstanceVariable([MyView class], "_layer"))

观察点

(lldb) watchpoint set expression -- (int *)$myView + 8

arm64

param1 $x0
param2 $x1

po $x0
p (char*)$x1

cycript

参考: Cycript

开始

cycript -p BinaryName

打印UI结构

[[UIWindow keyWindow] recursiveDescription].toString()
[[[UIWindow keyWindow] rootViewController] _printHierarchy].toString()

打印沙盒Documents路径

[[NSFileManager defaultManager] URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask]

基本使用

cy# [#0xb226710 url]
@"ww4fd1rfRDShBo_4K6rqfwAAACMAAQED"

cy# c = #0x1752d8c0
cy#"<FavAudioPlayerController: 0x1752d8c0; frame = (0 0; 290 60); autoresize = W; layer = <CALayer: 0x172dc2b0>>"
cy# c->m_audioInfo
cy#"<FavAudioInfo: 0x172b2a30>"
cy# c->m_audioInfo.m_nsAudioPath

linker

-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null
into Other link flag

Anti

iHex replace RESTRICT , restrict
ldid -S AppName
AppSync

Info.plist

输出bundle id

/var/mobile/Containers/Bundle/Application/9DB7CE45-3B4C-42A3-9D4D-49A3A5122903/AlipayWallet.app root# cat Info.plist | grep com.
    <string>com.alipay.iphoneclient</string>

dumpdecrypted

例子

scp -P 2222 Security/dumpdecrypted-master/dumpdecrypted.dylib root@localhost:/var/mobile/Containers/Data/Application/BA2644DB-450F-4DB0-A71F-A38F65488A48/Documents/

scp ~/sec/dumpdecrypted-master/dumpdecrypted.dylib root@192.168.199.164:/var/mobile/Containers/Data/Application/72AB36DD-2E9B-47C0-9695-099235E40C3C/Documents/
dumpdecrypted.dylib

everettjfs-iPhone:/var/mobile/Containers/Data/Application/72AB36DD-2E9B-47C0-9695-099235E40C3C/Documents root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/2DAD493D-6275-4CED-8242-BDEF27F36740/AlipayWallet.app/AlipayWallet

theos

开始

everettjf@e WeChatVoiceSaver (master)]$ ~/sec/theos/bin/nic.pl

chisel

参考:GitHub - facebook/chisel: Chisel is a collection of LLDB commands to assist debugging iOS apps.

usbmuxd

First:

cd python-client 
python tcprelay.py -t 22:2222

Then:

ssh root@localhost -p 2222
11 个赞

已存,感谢分享

记录下,这个确实需要记录下,很多东西如果不是经常实用就会忘记

楼主你好,如果用lldb 命令给手机上的 App 添加 symbolic 断点 并添加断点行为 该怎么样写呢,不胜感激

1 个赞
(lldb) br command add 1
Enter your debugger command(s).  Type 'DONE' to end.
> register read $rdi 
> c 
> DONE
(lldb) 

就是 ZZZLA 的方法。

先加 断点,再加 command。
看看这个文章 http://objccn.io/issue-19-2/

多谢,哥们济南的啊?多交流哈

是滴。多交流

为什么我进入调试别人程序,进入某个函数时,frame variable无法打印这个函数里面的变量呢。但是我自己写的可以可以打印出方法里面的变量
。我用的是lldb调试

let str = "感谢分享"
print(str)

用 iTerm2 里面设置一下快捷键,可以很大地提高效率,连复制粘贴都不用了。

2 个赞

这方法不错

settings set target.x86-disassembly-flavor intel
settings set target.max-memory-read-size 0x1000

command alias bp breakpoint set -a %1
command alias bl breakpoint list
command alias rtc breakpoint set -o -a %1
command alias pof expression -OAv -- %1
command alias conn process connect --plugin gdb-remote connect://127.0.0.1:4321
command alias fo target modules lookup -a %1
1 个赞

膜膜膜

膜膜膜
iHex 是什么工具?github和homebrew上都没找到。。

德国人写的文本编辑器。你需要Google

只需要Mac App Store搜索