IDA shows the function has turned into constants; how do I fix this?


#1

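While debugging this app with lldb, I found that the program ran into a function. I converted its address to the pre-ASLR address 0x10272aaa0 (this step is fine; I did the conversion with a Python script), but IDA does not recognize it as a function.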

lldb stops here:

Process 5882 resuming
Process 5882 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x00000001027f2aa0 Asdf`isascii + 13308
Asdf`isascii:
->  0x1027f2aa0 <+13308>: stur   x0, [x29, #-0x20]
    0x1027f2aa4 <+13312>: sub    sp, sp, #0x50             ; =0x50
    0x1027f2aa8 <+13316>: stp    x29, x30, [sp, #0x40]
    0x1027f2aac <+13320>: stp    x0, x1, [sp]

To confirm, I printed the bytes of this instruction:

(lldb) script
Python Interactive Interpreter. To exit, type 'quit()', 'exit()' or Ctrl-D.
>>> target = lldb.debugger.GetSelectedTarget()
>>> process = target.GetProcess()
>>> thread = process.GetSelectedThread()
>>> frame = thread.GetFrameAtIndex(0)
>>> insn = target.ReadInstructions(frame.addr, 1)[0]
>>> data = insn.GetData()
>>> u = data._read_all_uint32()
>>> u
[4162716576]

The resulting value, converted to hexadecimal, is 0xF81E03A0, which matches what is in IDA.
Can anyone tell me what causes this, and how do I fix it?
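
The byte check from post #1, taken one step further, as an added example that is not part of the original thread: it decodes the 32-bit word printed by lldb as an AArch64 "load/store register (unscaled immediate)" instruction and shows the little-endian bytes a hex view would list for it. The helper names `le_bytes` and `decode_unscaled` are hypothetical, and only the integer STUR/LDUR forms are handled.

```python
import struct

WORD = 4162716576  # value returned by _read_all_uint32() in the post


def le_bytes(word):
    """Bytes in memory order (AArch64 instruction words are little-endian)."""
    return struct.pack("<I", word)


def decode_unscaled(word):
    """Return assembly text for an integer STUR/LDUR word, or None when the
    word is outside that encoding class or is a form this example skips."""
    # Fixed bits of the class: [29:27]=111, [25:24]=00, [21]=0, [11:10]=00
    if word & 0x3B200C00 != 0x38000000:
        return None
    size = (word >> 30) & 3   # 0=byte, 1=halfword, 2=32-bit, 3=64-bit
    v = (word >> 26) & 1      # 1 = SIMD/FP register variant
    opc = (word >> 22) & 3    # 0=store, 1=load, 2/3=sign-extending or prefetch
    if v or opc > 1:
        return None           # not handled in this example
    imm9 = (word >> 12) & 0x1FF
    if imm9 & 0x100:          # sign-extend the 9-bit offset
        imm9 -= 0x200
    rn = (word >> 5) & 0x1F   # base register (31 means sp)
    rt = word & 0x1F          # transfer register (31 means the zero register)
    mnemonic = ("stur", "ldur")[opc] + ("b", "h", "", "")[size]
    reg = ("x" if size == 3 else "w") + ("zr" if rt == 31 else str(rt))
    base = "sp" if rn == 31 else "x%d" % rn
    imm = "-0x%x" % -imm9 if imm9 < 0 else "0x%x" % imm9
    return "%s %s, [%s, #%s]" % (mnemonic, reg, base, imm)


if __name__ == "__main__":
    print(hex(WORD))                   # the hex value quoted in the post
    print(le_bytes(WORD).hex(" "))     # byte order as stored in the binary
    print(decode_unscaled(WORD))       # compare with the lldb disassembly
```

The decoded text agrees with the `stur x0, [x29, #-0x20]` line in the lldb output above, so the word at that address is a well-formed instruction.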


#2

Press C.
(The text in parentheses is just padding to reach the minimum length.)


#3

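It was identified incorrectly. Right-click and choose undefine, or press U to undefine it; press C to convert the data to code; then, at the function start, press P to define it as a function.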