lldb prints WeChat function arguments as numbers

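I have just started reverse engineering WeChat's red packets and located the method -[BaseMsgContentViewController touchesBegan_TableView:withEvent:]. I want to inspect this method's arguments. I ran the commands $ register read and $ po $x0 to see what the x0 argument is, but what gets printed is a number. I tried the others and got the same, except that x/s $x2 outputs "touchesBegan_TableView:withEvent:". Can anyone explain what is going on?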

(lldb) register read
General Purpose Registers:
x0 = 0x000000013512c000
x1 = 0x000000010300a848 "touchesBegan_TableView:withEvent:"
x2 = 0x0000000135dcf6c0
x3 = 0x0000000136302c60
x4 = 0x0000000000000001
x5 = 0x0000000000000001
x6 = 0xc000000000000716
x7 = 0x0000000000000cf0
x8 = 0x0000000000000001
x9 = 0x0000000135ec9230
x10 = 0x0000000135253a00
x11 = 0x00000123000001ff
x12 = 0x0000000135253dc0
x13 = 0x000005a135ec9237
x14 = 0xffffffffffffc000
x15 = 0x0000000000003fff
x16 = 0x000000010300a848 "touchesBegan_TableView:withEvent:"
x17 = 0x000000010206c050 WeChat`___lldb_unnamed_symbol122979$$WeChat
x18 = 0x0000000000000000
x19 = 0x0000000135dcf6c0
x20 = 0x0000000136302c60
x21 = 0x000000013512c000
x22 = 0x0000000104aae028 "m_delegate"
x23 = 0x000000010300a848 "touchesBegan_TableView:withEvent:"
x24 = 0x000000013512c000
x25 = 0x000000013512c000
x26 = 0x0000000000000001
x27 = 0x0000000188e2ab8a "_addTouch:forDelayedDelivery:"
x28 = 0x0000000136324e80
fp = 0x000000016fd45050
lr = 0x0000000102a725cc WeChat`___lldb_unnamed_symbol161687$$WeChat + 248
sp = 0x000000016fd45000
pc = 0x000000010206c050 WeChat`___lldb_unnamed_symbol122979$$WeChat
cpsr = 0x60000000

(lldb) po $x0
5185388544

(lldb) x/s $x1
0x10300a848: "touchesBegan_TableView:withEvent:"
(lldb) po $x1
4345342024

Hopper shows -[BaseMsgContentViewController touchesBegan_TableView:withEvent:] as follows:
0000000101fb4050 stp x22, x21, [sp, #-0x30]! ; Objective C Implementation defined at 0x103de1b68 (instance method), DATA XREF=0x103de1b68

Setting the breakpoint and hitting it:
(lldb) breakpoint set -a 0x00000000000b8000+0x0000000101fb4050
Breakpoint 7: where = WeChat`___lldb_unnamed_symbol122979$$WeChat, address = 0x000000010206c050
Process 724 stopped

* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 7.1
    frame #0: 0x000000010206c050 WeChat`___lldb_unnamed_symbol122979$$WeChat
WeChat`___lldb_unnamed_symbol122979$$WeChat:
->  0x10206c050 <+0>: stp x22, x21, [sp, #-0x30]!
    0x10206c054 <+4>: stp x20, x19, [sp, #0x10]
    0x10206c058 <+8>: stp x29, x30, [sp, #0x20]
    0x10206c05c <+12>: add x29, sp, #0x20 ; =0x20
Target 0: (WeChat) stopped.

Could an expert please help me out :pleading_face:

I was also following an online tutorial. In the tutorial, po $x0 directly outputs the first argument, but what I get is a number.

I am now back home from the office, and I tried it on my home computer using the same procedure; there, 'po $x0' prints the object. As follows:

(lldb) image list -o -f | grep WeChat
[ 0] 0x00000000000a4000 /var/mobile/Containers/Bundle/Application/BBD0191B-D2A6-4E8B-A25C-8799A41D1CA6/WeChat.app/WeChat(0x00000001000a4000)
(lldb) breakpoint set -a 0x00000000000a4000+0x0000000101fb4050
Breakpoint 1: where = WeChat`ClearDataItem::compareTime(std::__1::shared_ptr const&, std::__1::shared_ptr const&) + 4276892, address = 0x0000000102058050
Process 1157 stopped

* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x0000000102058050 WeChat`ClearDataItem::compareTime(std::__1::shared_ptr<ClearDataItem> const&, std::__1::shared_ptr<ClearDataItem> const&) + 4276892
WeChat`ClearDataItem::compareTime:
->  0x102058050 <+4276892>: stp x22, x21, [sp, #-0x30]!
    0x102058054 <+4276896>: stp x20, x19, [sp, #0x10]
    0x102058058 <+4276900>: stp x29, x30, [sp, #0x20]
    0x10205805c <+4276904>: add x29, sp, #0x20 ; =0x20
Target 0: (WeChat) stopped.
(lldb) register read
General Purpose Registers:
x0 = 0x00000001580bea00
x1 = 0x0000000102ff6848 "touchesBegan_TableView:withEvent:"
x2 = 0x000000015912ca50
x3 = 0x0000000159105cf0
x4 = 0x0000000000000043
x5 = 0x0000000000000041
x6 = 0x0000000000000000
x7 = 0x0000000000000f80
x8 = 0x0000000102058050 WeChat`ClearDataItem::compareTime(std::__1::shared_ptr<ClearDataItem> const&, std::__1::shared_ptr<ClearDataItem> const&) + 4276892
x9 = 0x0000000000001000
x10 = 0x0000000157be8000
x11 = 0x0000000000000fff
x12 = 0x0000000157be8000
x13 = 0x0000000000003fff
x14 = 0xffffffffffffc000
x15 = 0x0000000000003fff
x16 = 0x0000000198408178 libsystem_malloc.dylib`free
x17 = 0x0000000000000000
x18 = 0x0000000000000000
x19 = 0x000000015912ca50
x20 = 0x0000000159105cf0
x21 = 0x00000001580bea00
x22 = 0x0000000104aa6028 "m_delegate"
x23 = 0x0000000102ff6848 "touchesBegan_TableView:withEvent:"
x24 = 0x00000001580bea00
x25 = 0x00000001580bea00
x26 = 0x0000000000000001
x27 = 0x0000000188e2ab8a "_addTouch:forDelayedDelivery:"
x28 = 0x0000000159376f40
fp = 0x000000016fd59c00
lr = 0x00000001060821b8 LLWXExtension.dylib`_logos_method$_ungrouped$BaseMsgContentViewController$touchesBegan_TableView$withEvent$(BaseMsgContentViewController*, objc_selector*, objc_object*, objc_object*) + 248
sp = 0x000000016fd59b90
pc = 0x0000000102058050 WeChat`ClearDataItem::compareTime(std::__1::shared_ptr const&, std::__1::shared_ptr const&) + 4276892
cpsr = 0x20000000

(lldb) po $x0
<BaseMsgContentViewController: 0x1580bea00>

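The only difference between the office computer and the home computer is the Xcode version: at home it is X10.1, at the office it is X11.2.1. All other software and plugins were installed following the tutorial. Does any expert know what is going on?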

In the two cases, the message reporting that the breakpoint was set successfully is different. At home it is:
(lldb) breakpoint set -a 0x0000000000034000+0x0000000101fb4050
Breakpoint 1: where = WeChat`ClearDataItem::compareTime(std::__1::shared_ptr const&, std::__1::shared_ptr const&) + 4276892, address = 0x0000000101fe8050

At the office it is:
(lldb) breakpoint set -a 0x00000000000b8000+0x0000000101fb4068
Breakpoint 8: where = WeChat`___lldb_unnamed_symbol122979$$WeChat + 24, address = 0x000000010206c068

'___lldb_unnamed_symbol122979': I had already suspected this. After the breakpoint is hit, it says unnamed symbol :pensive:. What is going on? A newbie asking for help.

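Please re-edit your post using markdown syntax. Right now it looks too messy, and the people who would be willing to answer you are being scared away.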

OK, thanks :grinning::grinning::grinning:

I have opened a new thread. Could an expert take a look at it for me? :rofl::rofl::rofl: