Question about a reverse-engineering approach

I'm currently analyzing a field, and I've found the trigger point for the field's ■■:
v16 = unk_100D0BB00;
v17 = unk_100D0BB08;
v18 = qword_100D0BB10;
swift_unknownRetain(qword_100D0BB10);
v19 = _T0SS10FoundationE19_bridgeToObjectiveCSo8NSStringCyF(v16, v17, v18);
swift_unknownRelease(v18);
Right when swift_unknownRelease(v18); finishes executing, I detect a ■■ operation involving the keyword.
But I've searched for ages and can't find anything like a network-transfer or field-assignment method.

I've considered both multithreading and callbacks and found nothing relevant. swift_unknownRelease(v18); is obviously just a memory-release operation, so why would data get sent at this line?

If v18 is an object, why would releasing it send network data??
The funniest part is that v18 shows nil.

Hoping some expert can give me a few pointers.

Are you sure the ■■ code is on the same thread?

Whether it's on the same thread isn't the key point; as long as the ■■ operation can be paused by this thread, it means a related object must have been started. Doesn't it?

How do you know the ■■ operation was paused by this thread? And since there is ■■ behavior, shouldn't you set a breakpoint on the lowest-level ■■ API to confirm it?

If the packet is sent by a web page, i.e. by WebKit, it isn't even sent from this process.

Fair enough, but I'd still like to know: I'm sure I've already reached the innermost wrapper in the user code, so in theory the packet that appears after I single-step should be related to starting a thread, or to sending data.

What's a convenient way to find the addresses of system APIs? I'm not very good with lldb. Surely I don't have to decompile the library? Or do I look in the user code's import table?

(lldb) help breakpoint set
     Sets a breakpoint or set of breakpoints in the executable.

Syntax: breakpoint set <cmd-options>

Command Options Usage:
  breakpoint set [-DHo] -l <linenum> [-s <shlib-name>] [-i <count>] [-c <expr>] [-x <thread-index>] [-t <thread-id>] [-T <thread-name>] [-q <queue-name>] [-f <filename>] [-K <boolean>] [-N <breakpoint-name>] [-R <address>] [-m <boolean>]
  breakpoint set [-DHo] -a <address-expression> [-s <shlib-name>] [-i <count>] [-c <expr>] [-x <thread-index>] [-t <thread-id>] [-T <thread-name>] [-q <queue-name>] [-N <breakpoint-name>]
  breakpoint set [-DHo] -n <function-name> [-s <shlib-name>] [-i <count>] [-c <expr>] [-x <thread-index>] [-t <thread-id>] [-T <thread-name>] [-q <queue-name>] [-f <filename>] [-L <source-language>] [-K <boolean>] [-N <breakpoint-name>] [-R <address>]
  breakpoint set [-DHo] -F <fullname> [-s <shlib-name>] [-i <count>] [-c <expr>] [-x <thread-index>] [-t <thread-id>] [-T <thread-name>] [-q <queue-name>] [-f <filename>] [-L <source-language>] [-K <boolean>] [-N <breakpoint-name>] [-R <address>]
  breakpoint set [-DHo] -S <selector> [-s <shlib-name>] [-i <count>] [-c <expr>] [-x <thread-index>] [-t <thread-id>] [-T <thread-name>] [-q <queue-name>] [-f <filename>] [-L <source-language>] [-K <boolean>] [-N <breakpoint-name>] [-R <address>]
  breakpoint set [-DHo] -M <method> [-s <shlib-name>] [-i <count>] [-c <expr>] [-x <thread-index>] [-t <thread-id>] [-T <thread-name>] [-q <queue-name>] [-f <filename>] [-L <source-language>] [-K <boolean>] [-N <breakpoint-name>] [-R <address>]
  breakpoint set [-DHo] -r <regular-expression> [-s <shlib-name>] [-i <count>] [-c <expr>] [-x <thread-index>] [-t <thread-id>] [-T <thread-name>] [-q <queue-name>] [-f <filename>] [-L <source-language>] [-K <boolean>] [-N <breakpoint-name>] [-R <address>]
  breakpoint set [-DHo] -b <function-name> [-s <shlib-name>] [-i <count>] [-c <expr>] [-x <thread-index>] [-t <thread-id>] [-T <thread-name>] [-q <queue-name>] [-f <filename>] [-L <source-language>] [-K <boolean>] [-N <breakpoint-name>] [-R <address>]
  breakpoint set [-ADHo] -p <regular-expression> [-s <shlib-name>] [-i <count>] [-c <expr>] [-x <thread-index>] [-t <thread-id>] [-T <thread-name>] [-q <queue-name>] [-f <filename>] [-X <function-name>] [-N <breakpoint-name>] [-m <boolean>]
  breakpoint set [-DHo] -E <source-language> [-i <count>] [-c <expr>] [-x <thread-index>] [-t <thread-id>] [-T <thread-name>] [-q <queue-name>] [-w <boolean>] [-h <boolean>] [-N <breakpoint-name>]

       -A ( --all-files )
            All files are searched for source pattern matches.

       -D ( --dummy-breakpoints )
            Sets Dummy breakpoints - i.e. breakpoints set before a file is provided, which prime new targets.

       -E <source-language> ( --language-exception <source-language> )
            Set the breakpoint on exceptions thrown by the specified language (without options, on throw but not
            catch.)

       -F <fullname> ( --fullname <fullname> )
            Set the breakpoint by fully qualified function names. For C++ this means namespaces and all arguments,
            and for Objective C this means a full function prototype with class and selector.  Can be repeated
            multiple times to make one breakpoint for multiple names.

       -H ( --hardware )
            Require the breakpoint to use hardware breakpoints.

       -K <boolean> ( --skip-prologue <boolean> )
            sKip the prologue if the breakpoint is at the beginning of a function.  If not set the
            target.skip-prologue setting is used.

       -L <source-language> ( --language <source-language> )
            Specifies the Language to use when interpreting the breakpoint's expression (note: currently only
            implemented for setting breakpoints on identifiers).  If not set the target.language setting is used.

       -M <method> ( --method <method> )
            Set the breakpoint by C++ method names.  Can be repeated multiple times to make one breakpoint for
            multiple methods.

       -N <breakpoint-name> ( --breakpoint-name <breakpoint-name> )
            Adds this to the list of names for this breakpoint.

       -R <address> ( --address-slide <address> )
            Add the specified offset to whatever address(es) the breakpoint resolves to.  At present this applies
            the offset directly as given, and doesn't try to align it to instruction boundaries.

       -S <selector> ( --selector <selector> )
            Set the breakpoint by ObjC selector name. Can be repeated multiple times to make one breakpoint for
            multiple Selectors.

       -T <thread-name> ( --thread-name <thread-name> )
            The breakpoint stops only for the thread whose thread name matches this argument.

       -X <function-name> ( --source-regexp-function <function-name> )
            When used with '-p' limits the source regex to source contained in the named functions.  Can be
            repeated multiple times.

       -a <address-expression> ( --address <address-expression> )
            Set the breakpoint at the specified address.  If the address maps uniquely to a particular binary,
            then the address will be converted to a "file" address, so that the breakpoint will track that
            binary+offset no matter where the binary eventually loads.  Alternately, if you also specify the
            module - with the -s option - then the address will be treated as a file address in that module, and
            resolved accordingly.  Again, this will allow lldb to track that offset on subsequent reloads.  The
            module need not have been loaded at the time you specify this breakpoint, and will get resolved when
            the module is loaded.

       -b <function-name> ( --basename <function-name> )
            Set the breakpoint by function basename (C++ namespaces and arguments will be ignored).  Can be
            repeated multiple times to make one breakpoint for multiple symbols.

       -c <expr> ( --condition <expr> )
            The breakpoint stops only if this condition expression evaluates to true.

       -f <filename> ( --file <filename> )
            Specifies the source file in which to set this breakpoint.  Note, by default lldb only looks for files
            that are #included if they use the standard include file extensions.  To set breakpoints on
            .c/.cpp/.m/.mm files that are #included, set target.inline-breakpoint-strategy to "always".

       -h <boolean> ( --on-catch <boolean> )
            Set the breakpoint on exception catcH.

       -i <count> ( --ignore-count <count> )
            Set the number of times this breakpoint is skipped before stopping.

       -l <linenum> ( --line <linenum> )
            Specifies the line number on which to set this breakpoint.

       -m <boolean> ( --move-to-nearest-code <boolean> )
            Move breakpoints to nearest code. If not set the target.move-to-nearest-code setting is used.

       -n <function-name> ( --name <function-name> )
            Set the breakpoint by function name.  Can be repeated multiple times to make one breakpoint for
            multiple names

       -o ( --one-shot )
            The breakpoint is deleted the first time it causes a stop.

       -p <regular-expression> ( --source-pattern-regexp <regular-expression> )
            Set the breakpoint by specifying a regular expression which is matched against the source text in a
            source file or files specified with the -f option.  The -f option can be specified more than once.  If
            no source files are specified, uses the current "default source file".  If you want to match against
            all source files, pass the "--all-files" option.

       -q <queue-name> ( --queue-name <queue-name> )
            The breakpoint stops only for threads in the queue whose name is given by this argument.

       -r <regular-expression> ( --func-regex <regular-expression> )
            Set the breakpoint by function name, evaluating a regular-expression to find the function name(s).

       -s <shlib-name> ( --shlib <shlib-name> )
            Set the breakpoint only in this shared library.  Can repeat this option multiple times to specify
            multiple shared libraries.

       -t <thread-id> ( --thread-id <thread-id> )
            The breakpoint stops only for the thread whose TID matches this argument.

       -w <boolean> ( --on-throw <boolean> )
            Set the breakpoint on exception throW.

       -x <thread-index> ( --thread-index <thread-index> )
            The breakpoint stops only for the thread whose indeX matches this argument.

Set breakpoints by name:

b send
b recv

Got it, thanks a lot.

(lldb) bt

  * thread #20, queue = 'com.apple.networking.connection.0x1466d6940', stop reason = breakpoint 4.7
    * frame #0: 0x0000000183038208 libsystem_c.dylib`send
      frame #1: 0x0000000183167260 libsystem_network.dylib`get_host_counts + 244
      frame #2: 0x000000018319997c libsystem_network.dylib`tcp_connection_destination_create + 268
      frame #3: 0x0000000183194118 libsystem_network.dylib`network_proxy_start + 268
      frame #4: 0x00000001831772e0 libsystem_network.dylib`tcp_connection_handle_path_changed + 2228
      frame #5: 0x000000018317ef64 libsystem_network.dylib`__net_helper_endpoint_deliver_block_invoke_2 + 44
      frame #6: 0x0000000182fd14bc libdispatch.dylib`_dispatch_call_block_and_release + 24
      frame #7: 0x0000000182fd147c libdispatch.dylib`_dispatch_client_callout + 16
      frame #8: 0x0000000182fdd4c0 libdispatch.dylib`_dispatch_queue_drain + 864
      frame #9: 0x0000000182fd4f80 libdispatch.dylib`_dispatch_queue_invoke + 464
      frame #10: 0x0000000182fdf390 libdispatch.dylib`_dispatch_root_queue_drain + 728
      frame #11: 0x0000000182fdf0b0 libdispatch.dylib`_dispatch_worker_thread3 + 112
      frame #12: 0x00000001831e9470 libsystem_pthread.dylib`_pthread_wqthread + 1092
      frame #13: 0x00000001831e9020 libsystem_pthread.dylib`start_wqthread + 4

Another question: the breakpoint hit, but I can't find the user-code location in the stack trace, and there's no other information. What should I do?

Found it with bt all. @Ouroboros
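As an added example (not code from anyone in this thread): a small Python script that parses saved "bt all" output and reports, per thread, the first frame that is outside the system libraries, which is where the app's own code sits when a send/recv breakpoint fires on a libdispatch worker thread. The system-module prefix list, the sample thread #1 and the module name MyApp are assumptions.

```python
import re

# Constructed sample of `bt all` output (not from the original thread): thread #20 mirrors
# the page's all-system backtrace, thread #1 adds frames in a hypothetical "MyApp" module.
SAMPLE_BT_ALL = """\
* thread #20, queue = 'com.apple.networking.connection.0x1466d6940', stop reason = breakpoint 4.7
  * frame #0: 0x0000000183038208 libsystem_c.dylib`send
    frame #1: 0x0000000183167260 libsystem_network.dylib`get_host_counts + 244
    frame #2: 0x000000018319997c libsystem_network.dylib`tcp_connection_destination_create + 268
    frame #3: 0x0000000182fd14bc libdispatch.dylib`_dispatch_call_block_and_release + 24
  thread #1, queue = 'com.apple.main-thread'
    frame #0: 0x0000000183038208 libsystem_c.dylib`send
    frame #1: 0x0000000100012345 MyApp`$s5MyApp9UploaderC4sendyyF + 88
    frame #2: 0x00000001000198ab MyApp`$s5MyApp14ViewControllerC11viewDidLoadyyF + 120
"""

# Module-name prefixes treated as system code; extend for your target (assumption).
SYSTEM_MODULE_PREFIXES = ("libsystem_", "libdispatch", "libobjc", "libswift",
                          "CoreFoundation", "Foundation", "CFNetwork", "UIKit")

THREAD_RE = re.compile(r"^\s*\*?\s*thread #(\d+)(?:,\s*queue = '([^']*)')?")
# lldb frame line: "frame #N: 0xADDR module`symbol [+ offset]"
FRAME_RE = re.compile(r"^\s*\*?\s*frame #(\d+):\s*(0x[0-9a-fA-F]+)\s+([^`\s]+)`(.+?)"
                      r"(?:\s*\+\s*(\d+))?\s*$")

def parse_bt_all(text):
    """Return {thread_index: {"queue": name or None, "frames": [frame dicts]}}."""
    threads, current = {}, None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = int(m.group(1))
            threads[current] = {"queue": m.group(2), "frames": []}
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            threads[current]["frames"].append({
                "index": int(m.group(1)), "pc": int(m.group(2), 16),
                "module": m.group(3), "symbol": m.group(4),
                "offset": int(m.group(5) or 0)})
    return threads

def first_user_frame(frames):
    """First frame whose module is not a known system library, else None."""
    return next((f for f in frames if not f["module"].startswith(SYSTEM_MODULE_PREFIXES)), None)

def find_user_code(text):
    """Map each thread index to its first user-code frame (None if every frame is system code)."""
    return {idx: first_user_frame(t["frames"]) for idx, t in parse_bt_all(text).items()}
```

Save the debugger output with "bt all" (or "thread backtrace all") in lldb, then feed the text to find_user_code; a thread that maps to None, like thread #20 here, is a pure system worker and the app frame must be looked for on another thread.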

Honestly, help isn't very useful at all; a lot of it is hard to understand. A direct example would be better.

Besides help, there's only the source code; there are too few examples online.