Goal: at startup the app checks for jailbreak and then jumps to Safari to show a prompt that the device is jailbroken. I have already hooked the openURL function and successfully hit the breakpoint. The lldb debug info is as follows:
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
* frame #0: 0x00000001052ee894 libfootballDylib.dylib`_logos_method$_ungrouped$UIApplication$openURL$options$completionHandler$(self=0x000000010631ea60, _cmd="openURL:options:completionHandler:", arg1="https://c-notification.klabgames.com/?BundleID=com.abiu.dev.football&DateTime=1579161505.277681&Carrier=(null)&Country=(null)&Platform=iPhone7%2C2&Version=12.4.4&Architecture=ARM64&Error=32", arg2=0x0000000280278080, arg3=0x0000000000000000) at footballDylib.xm:54:27
frame #1: 0x0000000102dbbeac captain283`___lldb_unnamed_symbol252863$$captain283 + 1104
frame #2: 0x00000001041fbe00 captain283
frame #3: 0x0000000103a8596c captain283`___lldb_unnamed_symbol302627$$captain283 + 36
frame #4: 0x000000010585f6f4 libdispatch.dylib`_dispatch_call_block_and_release + 24
frame #5: 0x0000000105860c78 libdispatch.dylib`_dispatch_client_callout + 16
frame #6: 0x000000010586e6fc libdispatch.dylib`_dispatch_main_queue_callback_4CF + 1360
frame #7: 0x0000000220f9cb20 CoreFoundation`__CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 12
frame #8: 0x0000000220f97a58 CoreFoundation`__CFRunLoopRun + 1924
frame #9: 0x0000000220f96fb4 CoreFoundation`CFRunLoopRunSpecific + 436
frame #10: 0x000000022319879c GraphicsServices`GSEventRunModal + 104
frame #11: 0x000000024d7f8c38 UIKitCore`UIApplicationMain + 212
frame #12: 0x0000000100c92f6c captain283`___lldb_unnamed_symbol1$$captain283 + 156
frame #13: 0x0000000220a5a8e0 libdyld.dylib`start + 4
I made three attempts, all of which failed:

- frame #1: 0x0000000102dbbeac is indeed the function that performs the jump. In IDA I found this function at address sub_10212FA5C, but it shows no xrefs.
- frame #2: 0x00000001041fbe00: this address jumps to the following…
__objd:000000010356FDFD DCB 1
__objd:000000010356FDFE DCB 0x3F ; ?
__objd:000000010356FDFF DCB 0xD6
__objd:000000010356FE00 DCB 8
- I set a breakpoint at the very end of the frame #1 function and typed ni in lldb, and the program exited.

How do I correctly find the location of the upper-level function call?