Where to locate the binaries we're remote debugging

Hi all,
When remote debugging on iOS, you may be confused when you can't locate the library binaries of the debugged process on the device. For example, when I'm debugging SpringBoard on iOS 6.1.3 on an iPhone 4s:

(lldb) im li -o -f
[  0] 0x00027000 /System/Library/CoreServices/SpringBoard.app/SpringBoard(0x0000000000028000)
[  1] 0x002cf000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x00000000002cf000)
[  2] 0x00279000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/6.1.3 (10B329)/Symbols/System/Library/PrivateFrameworks/StoreServices.framework/StoreServices

SpringBoard imports StoreServices.framework, but there is no /System/Library/PrivateFrameworks/StoreServices.framework/StoreServices on the device, as shown below:

FunMaker-4s:~ root# ls /System/Library/PrivateFrameworks/StoreServices.framework/StoreServices
ls: cannot access /System/Library/PrivateFrameworks/StoreServices.framework/StoreServices: No such file or directory

So in this situation, how can we locate the target binary? It's quite obvious: the LLDB output above has already printed the full path of the binary, i.e. /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/6.1.3 (10B329)/Symbols/System/Library/PrivateFrameworks/StoreServices.framework/StoreServices, which is on OSX:

snakeninnys-iMac:~ snakeninny$ ls "/Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/6.1.3 (10B329)/Symbols/System/Library/PrivateFrameworks/StoreServices.framework/StoreServices"
/Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/6.1.3 (10B329)/Symbols/System/Library/PrivateFrameworks/StoreServices.framework/StoreServices

Head to that path and you can see the binary.
P.S. If the binary is fat, remember to choose the right slice in your favorite disassembler according to this image:

And the latest devices are all shipped with arm64 processors.
The same rules apply to libraries on iOS, too.
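As an added example (not from the original post), the slice choice can be checked without a disassembler by reading the fat header directly, the same information `lipo -info` prints; the sample bytes below are constructed, not a real iOS binary:

```python
import struct

FAT_MAGIC = 0xCAFEBABE              # big-endian magic at offset 0 of a fat Mach-O
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
# cpusubtype values of the 32-bit ARM slices found in iOS binaries
ARM_SUBTYPES = {6: "armv6", 9: "armv7", 11: "armv7s", 12: "armv7k"}

def arch_name(cputype, cpusubtype):
    """Map a fat_arch (cputype, cpusubtype) pair to the name lipo/otool print."""
    subtype = cpusubtype & 0x00FFFFFF       # drop the capability bits in the top byte
    if cputype == CPU_TYPE_ARM64:
        return "arm64"
    if cputype == CPU_TYPE_ARM:
        return ARM_SUBTYPES.get(subtype, "arm(subtype=%d)" % subtype)
    return "cputype=0x%x" % cputype

def fat_slices(data):
    """Return [(arch, offset, size), ...] for a fat Mach-O; [] for a thin file."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return []                           # thin binary: there is only one slice
    nfat_arch = struct.unpack(">I", data[4:8])[0]
    slices = []
    for i in range(nfat_arch):              # fat_arch entries are 20 bytes, big-endian
        cputype, cpusubtype, offset, size, _ = struct.unpack(">iiIII", data[8 + 20 * i:28 + 20 * i])
        slices.append((arch_name(cputype, cpusubtype), offset, size))
    return slices

def extract_slice(data, wanted):
    """Return the raw bytes of the slice named `wanted` (like `lipo -thin`), or None."""
    for arch, offset, size in fat_slices(data):
        if arch == wanted:
            return data[offset:offset + size]
    return None

# Constructed sample: a fat header with an armv7 slice and an arm64 slice, each
# slice starting with the matching thin Mach-O magic (little-endian on disk).
_buf = bytearray(0xA000)
_buf[0:8] = struct.pack(">II", FAT_MAGIC, 2)
_buf[8:28] = struct.pack(">iiIII", CPU_TYPE_ARM, 9, 0x4000, 0x1000, 14)     # armv7
_buf[28:48] = struct.pack(">iiIII", CPU_TYPE_ARM64, 0, 0x8000, 0x2000, 14)  # arm64
_buf[0x4000:0x4004] = struct.pack("<I", 0xFEEDFACE)   # MH_MAGIC
_buf[0x8000:0x8004] = struct.pack("<I", 0xFEEDFACF)   # MH_MAGIC_64
SAMPLE_FAT = bytes(_buf)

if __name__ == "__main__":
    for arch, offset, size in fat_slices(SAMPLE_FAT):
        print("%-7s offset=0x%x size=0x%x" % (arch, offset, size))
```

Run it against the binary found under the DeviceSupport Symbols path to see which slices it carries; the slice whose name matches the device's CPU is the one to load.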


Special note:

In earlier days, all libraries could be found on iOS rather than OSX: they were either located at their own paths like /System/Library/PrivateFrameworks/StoreServices.framework/StoreServices or inside a big cache at /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armXXX. If a library is in the cache, you have to decache it, i.e. extract the separate binaries from the cache, for analysis.
Nowadays the situation has changed: some of the binaries are found locally on OSX, and my guess is that the binaries on OSX contain debug symbols that debuggers need. Keep this in mind and everything should work as expected :smile:
Thanks,
snakeninny

10 likes