第一个上手的项目,如何解析函数的参数?

技能讨论
1

终于几口气把书全部看完了,就像论坛里面另一个伙伴说的,好像拿个App试试手,可是比划了几下,感觉好像还是有力使不上,具体问题如下:

目标App就是某某视频播放器,我想得到某个函数的传入参数
环境是iTouch6,IOS9.0

砸壳过程就不再说了,相对来说比较简单,得到 MGVideo.decrypted文件后迫不急待的class-dump和IDA伺侯了。

然后传统姿势lldb+debugserver搞起:

【debugserver】

debugserver *:1234 -a MGVideo
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-340.3.51.1
for arm64.
Attaching to process MGVideo…
Listening to port 1234 for a connection from *…

【lldb】

(lldb) process connect connect://10.0.0.8:1234
Process 1198 stopped

  • thread #1: tid = 0x10547, 0x000000019a794c30 libsystem_kernel.dylibmach_msg_trap + 8, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP frame #0: 0x000000019a794c30 libsystem_kernel.dylibmach_msg_trap + 8
    libsystem_kernel.dylib`mach_msg_trap:
    → 0x19a794c30 <+8>: ret

libsystem_kernel.dylib`mach_msg_overwrite_trap:
0x19a794c34 <+0>: movn x16, #0x1f
0x19a794c38 <+4>: svc #0x80
0x19a794c3c <+8>: ret
(lldb) image list -o -f
[ 0] 0x0000000000038000 /var/mobile/Containers/Bundle/Application/867391E0-B0AE-49EF-BF7B-7BC8298F81B7/MGVideo.app/MGVideo(0x0000000100038000)
[ 1] 0x0000000101764000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000101764000)
[ 2] 0x00000000037d4000 /Users/xiongzhend/Library/Developer/Xcode/iOS DeviceSupport/9.0 (13A344)/Symbols/usr/lib/libsqlite3.dylib
.
.
.

下断点
(lldb) br s -a ‘0x38000+0x100266CE8’
Breakpoint 1: where = MGVideo`___lldb_unnamed_function12875$$MGVideo, address = 0x000000010029ece8
(lldb) c
Process 1198 resuming
Process 1198 stopped

  • thread #1: tid = 0x10547, 0x000000010029ece8 MGVideo___lldb_unnamed_function12875$$MGVideo, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1 frame #0: 0x000000010029ece8 MGVideo___lldb_unnamed_function12875$$MGVideo
    MGVideo`___lldb_unnamed_function12875$$MGVideo:
    → 0x10029ece8 <+0>: stp x28, x27, [sp, #-96]!
    0x10029ecec <+4>: stp x26, x25, [sp, #16]
    0x10029ecf0 <+8>: stp x24, x23, [sp, #32]
    0x10029ecf4 <+12>: stp x22, x21, [sp, #48]
    成功进入断点,然后看看$x2的值
    (lldb) po $x2
    <URLFetcherRequestItem: 0x1401aafd0>

再然后,我想知道具体这个URLFetcherRequestItem是什么,怎么办?

我查看了URLFetcherRequestItem的头文件,如下:
@interface URLFetcherRequestItem : RequestItem
{
NSString *_metaUrl;R
NSString *_metaContent;
NSString *_webUrl;
NSString *_siteId;
long long _configType;
long long _fetchType;
long long _videoType;
NSString *_videoID;
long long _episode;
NSString *_albumDate;
NSString *_a;
}

  • (void).cxx_destruct;
    @property(copy, nonatomic) NSString *a; // @synthesize a=_a;
    @property(copy, nonatomic) NSString *albumDate; // @synthesize albumDate=_albumDate;
    @property(nonatomic) long long configType; // @synthesize configType=_configType;
    @property(nonatomic) long long episode; // @synthesize episode=_episode;
    @property(nonatomic) long long fetchType; // @synthesize fetchType=_fetchType;
  • (_Bool)isEqualToRequestItem:(id)arg1;
    @property(copy, nonatomic) NSString *metaContent; // @synthesize metaContent=_metaContent;
    @property(copy, nonatomic) NSString *metaUrl; // @synthesize metaUrl=_metaUrl;
  • (id)requestParameters;
    @property(copy, nonatomic) NSString *siteId; // @synthesize siteId=_siteId;
    @property(copy, nonatomic) NSString *videoID; // @synthesize videoID=_videoID;
    @property(nonatomic) long long videoType; // @synthesize videoType=_videoType;
    @property(copy, nonatomic) NSString *webUrl; // @synthesize webUrl=_webUrl;

但是,

我尝试 po [$x2 a]返回nil,并且尝试各个property都基本上是nil,到了这个步骤之后应该怎么办呢?

求大家指教:P

2

你的目的是什么?你先要搞清楚你想做什么,再朝那个方向试探。
可能X2寄存器在这个时候就是一个刚刚初始化的URLFetcherRequestItem对象,里面的各个property在后面才set;至于到底是不是这样,你得继续逆向才知道