被检测调试，如何反查到相关代码

需求: 重签名某APP，启动的时候自动崩溃，问如何才能正常启动

使用越狱机重签名的时候会crash，在非越狱机上重签名启动不会crash。
已经尝试在IDA全局检索是否越狱的关键字如：Jailbroken、Jail、Cydia、libsystem_kernel、MobileSubstrate等无果

**日志:
新人无法帖图0.0,勉强看报错和堆栈吧

    libsystem_kernel.dylib`__pthread_kill:
    0x18a47100c <+0>:  mov    x16, #0x148
    0x18a471010 <+4>:  svc    #0x80
->  0x18a471014 <+8>:  b.lo   0x18a47102c               ; <+32>
    0x18a471018 <+12>: stp    x29, x30, [sp, #-0x10]!
    0x18a47101c <+16>: mov    x29, sp
    0x18a471020 <+20>: bl     0x18a45486c               ; cerror_nocancel
    0x18a471024 <+24>: mov    sp, x29
    0x18a471028 <+28>: ldp    x29, x30, [sp], #0x10
    0x18a47102c <+32>: ret    

***** Terminating app due to uncaught exception 'NSRangeException', reason: '*** -[__NSArrayM objectAtIndex:]: index 0 beyond bounds for empty array'**

***** First throw call stack:**

**(0x18b476fe0 0x189ed8538 0x18b355200 0x10010c2d0 0x100415a0c 0x1004120d8 0x1915c0838 0x1915c05a8 0x19166009c 0x19165f870 0x19165f424 0x19165f388 0x1915a5cc0 0x18e796274 0x18e78ade8 0x18e78aca8 0x18e70634c 0x18e72d3ac 0x18e72de78 0x18b4249a8 0x18b422630 0x18b352dc4 0x191612fc8 0x19160dc9c 0x100268678 0x18a36159c)**

**libc++abi.dylib: terminating with uncaught exception of type NSException**

 (lldb) sbt
frame #0 : 0x18a471014 libsystem_kernel.dylib`__pthread_kill + 8
frame #1 : 0x18a53b264 libsystem_pthread.dylib`pthread_kill + 112
frame #2 : 0x18a3e59c4 libsystem_c.dylib`abort + 140
frame #3 : 0x189eb11b0 libc++abi.dylib`__cxa_bad_cast 
frame #4 : 0x189ecac04 libc++abi.dylib`default_unexpected_handler() 
frame #5 : 0x189ed8820 libobjc.A.dylib`_objc_terminate() + 124
frame #6 : 0x189ec75d4 libc++abi.dylib`std::__terminate(void (*)()) + 16
frame #7 : 0x189ec71a8 libc++abi.dylib`__cxa_rethrow + 144
frame #8 : 0x189ed86f8 libobjc.A.dylib`objc_exception_rethrow + 44
frame #9 : 0x18b352e10 CoreFoundation`CFRunLoopRunSpecific + 532
frame #10: 0x191612fc8 UIKit`-[UIApplication _run] + 652
frame #11: 0x19160dc9c UIKit`UIApplicationMain + 208
frame #12: 0x100268678 xxxx `___lldb_unnamed_symbol610$$xxxx ... unresolved womp womp + 88
frame #13: 0x18a36159c libdyld.dylib`start + 4

**代码: 目前没有任何代码

** 环境: Monkey 系统10.3.3 设备iPhone6

报价：500

大佬别这样，萌新饭都要吃不起了，给个思路呗

***** Terminating app due to uncaught exception ‘NSRangeException’, reason: ‘*** -[__NSArrayM objectAtIndex:]: index 0 beyond bounds for empty array’**

数组访问越界，具体原因不知道

看得出来是数组越界，肯定是检测到了我在调试他，然后故意写了个越界，问题是怎么找到在哪检测到了我

lldb挂起来，挂了就bt。就能找到了

(lldb) bt
* thread #1, queue = ‘com.apple.main-thread’, stop reason = signal SIGABRT
* frame #0: 0x000000018a471014 libsystem_kernel.dylib__pthread_kill + 8 frame #1: 0x000000018a53b264 libsystem_pthread.dylibpthread_kill + 112
frame #2: 0x000000018a3e59c4 libsystem_c.dylibabort + 140 frame #3: 0x0000000189eb11b0 libc++abi.dylibabort_message + 132
frame #4: 0x0000000189ecac04 libc++abi.dylibdefault_terminate_handler() + 304 frame #5: 0x0000000189ed8820 libobjc.A.dylib_objc_terminate() + 124
frame #6: 0x0000000189ec75d4 libc++abi.dylibstd::__terminate(void (*)()) + 16 frame #7: 0x0000000189ec71a8 libc++abi.dylib__cxa_rethrow + 144
frame #8: 0x0000000189ed86f8 libobjc.A.dylibobjc_exception_rethrow + 44 frame #9: 0x000000018b352e10 CoreFoundationCFRunLoopRunSpecific + 532
frame #10: 0x0000000191612fc8 UIKit-[UIApplication _run] + 652 frame #11: 0x000000019160dc9c UIKitUIApplicationMain + 208
frame #12: 0x0000000100268678 xxxx ___lldb_unnamed_symbol610$$xxxx + 88 frame #13: 0x000000018a36159c libdyld.dylibstart + 4

堆栈长这样，好像是被处理过了

你去看崩溃日志

frame #12: 0x100268678 xxxx `___lldb_unnamed_symbol610$$xxxx … unresolved womp womp + 88
这不是有吗

这个没有符号，不知道是哪个方法啊

。。。。。把ida里基地址，改成崩溃日志里的基地址，0x100268678 看下那个函数

ida 改一次基地址需要太久了
我重现这个crash 拿到ASLR：0x0000000000038000
frame #12: 0x10027c678 xxxx `___lldb_unnamed_symbol610$$xxxx … unresolved womp womp + 88

所以我拿到最后的地址为0x10027c678-0x0000000000038000 = 0x0000000100244678

我在ida中找到0x0000000100244678

发现是这样的，什么信息也没有。。。

__text:0000000100244620 ; =============== S U B R O U T I N E =======================================
__text:0000000100244620
__text:0000000100244620 ; Attributes: bp-based frame
__text:0000000100244620
__text:0000000100244620                 EXPORT start
__text:0000000100244620 start
__text:0000000100244620
__text:0000000100244620 var_20          = -0x20
__text:0000000100244620 var_10          = -0x10
__text:0000000100244620 var_s0          =  0
__text:0000000100244620
__text:0000000100244620                 STP             X22, X21, [SP,#-0x10+var_20]!
__text:0000000100244624                 STP             X20, X19, [SP,#0x20+var_10]
__text:0000000100244628                 STP             X29, X30, [SP,#0x20+var_s0]
__text:000000010024462C                 ADD             X29, SP, #0x20
__text:0000000100244630                 MOV             X19, X1
__text:0000000100244634                 MOV             X20, X0
__text:0000000100244638                 BL              _objc_autoreleasePoolPush
__text:000000010024463C                 MOV             X21, X0
__text:0000000100244640                 ADRP            X8, #classRef_AppDelegate@PAGE
__text:0000000100244644                 LDR             X0, [X8,#classRef_AppDelegate@PAGEOFF] ; void *
__text:0000000100244648                 ADRP            X8, #selRef_class@PAGE
__text:000000010024464C                 LDR             X1, [X8,#selRef_class@PAGEOFF] ; char *
__text:0000000100244650                 BL              _objc_msgSend
__text:0000000100244654                 BL              _NSStringFromClass
__text:0000000100244658                 MOV             X29, X29
__text:000000010024465C                 BL              _objc_retainAutoreleasedReturnValue
__text:0000000100244660                 MOV             X22, X0
__text:0000000100244664                 MOV             X0, X20
__text:0000000100244668                 MOV             X1, X19
__text:000000010024466C                 MOV             X2, #0
__text:0000000100244670                 MOV             X3, X22
__text:0000000100244674                 BL              _UIApplicationMain
__text:0000000100244678                 MOV             X19, X0
__text:000000010024467C                 MOV             X0, X22
__text:0000000100244680                 BL              _objc_release
__text:0000000100244684                 MOV             X0, X21
__text:0000000100244688                 BL              _objc_autoreleasePoolPop
__text:000000010024468C                 MOV             X0, X19
__text:0000000100244690                 LDP             X29, X30, [SP,#0x20+var_s0]
__text:0000000100244694                 LDP             X20, X19, [SP,#0x20+var_10]
__text:0000000100244698                 LDP             X22, X21, [SP+0x20+var_20],#0x30
__text:000000010024469C                 RET
__text:000000010024469C ; End of function start
__text:000000010024469C
__text:00000001002446A0
__text:00000001002446A0 ; =============== S U B R O U T I N E =======================================


__int64 __fastcall start(__int64 a1, __int64 a2)
{
  __int64 v2; // x21
  void *v3; // x0
  __int64 v4; // x0
  __int64 v5; // x22
  __int64 v6; // x19

  v2 = objc_autoreleasePoolPush();
  v3 = objc_msgSend(&OBJC_CLASS___AppDelegate, "class");
  v4 = NSStringFromClass(v3);
  v5 = objc_retainAutoreleasedReturnValue(v4);
  v6 = UIApplicationMain();
  objc_release(v5);
  objc_autoreleasePoolPop(v2);
  return v6;
}

进去之后没有发现什么有价值的内容。。
具体信息如楼上

大佬们再给点提示，应该如何继续下去。。。

先查看系统log，找对对应的偏移，加上最新的aslr，得到0xXXXXXXX，然后使用

image lookup -v --address 0xXXXXXXX

查看具体的代码即可找到相关线索。

target modules lookup -a %1

GitHub - chenfanfang/AvoidCrash: This framework can effective avoid crash by potential error code. For example : If you insert a nil into a mutable array, this framework can avoid crash and note you that where cause crash. 把这个加上去就好了

这是正向开发吧？

系统log，指的是image list这个？ 还是？

忘了在哪见到过这种，重签名的bundleid 不能改，用原来的bundleid