一个lldb trace的疑惑?

分析一个具有jumpout特征的函数,本来是基于这篇帖子进行了一些脚本的修改:

但在 trace 过程中，每当执行到 `br x27` 这样的寄存器跳转指令时就挂了：打印出来的寄存器 x27 中的地址值根本是错误的，完全不在当前程序的内存地址范围内，相当奇怪，有懂的大佬指点一下！

目标函数的反汇编代码如下（其中有多处 br 指令）：

XXX[0x1046e9f8c]: sub    sp, sp, #0xc0             ; =0xc0
XXX[0x1046e9f90]: stp    x28, x27, [sp, #0x60]
XXX[0x1046e9f94]: stp    x26, x25, [sp, #0x70]
XXX[0x1046e9f98]: stp    x24, x23, [sp, #0x80]
XXX[0x1046e9f9c]: stp    x22, x21, [sp, #0x90]
XXX[0x1046e9fa0]: stp    x20, x19, [sp, #0xa0]
XXX[0x1046e9fa4]: stp    x29, x30, [sp, #0xb0]
XXX[0x1046e9fa8]: add    x29, sp, #0xb0            ; =0xb0
XXX[0x1046e9fac]: mov    x19, x7
XXX[0x1046e9fb0]: mov    x21, x6
XXX[0x1046e9fb4]: mov    x23, x5
XXX[0x1046e9fb8]: mov    x22, x4
XXX[0x1046e9fbc]: mov    x24, x3
XXX[0x1046e9fc0]: mov    x20, x0
XXX[0x1046e9fc4]: ldr    x28, [x29, #0x10]
XXX[0x1046e9fc8]: mov    w8, #0xb5
XXX[0x1046e9fcc]: str    w8, [sp, #0x20]
XXX[0x1046e9fd0]: add    x8, sp, #0x24             ; =0x24
XXX[0x1046e9fd4]: add    x9, sp, #0x20             ; =0x20
XXX[0x1046e9fd8]: adr    x27, #0x4
XXX[0x1046e9fdc]: ldrsw  x1, 0x1046ea008
XXX[0x1046e9fe0]: mov    x15, #0x55
XXX[0x1046e9fe4]: eor    x1, x1, x15
XXX[0x1046e9fe8]: mov    x25, #0x4d
XXX[0x1046e9fec]: eor    x1, x1, x25
XXX[0x1046e9ff0]: ldrsw  x3, [x9]
XXX[0x1046e9ff4]: eor    x1, x1, x3
XXX[0x1046e9ff8]: add    x27, x27, x1
XXX[0x1046e9ffc]: mov    w13, #0x66
XXX[0x1046ea000]: str    w13, [x8]
XXX[0x1046ea004]: br     x27
XXX[0x1046ea008]: udf    #0xed
XXX[0x1046ea00c]: .long  0xf5c3e516                ; unknown opcode
XXX[0x1046ea010]: .long  0xe49b0825                ; unknown opcode
XXX[0x1046ea014]: .long  0xcea5a7b5                ; unknown opcode
XXX[0x1046ea018]: ldrb   w12, [x10, #0xee9]
XXX[0x1046ea01c]: mov    x0, x2
XXX[0x1046ea020]: bl     0x105c5f070
XXX[0x1046ea024]: mov    x25, x0
XXX[0x1046ea028]: mov    x0, x24
XXX[0x1046ea02c]: bl     0x105c5f070
XXX[0x1046ea030]: mov    x26, x0
XXX[0x1046ea034]: mov    x0, x22
XXX[0x1046ea038]: bl     0x105c5f070
XXX[0x1046ea03c]: mov    x24, x0
XXX[0x1046ea040]: str    wzr, [sp, #0x58]
XXX[0x1046ea044]: ldr    w8, [sp, #0x24]
XXX[0x1046ea048]: cmp    w8, #0xcb                 ; =0xcb
XXX[0x1046ea04c]: b.hi   0x1046ea184
XXX[0x1046ea050]: mov    x0, x23
XXX[0x1046ea054]: bl     0x105c5f070
XXX[0x1046ea058]: mov    x23, x0
XXX[0x1046ea05c]: mov    x0, x26
XXX[0x1046ea060]: bl     0x105c5f07c
XXX[0x1046ea064]: mov    x26, x0
XXX[0x1046ea068]: adrp   x8, 10211
XXX[0x1046ea06c]: ldr    x22, [x8, #0xd80]
XXX[0x1046ea070]: mov    x1, x22
XXX[0x1046ea074]: bl     0x105c5f028
XXX[0x1046ea078]: mov    x27, x0
XXX[0x1046ea07c]: mov    x0, x26
XXX[0x1046ea080]: bl     0x105c5f058
XXX[0x1046ea084]: str    x27, [sp, #0x28]
XXX[0x1046ea088]: mov    x0, x25
XXX[0x1046ea08c]: bl     0x105c5f07c
XXX[0x1046ea090]: mov    x25, x0
XXX[0x1046ea094]: mov    x1, x22
XXX[0x1046ea098]: bl     0x105c5f028
XXX[0x1046ea09c]: mov    x26, x0
XXX[0x1046ea0a0]: mov    x0, x25
XXX[0x1046ea0a4]: bl     0x105c5f058
XXX[0x1046ea0a8]: str    x26, [sp, #0x30]
XXX[0x1046ea0ac]: str    w21, [sp, #0x38]
XXX[0x1046ea0b0]: mov    x0, x24
XXX[0x1046ea0b4]: bl     0x105c5f07c
XXX[0x1046ea0b8]: mov    x21, x0
XXX[0x1046ea0bc]: mov    x1, x22
XXX[0x1046ea0c0]: bl     0x105c5f028
XXX[0x1046ea0c4]: mov    x24, x0
XXX[0x1046ea0c8]: mov    x0, x21
XXX[0x1046ea0cc]: bl     0x105c5f058
XXX[0x1046ea0d0]: str    x24, [sp, #0x40]
XXX[0x1046ea0d4]: adrp   x8, 10385
XXX[0x1046ea0d8]: ldr    x1, [x8, #0x2f0]
XXX[0x1046ea0dc]: mov    x0, x20
XXX[0x1046ea0e0]: mov    x2, x23
XXX[0x1046ea0e4]: bl     0x105c5f028
XXX[0x1046ea0e8]: bl     0x105c5f094
XXX[0x1046ea0ec]: mov    x20, x0
XXX[0x1046ea0f0]: mov    x0, x23
XXX[0x1046ea0f4]: bl     0x105c5f058
XXX[0x1046ea0f8]: mov    x0, x20
XXX[0x1046ea0fc]: bl     0x105c5f07c
XXX[0x1046ea100]: mov    x20, x0
XXX[0x1046ea104]: mov    x1, x22
XXX[0x1046ea108]: bl     0x105c5f028
XXX[0x1046ea10c]: str    x0, [sp, #0x48]
XXX[0x1046ea110]: str    w19, [sp, #0x50]
XXX[0x1046ea114]: mov    x0, x20
XXX[0x1046ea118]: bl     0x105c5f058
XXX[0x1046ea11c]: mov    w8, #0x53
XXX[0x1046ea120]: stur   w8, [x29, #-0x54]
XXX[0x1046ea124]: sub    x8, x29, #0x54            ; =0x54
XXX[0x1046ea128]: adr    x7, #0x4
XXX[0x1046ea12c]: ldrsw  x23, 0x1046ea150
XXX[0x1046ea130]: add    x23, x23, #0xb9           ; =0xb9
XXX[0x1046ea134]: add    x23, x23, #0x20           ; =0x20
XXX[0x1046ea138]: sub    x23, x23, #0xf6           ; =0xf6
XXX[0x1046ea13c]: ldrsw  x5, [x8]
XXX[0x1046ea140]: add    x23, x23, x5
XXX[0x1046ea144]: add    x7, x7, x23
XXX[0x1046ea148]: mov    x8, #0x4
XXX[0x1046ea14c]: br     x7
XXX[0x1046ea150]: udf    #0x2
XXX[0x1046ea154]: .long  0x32676ab5                ; unknown opcode
XXX[0x1046ea158]: b      0xfe3b4074
XXX[0x1046ea15c]: .long  0x7188dbe6                ; unknown opcode
XXX[0x1046ea160]: stp    s13, s26, [x15], #0x40
XXX[0x1046ea164]: adrp   x8, 11287
XXX[0x1046ea168]: ldr    x8, [x8, #0x790]
XXX[0x1046ea16c]: mov    w0, #0x558e
XXX[0x1046ea170]: add    x1, sp, #0x28             ; =0x28
XXX[0x1046ea174]: add    x2, sp, #0x58             ; =0x58
XXX[0x1046ea178]: blr    x8
XXX[0x1046ea17c]: mov    x22, x0
XXX[0x1046ea180]: cbz    x22, 0x1046ea27c
XXX[0x1046ea184]: ldr    x8, [x22]
XXX[0x1046ea188]: cbz    x8, 0x1046ea1c0
XXX[0x1046ea18c]: adrp   x9, 10428
XXX[0x1046ea190]: ldr    x0, [x9, #0x978]
XXX[0x1046ea194]: adrp   x9, 10212
XXX[0x1046ea198]: ldr    x1, [x9, #0xc0]
XXX[0x1046ea19c]: str    x8, [sp]
XXX[0x1046ea1a0]: adrp   x2, 6291
XXX[0x1046ea1a4]: add    x2, x2, #0x768            ; =0x768
XXX[0x1046ea1a8]: bl     0x105c5f028
XXX[0x1046ea1ac]: bl     0x105c5f094
XXX[0x1046ea1b0]: mov    x19, x0
XXX[0x1046ea1b4]: ldr    x0, [x22]
XXX[0x1046ea1b8]: bl     0x105c5df84
XXX[0x1046ea1bc]: b      0x1046ea1c4
XXX[0x1046ea1c0]: mov    x19, #0x0
XXX[0x1046ea1c4]: mov    x0, x22
XXX[0x1046ea1c8]: bl     0x105c5df84
XXX[0x1046ea1cc]: adrp   x8, 10211
XXX[0x1046ea1d0]: ldr    x21, [x8, #0xde8]
XXX[0x1046ea1d4]: mov    x0, x19
XXX[0x1046ea1d8]: mov    x1, x21
XXX[0x1046ea1dc]: bl     0x105c5f028
XXX[0x1046ea1e0]: cbnz   x0, 0x1046ea338
XXX[0x1046ea1e4]: ldr    w26, [sp, #0x58]
XXX[0x1046ea1e8]: cbz    w26, 0x1046ea338
XXX[0x1046ea1ec]: adrp   x27, 10428
XXX[0x1046ea1f0]: ldr    x22, [x27, #0x978]
XXX[0x1046ea1f4]: adrp   x8, 10212
XXX[0x1046ea1f8]: ldr    x20, [x8, #0xc0]
XXX[0x1046ea1fc]: adrp   x23, 11287
XXX[0x1046ea200]: add    x23, x23, #0xe77          ; =0xe77
XXX[0x1046ea204]: ldrb   w8, [x23, #0x9d]
XXX[0x1046ea208]: tbnz   w8, #0x0, 0x1046ea23c
XXX[0x1046ea20c]: adrp   x0, 11287
XXX[0x1046ea210]: add    x0, x0, #0xd6e            ; =0xd6e
XXX[0x1046ea214]: adrp   x2, 12731
XXX[0x1046ea218]: add    x2, x2, #0x804            ; =0x804
XXX[0x1046ea21c]: adrp   x3, 12731
XXX[0x1046ea220]: add    x3, x3, #0x7ff            ; =0x7ff
XXX[0x1046ea224]: orr    w1, wzr, #0xe
XXX[0x1046ea228]: orr    w4, wzr, #0x4
XXX[0x1046ea22c]: mov    w5, #0xaf
XXX[0x1046ea230]: bl     0x1046f15cc
XXX[0x1046ea234]: orr    w8, wzr, #0x1
XXX[0x1046ea238]: strb   w8, [x23, #0x9d]
XXX[0x1046ea23c]: str    x19, [sp, #0x18]
XXX[0x1046ea240]: adrp   x8, 11287
XXX[0x1046ea244]: add    x8, x8, #0xd6e            ; =0xd6e
XXX[0x1046ea248]: str    x8, [sp]
XXX[0x1046ea24c]: adrp   x2, 6291
XXX[0x1046ea250]: add    x2, x2, #0x768            ; =0x768
XXX[0x1046ea254]: mov    x0, x22
XXX[0x1046ea258]: mov    x1, x20
XXX[0x1046ea25c]: bl     0x105c5f028
XXX[0x1046ea260]: bl     0x105c5f094
XXX[0x1046ea264]: mov    x22, x0
XXX[0x1046ea268]: cbz    x22, 0x1046ea284
XXX[0x1046ea26c]: mov    w8, #0x0
XXX[0x1046ea270]: mov    w24, #0x88
XXX[0x1046ea274]: tbnz   w8, #0x0, 0x1046ea35c
XXX[0x1046ea278]: b      0x1046ea41c
XXX[0x1046ea27c]: mov    x19, #0x0
XXX[0x1046ea280]: b      0x1046ea1cc
XXX[0x1046ea284]: orr    w24, wzr, #0x7c
XXX[0x1046ea288]: b      0x1046ea41c
XXX[0x1046ea28c]: adrp   x8, 10428
XXX[0x1046ea290]: ldr    x21, [x8, #0xd80]
XXX[0x1046ea294]: ldr    x22, [x27, #0x978]
XXX[0x1046ea298]: adrp   x23, 11287
XXX[0x1046ea29c]: add    x23, x23, #0xe77          ; =0xe77
XXX[0x1046ea2a0]: ldrb   w8, [x23, #0x9e]
XXX[0x1046ea2a4]: tbnz   w8, #0x0, 0x1046ea2d8
XXX[0x1046ea2a8]: adrp   x0, 11287
XXX[0x1046ea2ac]: add    x0, x0, #0xd7c            ; =0xd7c
XXX[0x1046ea2b0]: adrp   x2, 12731
XXX[0x1046ea2b4]: add    x2, x2, #0x820            ; =0x820
XXX[0x1046ea2b8]: adrp   x3, 12096
XXX[0x1046ea2bc]: add    x3, x3, #0xa10            ; =0xa10
XXX[0x1046ea2c0]: orr    w19, wzr, #0x1
XXX[0x1046ea2c4]: orr    w1, wzr, #0x30
XXX[0x1046ea2c8]: orr    w5, wzr, #0x1
XXX[0x1046ea2cc]: mov    w4, #0x0
XXX[0x1046ea2d0]: bl     0x1046f1548
XXX[0x1046ea2d4]: strb   w19, [x23, #0x9e]
XXX[0x1046ea2d8]: adrp   x8, 11287
XXX[0x1046ea2dc]: add    x8, x8, #0xd7c            ; =0xd7c
XXX[0x1046ea2e0]: str    x8, [sp]
XXX[0x1046ea2e4]: adrp   x2, 6291
XXX[0x1046ea2e8]: add    x2, x2, #0x768            ; =0x768
XXX[0x1046ea2ec]: mov    x0, x22
XXX[0x1046ea2f0]: mov    x1, x20
XXX[0x1046ea2f4]: bl     0x105c5f028
XXX[0x1046ea2f8]: bl     0x105c5f094
XXX[0x1046ea2fc]: mov    x20, x0
XXX[0x1046ea300]: ldrsw  x8, [sp, #0x58]
XXX[0x1046ea304]: add    x3, x8, #0x578            ; =0x578
XXX[0x1046ea308]: adrp   x8, 10213
XXX[0x1046ea30c]: ldr    x1, [x8, #0xf90]
XXX[0x1046ea310]: mov    x0, x21
XXX[0x1046ea314]: mov    x2, x20
XXX[0x1046ea318]: mov    x4, #0x0
XXX[0x1046ea31c]: bl     0x105c5f028
XXX[0x1046ea320]: bl     0x105c5f094
XXX[0x1046ea324]: bl     0x105c5eefc
XXX[0x1046ea328]: str    x0, [x28]
XXX[0x1046ea32c]: mov    x0, x20
XXX[0x1046ea330]: bl     0x105c5f058
XXX[0x1046ea334]: ldr    x19, [sp, #0x18]
XXX[0x1046ea338]: mov    x0, x19
XXX[0x1046ea33c]: ldp    x29, x30, [sp, #0xb0]
XXX[0x1046ea340]: ldp    x20, x19, [sp, #0xa0]
XXX[0x1046ea344]: ldp    x22, x21, [sp, #0x90]
XXX[0x1046ea348]: ldp    x24, x23, [sp, #0x80]
XXX[0x1046ea34c]: ldp    x26, x25, [sp, #0x70]
XXX[0x1046ea350]: ldp    x28, x27, [sp, #0x60]
XXX[0x1046ea354]: add    sp, sp, #0xc0             ; =0xc0
XXX[0x1046ea358]: b      0x105c5ef20
XXX[0x1046ea35c]: cmp    w25, #0x82                ; =0x82
XXX[0x1046ea360]: b.ne   0x1046ea374
XXX[0x1046ea364]: cmp    w19, #0x86                ; =0x86
XXX[0x1046ea368]: b.ne   0x1046ea3c8
XXX[0x1046ea36c]: mov    x24, x23
XXX[0x1046ea370]: b      0x1046ea3f8
XXX[0x1046ea374]: mov    w8, #0x7d
XXX[0x1046ea378]: str    w8, [sp, #0x20]
XXX[0x1046ea37c]: add    x8, sp, #0x24             ; =0x24
XXX[0x1046ea380]: add    x9, sp, #0x20             ; =0x20
XXX[0x1046ea384]: adr    x15, #0x4
XXX[0x1046ea388]: ldrsw  x5, 0x1046ea3ac
XXX[0x1046ea38c]: mvn    x5, x5
XXX[0x1046ea390]: add    x5, x5, #0xe1             ; =0xe1
XXX[0x1046ea394]: ldrsw  x13, [x9]
XXX[0x1046ea398]: eor    x5, x5, x13
XXX[0x1046ea39c]: add    x15, x15, x5
XXX[0x1046ea3a0]: mov    w4, #0x77
XXX[0x1046ea3a4]: str    w4, [x8]
XXX[0x1046ea3a8]: br     x15
XXX[0x1046ea3ac]: udf    #0x9b
XXX[0x1046ea3b0]: .long  0xb1b5d51c                ; unknown opcode
XXX[0x1046ea3b4]: .long  0x75e9f1a9                ; unknown opcode
XXX[0x1046ea3b8]: .long  0x415dced2                ; unknown opcode
XXX[0x1046ea3bc]: .long  0xdcb45e74                ; unknown opcode
XXX[0x1046ea3c0]: b      0x1046ea334
XXX[0x1046ea3c4]: mov    w19, #0x62
XXX[0x1046ea3c8]: ldr    x0, [x27, #0x978]
XXX[0x1046ea3cc]: adrp   x8, 6286
XXX[0x1046ea3d0]: add    x8, x8, #0x468            ; =0x468
XXX[0x1046ea3d4]: stp    x23, x8, [sp]
XXX[0x1046ea3d8]: adrp   x2, 6338
XXX[0x1046ea3dc]: add    x2, x2, #0x2c8            ; =0x2c8
XXX[0x1046ea3e0]: mov    x1, x20
XXX[0x1046ea3e4]: bl     0x105c5f028
XXX[0x1046ea3e8]: bl     0x105c5f094
XXX[0x1046ea3ec]: mov    x24, x0
XXX[0x1046ea3f0]: mov    x0, x23
XXX[0x1046ea3f4]: bl     0x105c5f058
XXX[0x1046ea3f8]: str    x24, [sp]
XXX[0x1046ea3fc]: adrp   x0, 6286
XXX[0x1046ea400]: add    x0, x0, #0x3c8            ; =0x3c8
XXX[0x1046ea404]: bl     0x100149308
XXX[0x1046ea408]: mov    x0, x24
XXX[0x1046ea40c]: bl     0x105c5f058
XXX[0x1046ea410]: mov    w8, #0x0
XXX[0x1046ea414]: orr    w24, wzr, #0x7c
XXX[0x1046ea418]: tbnz   w8, #0x0, 0x1046ea35c
XXX[0x1046ea41c]: cmp    w24, #0x88                ; =0x88
XXX[0x1046ea420]: b.ne   0x1046ea46c
XXX[0x1046ea424]: sxtw   x8, w26
XXX[0x1046ea428]: add    x8, x8, #0x578            ; =0x578
XXX[0x1046ea42c]: ldr    x0, [x27, #0x978]
XXX[0x1046ea430]: str    x8, [sp]
XXX[0x1046ea434]: mov    x1, x20
XXX[0x1046ea438]: mov    x2, x22
XXX[0x1046ea43c]: bl     0x105c5f028
XXX[0x1046ea440]: bl     0x105c5f094
XXX[0x1046ea444]: mov    x23, x0
XXX[0x1046ea448]: adrp   x0, 6286
XXX[0x1046ea44c]: add    x0, x0, #0x468            ; =0x468
XXX[0x1046ea450]: mov    x1, x21
XXX[0x1046ea454]: bl     0x105c5f028
XXX[0x1046ea458]: cbnz   x0, 0x1046ea3c4
XXX[0x1046ea45c]: mov    w19, #0x86
XXX[0x1046ea460]: mov    w24, #0x88
XXX[0x1046ea464]: mov    w25, #0x82
XXX[0x1046ea468]: b      0x1046ea47c
XXX[0x1046ea46c]: mov    x0, x22
XXX[0x1046ea470]: bl     0x105c5f058
XXX[0x1046ea474]: cbnz   x28, 0x1046ea28c
XXX[0x1046ea478]: orr    w25, wzr, #0x7
XXX[0x1046ea47c]: orr    w8, wzr, #0x1
XXX[0x1046ea480]: tbnz   w8, #0x0, 0x1046ea35c
XXX[0x1046ea484]: b      0x1046ea41c

网上有说法：“在脚本里面欲改变被调试程序控制流程时，调试器控制被调试程序执行脚本是异步的”。

因此我在断点的回调函数 trace_callback 中加了如下代码（仍然没有什么作用）：

def trace_callback(frame, bp_loc, internal_dict):
	"""Breakpoint callback: put the debugger into synchronous mode, log the hit, and forward the address to the tracer.

	Args:
		frame: the lldb frame at the breakpoint hit; only used to reach the owning debugger.
		bp_loc: the breakpoint location that was hit; its load address is what gets traced.
		internal_dict: lldb's per-script dictionary (unused here).
	"""
	owning_debugger = frame.GetThread().GetProcess().GetTarget().GetDebugger()
	# Set to synchronous waiting, so process-control commands block until the stop.
	owning_debugger.SetAsync(False)
	hit_addr = bp_loc.GetAddress().load_addr
	print(f"trace_callback {hex(hit_addr)}")
	# Tracer is defined elsewhere in the script; onTrace receives the raw load address.
	Tracer().onTrace(hit_addr)

大佬们都不在了吗?

遇到了同样的问题,楼主后来解决了不?