在ios逆向过程中,善于运用lldb,会给逆向带来很大的方便
一般的命令:
1、image list -o -f 看看各个模块在内存中的基址
2、register read r0 读取寄存器r0的值。register read 读取所有寄存器的值
3、expression(或者缩写expr) 表达式
例子:
expression $r6 = 1 // 设置r6寄存器的值
expression $r6 // 查看r6寄存器的值
expression username(源代码中变量) = @"11111"
expression [self btnTest] // 调用某类某方法
4、po 表达式
例子:
po $r6
po username
po [[NSString alloc] initWithData:$r2 encoding:4] // 打印$r2寄存器的明文数据
po [$r5 base64EncodedStringWithOptions:0]; // 打印$r5寄存器(NSData)类型的base64明文数据
5、print (type)表达式
例子:
print (int)$r6
print username
6、bt [all] --- 打印调用堆栈
例子:
bt
返回如下:
* thread #1: tid = 0x1ee09, 0x00035e80 debug`-[ViewController loginWithUserName:password:](self=0x15d7be60, _cmd=0x00036441, username=0x15db0120, password=0x0003768c) + 168 at ViewController.m:34, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
* frame #0: 0x00035e80 debug`-[ViewController loginWithUserName:password:](self=0x15d7be60, _cmd=0x00036441, username=0x15db0120, password=0x0003768c) + 168 at ViewController.m:34
7、breakpoint list //打印断点列表
例子:br l
8、s 源码级别单步执行,遇到子函数则进入
9、si 单步执行,遇到子函数则进入
10、n 源码级别单步执行,遇到子函数不进入,直接步过
11、ni 单步执行,遇到子函数不进入,直接步过
12、finish/f 退出子函数
13、thread list 打印线程列表
14、image lookup -a 表达式、image list
例子:
image lookup -a $pc
返回如下:
Address: debug[0x0000b236] (debug.__TEXT.__text + 1254)
Summary: debug`main + 58 at main.m:16
15、查找某个函数:
对于有调试符号的这样使用
image lookup -r -n <FUNC_REGEX>
对于无调试符号的这样使用:
image lookup -r -s <FUNC_REGEX>
16、disassemble(简写di) -a 地址
disassemble -A thumb
可选:
thumbv4t
thumbv5
thumbv5e
等等一系列
17、memory read(简写x) [起始地址 结束地址]/寄存器 -outfile 输出路径
(lldb) memory read -f s $x1
或者
(lldb) x -f s $x1
(lldb) x -f A $sp $fp
sp是上级函数即调用者的堆栈首地址,fp是上级函数的堆栈结束地址,所以根据sp和fp就可以一级一级得出调用关系
( lldb ) memory read –format x –size 4 0xbffff3c0
以16进制格式显示0xbffff3c0开始的内存数据,数据是4个字节为一个单位的
(lldb)memory read –outfile /tmp/mem.bin –binary 0x1000 0x1200
把0x100 到 0x1200的内存数据输出到文件
18、内存断点 watchpoint set expression 地址 / watchpoint set variable 变量名称 -- (源码调试用到,略过)
例子:
watchpoint set expression 0x1457fa70
命中后得到结果:
Watchpoint 3 hit:
old value: 3
new value: 4
18.1、内存访问断点 watchpoint set expression -w read -- 内存地址
watchpoint set expression -w read -- 0x16b9dd91
18.2、内存写入断点 watchpoint set expression -w write -- 内存地址
watchpoint set expression -w read -- 0x16b9dd91
18.3、条件断点 watchpoint modify -c 表达式
例子:
watchpoint modify -c '*(int *)0x1457fa70 == 20'
命中后得到结果:
Watchpoint 3 hit:
old value: 15
new value: 20
19、找按钮事件 po [按钮名称/内存地址 allTargets]
例子:
(lldb) po [[self btnTest] allTargets]
{(
<ViewController: 0x166af1f0>
)}
(lldb) po [[self btnTest] actionsForTarget:(id)0x166af1f0 forControlEvent:0]
<__NSArrayM 0x165b8950>(
testAction:
)
Bash
// 在机器上实战一下:
(lldb) po [[[UIApplication sharedApplication] keyWindow] recursiveDescription]
<UIWindow:
0x15e771c0; frame = (0 0; 320 568); gestureRecognizers = <NSArray:
0x15e96210>; layer = <UIWindowLayer: 0x15e988e0>>
| <UIView: 0x15eb4180; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x15eb4300>>
| | <UIButton: 0x15eb32d0; frame = (277 285; 46 30); opaque = NO;
autoresize = RM+BM; layer = <CALayer: 0x15eb2e30>>
|
| | <UIButtonLabel: 0x15db5220; frame = (0 6; 46 18); text =
'Button'; opaque = NO; userInteractionEnabled = NO; layer =
<_UILabelLayer: 0x15db5410>>
| | <_UILayoutGuide: 0x15eb4360; frame = (0 0; 0 20); hidden = YES; layer = <CALayer: 0x15eb4540>>
| | <_UILayoutGuide: 0x15eb4af0; frame = (0 568; 0 0); hidden = YES; layer = <CALayer: 0x15eb4b70>>
(lldb) po [(UIButton *)0x15eb32d0 allTargets]
{(
<ViewController: 0x15e93250>
)}
(lldb) po [(UIButton *)0x15eb32d0 allTargets]
{(
<ViewController: 0x15e93250>
)}
(lldb) po [(UIButton *)0x15eb32d0 actionsForTarget:(id)0x15e93250 forControlEvent:0]
<__NSArrayM 0x15dbfc50>(
testAction:
)
// 调用--
(lldb) po [0x15e93250 testAction:nil]
0x00210c18
// 再来一发,对按钮属性操作
Bash
(lldb) po [[[UIApplication sharedApplication] keyWindow] recursiveDescription]
<UIWindow: 0x15e771c0; frame = (0 0; 320 568); gestureRecognizers = <NSArray: 0x15e96210>; layer = <UIWindowLayer: 0x15e988e0>>
| <UIView: 0x15eb4180; frame = (0 0; 320 568); autoresize = W+H; layer = <CALayer: 0x15eb4300>>
| | <UIButton: 0x15eb32d0; frame = (277 285; 46 30); opaque = NO; autoresize = RM+BM; layer = <CALayer: 0x15eb2e30>>
| | | <UIButtonLabel: 0x15db5220; frame = (0 6; 46 18); text = 'Button'; opaque = NO; userInteractionEnabled = NO; layer = <_UILabelLayer: 0x15db5410>>
| | <_UILayoutGuide: 0x15eb4360; frame = (0 0; 0 20); hidden = YES; layer = <CALayer: 0x15eb4540>>
| | <_UILayoutGuide: 0x15eb4af0; frame = (0 568; 0 0); hidden = YES; layer = <CALayer: 0x15eb4b70>>
(lldb) expression UIButton *$btn = (UIButton *)0x15eb32d0
(lldb) expression [$btn setHidden:YES]
20、std::string 读取方式:从内存+8的地方开始 64bit自行变通
例:
Bash
(lldb) x $r0+8
0x02db9248: 20 82 e3 14 71 00 00 00 61 00 00 00 c0 82 d3 14 .惝q...a...喇赢
0x02db9258: 71 00 00 00 2b 00 00 00 20 f9 e6 14 61 00 00 00 q...+... .a...
(lldb) x/s 0x14e38220
0x14e38220: "hello!piaoyun"
