/xia0LLDB

LLDB Enhance Python Script by xia0(Progressing)

Primary LanguagePython

xia0's lldb python script (Progressing)

Install

git clone xia0LLDB_git_project

command script import git-xia0LLDB-path/xlldb.py in lldb or .lldbinit

you can run install.sh auto add command script import git-xia0LLDB-path/xlldb.py to your .lldbinit

Happy debugging~~

Commands

  • pcc is alias of process connect connect://127.0.0.1:1234

  • xbr set breakpoint at OC class method although strip symbol like:xbr "-[yourClass yourMethod]"

  • sbt the replacement of bt , it can restore frame OC symbol on stackframe. if you want to restore block symbol, you can use the ida python script provided to get block symbol json file. then input sbt -f block_json_file_path in lldb. Beside it can show more infomation: mem address, file address

  • xutil this command has some useful tools, like:xutil -s moduleName print the silde of given module

  • ivars print all ivars of OC object (iOS Only)

  • methodsprint all methods of OC object (iOS Only)

  • choose get instance object of given class name, a lldb version of cycript's choose command

TODO

  • Anti-anti-debug:反反调试,即绕过应用的反调试机制 (已完成70% 2019/08/13)
  • OCHOOK:在lldb中能够进行OC方法的HOOK等操作
  • NetworkLog:监控lldb中能够监控网络数据
  • UI Debug:一些UI相关的实用命令
  • xbr增加对类所有方法下断点(已完成!2019/08/11)
  • ...

Update

  • [2019/07/04] Update for sbt -x / xutil : xutil cmd and sbt -x to disable color output in Xcode
  • [2019/07/21] Update for choose : lldb's choose command version of cycript's choose command
  • [2019/08/07] Fix critical bugs in choose : Fix critical bugs
  • [2019/08/11] Update for xbr : xbr className can set breakpoint at adresses of all methods of class
  • [2019/08/13] New debugme commad: kill anti debug in lldb

Update for sbt -x 2019/07/04

disable color output for Xcode terminal not support color output.

由于Xcode的终端不支持颜色输出,所以sbt命令增加了-x选项,设置以后会禁用颜色输出。

sbt

Usage: sbt -f block-json-file-path

Options:
  -h, --help            show this help message and exit
  -f FILE, --file=FILE  special the block json file
  -x, --XcodeNoColor    disable color output for Xcode
  -r, --reset           reset block file to None

xutil

(lldb) xutil -h
Usage: xutil [options] args

Options:
  -h, --help            show this help message and exit
  -b MAINMODULEADDRESS, --breakpointAtMainModule=MAINMODULEADDRESS
                        set a breakpoint at main module of given address
  -s SILDEMODULE, --slide=SILDEMODULE
                        get slide of given module
  -l LOADMODULE, --load=LOADMODULE
                        load a macho file

  • xutil -b mainModuleAddress: auto set breakpoint of address on main image (auto add the main image slide)

    (lldb) xutil -b 0x0000000100009b60
Breakpoint 2: where = choose`-[ViewController onClick:] at ViewController.m:53, address = 0x000000010001db60

  • xutil -s moduleName: get silde of given module name

    (lldb) xutil -s choose
Module:/var/containers/Bundle/Application/2E718F3A-CCBF-4251-9BB6-BBF57267CABB/choose.app/choose
Silde:0x14000

  • xutil -l machoFilePath: load the macho file like dylib in the process

    (lldb) xutil -l /Library/MobileSubstrate/DynamicLibraries/test.dylib
Success

Update for choose 2019/07/21

choose

lldb's choose command version of cycript's choose command, test on iPhone6P in iOS10. enjoy~

从cycript移植到lldb的choose命令,在iOS10 iPhone6p测试通过。 enjoy~

(lldb) choose
[usage] choose className

(lldb) choose AppDelegate
<__NSArrayM 0x170054370>(
<AppDelegate: 0x17403e840>
)

(lldb) choose ViewController
<__NSArrayM 0x174054a90>(
<ViewController: 0x109e10550>
)

一些解释:

关于那两个计算公式的解释:iOS的malloc分配内存的时候会有tiny和small两种region。其中tiny以16B为quantum,small以512B为quantum。并且tiny在32位、64位机器上size分别为496B和1008B。所以,needed <= boundary是在检查分配内存是否小于tiny的size。(needed + 15) / 16 * 16 != size)主要是检查分配大小needed是否为16的倍数。更多关于苹果堆设计可以看我分析的一遍文章:

http://4ch12dy.site/2019/04/01/%E6%B7%B1%E5%85%A5%E7%90%86%E8%A7%A3macos-heap/%E6%B7%B1%E5%85%A5%E7%90%86%E8%A7%A3macos-heap/

Tips: It seemdifferent of heap layout by malloc in iOS12, So choose cmd maybe has some bugs

说明:iOS12可能是malloc的布局发生了一些变化,导致choose的时候可能出现bug,后面有时间在适配一下。

是我自己代码写得有问题导致得….其他设备或者系统如果有问题的话,欢迎issue 或pr

Fix critical bugs in choose 2019/08/07

fix need check and something error when choose NSString

Update for xbr 2019/08/11

xbr className can set breakpoint at adresses of all methods of given class name.

xbr命令增加一个功能,xbr className就能够自动对该类的所有方法下断点,获取其方法调用顺序。

(lldb) xbr UPLivePlayerVC
Breakpoint 1: where = TestPaly`-[UPLivePlayerVC progressSliderSeekTime:] at UPLivePlayerVC.m:205, address = 0x0000000102dc134c
Breakpoint 2: where = TestPaly`-[UPLivePlayerVC progressSliderTouchDown:] at UPLivePlayerVC.m:197, address = 0x0000000102dc1184
Breakpoint 3: where = TestPaly`-[UPLivePlayerVC progressSliderValueChanged:] at UPLivePlayerVC.m:201, address = 0x0000000102dc11ec
...
Breakpoint 45: where = TestPaly`-[UPLivePlayerVC setUrl:] at UPLivePlayerVC.h:13, address = 0x0000000102dc2990
Breakpoint 46: where = TestPaly`-[UPLivePlayerVC play] at UPLivePlayerVC.m:124, address = 0x0000000102dbfd84
Breakpoint 47: where = TestPaly`-[UPLivePlayerVC pause] at UPLivePlayerVC.m:132, address = 0x0000000102dbfe1c
Set 47 breakpoints of UPLivePlayerVC

这里可以看出,已经对UPLivePlayerVC类的47个方法下了断点。

usage is above. Enjoy~

New debugme 2019/08/13

Base single instruction patch to anti-anti-debug in lldb

基于内存patch的单指令patch反反调试

(lldb) debugme
Kill antiDebug by xia0:
[*] target address: 6501024128 and offset: 384
[*] mmap new page: 4572217344 success! 
[+] vm_copy success!
[+] mach_vm_write success!
[*] set new page back to r-x success!
[*] vm_region_recurse_64 success!
[*] get page info success!
[+] remap success!
[*] clear cache success!
[+] all done! happy debug~

相关分析见:http://4ch12dy.site/2019/08/12/xia0lldb-anti-anti-debug/xia0lldb-anti-anti-debug/

Screenshot

bt

orig_bt

sbt

sbt-noblockfile

sbt -f block_json_file

sbt-blockfile

Document

Credits