iOS逆向备忘录iOS日常积累

iOS开发之LLDB常用命令

2021-03-31  本文已影响0人  张聪_2048

一、前言

1、简介

LLDB是新一代高性能调试器。它构建为一组可重用的组件,可以高度利用较大的LLVM项目中的现有库,例如Clang表达式解析器和LLVM反汇编程序。LLDB是Mac OS X上Xcode的默认调试器,支持在桌面和iOS设备和模拟器上调试C,Objective-C和C ++。LLDB项目中的所有代码都是在标准LLVM许可证下提供的,这是一种开源的“BSD风格”许可证。

对于开发测试同学来说,学习iOS代码调试LLDB命令,能更好地辅助我们通过各种手段如修改变量返回值创造实际难以模拟的环境进行测试,甚至能协助开发同学定位bug。下面小编来分享一些平时常用到的iOS代码调试LLDB命令,希望能对做iOS测试的同学有所帮助。

2、指令格式

LLDB命令的各部分由空格分割,如果参数中包含空格,则需要使用双引号括起参数,如果参数中包含双引号或者反斜杠,则需要使用反斜杠进行转义。

 <command> [<subcommand> [<subcommand>...]] <action> [-options [option-
value]] [argument [argument...]]

二、常用指令

1、help(帮助)

LLDB命令有非常多的功能,完全背下来不太容易,也没必要。开发者可以使用help命令查看相关命令的用法,甚至可以查看help命令的用法。

所有命令可以通过help <command> [<subcommand>]查看详细文档。比如help breakpointhelp breakpoint set

(lldb) help breakpoint
     Commands for operating on breakpoints (see 'help b' for shorthand.)

Syntax: breakpoint <subcommand> [<command-options>]

The following subcommands are supported:

      clear   -- Delete or disable breakpoints matching the specified source
                 file and line.
      command -- Commands for adding, removing and listing LLDB commands
                 executed when a breakpoint is hit.
      delete  -- Delete the specified breakpoint(s).  If no breakpoints are
                 specified, delete them all.
      disable -- Disable the specified breakpoint(s) without deleting them.  If
                 none are specified, disable all breakpoints.
      enable  -- Enable the specified disabled breakpoint(s). If no breakpoints
                 are specified, enable all of them.
      list    -- List some or all breakpoints at configurable levels of detail.
      modify  -- Modify the options on a breakpoint or set of breakpoints in
                 the executable.  If no breakpoint is specified, acts on the
                 last created breakpoint.  With the exception of -e, -d and -I,
                 passing an empty argument clears the modification.
      name    -- Commands to manage name tags for breakpoints
      read    -- Read and set the breakpoints previously saved to a file with
                 "breakpoint write".  
      set     -- Sets a breakpoint or set of breakpoints in the executable.
      write   -- Write the breakpoints listed to a file that can be read in
                 with "breakpoint read".  If given no arguments, writes all
                 breakpoints.

For more help on any particular subcommand, type 'help <command> <subcommand>'.
(lldb) 

2、p和po(打印)

p 命令: print 命令的简写,使用p 命令可以查看基本数据类型的值;如果使用p命令查看的是对象,那么只会返回对象的指针地址。 p命令后面除了可以接变量、常量,还可以接表达式。

po 命令:print object的缩写,可以理解为打印对象。功能与p命令类似,也可以打印常量、变量,打印表达式返回的对象等。p 和 po 的区别在于使用 po 只会输出对应的值,而 p 则会返回值的类型以及命令结果的引用名。

图1:p和po的使用.png

在输出结果中有类似于0,1这样的符号,它是指向对象的一个引用,在控制面板中可以直接使用这个符号来操作对应的对象,它们存在于LLDB的全名空间中,目的是为了辅助调试。$后面的数值是递增的,每打印一个与对象相关的命令,这个值都会加1。打印对象除了以上命令外,也可以在控制台左侧区域,点击变量右键点击 Print Deion of “xxx”,或者选中变量后,点击下边栏的i按钮,即可在控制台区看到打印结果。

另外,开发者可以按照print/的语法为print命令指定打印格式:

p    //!< 默认打印十进制
p/x  //!< 以十六进制打印整数 
p/d  //!< 以带符号的十进制打印整数 
p/u  //!< 以无符号的十进制打印整数 
p/o  //!< 以八进制打印整数 
p/t  //!< 以二进制打印整数 
p/a  //!< 以十六进制打印地址 
p/c  //!< 打印字符常量 
p/f  //!< 打印浮点数 
p/s  //!< 打印字符串 
p/r  //!< 格式化打印 

3、expression(执行表达式)

expression命令是调试过程中最有价值有命令了,既可以打印值也可以修改值,简写为expr或者e。它能够在调试时,动态的修改变量的值,同时打印出结果,在调试想要让应用执行异常路径(如执行某else情况)或者修改某些中间变量值如(如修改返回状态码以查看客户端相关响应等)非常有用,可以创造各种实际中难以遇到的测试环境辅助测试。用法举例如下图:

图2:expression的使用.png

expression命令是动态修改变量的值,Xcode还支持动态调用函数。在控制台执行call命令,可以在不修改代码,不重新编译的情况下,在断点调用某个方法,并输出此方法的返回值。

expression、expression --和指令print、p、call的效果一样
expression -O --和指令po的效果一样

4、thread和frame(线程和栈帧)

在进程停止后,LLDB会选择一个当前线程和线程中当前帧(frame)。很多检测状态的命令可以用于这个线程或帧。

1)thread list (列出所有线程)

用于列出所有线程,如下所示,其中星号(*)表示thread#1为当前线程。

(lldb) thread list
Process 18671 stopped
* thread #1: tid = 0x5fe79, 0x000000010a4f3e28 LLDBTest`-[ViewController viewDidLoad](self=0x00007fb21c1091f0, _cmd="viewDidLoad") at ViewController.m:21:18, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  thread #2: tid = 0x5ff6c, 0x00007fff5e73c458 libsystem_pthread.dylib`start_wqthread
  thread #3: tid = 0x5ff6d, 0x00007fff5e70253e libsystem_kernel.dylib`__workq_kernreturn + 10
  thread #4: tid = 0x5ff6e, 0x00007fff5e73c458 libsystem_pthread.dylib`start_wqthread
  thread #5: tid = 0x5ff6f, 0x00007fff5e73c458 libsystem_pthread.dylib`start_wqthread
  thread #6: tid = 0x5ff70, 0x00007fff5e700e7e libsystem_kernel.dylib`mach_msg_trap + 10, name = 'com.apple.uikit.eventfetch-thread'
  thread #7: tid = 0x5ff71, 0x00007fff5e70253e libsystem_kernel.dylib`__workq_kernreturn + 10
  thread #8: tid = 0x5ff72, 0x00007fff5e73c458 libsystem_pthread.dylib`start_wqthread
  thread #9: tid = 0x5ff74, 0x00007fff5e70253e libsystem_kernel.dylib`__workq_kernreturn + 10
(lldb) 
2)thread backtrace(堆栈打印,简写bt)

bt命令可以打印出线程的堆栈信息,bt命令是打印当前线程的堆栈信息,如下图所示。该信息比左侧的Debug Navigator 看到的还要详细一些。如果嫌堆栈打印太长,可以加一个值限制,如bt 10bt all 命令可以打印所有线程的堆栈信息。

图3:bt指令.png
3)thread return(跳出当前方法的执行)

thread return主要用于控制程序流程,如想要直接跳过执行某个方法,或者直接让某方法返回一个想要的值,thread return后有一个可选参数,在执行时它会把可选参数加载进返回寄存器里,然后立刻执行返回命令,跳出当前栈帧(如:numberOfSectionsInTableView:方法直接thread return 10,就可以直接跳过方法执行,返回10)。

4)frame variable(查看帧变量)

frame variable命令显示当前帧的变量,默认输出当前帧所有参数和所有局部变量,如下所示:

(lldb) frame variable
(ViewController *) self = 0x00007fd09f405ed0
(SEL) _cmd = "viewDidLoad"
(__NSArrayI *) temArr = 0x0000600002094ff0 @"3 elements"
(lldb) 
5)frame variable(流程控制)

前面四个对应Xcode工具栏的前四个:

图4:流程控制.png

5、breakpoint(断点)

1)breakpoint set(设置断点,可以简写为br
(lldb) breakpoint set -a 0x000000010189bde7
Breakpoint 3: where = LLDBTest`-[ViewController test] + 23 at ViewController.m:26:5, address = 0x000000010189bde7
(lldb) breakpoint set -n "-[ViewController viewDidLoad]"
Breakpoint 4: where = LLDBTest`-[ViewController viewDidLoad] + 30 at ViewController.m:17:5, address = 0x000000010189bcfe
(lldb)  breakpoint set -n touchesBegan:withEvent:
Breakpoint 5: 97 locations.
(lldb) 
2)breakpoint list(列出所有的断点)

下面有4个断点,每个断点都有一个整数编号

(lldb) breakpoint list
Current breakpoints:
1: file = '/Users/zhangjh48/Desktop/LLDBTest/LLDBTest/ViewController.m', line = 21, exact_match = 0, locations = 1, resolved = 1, hit count = 1

  1.1: where = LLDBTest`-[ViewController viewDidLoad] + 152 at ViewController.m:21:18, address = 0x000000010189bd78, resolved, hit count = 1 

3: address = LLDBTest[0x0000000100001de7], locations = 1, resolved = 1, hit count = 0
  3.1: where = LLDBTest`-[ViewController test] + 23 at ViewController.m:26:5, address = 0x000000010189bde7, resolved, hit count = 0 

4: name = '-[ViewController viewDidLoad]', locations = 1, resolved = 1, hit count = 0
  4.1: where = LLDBTest`-[ViewController viewDidLoad] + 30 at ViewController.m:17:5, address = 0x000000010189bcfe, resolved, hit count = 0 

6: file = '/Users/zhangjh48/Desktop/LLDBTest/LLDBTest/ViewController.m', line = 30, exact_match = 0, locations = 1, resolved = 1, hit count = 1

  6.1: where = LLDBTest`-[ViewController touchesBegan:withEvent:] + 70 at ViewController.m:30:6, address = 0x000000010189be46, resolved, hit count = 1 

(lldb) 
3)设置断点状态
(lldb) breakpoint disable 1
1 breakpoints disabled.
(lldb) breakpoint enable 1
1 breakpoints enabled.
(lldb) breakpoint delete 3
1 breakpoints deleted; 0 breakpoint locations disabled.
(lldb) 
4)断点命令
(lldb) breakpoint set -n "-[ViewController test]"
Breakpoint 3: where = LLDBTest`-[ViewController test] + 23 at ViewController.m:26:5, address = 0x0000000100cf8de7
(lldb) breakpoint command add 3
Enter your debugger command(s).  Type 'DONE' to end.
> print "断点命中了"
> print "断点参数为"
> po self
> DONE
2021-03-31 08:54:15.029736+0800 LLDBTest[2178:59045] (
    "\U5317\U4eac",
    "\U4e0a\U6d77",
    "\U5e7f\U5dde"
)
 print "断点命中了"
(const char [16]) $0 = "断点命中了"

 print "断点参数为"
(const char [16]) $1 = "断点参数为"

 po self
<ViewController: 0x7fe7f3107810>


(lldb) 
(lldb) breakpoint command list 3
Breakpoint 3:
    Breakpoint commands:
      print "断点命中了"
      print "断点参数为"
      po self
(lldb) breakpoint command delete 3
(lldb) breakpoint command list 3
Breakpoint 3 does not have an associated command.
(lldb) 

6、watchpoint(内存断点)

相比较于breakpoint是对方法生效的断点,watchpoint则是对地址生效的断点。watchpoint类似于KVO的工作原理,当观察到属性地址里面的东西改变时,就让程序中断。

图5:内存断点.png

7、image(镜像寻址)

image命令主要用于寻址,一般是通过各种组合命令实现不同功能。

1)image list(列出所有模块信息)

image list -o -f 打印出模块的偏移地址、全路径。可以使用grep过滤

(lldb) image list
[  0] D87C3A17-73C3-3DFE-8A60-B423A0E92269 0x00000001059bf000 /Users/zhangjh48/Library/Developer/Xcode/DerivedData/LLDBTest-fkdakpzatewwmvdojsurqlcdeomb/Build/Products/Debug-iphonesimulator/LLDBTest.app/LLDBTest 
[  1] DEA51514-B4E8-3368-979B-89D0F8397ABC 0x000000010b7ba000 /usr/lib/dyld 

(lldb) image list -o -f
[  0] 0x00000000059bf000 /Users/zhangjh48/Library/Developer/Xcode/DerivedData/LLDBTest-fkdakpzatewwmvdojsurqlcdeomb/Build/Products/Debug-iphonesimulator/LLDBTest.app/LLDBTest
[  1] 0x000000010b7ba000 /usr/lib/dyld

(lldb) image list -o -f | grep LLDBTest
[  0] 0x00000000059bf000 /Users/zhangjh48/Library/Developer/Xcode/DerivedData/LLDBTest-fkdakpzatewwmvdojsurqlcdeomb/Build/Products/Debug-iphonesimulator/LLDBTest.app/LLDBTest
(lldb) 

可以使用image list命令查看ASLR偏移地址,上面表示LLDBTest文件的偏移地址为0x00000000059bf000,MachO的TEXT段的偏移地址为0x00000000059bf000(ASLR+PAGEZERO)

2)image lookup(查找模块)
(lldb) image lookup -t AppDelegate
Best match found in /Users/zhangjh48/Library/Developer/Xcode/DerivedData/LLDBTest-fkdakpzatewwmvdojsurqlcdeomb/Build/Products/Debug-iphonesimulator/LLDBTest.app/LLDBTest:
id = {0x200000033}, name = "AppDelegate", byte-size = 8, decl = AppDelegate.h:10, compiler_type = "@interface AppDelegate : UIResponder
@end"

(lldb) image lookup -n "-[ViewController test]"
1 match found in /Users/zhangjh48/Library/Developer/Xcode/DerivedData/LLDBTest-fkdakpzatewwmvdojsurqlcdeomb/Build/Products/Debug-iphonesimulator/LLDBTest.app/LLDBTest:
        Address: LLDBTest[0x0000000100001df0] (LLDBTest.__TEXT.__text + 144)
        Summary: LLDBTest`-[ViewController test] at ViewController.m:25
(lldb) image lookup -a 0x0000000100a68e07
      Address: LLDBTest[0x0000000100001e07] (LLDBTest.__TEXT.__text + 167)
      Summary: LLDBTest`-[ViewController test] + 23 at ViewController.m:26:5
(lldb) 

其中image lookup -a 地址经常用于查询崩溃位置,通过地址查询崩溃的地方位于哪个模块哪个文件哪个位置

8、register(寄存器)

register指令能够获取和修改各个寄存器的信息

1)register read (读取所有寄存器信息)

注意:真机调试和模拟器调试,打印的值可能不一样,因为他们寄存器不一样

(lldb) register read
General Purpose Registers:
        x0 = 0x0000000105109d20
        x1 = 0x0000000104bbe5f0  "testWithA:b:"
        x2 = 0x0000000000000003
        x3 = 0x0000000000000004
        x4 = 0x000000016b2459c8
        x5 = 0x0000000000000040
        x6 = 0x0000000000000044
        x7 = 0x0000000000000800
        x8 = 0x0000000104bc52b8  "testWithA:b:"
        x9 = 0x0000000000000303
       x10 = 0x000000010681ddb0
       x11 = 0x000000000007b700
       x12 = 0x000000000000003b
       x13 = 0x0000000000000000
       x14 = 0x0000000000000000
       x15 = 0xffffffffffffffff
       x16 = 0x0000000104bc52f2  (void *)0xf3f00000000104bc
       x17 = 0x0000000104bbdd18  LLDBTest`-[ViewController testWithA:b:] at ViewController.m:27
       x18 = 0x0000000000000000
       x19 = 0x0000000105109d20
       x20 = 0x0000000000000000
       x21 = 0x00000001e5f70000  (void *)0x00000001d5623100
       x22 = 0x00000001d1d341fc  
       x23 = 0x0000000000000001
       x24 = 0x0000000000000001
       x25 = 0x00000001dbd44000  UIKitCore`_UIPreviewInteractionController._currentCommitTransition
       x26 = 0x000000028301ff80
       x27 = 0x00000001e1d384a8  CoreFoundation`__NSArray0__struct
       x28 = 0x00000001d24cdffc  
        fp = 0x000000016b245b30
        lr = 0x0000000104bbdcfc  LLDBTest`-[ViewController viewDidLoad] + 192 at ViewController.m:24:5
        sp = 0x000000016b245b00
        pc = 0x0000000104bbdd34  LLDBTest`-[ViewController testWithA:b:] + 28 at ViewController.m:28:43
      cpsr = 0x40000000

(lldb) 
2)register read/格式 寄存器名称
图6:打印寄存器的值.png
3)register write 寄存器名称 数值

如下,修改寄存器$x3的值为5

(lldb) register read $x3
      x3 = 0x0000000000000004
(lldb) register write $x3 5
(lldb) register read $x3
      x3 = 0x0000000000000005
(lldb) po $x3
5

(lldb) 

9、缩写

lldb大部分命令都支持缩写:

更多命令可参考:https://lldb.llvm.org/use/map.html



参考链接:
https://www.dllhook.com/post/51.html#toc_11
https://blog.bombox.org/2019-08-06/ios-lldb/
https://www.sohu.com/a/301595611_216613
https://zhuanlan.51cto.com/art/201904/595593.htm

上一篇 下一篇

猜你喜欢

热点阅读