xia0LLDB
1.0.0
https://github.com/4ch12dy/xia0LLDB
Welcome to xia0LLDB - Python3 Edition
,--. ,--. ,--. ,--. ,------. ,-----.
,--. ,--.`--' ,--,--. / | | | | | .-. | |) /_
`' / ,--.' ,-. || () || | | | | | :| .-.
/ /. | | '-' | / | '--.| '--.| '--' /| '--' /
'--' '--'`--' `--`--' `--' `-----'`-----'`-------' `------'
[xia0LLDB] * Version: v3.1
[xia0LLDB] + Loading all scripts from ~/xia0/iOSRE/LLDB/xia0LLDB
[xia0LLDB] * Finished
마지막 MacOS의 LLDB 기본값이 Python3을 사용하기 때문에 LLDB가 Last MacOS Catalina에서 XIA0LLDB를 가져 오는 데 문제가 있습니다. 다음은 Python2로 변경하는 방법입니다
defaults write com.apple.dt.lldb DefaultPythonVersion 2
XIA0LLDB -Python3 Edition에 오신 것을 환영합니다
Python3로 포팅 해 주신 @lakr에게 감사드립니다!
터미널을 열고 아래에서 실행하십시오
git clone https://github.com/4ch12dy/xia0LLDB.git && cd xia0LLDB && ./install.sh
아래는 CMD입니다. CMD.txt에서 별명을 사용합니다
mload [dylib_in_the_iphone_device_path]
Dylib를 현재 프로세스에로드하십시오
RR
빠른 중요한 레지퍼를 보여주십시오
pwindow
현재 키 윈드를 인쇄하십시오
xi [code_address]
주소를 보여주십시오. disassmble +/- 8
dfuc [addr_of_func]
주어진 주소별로 모든 분해 기능을 표시하십시오
pclass [oc_object]
OC 객체 클래스 이름을 인쇄하십시오
PBCopy
iOS 장치 페이스트 보드에서 문자열을 가져옵니다
pbpaste [String]
문자열을 iOS 장치 페이스트 보드에 붙여 넣습니다
데이터 [objebt_of_nsdata]
NSDATA 객체를 인쇄하십시오
PCC
process connect connect://127.0.0.1:1234
WPC
EXE 프로세스를 제어하기 위해 PC 레지스터를 작성하십시오
OC 스크립트를 실행할 수있는 ENV로 이동하십시오. 이 CMD는 백보드 디버그 LUANC 앱, 디버 기 단지 ATTCH ON에서 항상 사용됩니다. 포인트는 앱 코드가 실행되지 않으며 lldb 명령을 실행할 수 있습니다. 따라서 Backboard Debug Luanch 앱에서 사용해보십시오.
OC 객체의 모든 ivars (iOS 만 해당)를 인쇄하면 MACOS 버전이 곧 올 것입니다!
(lldb) ivars 0x2835c4d00
<CContactMgr: 0x2835c4d00>:
in CContactMgr:
m_oLock (NSRecursiveLock*): <NSRecursiveLock: 0x2830aaca0>
m_uiLoadedType (unsigned int): 0
m_oContactDB (CContactDB*): <CContactDB: 0x2819b07e0>
m_oNewContactDB (NewContactDB*): <NewContactDB: 0x28156b7e0>
m_oContactOPLog (CContactOPLog*): <CContactOPLog: 0x2819b07f0>
m_openImContactMgr (OpenImContactMgr*): <OpenImContactMgr: 0x281bc07a0>
m_dicRemark (NSMutableDictionary*): <__NSDictionaryM: 0x281bc0a00>
m_dicLastAccessTime (NSMutableDictionary*): <__NSDictionaryM: 0x281bc0a60>
m_dicContacts (NSMutableDictionary*): <__NSDictionaryM: 0x281bc09e0>
...
OC 객체의 모든 메소드 (iOS 만 해당) 및 MACOS 버전을 곧 인쇄하십시오!
OBJC 클래스 이름에 "M"또는 다른 홀수 문자와 같은 공간이 포함 된 경우. "방법 -n the_odd_class_name"을 사용할 수 있습니다.
(lldb) methods CContactMgr
<CContactMgr: 0x1071caa28>:
in CContactMgr:
Properties:
@property (readonly) unsigned long hash;
@property (readonly) Class superclass;
@property (readonly, copy) NSString* description;
@property (readonly, copy) NSString* debugDescription;
Instance Methods:
- (void) MessageReturn:(id)arg1 Event:(unsigned int)arg2; (0x1005cb338)
- (id) getContactByName:(id)arg1; (0x1000f4e74)
- (void) OnGetNewXmlMsg:(id)arg1 Type:(id)arg2 MsgWrap:(id)arg3; (0x1001de380)
- (void) onServiceReloadData; (0x102d10934)
...
(lldb) methods -n " m"
[*] will get methods for class:" m"
< m: 0x10d6f86f0>:
in m:
Properties:
@property (retain, nonatomic) N* kManager; (@synthesize kManager = _configManager;)
@property (retain, nonatomic) h* payloadStore; (@synthesize payloadStore = _payloadStore;)
@property (retain, nonatomic) 5* sensorAgent; (@synthesize sensorAgent = _sensorAgent;)
@property (retain, nonatomic) NSObject<OS_dispatch_queue>* scriptMsgQueue; (@synthesize scriptMsgQueue = _scriptMsgQueue;)
...
Instance Methods:
- (void) setConfigManager:(id)arg1; (0x10d65b68c)
- (void) setSensorAgent:(id)arg1; (0x10d5c86d0)
- (void) lb; (0x10d60aa04)
- (void) setKernelCode:(id)arg1; (0x10d6d9330)
- (void) setIsBaseKernel:(BOOL)arg1; (0x10d606168)
...
lldbinit에서 xia0lldb를 가져옵니다
bt 를 교체하면 StackFrame에서 프레임 OC 기호를 복원 할 수 있습니다. 블록 기호를 복원하려면 제공된 IDA Python 스크립트를 사용하여 블록 기호 JSON 파일을 얻을 수 있습니다. 그런 다음 lldb에서 sbt -f block_json_file_path 입력하십시오. 옆에 더 많은 정보를 표시 할 수 있습니다 : MEM 주소, 파일 주소
// also you can spcail -f block_json_file to restore block symbol
(lldb) sbt
==========================================xia0LLDB=========================================
BlockSymbolFile Not Set The Block Symbol Json File, Try 'sbt -f'
===========================================================================================
frame #0: [file:0x100009740 mem:0x100fb1740] WeChat`-[MMServiceCenter getService:] + 0
frame #1: [file:0x100017cd4 mem:0x100fbfcd4] WeChat`+[SettingUtil getMainSetting] + 88
frame #2: [file:0x10004eef0 mem:0x100ff6ef0] WeChat`-[CDownloadVoiceMgr TimerCheckDownloadQueue] + 44
frame #3: [file:0x1800a3604 mem:0x1ccb33604] libobjc.A.dylib`-[NSObject performSelector:withObject:] + 68
frame #4: [file:0x10002e92c mem:0x100fd692c] WeChat`-[MMNoRetainTimerTarget onNoRetainTimer:] + 84
frame #5: [file:0x1819750bc mem:0x1ce4050bc] Foundation`__NSFireTimer + 88
frame #6: [file:0x180e3d0a4 mem:0x1cd8cd0a4] CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 32
frame #7: [file:0x180e3cdd0 mem:0x1cd8ccdd0] CoreFoundation`__CFRunLoopDoTimer + 884
frame #8: [file:0x180e3c5c4 mem:0x1cd8cc5c4] CoreFoundation`__CFRunLoopDoTimers + 252
frame #9: [file:0x180e37284 mem:0x1cd8c7284] CoreFoundation`__CFRunLoopRun + 1832
frame #10: [file:0x180e36844 mem:0x1cd8c6844] CoreFoundation`CFRunLoopRunSpecific + 452
frame #11: [file:0x1830e5be8 mem:0x1cfb75be8] GraphicsServices`GSEventRunModal + 104
frame #12: [file:0x1ae78431c mem:0x1fb21431c] UIKitCore`UIApplicationMain + 216
frame #13: [file:0x10022ee88 mem:0x1011d6e88] WeChat`main + 556
frame #14: [file:0x1808ec020 mem:0x1cd37c020] libdyld.dylib`start + 4
주어진 클래스 이름의 인스턴스 개체, cycript의 선택 명령의 lldb 버전
(lldb) choose CContactMgr
====>xia0LLDB NSArray Address: 0x2815a8540 size: 0x1
| | | | | | | | | | | | | | | | | | | |
V V V V V V V V V V V V V V V V V V V V
======>xia0LLDB Object Address: 0x2835c4d00
<CContactMgr: 0x2835c4d00>
XIA0 슈퍼 세트 브레이크 포인트 명령 : 스트립 기호 등 OC 클래스 메소드에서 중단 점을 설정
// set breakpoint at oc methold even symbol stripped
(lldb) xbr "-[MMServiceCenter getService:]"
[*] className:MMServiceCenter methodName:getService:
[+] found class address:0x10803d208
[+] found selector address:0x106425b4c
[+] found method address:0x100fb1740
Breakpoint 1: where = WeChat`___lldb_unnamed_symbol50$$WeChat, address = 0x0000000100fb1740
// set breakpoint at address of ida, auto add slide
(lldb) xbr 0x100009740
[*] you not specail the module, default is main module
[*] ida's address:0x100009740 main module slide:0xfa8000 target breakpoint address:0x100fb1740
Breakpoint 3: where = WeChat`___lldb_unnamed_symbol50$$WeChat, address = 0x0000000100fb1740
// set breakpoint at memory address
(lldb) xbr -a 0x100fb1740
[*] breakpoint at address:0x100fb1740
Breakpoint 4: where = WeChat`___lldb_unnamed_symbol50$$WeChat, address = 0x0000000100fb1740
// set breakpoint at main function
(lldb) xbr -E main
[*] breakpoint at main function:0x1011d6c5c
Breakpoint 5: where = WeChat`___lldb_unnamed_symbol7390$$WeChat, address = 0x00000001011d6c5c
// set breakpoint at first mod_init function
(lldb) xbr -E init
[*] breakpoint at mod int first function:0x1044553dc
Breakpoint 6: where = WeChat`___lldb_unnamed_symbol143513$$WeChat, address = 0x00000001044553dc
// set breakpoint at adresses of all methods of given class name
(lldb) xbr UPLivePlayerVC
Breakpoint 1: where = TestPaly`-[UPLivePlayerVC progressSliderSeekTime:] at UPLivePlayerVC.m:205, address = 0x0000000102dc134c
Breakpoint 2: where = TestPaly`-[UPLivePlayerVC progressSliderTouchDown:] at UPLivePlayerVC.m:197, address = 0x0000000102dc1184
Breakpoint 3: where = TestPaly`-[UPLivePlayerVC progressSliderValueChanged:] at UPLivePlayerVC.m:201, address = 0x0000000102dc11ec
...
Breakpoint 45: where = TestPaly`-[UPLivePlayerVC setUrl:] at UPLivePlayerVC.h:13, address = 0x0000000102dc2990
Breakpoint 46: where = TestPaly`-[UPLivePlayerVC play] at UPLivePlayerVC.m:124, address = 0x0000000102dbfd84
Breakpoint 47: where = TestPaly`-[UPLivePlayerVC pause] at UPLivePlayerVC.m:132, address = 0x0000000102dbfe1c
Set 47 breakpoints of UPLivePlayerVC
// set breakpoint at all +[* load] methods
(lldb) xbr -E load
[*] will set breakpoint at all +[* load] methold, count:2
Breakpoint 2: where = TestAPP`+[OCTest load] at OCTest.m:19, address = 0x00000001042df674
[+] set br at:0x1042df674
Breakpoint 3: where = TestAPP`+[OCClassDemo load] at OCClassDemo.m:19, address = 0x000000010430272c
[+] set br at:0x10430272c
안티 버그 우회 : PTRACE 및 InlineHook SVC를 연결하여 안티 디버그를 죽일 수 있습니다. 너무 강해요 !!!
[*] start patch ptrace funtion to bypass antiDebug
[+] success ptrace funtion to bypass antiDebug
[*] start patch svc ins to bypass antiDebug
[+] get text segment start address:0x100017430 and end address:0x10001a398
[+] found svc address:0x100017528
[*] start hook svc at address:0x100017528
[+] success hook svc at address:0x100017528
[+] found svc address:0x100017540
[*] start hook svc at address:0x100017540
[+] success hook svc at address:0x100017540
[*] all patch done
[x] happy debugging~ kill antiDebug by xia0@2019
주소/기능/모듈의 정보를 얻는 데 매우 유용한 명령
// get info of image
(lldb) info -m WeChat
=======
Module Path : /var/containers/Bundle/Application/747A9704-6252-45A9-AE55-59690DAD60BB/WeChat.app/WeChat
Module Silde: 0x7d4000
Module base : 0x1007d4000
=======
// get info of address of function
(lldb) info -a 0x00000001cd4ca3b8
Module Path: /usr/lib/system/libsystem_kernel.dylib
Module base: 0x1cd4a8000
Symbol name: __getpid
Symbol addr: 0x1cd4ca3b8
// get info of function
(lldb) info -f getpid
Func name: getpid
Func addr: 0x1cd4ca3b8
Module Path: /usr/lib/system/libsystem_kernel.dylib
Module base: 0x1cd4a8000
Symbol name: __getpid
Symbol addr: 0x1cd4ca3b8
lldb에서 마초 이미지를 덤프하고, 기본 덤프 모든 마초 이미지.
? 매우 중요합니다 !!!
주목 : 탈옥 감지처럼 앱 충돌이 발생하면 -x 백보드 런치 앱을 사용하고 dumpdecrypted -X 만 입력해야합니다.
(lldb) dumpdecrypted
[*] start dump image:/var/containers/Bundle/Application/701B4574-1606-41F3-B0DB-92D34F92E886/com_kwai_gif.app/com_kwai_gif
[+] Dumping com_kwai_gif
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100014980(from 0x100014000) = 980
[+] Found encrypted data at address 00004000 of length 16384 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/701B4574-1606-41F3-B0DB-92D34F92E886/com_kwai_gif.app/com_kwai_gif for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening /var/mobile/Containers/Data/Application/23C75F90-C42D-4F43-83D9-5DCCA36FE2D5/Documents/com_kwai_gif.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 980
[+] Closing original file
[+] Closing dump file
[*] This mach-o file decrypted done.
[+] dump macho file at:/var/mobile/Containers/Data/Application/23C75F90-C42D-4F43-83D9-5DCCA36FE2D5/Documents/com_kwai_gif.decrypted
[*] start dump image:/private/var/containers/Bundle/Application/701B4574-1606-41F3-B0DB-92D34F92E886/com_kwai_gif.app/Frameworks/gifIMFramework.framework/gifIMFramework
[+] Dumping gifIMFramework
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100064bd0(from 0x100064000) = bd0
[+] Found encrypted data at address 00004000 of length 2752512 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/701B4574-1606-41F3-B0DB-92D34F92E886/com_kwai_gif.app/Frameworks/gifIMFramework.framework/gifIMFramework for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening /var/mobile/Containers/Data/Application/23C75F90-C42D-4F43-83D9-5DCCA36FE2D5/Documents/gifIMFramework.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset bd0
[+] Closing original file
[+] Closing dump file
[*] This mach-o file decrypted done.
[+] dump macho file at:/var/mobile/Containers/Data/Application/23C75F90-C42D-4F43-83D9-5DCCA36FE2D5/Documents/gifIMFramework.decrypted
...
[*] Developed By xia0@2019
LLDB의 런타임 패치 악기
// -a patch_address -i patch_instrument{nop/ret/mov0/mov1} -s instrument_count
(lldb) patcher -a 0x0000000100233a18 -i nop -s 8
[*] start patch text at address:0x100233a18 size:8 to ins:"nop" and data:0x1f, 0x20, 0x03, 0xd5
[*] make ins data:
{0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 }
[+] patch done
[x] power by xia0@2019
(lldb) x/12i 0x0000000100233a18
0x100233a18: 0xd503201f nop
0x100233a1c: 0xd503201f nop
0x100233a20: 0xd503201f nop
0x100233a24: 0xd503201f nop
0x100233a28: 0xd503201f nop
0x100233a2c: 0xd503201f nop
0x100233a30: 0xd503201f nop
0x100233a34: 0xd503201f nop
0x100233a38: 0xf941ac14 ldr x20, [x0, #0x358]
0x100233a3c: 0xf9419c15 ldr x21, [x0, #0x338]
0x100233a40: 0xf941a400 ldr x0, [x0, #0x348]
0x100233a44: 0xf9400008 ldr x8, [x0]
// 2019-10-27 update: -i option can receive raw instrument data like: "{0x20, 0x00, 0x80, 0xd2}"
(lldb) patcher -a 0x183a40fd8 -i "{0x20, 0x00, 0x80, 0xd2}"
[*] detect you manual set ins data:{0x20, 0x00, 0x80, 0xd2}
[*] start patch text at address:0x183a40fd8 size:1 to ins data:{0x20, 0x00, 0x80, 0xd2}
[x] power by xia0@2019
(lldb) x/12i $pc
-> 0x183a40fd8: 0xd2800020 mov x0, #0x1
0x183a40fdc: 0x928003f0 mov x16, #-0x20
0x183a40fe0: 0xd4001001 svc #0x80
0x183a40fe4: 0xd65f03c0 ret
0x183a40fe8: 0x92800410 mov x16, #-0x21
0x183a40fec: 0xd4001001 svc #0x80
0x183a40ff0: 0xd65f03c0 ret
0x183a40ff4: 0x92800430 mov x16, #-0x22
0x183a40ff8: 0xd4001001 svc #0x80
0x183a40ffc: 0xd65f03c0 ret
0x183a41000: 0x92800450 mov x16, #-0x23
0x183a41004: 0xd4001001 svc #0x80
[2019/07/04] SBT -X/Xutil 에 대한 업데이트 : Xcode에서 색상 출력을 비활성화하려면 Xutil CMD 및 SBT -X 업데이트
[2019/07/21] 선택 에 대한 업데이트 : lldb의 cycript의 선택 명령의 명령 버전 선택
[2019/08/07] 선택 에서 중요한 버그 수정 : 중요한 버그 수정
[2019/08/11] XBR 에 대한 업데이트 : xbr className 모든 클래스 방법의 접속에서 중단 점을 설정할 수 있습니다.
[2019/08/13] New Debugme : LLDB에서 Anti Debug를 킬
[2019/08/20] 새로운 정보 : 주소/기능/모듈의 정보 얻기 등
[2019/09/11] Debugme 업데이트 : Hook Ptrace 및 Inlinehook SVC Ins가 완료되었습니다.
[2019/09/22] New DumpDecrypted : LLDB의 덤프 마초 이미지
[2019/09/27] DumbDecrypted 업데이트 : App Dir에 모든 이미지를 덤프 할 수 있습니다.
[2019/10/17] New Patcher : LLDB의 런타임 패치 기기
[2022/04/18] MACOS 또는 iOS 시스템 프로세스에서 IVAR/메소드를 지원하지 않을 때 덤프 클래스를 활성화하기 위해 Xivars/Xmethods/Xprotocol을 추가합니다.
http://blog.imjun.net/posts/restore-symbol-of-ios-app/ ida_block_json.py 스크립트 덕분에
https://github.com/derekselander/lldb 특별 Derekselander의 LLDB 덕분에 코드 프레임 워크 제공
https://lldb.llvm.org/tutorial.html
https://github.com/hankbao/cycript/blob/bb99d698a27487af679f8c04c334d4ea840aea7a/objectivec/library.mm cycript에서 명령을 선택하십시오
https://opensource.apple.com/source/lldb/lldb-179.1/examples/darwin/heap_find/heap.py.auto.html
힙에 대한 Apple Lldb OpenSource
https://blog.0xbbc.com/2015/07/%E6%8A%BD%E7%A6%BBYCRIPT%E7%9A%844CHOOSE%E5%8A%9F%E8%83%BD/
