xia0LLDB
1.0.0
https://github.com/4ch12dy/xia0LLDB
Welcome to xia0LLDB - Python3 Edition
,--. ,--. ,--. ,--. ,------. ,-----.
,--. ,--.`--' ,--,--. / | | | | | .-. | |) /_
`' / ,--.' ,-. || () || | | | | | :| .-.
/ /. | | '-' | / | '--.| '--.| '--' /| '--' /
'--' '--'`--' `--`--' `--' `-----'`-----'`-------' `------'
[xia0LLDB] * Version: v3.1
[xia0LLDB] + Loading all scripts from ~/xia0/iOSRE/LLDB/xia0LLDB
[xia0LLDB] * Finished
LLDB在最后一个MacOS Catalina中导入了Xia0lldb的问题,因为最后一个MacOS的LLDB默认使用Python3。这是将其更改为Python2的一种方法
defaults write com.apple.dt.lldb DefaultPythonVersion 2
欢迎来到xia0lldb -Python3版
非常感谢@lakr将其移植到Python3!
只需打开终端并在命令下运行
git clone https://github.com/4ch12dy/xia0LLDB.git && cd xia0LLDB && ./install.sh
以下是CMD,只需在cmd.txt中使用别名
mload [dylib_in_the_iphone_device_path]
将Dylib加载到当前过程中
RR
快速展示一些重要的登记仪
pwindow
打印当前的钥匙Windown
xi [code_address]
只需显示地址拆卸+/- 8
DFUC [addr_of_func]
显示功能全部通过给定地址拆卸
pClass [oc_object]
打印OC对象类名称
pbcopy
从iOS设备粘贴中获取字符串
pbpaste [string]
将字符串粘贴到iOS设备粘贴板
数据[Object_of_nsdata]
打印NSDATA对象
PCC
这只是process connect connect://127.0.0.1:1234
WPC
编写PC寄存器以控制EXE进程
转到可以运行OC脚本的Env。当后台调试LUANCH应用程序,Debuger Just Attch On时,始终使用此CMD。在App Code不执行并可以运行LLDB命令之间。
打印OC对象的所有IVAR(仅IOS), MacOS版本将很快出现!
(lldb) ivars 0x2835c4d00
<CContactMgr: 0x2835c4d00>:
in CContactMgr:
m_oLock (NSRecursiveLock*): <NSRecursiveLock: 0x2830aaca0>
m_uiLoadedType (unsigned int): 0
m_oContactDB (CContactDB*): <CContactDB: 0x2819b07e0>
m_oNewContactDB (NewContactDB*): <NewContactDB: 0x28156b7e0>
m_oContactOPLog (CContactOPLog*): <CContactOPLog: 0x2819b07f0>
m_openImContactMgr (OpenImContactMgr*): <OpenImContactMgr: 0x281bc07a0>
m_dicRemark (NSMutableDictionary*): <__NSDictionaryM: 0x281bc0a00>
m_dicLastAccessTime (NSMutableDictionary*): <__NSDictionaryM: 0x281bc0a60>
m_dicContacts (NSMutableDictionary*): <__NSDictionaryM: 0x281bc09e0>
...
打印所有OC对象的所有方法(仅IOS), MacOS版本将很快出现!
如果OBJC类名称包含“ M”或其他奇数字符之类的空间。您可以使用“方法-N the_odd_class_name”。
(lldb) methods CContactMgr
<CContactMgr: 0x1071caa28>:
in CContactMgr:
Properties:
@property (readonly) unsigned long hash;
@property (readonly) Class superclass;
@property (readonly, copy) NSString* description;
@property (readonly, copy) NSString* debugDescription;
Instance Methods:
- (void) MessageReturn:(id)arg1 Event:(unsigned int)arg2; (0x1005cb338)
- (id) getContactByName:(id)arg1; (0x1000f4e74)
- (void) OnGetNewXmlMsg:(id)arg1 Type:(id)arg2 MsgWrap:(id)arg3; (0x1001de380)
- (void) onServiceReloadData; (0x102d10934)
...
(lldb) methods -n " m"
[*] will get methods for class:" m"
< m: 0x10d6f86f0>:
in m:
Properties:
@property (retain, nonatomic) N* kManager; (@synthesize kManager = _configManager;)
@property (retain, nonatomic) h* payloadStore; (@synthesize payloadStore = _payloadStore;)
@property (retain, nonatomic) 5* sensorAgent; (@synthesize sensorAgent = _sensorAgent;)
@property (retain, nonatomic) NSObject<OS_dispatch_queue>* scriptMsgQueue; (@synthesize scriptMsgQueue = _scriptMsgQueue;)
...
Instance Methods:
- (void) setConfigManager:(id)arg1; (0x10d65b68c)
- (void) setSensorAgent:(id)arg1; (0x10d5c86d0)
- (void) lb; (0x10d60aa04)
- (void) setKernelCode:(id)arg1; (0x10d6d9330)
- (void) setIsBaseKernel:(BOOL)arg1; (0x10d606168)
...
从lldbinit导入xia0lldb
替换bt可以在StackFrame上恢复框架OC符号。如果要还原块符号,则可以使用提供的IDA Python脚本来获取块符号JSON文件。然后在lldb中输入sbt -f block_json_file_path 。除了它可以显示更多信息:MEM地址,文件地址
// also you can spcail -f block_json_file to restore block symbol
(lldb) sbt
==========================================xia0LLDB=========================================
BlockSymbolFile Not Set The Block Symbol Json File, Try 'sbt -f'
===========================================================================================
frame #0: [file:0x100009740 mem:0x100fb1740] WeChat`-[MMServiceCenter getService:] + 0
frame #1: [file:0x100017cd4 mem:0x100fbfcd4] WeChat`+[SettingUtil getMainSetting] + 88
frame #2: [file:0x10004eef0 mem:0x100ff6ef0] WeChat`-[CDownloadVoiceMgr TimerCheckDownloadQueue] + 44
frame #3: [file:0x1800a3604 mem:0x1ccb33604] libobjc.A.dylib`-[NSObject performSelector:withObject:] + 68
frame #4: [file:0x10002e92c mem:0x100fd692c] WeChat`-[MMNoRetainTimerTarget onNoRetainTimer:] + 84
frame #5: [file:0x1819750bc mem:0x1ce4050bc] Foundation`__NSFireTimer + 88
frame #6: [file:0x180e3d0a4 mem:0x1cd8cd0a4] CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 32
frame #7: [file:0x180e3cdd0 mem:0x1cd8ccdd0] CoreFoundation`__CFRunLoopDoTimer + 884
frame #8: [file:0x180e3c5c4 mem:0x1cd8cc5c4] CoreFoundation`__CFRunLoopDoTimers + 252
frame #9: [file:0x180e37284 mem:0x1cd8c7284] CoreFoundation`__CFRunLoopRun + 1832
frame #10: [file:0x180e36844 mem:0x1cd8c6844] CoreFoundation`CFRunLoopRunSpecific + 452
frame #11: [file:0x1830e5be8 mem:0x1cfb75be8] GraphicsServices`GSEventRunModal + 104
frame #12: [file:0x1ae78431c mem:0x1fb21431c] UIKitCore`UIApplicationMain + 216
frame #13: [file:0x10022ee88 mem:0x1011d6e88] WeChat`main + 556
frame #14: [file:0x1808ec020 mem:0x1cd37c020] libdyld.dylib`start + 4
获取给定类名的实例对象,Cycript的选择命令的LLDB版本
(lldb) choose CContactMgr
====>xia0LLDB NSArray Address: 0x2815a8540 size: 0x1
| | | | | | | | | | | | | | | | | | | |
V V V V V V V V V V V V V V V V V V V V
======>xia0LLDB Object Address: 0x2835c4d00
<CContactMgr: 0x2835c4d00>
XIA0超级设置断点命令:在OC类方法上设置断点,尽管带符号等等
// set breakpoint at oc methold even symbol stripped
(lldb) xbr "-[MMServiceCenter getService:]"
[*] className:MMServiceCenter methodName:getService:
[+] found class address:0x10803d208
[+] found selector address:0x106425b4c
[+] found method address:0x100fb1740
Breakpoint 1: where = WeChat`___lldb_unnamed_symbol50$$WeChat, address = 0x0000000100fb1740
// set breakpoint at address of ida, auto add slide
(lldb) xbr 0x100009740
[*] you not specail the module, default is main module
[*] ida's address:0x100009740 main module slide:0xfa8000 target breakpoint address:0x100fb1740
Breakpoint 3: where = WeChat`___lldb_unnamed_symbol50$$WeChat, address = 0x0000000100fb1740
// set breakpoint at memory address
(lldb) xbr -a 0x100fb1740
[*] breakpoint at address:0x100fb1740
Breakpoint 4: where = WeChat`___lldb_unnamed_symbol50$$WeChat, address = 0x0000000100fb1740
// set breakpoint at main function
(lldb) xbr -E main
[*] breakpoint at main function:0x1011d6c5c
Breakpoint 5: where = WeChat`___lldb_unnamed_symbol7390$$WeChat, address = 0x00000001011d6c5c
// set breakpoint at first mod_init function
(lldb) xbr -E init
[*] breakpoint at mod int first function:0x1044553dc
Breakpoint 6: where = WeChat`___lldb_unnamed_symbol143513$$WeChat, address = 0x00000001044553dc
// set breakpoint at adresses of all methods of given class name
(lldb) xbr UPLivePlayerVC
Breakpoint 1: where = TestPaly`-[UPLivePlayerVC progressSliderSeekTime:] at UPLivePlayerVC.m:205, address = 0x0000000102dc134c
Breakpoint 2: where = TestPaly`-[UPLivePlayerVC progressSliderTouchDown:] at UPLivePlayerVC.m:197, address = 0x0000000102dc1184
Breakpoint 3: where = TestPaly`-[UPLivePlayerVC progressSliderValueChanged:] at UPLivePlayerVC.m:201, address = 0x0000000102dc11ec
...
Breakpoint 45: where = TestPaly`-[UPLivePlayerVC setUrl:] at UPLivePlayerVC.h:13, address = 0x0000000102dc2990
Breakpoint 46: where = TestPaly`-[UPLivePlayerVC play] at UPLivePlayerVC.m:124, address = 0x0000000102dbfd84
Breakpoint 47: where = TestPaly`-[UPLivePlayerVC pause] at UPLivePlayerVC.m:132, address = 0x0000000102dbfe1c
Set 47 breakpoints of UPLivePlayerVC
// set breakpoint at all +[* load] methods
(lldb) xbr -E load
[*] will set breakpoint at all +[* load] methold, count:2
Breakpoint 2: where = TestAPP`+[OCTest load] at OCTest.m:19, address = 0x00000001042df674
[+] set br at:0x1042df674
Breakpoint 3: where = TestAPP`+[OCClassDemo load] at OCClassDemo.m:19, address = 0x000000010430272c
[+] set br at:0x10430272c
绕过反咬伤:可以将ptrace和inlinehook SVC钩住反调试。这是如此强大!!!
[*] start patch ptrace funtion to bypass antiDebug
[+] success ptrace funtion to bypass antiDebug
[*] start patch svc ins to bypass antiDebug
[+] get text segment start address:0x100017430 and end address:0x10001a398
[+] found svc address:0x100017528
[*] start hook svc at address:0x100017528
[+] success hook svc at address:0x100017528
[+] found svc address:0x100017540
[*] start hook svc at address:0x100017540
[+] success hook svc at address:0x100017540
[*] all patch done
[x] happy debugging~ kill antiDebug by xia0@2019
非常有用的命令以获取地址/功能/模块的信息等等
// get info of image
(lldb) info -m WeChat
=======
Module Path : /var/containers/Bundle/Application/747A9704-6252-45A9-AE55-59690DAD60BB/WeChat.app/WeChat
Module Silde: 0x7d4000
Module base : 0x1007d4000
=======
// get info of address of function
(lldb) info -a 0x00000001cd4ca3b8
Module Path: /usr/lib/system/libsystem_kernel.dylib
Module base: 0x1cd4a8000
Symbol name: __getpid
Symbol addr: 0x1cd4ca3b8
// get info of function
(lldb) info -f getpid
Func name: getpid
Func addr: 0x1cd4ca3b8
Module Path: /usr/lib/system/libsystem_kernel.dylib
Module base: 0x1cd4a8000
Symbol name: __getpid
Symbol addr: 0x1cd4ca3b8
在LLDB中转储MACHO图像,默认转储所有Macho图像。
???非常重要!!!
Notice: if app crash at launch like detect jailbreak, you should use -x backboard launch app, and just input dumpdecrypted -X see more: http://4ch12dy.site/2020/02/26/lldb-how-to-dump-gracefully/lldb-how-to-dump-gracefully/
(lldb) dumpdecrypted
[*] start dump image:/var/containers/Bundle/Application/701B4574-1606-41F3-B0DB-92D34F92E886/com_kwai_gif.app/com_kwai_gif
[+] Dumping com_kwai_gif
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100014980(from 0x100014000) = 980
[+] Found encrypted data at address 00004000 of length 16384 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/701B4574-1606-41F3-B0DB-92D34F92E886/com_kwai_gif.app/com_kwai_gif for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening /var/mobile/Containers/Data/Application/23C75F90-C42D-4F43-83D9-5DCCA36FE2D5/Documents/com_kwai_gif.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset 980
[+] Closing original file
[+] Closing dump file
[*] This mach-o file decrypted done.
[+] dump macho file at:/var/mobile/Containers/Data/Application/23C75F90-C42D-4F43-83D9-5DCCA36FE2D5/Documents/com_kwai_gif.decrypted
[*] start dump image:/private/var/containers/Bundle/Application/701B4574-1606-41F3-B0DB-92D34F92E886/com_kwai_gif.app/Frameworks/gifIMFramework.framework/gifIMFramework
[+] Dumping gifIMFramework
[+] detected 64bit ARM binary in memory.
[+] offset to cryptid found: @0x100064bd0(from 0x100064000) = bd0
[+] Found encrypted data at address 00004000 of length 2752512 bytes - type 1.
[+] Opening /private/var/containers/Bundle/Application/701B4574-1606-41F3-B0DB-92D34F92E886/com_kwai_gif.app/Frameworks/gifIMFramework.framework/gifIMFramework for reading.
[+] Reading header
[+] Detecting header type
[+] Executable is a plain MACH-O image
[+] Opening /var/mobile/Containers/Data/Application/23C75F90-C42D-4F43-83D9-5DCCA36FE2D5/Documents/gifIMFramework.decrypted for writing.
[+] Copying the not encrypted start of the file
[+] Dumping the decrypted data into the file
[+] Copying the not encrypted remainder of the file
[+] Setting the LC_ENCRYPTION_INFO->cryptid to 0 at offset bd0
[+] Closing original file
[+] Closing dump file
[*] This mach-o file decrypted done.
[+] dump macho file at:/var/mobile/Containers/Data/Application/23C75F90-C42D-4F43-83D9-5DCCA36FE2D5/Documents/gifIMFramework.decrypted
...
[*] Developed By xia0@2019
LLDB中的运行时补丁仪器
// -a patch_address -i patch_instrument{nop/ret/mov0/mov1} -s instrument_count
(lldb) patcher -a 0x0000000100233a18 -i nop -s 8
[*] start patch text at address:0x100233a18 size:8 to ins:"nop" and data:0x1f, 0x20, 0x03, 0xd5
[*] make ins data:
{0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 }
[+] patch done
[x] power by xia0@2019
(lldb) x/12i 0x0000000100233a18
0x100233a18: 0xd503201f nop
0x100233a1c: 0xd503201f nop
0x100233a20: 0xd503201f nop
0x100233a24: 0xd503201f nop
0x100233a28: 0xd503201f nop
0x100233a2c: 0xd503201f nop
0x100233a30: 0xd503201f nop
0x100233a34: 0xd503201f nop
0x100233a38: 0xf941ac14 ldr x20, [x0, #0x358]
0x100233a3c: 0xf9419c15 ldr x21, [x0, #0x338]
0x100233a40: 0xf941a400 ldr x0, [x0, #0x348]
0x100233a44: 0xf9400008 ldr x8, [x0]
// 2019-10-27 update: -i option can receive raw instrument data like: "{0x20, 0x00, 0x80, 0xd2}"
(lldb) patcher -a 0x183a40fd8 -i "{0x20, 0x00, 0x80, 0xd2}"
[*] detect you manual set ins data:{0x20, 0x00, 0x80, 0xd2}
[*] start patch text at address:0x183a40fd8 size:1 to ins data:{0x20, 0x00, 0x80, 0xd2}
[x] power by xia0@2019
(lldb) x/12i $pc
-> 0x183a40fd8: 0xd2800020 mov x0, #0x1
0x183a40fdc: 0x928003f0 mov x16, #-0x20
0x183a40fe0: 0xd4001001 svc #0x80
0x183a40fe4: 0xd65f03c0 ret
0x183a40fe8: 0x92800410 mov x16, #-0x21
0x183a40fec: 0xd4001001 svc #0x80
0x183a40ff0: 0xd65f03c0 ret
0x183a40ff4: 0x92800430 mov x16, #-0x22
0x183a40ff8: 0xd4001001 svc #0x80
0x183a40ffc: 0xd65f03c0 ret
0x183a41000: 0x92800450 mov x16, #-0x23
0x183a41004: 0xd4001001 svc #0x80
[2019/07/04] SBT -X/XUTIL的更新:Xutil CMD和SBT -X更新以在Xcode中禁用颜色输出
[2019/07/21]选择更新:LLDB的ctercript的命令版本的选择命令命令
[2019/08/07]修复选择中的关键错误:修复关键错误
[2019/08/11] XBR的更新: xbr className可以在类的所有方法的adresses设置断点
[2019/08/13]新的Debugme :LLDB中的Anti Anti Debug
[2019/08/20]新信息:获取地址/功能/模块的信息等等
[2019/09/11] debugme更新:挂钩ptrace和inlinehook svc ins indo。
[2019/09/22]新的DumpDecrypted :LLDB中的Dump Macho Image
[2019/09/27] DumpDecrypted更新:可以将所有图像转储在App Dir中
[2019/10/17] New Patcher :LLDB中的运行时补丁仪器
[2022/04/18]当IVARS/方法不支持MACOS或iOS系统进程时,添加Xivars/Xmethods/Xprotocol启用转储类。
http://blog.imjun.net/posts/restore-symbol-of-ios-app/感谢ida_block_json.py脚本
https://github.com/derekselander/lldb特别感谢Derekselander的LLDB提供代码框架
https://lldb.llvm.org/tutorial.html
https://github.com/hankbao/cycript/blob/bb99d698a27487.af679f8c04c04c3334ea840aea7aea7a/objectivec/library.mm in Cycript中的命令
https://opensource.apple.com/source/lldb/lldb-179.1/examples/darwin/heap_find/heap.py.py.auto.html
Apple LLDB关于堆
https://blog.0xbbc.com/2015/07/%E6%8A%BD%E7%A6%BBCYCRIPT;
