https://medium.com/flawless-a...
Using _shortMethodDescription to place breakpoints in LLDB, step by step:

The private method prints every method of a class together with the address of its current implementation (IMP), so we can break directly on that address instead of doing the address arithmetic we needed before.

This is all 32-bit work: the CPU is 32-bit, so the assembly is 32-bit ARM (Thumb). That also suits the free version of IDA, which cannot disassemble 64-bit binaries.
On the Mac, ssh into the phone over USB and start debugserver attached to the already running WeChat process (`sshusb` is a local alias, not a standard command):

```
devzkndeMacBook-Pro:doc devzkn$ sshusb
iPhone:~ root# debugserver *:12345 -a "WeChat"
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-320.2.89
 for armv7.
Attaching to process WeChat...
Listening to port 12345 for a connection from *...
```
In a second terminal, forward local port 12345 to port 12345 on the phone with usbmuxd's tcprelay.py (the second prompt shows the same forward started through a local alias):

```
devzkndeMacBook-Pro:python-client devzkn$ python tcprelay.py -t 12345:12345
devzkndeMacBook-Pro:demo devzkn$ relay12345
Forwarding local port 12345 to remote port 12345
```
With the port forwarded, we switch to lldb and connect to debugserver.

Start lldb in a terminal and connect with the command below. Because usbmuxd is forwarding the port, the loopback address on the Mac reaches debugserver on the phone:
```
process connect connect://127.0.0.1:12345
```

The session then looks like this:

```
(lldb) process connect connect://127.0.0.1:12345
(lldb) error: Process 347 is currently being debugged, kill the process before connecting.
Process 347 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x373e9e90 libobjc.A.dylib`(anonymous namespace)::AutoreleasePoolPage::AutoreleasePoolPage((anonymous namespace)::AutoreleasePoolPage*) + 4
libobjc.A.dylib`(anonymous namespace)::AutoreleasePoolPage::AutoreleasePoolPage:
->  0x373e9e90 <+4>:  add    r12, pc, r12
    0x373e9e94 <+8>:  ldr    pc, [r12]
    0x373e9e98 <+12>: sbceq  r3, r9, #16, #8
libobjc.A.dylib`defaultBadAllocHandler:
    0x373e9e9c <+0>:  ldr    r12, [pc, #0x4]           ; <+12>
Target 0: (WeChat) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
  * frame #0: 0x373e9e90 libobjc.A.dylib`(anonymous namespace)::AutoreleasePoolPage::AutoreleasePoolPage((anonymous namespace)::AutoreleasePoolPage*) + 4
    frame #1: 0x373e7daa libobjc.A.dylib`objc_object::sidetable_clearDeallocating() + 46
    frame #2: 0x373d6606 libobjc.A.dylib`objc_destructInstance + 50
    frame #3: 0x29b2a012 CoreFoundation`CFRelease + 1038
    frame #4: 0x373e81a8 libobjc.A.dylib`(anonymous namespace)::AutoreleasePoolPage::pop(void*) + 404
    frame #5: 0x29b34f98 CoreFoundation`_CFAutoreleasePoolPop + 16
    frame #6: 0x2a866dc8 Foundation`-[NSAutoreleasePool release] + 120
    frame #7: 0x2d146380 UIKit`-[UIApplication _run] + 448
    frame #8: 0x2d1411d0 UIKit`UIApplicationMain + 1440
    frame #9: 0x001cacac WeChat`_mh_execute_header + 859308
    frame #10: 0x3794daae libdyld.dylib`start + 2
```

lldb only prints the "currently being debugged" error when the target already has a live process, so the connect command was evidently issued a second time here; the SIGSTOP stop is simply the state debugserver leaves the app in after attaching, and `c` resumes it.
```
(lldb) register read --all
General Purpose Registers:
        r0 = 0x3a086600  libobjc.A.dylib`(anonymous namespace)::SideTable::table_buf
        r1 = 0x00000380
        r2 = 0x182f5214
        r3 = 0x00000000
        r4 = 0x182f5210
(lldb) c
Process 347 resuming
(lldb)
```
Expressions can only be evaluated while the process is stopped, so interrupt it first:

```
(lldb) po [CMessageMgr _shortMethodDescription]
error: Process is running.  Use 'process interrupt' to pause execution.
(lldb) process interrupt
Process 347 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x37a004f0 libsystem_kernel.dylib`mach_msg_trap + 20
libsystem_kernel.dylib`mach_msg_trap:
->  0x37a004f0 <+20>: pop    {r4, r5, r6, r8}
    0x37a004f4 <+24>: bx     lr
libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x37a004f8 <+0>:  mov    r12, sp
    0x37a004fc <+4>:  push   {r4, r5, r6, r8}
Target 0: (WeChat) stopped.
```
```
(lldb) po [CMessageMgr _shortMethodDescription]
error: libarclite_iphoneos.a(arclite.o) failed to load objfile for /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/arc/libarclite_iphoneos.a
error: libarclite_iphoneos.a(arclite.o) failed to load objfile for /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/arc/libarclite_iphoneos.a
error: libarclite_iphoneos.a(arclite.o) failed to load objfile for /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/arc/libarclite_iphoneos.a
error: libarclite_iphoneos.a(arclite.o) failed to load objfile for /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/arc/libarclite_iphoneos.a
<CMessageMgr: 0x35ae230>:
in CMessageMgr:
    Class Methods:
        + (void) csendMsg:(id)arg1 toContactUsrName:(id)arg2; (0x522b0e5)
        + (void) modifyUsrInfo:(id)arg1; (0x522ad45)
        + (id) getUserImgUrl; (0x522a2dd)
        + (id) getUserm_taskDataDic; (0x522a0a1)
        + (id) getm_nsNickName; (0x5229481)
        + (void) uploadHDHeadImgWithUrl:(id)arg1; (0x52291a1)
        + (void) sendMsg:(id)arg1 toContactUsrName:(id)arg2; (0x5228c41)
        + (id) GetPathOfOpenUploadFile; (0x263ede3)
        + (id) GetPathOfOpenUploadCDNFile; (0x263ee4d)
    Properties:
        @property (retain, nonatomic) NSString* playingVideoPath;  (@synthesize playingVideoPath = _playingVideoPath;)
        @property (readonly) unsigned int hash;
        @property (readonly) Class superclass;
        @property (readonly, copy) NSString* description;
        @property (readonly, copy) NSString* debugDescription;
    Instance Methods:
        - (void) sendMsg:(id)arg1 toContactUsrName:(id)arg2; (0x52286e1)
        - (void) REQUEST_TYPE_MAKE_FRIENDS:(id)arg1; (0x5227fc1)
        - (void) setupREQUEST_TYPE_MAKE_FRIENDS:(id)arg1 m_nsFromUsrCContact:(id)arg2; (0x5227da1)
        - (void) addAutoVerifyWithArray:(id)arg1 arrayType:(unsigned int)arg2; (0x52274c9)
        - (void) addAutoVerifyWithMessageInfo:(id)arg1; (0x5227301)
        - (void) deleteFriendList:(id)arg1; (0x522708d)
        - (void) setupzombiepowderWithwrap:(id)arg1; (0x5226e49)
        - (void) ShowInContactBookWithchatroomId:(id)arg1; (0x5226ad1)
        - (void) reportchatroomInfoWithWrap:(id)arg1; (0x5226915)
        - (void) reportRESPONSE_TYPE_COLLECT_FRIENDS; (0x5224a05)
        - (void) reportRESPONSE_TYPE_INSPECT_FRIENDS:(id)arg1; (0x5223fc9)
        - (void) reportRESPONSE_TYPE_MAKE_FRIENDS:(id)arg1; (0x5223a85)
        - (BOOL) SetChatRoomDesc:(id)arg1 Desc:(id)arg2; (0x52238bd)
        - (BOOL) SetGroupTopic:(id)arg1 withTopic:(id)arg2; (0x52236fd)
        - (void) setupUPDATE_ROOM:(int)arg1 RoomGuid:(id)arg2 NewValue:(id)arg3; (0x5223375)
        - (void) setupRESPONSE_TYPE:(id)arg1; (0x5222dd1)
        - (void) setupRESPONSE_TYPENOTIFY:(id)arg1; (0x5222c65)
        - (void) AddMsg:(id)arg1 MsgWrap:(id)arg2; (0x26337fd)
        - (void) StartDownloadShortVideo:(id)arg1; (0x26391a7)
        - (void) MessageReturn:(id)arg1 Event:(unsigned long)arg2; (0x263cd5d)
        // many more methods omitted here
        - (id) GetImgNextMsg:(id)arg1 FromID:(unsigned long)arg2 CreateTime:(unsigned long)arg3; (0x263e0a5)
        - (id) GetImgLastMsg:(id)arg1 FromID:(unsigned long)arg2 CreateTime:(unsigned long)arg3; (0x263e105)
        - (BOOL) runTransaction:(^block)arg1 event:(^block)arg2; (0x263eed5)
        - (void) onServiceInit; (0x263dfbf)
        - (void) onServiceReloadData; (0x263e095)
        - (void) onServiceEnterBackground; (0x263e085)
        - (BOOL) onServiceMemoryWarning; (0x263e063)
        - (void) onServiceClearData; (0x263e067)
        - (BOOL) runTransaction:(^block)arg1; (0x263eeb7)
        - (void) enterBackground; (0x2640827)
        - (void) dealloc; (0x52223d9)
        - (id) init; (0x5222549)
        - (void) .cxx_destruct; (0x26416dd)
(MMService ...)
```

The repeated libarclite errors are lldb failing to load a host-side static library while it builds the expression; the result still prints, so they can be ignored. Each entry ends with the address of the method's current implementation, which is exactly what we need for a breakpoint. Note that the addresses fall into two clearly separate ranges (0x263xxxx and 0x522xxxx); what that means becomes visible when we break on one of them below.
The two methods we want to break on:

```
- (void) MessageReturn:(id)arg1 Event:(unsigned long)arg2; (0x263cd5d)
- (void) MessageReturn:(unsigned long)arg1 MessageInfo:(id)arg2 Event:(unsigned long)arg3; (0x52260f9)
```
```
(lldb) b 0x52260f9
Breakpoint 2: where = wlentrust.dylib`_logos_method$_ungrouped$CMessageMgr$MessageReturn$MessageInfo$Event$(CMessageMgr*, objc_selector*, unsigned int, NSDictionary*, unsigned int) + 1 at wlentrust.xm:785, address = 0x052260f9
```
```
(lldb) c
Process 347 resuming
Process 347 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
    frame #0: 0x052260f8 wlentrust.dylib`_logos_method$_ungrouped$CMessageMgr$MessageReturn$MessageInfo$Event$(self=0x18261030, _cmd="\x18", arg1=55569772, info=0xb06c2007, arg3=973629440) at wlentrust.xm:785
   782
   783  #pragma mark - ******** handle group messages
   784
-> 785  - (void)MessageReturn:(unsigned int)arg1 MessageInfo:(NSDictionary *)info Event:(unsigned int)arg3 {
   786
   787      %log();
   788      %orig;
Target 0: (WeChat) stopped.
```

Two things are worth noticing here. First, 0x52260f9 did not resolve into WeChat at all but into wlentrust.dylib, a Logos hook (`_logos_method$_ungrouped$CMessageMgr$MessageReturn$MessageInfo$Event$`). _shortMethodDescription reports whatever IMP is currently installed in the class, so when a tweak (or any method swizzle) has replaced a method, the address you get is the hook's, and the original implementation is only reached through the hook's `%orig` call. Methods whose addresses lie in WeChat's own range (the 0x263xxxx entries in the listing) have not been replaced. Second, the address is odd because on 32-bit ARM bit 0 of a code pointer marks a Thumb entry point; lldb strips it, which is why the breakpoint is described as `... + 1` and the stop is at pc 0x052260f8.
```
(lldb) po $r0
<CMessageMgr: 0x1814e890>
(lldb) po $r1
43804954
(lldb) po (char *)$r1
"MessageReturn:MessageInfo:Event:"
```

```
(lldb) register read --all
General Purpose Registers:
        r0 = 0x1814e890
        r1 = 0x029c691a  "MessageReturn:MessageInfo:Event:"
        r2 = 0x000000e3
        r3 = 0x184b8350
        r4 = 0x1814e890
        r5 = 0x00000001
        r6 = 0x2d8b00ba  "observer"
        r7 = 0x03b0aae8
        r8 = 0x00000001
        r9 = 0x00000000
       r10 = 0x00000000
       r11 = 0x029c691a  "MessageReturn:MessageInfo:Event:"
       r12 = 0x052260f9  wlentrust.dylib`_logos_method$_ungrouped$CMessageMgr$MessageReturn$MessageInfo$Event$(CMessageMgr*, objc_selector*, unsigned int, NSDictionary*, unsigned int) + 1 at wlentrust.xm:785
        sp = 0x03b0a9e0
        lr = 0x015ff591  WeChat`__cxa_throw + 14624329
        pc = 0x052260f8  wlentrust.dylib`_logos_method$_ungrouped$CMessageMgr$MessageReturn$MessageInfo$Event$(CMessageMgr*, objc_selector*, unsigned int, NSDictionary*, unsigned int) at wlentrust.xm:785
      cpsr = 0x60000030
Floating Point Registers:
        s0 = 0
        s1 = 0
```

Reading this with the 32-bit ARM calling convention: objc_msgSend passes `self` in r0 (the CMessageMgr instance) and `_cmd` in r1 (a C string, hence `po (char *)$r1`), and the first two explicit arguments follow in r2 (arg1 = 0xe3) and r3 (the MessageInfo dictionary, which `po $r3` would print). Only four arguments fit in registers, so the Event argument is on the stack at `[sp]`. r12 still holds the IMP with the Thumb bit set, which is why it reads 0x052260f9 while pc is 0x052260f8, and lr points back into WeChat, the caller of the hooked method; the enormous offset past `__cxa_throw` just means the binary is stripped and that was the nearest exported symbol.
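The two checks this session did by hand (strip the Thumb bit, and work out which image an IMP actually lives in) are easy to automate. Below is an added example written for this write-up; it is not code from the original post, from lldb or from WeChat. It parses a `_shortMethodDescription` listing into breakpoint targets and flags methods whose current IMP is outside the app's own binary, so hooks like the 0x522xxxx entries stand out before you set a breakpoint. `SAMPLE` is a constructed excerpt of the CMessageMgr listing shown earlier, and the `IMAGES` ranges are hypothetical; in a live session take them from `image dump sections WeChat` and `image dump sections wlentrust.dylib` in lldb.

```python
"""Turn the output of `po [SomeClass _shortMethodDescription]` into breakpoint targets.

Added example for this write-up: not code from the original post, from lldb or from
WeChat. SAMPLE is a constructed excerpt of the CMessageMgr listing above; IMAGES are
hypothetical load ranges (read real ones with `image dump sections <module>` in lldb).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One method line:  - (void) MessageReturn:(id)arg1 Event:(unsigned long)arg2; (0x263cd5d)
METHOD_RE = re.compile(
    r"^\s*(?P<kind>[-+])\s*\((?P<ret>[^)]*)\)\s*(?P<sig>.+?);\s*\((?P<imp>0x[0-9a-fA-F]+)\)\s*$"
)

SAMPLE = """\
<CMessageMgr: 0x35ae230>:
in CMessageMgr:
    Class Methods:
        + (void) csendMsg:(id)arg1 toContactUsrName:(id)arg2; (0x522b0e5)
        + (id) getUserImgUrl; (0x522a2dd)
        + (id) GetPathOfOpenUploadFile; (0x263ede3)
    Properties:
        @property (retain, nonatomic) NSString* playingVideoPath;  (@synthesize playingVideoPath = _playingVideoPath;)
    Instance Methods:
        - (void) sendMsg:(id)arg1 toContactUsrName:(id)arg2; (0x52286e1)
        - (void) MessageReturn:(id)arg1 Event:(unsigned long)arg2; (0x263cd5d)
        - (void) MessageReturn:(unsigned long)arg1 MessageInfo:(id)arg2 Event:(unsigned long)arg3; (0x52260f9)
        - (BOOL) runTransaction:(^block)arg1 event:(^block)arg2; (0x263eed5)
        - (void) .cxx_destruct; (0x26416dd)
(MMService ...)
"""

# Hypothetical [start, end) ranges of the two images that matter in this session.
IMAGES: Dict[str, Tuple[int, int]] = {
    "WeChat": (0x00004000, 0x03000000),
    "wlentrust.dylib": (0x05220000, 0x05230000),
}


@dataclass
class Method:
    kind: str          # "-" instance method, "+" class method
    return_type: str
    selector: str      # e.g. "MessageReturn:MessageInfo:Event:"
    imp: int           # implementation address exactly as printed

    @property
    def is_thumb(self) -> bool:
        # 32-bit ARM: bit 0 of a code pointer selects Thumb mode; it is not part of the address.
        return bool(self.imp & 1)

    @property
    def code_address(self) -> int:
        # The even address lldb actually stops at (the "+ 1" in its breakpoint description).
        return self.imp & ~1


def selector_of(signature: str) -> str:
    """'MessageReturn:(id)arg1 Event:(unsigned long)arg2' -> 'MessageReturn:Event:'."""
    return re.sub(r"\([^)]*\)\s*\w+", "", signature).replace(" ", "")


def parse_methods(text: str) -> List[Method]:
    """Keep only method lines; headers, @property lines and the '(MMService ...)' tail are skipped."""
    methods = []
    for line in text.splitlines():
        m = METHOD_RE.match(line)
        if m:
            methods.append(Method(m["kind"], m["ret"].strip(), selector_of(m["sig"]), int(m["imp"], 16)))
    return methods


def image_of(address: int, images: Dict[str, Tuple[int, int]]) -> Optional[str]:
    for name, (start, end) in images.items():
        if start <= address < end:
            return name
    return None


def analyze(text: str, images: Dict[str, Tuple[int, int]]) -> List[dict]:
    """One row per method: selector, raw IMP, Thumb flag, owning image and the lldb command to break on it."""
    rows = []
    for meth in parse_methods(text):
        rows.append({
            "kind": meth.kind,
            "selector": meth.selector,
            "imp": meth.imp,
            "thumb": meth.is_thumb,
            "image": image_of(meth.code_address, images),
            "lldb": f"breakpoint set -a 0x{meth.code_address:08x}",
        })
    return rows


def hooked_methods(text: str, images: Dict[str, Tuple[int, int]], main_image: str) -> List[dict]:
    """Methods whose current IMP is outside the app's own binary: a tweak or swizzle replaced them,
    so a breakpoint on that address stops in the hook, not in the original code."""
    return [r for r in analyze(text, images) if r["image"] != main_image]


if __name__ == "__main__":
    for r in analyze(SAMPLE, IMAGES):
        flag = "HOOKED" if r["image"] != "WeChat" else "      "
        print(f"{flag} {r['kind']} {r['selector']:<45} 0x{r['imp']:08x} {r['image'] or '?':<16} {r['lldb']}")
```

Run it stand-alone to print the table; on a live target, paste the `po` output into a file and pass its contents to `analyze`. Every row's `lldb` field is the even address, so it can be typed into `breakpoint set -a` directly even when you compute offsets yourself rather than letting lldb strip the Thumb bit.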
Another very useful private method, this one for dumping the contents of a data model object: `[modelObject _ivarDescription];`

More private-method tricks of this kind:
When done, remove the breakpoints and quit; note that quitting lldb kills the attached WeChat process:

```
(lldb) breakpoint delete
About to delete all breakpoints, do you want to do that?: [Y/n] y
All breakpoints removed. (2 breakpoints)
(lldb) exit
Quitting LLDB will kill one or more processes. Do you really want to proceed: [Y/n] y
```