@iddoeldor
Last active April 16, 2019 13:19
$ iproxy 2222 22
$ iproxy 7777 77
iphone~root# debugserver 7777 --waitfor $processId

(lldb) process connect connect://localhost:7777
(lldb) image list | grep $processId

@ IDA Pro > Edit > Segments > Rebase program
  • reg r x1 # show x1 register value
  • br s -a 0x1234 # breakpoint on address
    • br s -s libsystem_c.dylib -n gettimeofday
    • br s -n mach_msg -s libsystem_kernel.dylib
      • br co a 1
        • add command to print mach_msg port
        • p *(uint32_t*)($x0 + 8)
        • c
        • DONE
    • to execute python function on breakpoint
      • first set a breakpoint
      • br co a -F file_name.breakpoint_callback 1 # 1 = breakpoint index from br l
        • function signature is def breakpoint_callback(frame, bp_ploc, internal_dict)
  • w s e -- 0x123 # watchpoint on address
    • w l # list watchpoints; let's assume we set the watchpoint at index 1
    • w c a 1 # add command on watchpoint #1 stop
      • -> x/10i $pc-8
      • -> reg r
      • -> c
      • DONE # write done to exit
  • po x22 # print object
  • image lookup --address 0x123
  • x/4g "*(long long **) ($sp+0x1234)" # read pointer of pointer

lldb python

  • command script import ~/.lldb/script.py
```python
import lldb

def dc(command):
    # run one lldb command line and return its output as a string
    res = lldb.SBCommandReturnObject()
    lldb.debugger.GetCommandInterpreter().HandleCommand(command, res)
    return res.GetOutput()

def func(debugger, command, result, internal_dict):
    # body of the custom "func" command registered in __lldb_init_module
    pass

def __lldb_init_module(debugger, internal_dict):
    debugger.HandleCommand('command script add -f %s.func func' % __name__)
    # grep returns the whole "image list" line; keep only the 0x... load address token
    line = dc('image list | grep moduleName')
    base_addr = next(t for t in line.split() if t.startswith('0x'))
    OFFSET = 0x0  # placeholder (0xOFFSET in the original): offset of the target inside moduleName
    dc('breakpoint set --address ' + base_addr + '+' + str(OFFSET))
    print('[-] Script loaded.')
```

(lldb) target stop-hook add --one-liner "po r"

br co a -s python # def f(frame, bp_loc, internal_dict): print(dc('x/4g ' + dc('x/g $sp+8').split(':')[1]))

One-liner: br co a -s python -o "print(frame.sp)"

(lldb) br co a -s python # then type the callback body; `frame` is available in that scope:

```python
r1, r2, c = lldb.SBCommandReturnObject(), lldb.SBCommandReturnObject(), lldb.debugger.GetCommandInterpreter()
c.HandleCommand('x/g ' + str(frame.sp + 0x123), r1)   # read the pointer stored at sp+0x123
ptr = r1.GetOutput()                                  # "0xADDR: 0xVALUE"
print(ptr, '-' * 50)
c.HandleCommand('x/10g ' + ptr.split(':')[1], r2)     # dump 10 qwords at that pointer
print(r2.GetOutput(), '*' * 100)

def command_template(debugger, command, result, internal_dict):
    # skeleton for a custom command: register with "command script add -f module.command_template name"
    debugger.HandleCommand(command)
```
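Putting the pieces above together as one importable script (an added example, not part of the gist): it parses the `image list` line instead of passing the whole grep output to `breakpoint set`, sets the mach_msg breakpoint from the SB API, and reads the port at `x0+8` in a callback. It assumes the usual lldb output shapes for `image list` ("[ N] UUID 0xLOADADDR /path") and `x/g` ("0xADDR: 0xVALUE"); `moduleName` and the `0x1234` offset are placeholders.

```python
import re

try:
    import lldb                      # present only inside lldb's embedded Python
except ImportError:                  # lets the parsing helpers run under plain python
    lldb = None

LOAD_ADDR_RE = re.compile(r'\b0x[0-9a-fA-F]+\b')

def run(command):
    """Run one lldb command line and return its text output (same idea as dc() above)."""
    res = lldb.SBCommandReturnObject()
    lldb.debugger.GetCommandInterpreter().HandleCommand(command, res)
    return res.GetOutput()

def parse_image_base(image_list_output, module_name):
    """Load address of module_name from `image list` text, or None if it is not loaded.
    Assumed line shape: "[  3] <UUID> 0x0000000100a1c000 /path/to/Foo.app/Foo"."""
    for line in image_list_output.splitlines():
        fields = line.split()
        path = next((f for f in fields if f.startswith('/')), '')
        if path.rsplit('/', 1)[-1] == module_name:
            match = LOAD_ADDR_RE.search(line)
            if match:
                return int(match.group(0), 16)
    return None

def parse_pointer(x_output):
    """Value printed by `x/g <addr>`, assumed shape "0x16fd0a8f8: 0x0000000100a1c000"."""
    _, _, value = x_output.partition(':')
    return int(value.split()[0], 16)

def mach_msg_port(frame, bp_loc, internal_dict):
    """Breakpoint callback on mach_msg: x0 points at mach_msg_header_t, msgh_remote_port is at +8."""
    header = frame.FindRegister('x0').GetValueAsUnsigned()
    err = lldb.SBError()
    port = frame.GetThread().GetProcess().ReadUnsignedFromMemory(header + 8, 4, err)
    if err.Success():
        print('mach_msg remote port: 0x%x (sp=0x%x)' % (port, frame.sp))
    return False                     # False = do not stop, the "c" in the list above

def __lldb_init_module(debugger, internal_dict):
    target = debugger.GetSelectedTarget()
    bp = target.BreakpointCreateByName('mach_msg', 'libsystem_kernel.dylib')
    bp.SetScriptCallbackFunction('%s.mach_msg_port' % __name__)
    base = parse_image_base(run('image list'), 'moduleName')   # hypothetical module name
    if base is not None:
        target.BreakpointCreateByAddress(base + 0x1234)         # 0x1234: placeholder offset
    print('[-] Script loaded.')
```

Load it with `command script import ~/.lldb/script.py` as in the list above; the two parse helpers also work outside lldb, so they can be checked against captured output before attaching.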

http://lldb.llvm.org/python_reference/index.html https://www.slideshare.net/micheletitolo/more-than-po-debugging-in-lldb
