Original address: http://www.cnblogs.com/famer/p/4190311.html
I. Setting up the debugging environment
1. GNU Debugger. Install the gdb debugger on the iOS device: in Cydia add the source cydia.radare.org, search for GNU Debugger and install it. (The gdb builds from some other sources do not seem to work; the one from this source worked in this test.)
2. OpenSSH. This should already be installed; if not, see http://www.cnblogs.com/jailbreaker/p/4142609.html.
3. adv-cmds, which provides ps and the other BSD process tools. Source: apt.saurik.com (this should be one of the default sources).
II. Attaching to the process
1. Open the app to be debugged on the iOS device.
2. Log in to the device over SSH as root.
login as: root
root@<device ip>'s password:
iphone:~ root#
3. Use ps from adv-cmds to list all processes on the system and find the app's process ID.
iphone:~ root# ps -ax
366 ?? 1:50.90 /var/mobile/containers/bundle/application/653eb29f-15a7-48ba-9226-69c4cf690771/sb.app/sb
The leading 366 is the process ID. (A random process, just as an example.)
4. Attach gdb to process 366.
iphone:~ root# gdb -p 366
/usr/bin/gdb: line 55: awk: command not found
warning: unrecognized host cpusubtype, defaulting to host==armv7.
GNU gdb 6.3.50-20050815 (Apple version gdb-1708 + reverse.put.as patches v0.4) (Mon Apr 00:53:47 UTC)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "arm-apple-darwin".
..... (several lines omitted)
0x38e0e4f0 in mach_msg_trap ()
(gdb)
The awk error comes from the /usr/bin/gdb wrapper script (line 55 of that script): without awk it cannot detect the CPU subtype and falls back to armv7, which is harmless for this session. The attach has succeeded: the target is stopped in mach_msg_trap, where an idle app's run loop waits for a message, and debugging commands can now be entered at the (gdb) prompt.
III. Common debugging commands in detail
First, gdb commands can be abbreviated: any leading part of a command works as long as it is unambiguous, e.g. break can be typed as b. The letters must be a contiguous prefix (br works, ba does not).
Some commands are used together with others, so a few commands are used briefly before the section that explains them.
I have divided the debugging commands into three groups:
1. Control commands, including breakpoint and single-step commands: as the name says, commands that control the flow of execution.
1.1 break: set a breakpoint.
1.1.1 Break on a function: when the function name is known, break on it directly.
(gdb) b CFRunLoopRunInMode
Breakpoint 3 at 0x2aef7176
(gdb) i b
Num Type Disp Enb Address What
3 breakpoint keep y 0x2aef7176 <CFRunLoopRunInMode+14>
i b is the abbreviation of info break and lists the current breakpoints.
1.1.2 The function name is unknown; only its address in a disassembler such as IDA is known.
Take the target function's file offset from IDA.
000190EC:000590EC (click the instruction in IDA; the pair is shown in the lower-left corner). 190EC is the file offset and 590EC is the address in IDA's view, so IDA is showing the binary at base 0x40000. The address at which iOS loads the app is randomized (ASLR), so first use info sh to get the base at which the target app is loaded in memory. info sh is an abbreviation of info sharedlibrary.
(gdb) info sh
The DYLD shared library state has not yet been initialized.
Requested State Current State
Num Basename Type Address Reason | | Source
| | | | | | | |
1 sb - 0x4000 exec C C /private/var/mobile/containers/bundle/application/... (path truncated)
The load base is 0x4000, so the runtime address is the file offset plus that base: 0x190ec + 0x4000 = 0x1d0ec. That is the address to break on in the running app. (Adding the file offset to the base works because the executable's __TEXT segment starts at file offset 0; equivalently, subtract IDA's base and add gdb's: 0x590ec - 0x40000 + 0x4000 = 0x1d0ec. Every launch of the app gets a new base, so rerun info sh after restarting it.)
(This looks tedious; the method in http://www.cnblogs.com/famer/p/4120444.html sets the breakpoint with less work.)
(gdb) b *0x1d0ec
Breakpoint 4 at 0x1d0ec
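The rebasing arithmetic above, as an added example that is not part of the original post: it parses the fileoffset:address pair IDA shows, reads the image base from `info sh` output and produces the `b *0x...` command. The `info sh` text in the block is a constructed sample shaped like the output above (the real bundle path is truncated in the article, so a placeholder path is used), and taking the first hex number on an image's line as its load address is an assumption about Apple gdb's column layout.

```python
"""Rebase an address from IDA to the address gdb sees in the running app.

Added example for this article, not code from the original post. The
`info sh` text below is a constructed sample shaped like the gdb output in
the article; treating the first hex number on an image's line as its load
address is an assumption about Apple gdb's column layout.
"""
import re

# Constructed sample of `(gdb) info sh` output (placeholder path).
INFO_SH_SAMPLE = """\
The DYLD shared library state has not yet been initialized.
                          Requested State Current State
Num Basename            Type Address      Reason | | Source
  | |                   |    |            |      | | |
  1 sb                  -    0x4000       exec   C C /private/var/mobile/Containers/Bundle/Application/.../sb.app/sb
  2 libSystem.B.dylib   -    0x38e00000   dyld   Y Y /usr/lib/libSystem.B.dylib
"""

HEX = re.compile(r"0x[0-9a-fA-F]+")


def parse_ida_status(status):
    """Split IDA's lower-left 'fileoffset:address' pair, e.g. '000190EC:000590EC'."""
    file_off, ida_addr = status.split(":")
    return int(file_off, 16), int(ida_addr, 16)


def image_base(info_sh_output, basename):
    """Load address gdb reports for `basename` in `info sharedlibrary` output."""
    for line in info_sh_output.splitlines():
        fields = line.split()
        # Column 2 is the basename; the first hex token after it is the address.
        if len(fields) > 3 and fields[1] == basename:
            m = HEX.search(line)
            if m:
                return int(m.group(0), 16)
    raise LookupError("%s not found in info sharedlibrary output" % basename)


def runtime_addr(file_offset, gdb_base):
    """The article's rule: runtime address = file offset + base from info sh.

    This holds because the main executable's __TEXT segment begins at file
    offset 0, so the image base is exactly where file offset 0 is mapped,
    whatever ASLR slide the kernel chose for this launch.
    """
    return gdb_base + file_offset


def ida_to_runtime(ida_status, info_sh_output, basename):
    """Full pipeline: IDA status pair + current `info sh` -> address for `b *`."""
    file_off, ida_addr = parse_ida_status(ida_status)
    # ida_addr - file_off is IDA's base (0x40000 in the article); going via the
    # file offset gives the same result as ida_addr - ida_base + gdb_base.
    gdb_base = image_base(info_sh_output, basename)
    return runtime_addr(file_off, gdb_base)


def break_command(addr):
    """gdb command to break at an absolute address (the `b *0x...` form)."""
    return "b *0x%x" % addr


if __name__ == "__main__":
    target = ida_to_runtime("000190EC:000590EC", INFO_SH_SAMPLE, "sb")
    print(break_command(target))   # b *0x1d0ec
```

Re-run it with fresh `info sh` output after every relaunch of the app: the base changes, the file offset does not.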
1.2 delete/disable/enable: delete, deactivate and reactivate breakpoints. The argument is the breakpoint number shown by info b.
(gdb) b *0x690ec
Breakpoint 2 at 0x690ec
(gdb) disable 2
(gdb) info b
Num Type Disp Enb Address What
2 breakpoint keep n 0x000690ec <_mh_execute_header+37100>
(gdb) enable 2
(gdb) info b
Num Type Disp Enb Address What
2 breakpoint keep y 0x000690ec <_mh_execute_header+37100>
(gdb) d 2
(gdb) info b
No breakpoints or watchpoints.
1.3 nexti: single-step over. When the instruction is a function call, the call is executed as one step and the function is not entered. Equivalent to F8 in OllyDbg.
(gdb) ni
0x38e0e4f4 in mach_msg_trap ()
1.4 stepi: single-step into. When the instruction is a function call, execution stops at the first instruction inside the function. Equivalent to F7 in OllyDbg.
(gdb) si
0x38e0e2e8 in mach_msg ()
1.5 continue: resume execution, equivalent to F9 in OllyDbg.
1.6 run: start the program from the beginning. Not usable here, since we attached to a process that is already running; it will be covered later.
1.7 finish: run until the current function returns, equivalent to OllyDbg's "execute till return".
(gdb) finish
Run till exit from #0 0x000690ec in _mh_execute_header ()
0x000690ec in _mh_execute_header ()
2. Output commands
2.1 info break: list breakpoints.
(gdb) info b
Num Type Disp Enb Address What
1 breakpoint keep y 0x00013cb8
2.2 info sharedlibrary: list the loaded dylibs.
(gdb) info sh
The DYLD shared library state has not yet been initialized.
2.3 info registers: show the current register values.
(gdb) info reg
r0 0x10004005 268451845
r1 0x7000806 117442566
r2 0x0 0
r3 0xc00 3072
r4 0x0 0
r5 0x1c03 7171
r6 0x0 0
r7 0x1c8df0 1871344
r8 0xc00 3072
r9 0x549ff237 1419768375
r10 0x7000806 117442566
r11 0x7000806 117442566
r12 0xffffffe1 -31
sp 0x1c8dc4 1871300
lr 0x38e0e2e9 954262249
pc 0x38e0e2e8 954262248
cpsr {0x60000030, n = 0x0, z = 0x1, c = 0x1, v = 0x0, q = 0x0, j = 0x0, ge = 0x0, e = 0x0, a = 0x0, i = 0x0, f = 0x0, t = 0x1, mode = 0x10} {0x60000030, n = 0, z = 1, c = 1, v = 0, q = 0, j = 0, ge = 0, e = 0, a = 0, i = 0, f = 0, t = 1, mode = usr}
Two things are worth reading off this dump. t = 1 in cpsr means the CPU is executing Thumb code at pc, which matters when disassembling (see 2.8). And lr = 0x38e0e2e9 has its low bit set: that is how a return into Thumb code is encoded, and the instruction it refers to is at 0x38e0e2e8, the value in pc.
2.4 backtrace: show the current call stack.
(gdb) bt
#0 0x38e0e4f0 in mach_msg_trap ()
#1 0x38e0e2e8 in mach_msg ()
#2 0x2afab31a in <redacted> ()
#3 0x2afa98c0 in <redacted> ()
#4 0x2aef73c0 in CFRunLoopRunSpecific ()
#5 0x2aef71d2 in CFRunLoopRunInMode ()
#6 0x2bc30bfc in <redacted> ()
#7 0x2bc7f0bc in <redacted> ()
#8 0x0007fd3e in _mh_execute_header ()
#9 0x0007fb40 in _mh_execute_header ()
(gdb)
The <redacted> frames are system-framework functions whose names have been stripped; the _mh_execute_header frames are inside the app itself, which has no symbols, so gdb names them relative to the Mach-O header, the one symbol it can still see.
2.5 disassemble: disassemble a region of memory. Not used in this article; x/i (2.8 below) is used instead.
(gdb) help disassemble
Disassemble a specified section of memory.
Default is the function surrounding the pc of the selected frame.
With a single argument, the function surrounding this address is dumped.
Two arguments are taken as a range of memory to dump.
2.6 print: print variables and registers.
(gdb) p $r0
$3 = 383366272
(gdb) p/x $r1
$4 = 0xb2acbc12
Dereferencing a pointer, one and two levels deep:
(gdb) info f
Stack level 0, frame at 0x1afaf0:
pc = 0x690ec in _mh_execute_header; saved pc 0x690ec
called by frame at 0x1afaf0
Arglist at 0x1afaf0, args:
Locals at 0x1afaf0,
(gdb) p/x *0x1afaf0
$7 = 0x387e7f41
(gdb) p/x **0x1afaf0
$8 = 0xf8d0b1
Printing the flags register:
(gdb) p $cpsr
$ = {0x20000030, n = 0x0, z = 0x0, c = 0x1, v = 0x0, q = 0x0, j = 0x0, ge = 0x0, e = 0x0, a = 0x0, i = 0x0, f = 0x0, t = 0x1, mode = 0x10}
2.7 info frame: print information about the current stack frame; info f is the abbreviation.
2.8 x (examine): view the contents of memory at an address.
(gdb) help x
Examine memory: x/FMT ADDRESS.
ADDRESS is an expression for the memory address to examine.
FMT is a repeat count followed by a format letter and a size letter.
Format letters are o(octal), x(hex), d(decimal), u(unsigned decimal), t(binary), f(float), a(address), i(instruction), c(char) and s(string), T(OSType), A(floating point values in hex).
Size letters are b(byte), h(halfword), w(word), g(giant, 8 bytes).
The specified number of objects of the specified size are printed according to the format.
Defaults for format and size letters are those previously used.
Default count is 1. Default address is following last thing printed with this command or "print".
x/nfu <addr>: view the values at a memory address.
n is the number of units to display.
f is the display format; the following values are available:
x display in hexadecimal
d display in signed decimal
u display in unsigned decimal
o display in octal
t display in binary
a display as an address (hexadecimal, with the nearest symbol if one is known)
i decode as instructions
c display as characters
f display as floating-point numbers
s display as a string
u is the unit size:
b one byte
h halfword, two bytes
w word, four bytes
g giant, eight bytes
It can be used to view the instructions at the current pc:
(gdb) x/5i $pc
0x690ec: ldmls lr, {r1, r3, r4, r7, r12, pc}
0x690f0: teqle r6, r3, lsl #16
0x690f4: adccs pc, r4, r11, asr #4
0x690f8: andeq pc, r3, r0, asr #5
0x690fc: stmdavs r0, {r3, r4, r5, r6, r10, lr}
Wrong: these are Thumb instruction bytes decoded as 32-bit ARM instructions, which is why the listing is a run of oddly conditional instructions that no compiler would emit.
(gdb) x/5ih $pc
0x690ec: str r0, [sp, #616]
0x690ee: ldr r0, [sp, #632]
0x690f0: cmp r0, #3
0x690f2: bne.n 0x69142
0x690f4: movw r0, #45732 ; 0xb2a4
Correct. The h (halfword) size letter tells this gdb to decode 16-bit Thumb instructions, the instruction length the code at pc actually uses. Before choosing between x/i and x/ih, check the t bit of $cpsr (t = 0x1 in the dumps above): t = 1 means the code at pc is Thumb.
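The check just described, as an added example that is not part of the original post: decode the cpsr word gdb prints into the same fields `p $cpsr` shows, pick `x/Ni` or `x/Nih` from the t bit, and strip the Thumb bit from values such as the lr in the register dump before using them with `b *` or `x/i`. The bit layout is the ARMv7 CPSR; that the h size letter selects Thumb decoding is taken from the x/5ih listing above, and the sample values are the cpsr and lr words shown in the dumps.

```python
"""Decode the CPSR value gdb prints for an ARM target and choose the x/i form.

Added example for this article, not code from the original post. Bit layout
is the ARMv7 CPSR: N Z C V Q in bits 31..27, J in 24, GE in 19..16, E in 9,
A I F in 8..6, T in 5, mode in 4..0. The sample values are the cpsr and lr
words from the register dumps in the article.
"""

MODE_NAMES = {0x10: "usr", 0x11: "fiq", 0x12: "irq", 0x13: "svc",
              0x17: "abt", 0x1b: "und", 0x1f: "sys"}


def decode_cpsr(value):
    """Return the CPSR fields the way gdb's `p $cpsr` lays them out."""
    bit = lambda n: (value >> n) & 1
    mode = value & 0x1f
    return {
        "n": bit(31), "z": bit(30), "c": bit(29), "v": bit(28), "q": bit(27),
        "j": bit(24), "ge": (value >> 16) & 0xf, "e": bit(9),
        "a": bit(8), "i": bit(7), "f": bit(6), "t": bit(5),
        "mode": MODE_NAMES.get(mode, "0x%x" % mode),
    }


def is_thumb_address(addr):
    """Thumb code addresses carried in lr or in function pointers have bit 0 set."""
    return bool(addr & 1)


def code_address(addr):
    """Strip the Thumb bit so the value can be used with `b *` or `x/i`."""
    return addr & ~1


def examine_command(cpsr_value, count=5, where="$pc"):
    """x command matching the ISA state at pc: x/Ni for ARM, x/Nih for Thumb."""
    size = "h" if decode_cpsr(cpsr_value)["t"] else ""
    return "x/%di%s %s" % (count, size, where)


if __name__ == "__main__":
    flags = decode_cpsr(0x60000030)          # cpsr from the `info reg` dump
    print(flags)                             # z, c and t set, mode 'usr'
    print(examine_command(0x60000030))       # x/5ih $pc
    print(hex(code_address(0x38e0e2e9)))     # 0x38e0e2e8, the lr from the dump
```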
2.9 print-object (po): print an Objective-C object (what its description method returns). Very useful.
(gdb) po $r0
/private/var.
r0 holds an NSString here.
3. Input commands
3.1 set: modify registers and memory.
(gdb) p $r0
$10 = 5
(gdb) set $r0=100
(gdb) p $r0
$11 = 100
3.2 signal: resume the program and deliver a signal to it. The argument is a signal number or name; the common Unix signals are numbered 1 to 15 (SIGHUP through SIGTERM), so <signal> is usually in that range.
There are other commonly used commands that are not covered here. For more detail see:
http://blog.csdn.net/21cnbao/article/details/7385161
http://www.cnblogs.com/visayafan/archive/2011/09/27/2193632.html
Probing into GDB debugging under iOS