Probing into GDB debugging under iOS

Tags: gdb, debugger

Original post: http://www.cnblogs.com/famer/p/4190311.html

I. Setting up the debugging environment

1. GNU Debugger. First install GDB on the iOS device: in Cydia, add the source cydia.radare.org, search for GNU Debugger and install it. (The gdb packages from some other sources do not seem to work; the one from this source worked fine in my test.)

2. OpenSSH. This should already be installed; if not, see http://www.cnblogs.com/jailbreaker/p/4142609.html.

3. adv-cmds. Available from the source apt.saurik.com (this should be one of the default sources); it provides the ps command used below.

II. Attaching to a process

1. First open the app you want to debug on the iOS device.

2. Log in to the device over SSH.

login as: root
root@<device address>'s password:
iphone:~ root#

3. Use ps from adv-cmds to list all processes on the system.

iphone:~ root# ps -ax
  366 ??         1:50.90 /var/mobile/containers/bundle/application/653eb29f-15a7-48ba-9226-69c4cf690771/sb.app/sb

The 366 at the front is the process ID (an arbitrary process, just as an example).

4. Use GDB to attach to process 366.

iphone:~ root# gdb -p 366
/usr/bin/gdb: line 55: awk: command not found
warning: unrecognized host cpusubtype, defaulting to host==armv7.
GNU gdb 6.3.50-20050815 (Apple version gdb-1708 + reverse.put.as patches v0.4) (Mon Apr 00:53:47 UTC)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "arm-apple-darwin".

..... (several lines omitted)

0x38e0e4f0 in mach_msg_trap ()
(gdb)

Good, the attach succeeded. Now you can start entering debugging commands.

III. Common debugging commands in detail

First of all, GDB commands can be abbreviated: any prefix of a command is accepted as long as it is unambiguous. For example, break can be entered as b. The letters must be consecutive from the start of the command (br works, ba does not).

Some commands are used together with others, so in order to explain their usage, a few commands will be used briefly before they are properly introduced.

I have divided the debugging commands into three types:

1. Control commands, including breakpoint and single-step commands; as the name implies, these control the flow of execution.

1.1 break, the breakpoint command.

1.1.1 Breaking on a function: when the function name is known, break on it by name.

(gdb) b CFRunLoopRunInMode
Breakpoint 3 at 0x2aef7176
(gdb) i b
Num Type           Disp Enb Address    What
3   breakpoint     keep y   0x2aef7176 <CFRunLoopRunInMode+14>

i b is an abbreviation of info break, which lists the current breakpoints.

1.1.2 The function name is not known; only its address in a disassembler such as IDA is known.

We know the file offset of the target function from IDA.

000190EC:000590EC (click on the code in IDA; these numbers are shown in the lower-left corner). 190EC is the file offset and 590EC is the address in memory, so it is easy to conclude that IDA's load base is 40000. Because the load base on iOS is randomized, we first use the info sh command to find the base address at which the target app was loaded in memory. info sh is an abbreviation of info sharedlibrary.
(gdb) info sh
The DYLD shared library state has not yet been initialized.
                                        requested State current State
Num Basename                     Type Address         Reason | | Source
  |                                |                    |
  1 sb                             -0x4000            exec C c/private/var/mobile/containers/bundle/application/... (too long, omitted)

We get a load base of 0x4000, so file offset 0x190ec + 0x4000 gives 0x1d0ec, the address in the running app where we want to break.

(This looks like a lot of trouble, but it doesn't matter; refer to this article to finish setting the breakpoint: http://www.cnblogs.com/famer/p/4120444.html)

(gdb) b *0x1d0ec
Breakpoint 4 at 0x1d0ec
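The rebasing arithmetic above, as an added Python helper that is not part of the original post: it parses an info sharedlibrary listing (a constructed sample in the shape shown above; the libSystem line is made up) and converts an IDA address to the runtime address, assuming as the post does that IDA's image base is 0x40000 and that file offset 0 of the main binary maps to the reported load base.

```python
import re

# Constructed sample of "info sharedlibrary" output in the shape the post shows.
# The "sb" line mirrors the post (load base 0x4000); the libSystem line is made up.
INFO_SH_SAMPLE = """\
The DYLD shared library state has not yet been initialized.
                                        requested State current State
Num Basename                  Type Address         Reason | | Source
  |                             |                    |
  1 sb                          -  0x4000           exec Y Y /private/var/mobile/containers/bundle/application/.../sb.app/sb
  2 libSystem.B.dylib           F  0x38d0c000       dyld Y Y /usr/lib/libSystem.B.dylib
"""

IDA_IMAGE_BASE = 0x40000   # where IDA placed file offset 0, as the post derives (0x590ec - 0x190ec)

def parse_shared_libraries(text):
    """Return {basename: load address} from a gdb "info sharedlibrary" listing."""
    libs = {}
    for line in text.splitlines():
        # number, basename, one-letter type, then the hex load address
        m = re.match(r"\s*(\d+)\s+(\S+)\s+\S\s*(0x[0-9a-fA-F]+)", line)
        if m:
            libs[m.group(2)] = int(m.group(3), 16)
    return libs

def ida_to_runtime(ida_addr, load_base, ida_base=IDA_IMAGE_BASE):
    """Apply the post's formula: runtime address = load base + file offset,
    where the file offset is the IDA address minus IDA's image base.
    Assumes file offset 0 of the main binary maps to the reported load base."""
    if ida_addr < ida_base:
        raise ValueError(f"address {ida_addr:#x} lies below IDA base {ida_base:#x}")
    return load_base + (ida_addr - ida_base)

def breakpoint_command(ida_addr, info_sh_text, binary="sb"):
    """Build the gdb command that breaks at the rebased address of ida_addr."""
    load_base = parse_shared_libraries(info_sh_text)[binary]
    return f"b *{ida_to_runtime(ida_addr, load_base):#x}"

if __name__ == "__main__":
    print(breakpoint_command(0x590EC, INFO_SH_SAMPLE))   # b *0x1d0ec
```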

1.2 delete/disable/enable: delete, deactivate and activate breakpoints. The argument is the breakpoint number shown by info b.

(gdb) b *0x690ec
Breakpoint 2 at 0x690ec
(gdb) disable 2
(gdb) info b
Num Type           Disp Enb Address    What
2   breakpoint     keep n   0x000690ec <_mh_execute_header+37100>
(gdb) enable 2
(gdb) info b
Num Type           Disp Enb Address    What
2   breakpoint     keep y   0x000690ec <_mh_execute_header+37100>
(gdb) d 2
(gdb) info b
No breakpoints or watchpoints.

1.3 nexti: single step over. When the instruction is a function call, the whole call is stepped over. Equivalent to F8 in OD (OllyDbg).

(gdb) ni
0x38e0e4f4 in mach_msg_trap ()

1.4 stepi: single step into. When the instruction is a function call, execution enters the function. Equivalent to F7 in OD.

(gdb) si
0x38e0e2e8 in mach_msg ()

1.5 continue: resume execution, equivalent to F9 in OD.

1.6 run: starts the app. It is not usable here, since we attached to a running process; to be added later.

1.7 finish: run until the current function returns, equivalent to "execute till return" in OD.

(gdb) finish
Run till exit from #0  0x000690ec in _mh_execute_header ()
0x000690ec in _mh_execute_header ()

1.8

2. Output commands

2.1 info break: query breakpoints

(gdb) info b
Num Type           Disp Enb Address    What
1   breakpoint     keep y   0x00013cb8

2.2 info sharedlibrary: query loaded dylibs

(gdb) info sh
The DYLD shared library state has not yet been initialized.

2.3 info registers: query the current register contents

(gdb) info reg
r0             0x10004005       268451845
r1             0x7000806        117442566
r2             0x0              0
r3             0xc00            3072
r4             0x0              0
r5             0x1c03           7171
r6             0x0              0
r7             0x1c8df0         1871344
r8             0xc00            3072
r9             0x549ff237       1419768375
r10            0x7000806        117442566
r11            0x7000806        117442566
r12            0xffffffe1       -31
sp             0x1c8dc4         1871300
lr             0x38e0e2e9       954262249
pc             0x38e0e2e8       954262248
cpsr           {0x60000030, n = 0x0, z = 0x1, c = 0x1, v = 0x0, q = 0x0, j = 0x0, ge = 0x0, e = 0x0, a = 0x0, i = 0x0, f = 0x0, t = 0x1, mode = 0x10} {0x60000030, n = 0, z = 1, c = 1, v = 0, q = 0, j = 0, ge = 0, e = 0, a = 0, i = 0, f = 0, t = 1, mode = usr}
(gdb)

2.4 backtrace: query the current call stack

(gdb) bt
#0  0x38e0e4f0 in mach_msg_trap ()
#1  0x38e0e2e8 in mach_msg ()
#2  0x2afab31a in <redacted> ()
#3  0x2afa98c0 in <redacted> ()
#4  0x2aef73c0 in CFRunLoopRunSpecific ()
#5  0x2aef71d2 in CFRunLoopRunInMode ()
#6  0x2bc30bfc in <redacted> ()
#7  0x2bc7f0bc in <redacted> ()
#8  0x0007fd3e in _mh_execute_header ()
#9  0x0007fb40 in _mh_execute_header ()
(gdb)

2.5 disassemble: disassemble memory. It can dump a region, but I have not found much use for it.

(gdb) help disassemble
Disassemble a specified section of memory.
Default is the function surrounding the pc of the selected frame.
With a single argument, the function surrounding that address is dumped.
Two arguments are taken as a range of memory to dump.

2.6 print command

Prints variables and registers.

(gdb) p $r0
$3 = 383366272
(gdb) p/x $r1
$4 = 0xb2acbc12

Print through pointers, one or two levels deep:

(gdb) info f
Stack level 0, frame at 0x1afaf0:
 pc = 0x690ec in _mh_execute_header; saved pc 0x690ec
 called by frame at 0x1afaf0
 Arglist at 0x1afaf0, args:
 Locals at 0x1afaf0,
(gdb) p/x *0x1afaf0
$7 = 0x387e7f41
(gdb) p/x **0x1afaf0
$8 = 0xf8d0b1

Print the flags register:

(gdb) p $cpsr
$ = {0x20000030, n = 0x0, z = 0x0, c = 0x1, v = 0x0, q = 0x0, j = 0x0, ge = 0x0, e = 0x0, a = 0x0, i = 0x0, f = 0x0, t = 0x1, mode = 0x10}

2.7 info frame: prints information about the current stack frame; same as info f.

2.8 x command (I could not find a longer name for it): examine the value at a memory address.

(gdb) help x
Examine memory: x/FMT ADDRESS.
ADDRESS is an expression for the memory address to examine.
FMT is a repeat count followed by a format letter and a size letter.
Format letters are o(octal), x(hex), d(decimal), u(unsigned decimal),
  t(binary), f(float), a(address), i(instruction), c(char) and s(string),
  T(OSType), A(floating point values in hex).
Size letters are b(byte), h(halfword), w(word), g(giant, 8 bytes).
The specified number of objects of the specified size are printed
according to the format.

Defaults for format and size letters are those previously used.
Default count is 1.  Default address is following last thing printed
with this command or "print".

x/nfu 0x<addr>: view the values at a memory address.

n is the number of memory units to display.

f is the display format; the following letters are available:

x displays the value in hexadecimal.

d displays the value in decimal.

u displays the value as an unsigned decimal integer.

o displays the value in octal.

t displays the value in binary.

a displays the value as an address, in hexadecimal.

i displays the memory as instructions (disassembly).

c displays the value as a character.

f displays the value as a floating-point number.

u is the size of one memory unit:

b one byte,

h two bytes (halfword),

w four bytes (word),

g eight bytes (giant).

It can be used to view the assembly code at the current position:

(gdb) x/5i $pc
0x690ec:  9a 9e 98         ldmls   lr, {r1, r3, r4, r7, r12, pc}
0x690f0:  d1               teqle   r6, r3, lsl #16
0x690f4:  4b f2 a4         adccs   pc, r4, r11, asr #4
0x690f8:  c0 f2            andeq   pc, r3, r0, asr #5
0x690fc:                   stmdavs r0, {r3, r4, r5, r6, r10, lr}

That is wrong.

(gdb) x/5ih $pc
0x690ec:  9a               str     r0, [sp, #616]
0x690ee:  9e 98            ldr     r0, [sp, #632]
0x690f0:                   cmp     r0, #3
0x690f2:  d1               bne.n   0x69142
0x690f4:  4b f2 a4         movw    r0, #45732      ; 0xb2a4

That is right. Does the minimum instruction length need to be specified?
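Two of the commands above worked through by hand, as an added Python example that is not from the original post: it unpacks a CPSR value into the fields that p $cpsr and info reg print (2.3, 2.6), splits an x command into its n/f/u parts (2.8), and uses the T (Thumb) bit to choose between the x/5i and x/5ih forms from the session just shown. The field layout and mode names are those of the ARMv7 CPSR; the x/5ih choice reproduces what worked in the post's session.

```python
import re

# Bit layout of the ARMv7 CPSR, which is what gdb's "p $cpsr" unpacks.
CPSR_MODES = {0x10: "usr", 0x11: "fiq", 0x12: "irq", 0x13: "svc",
              0x17: "abt", 0x1b: "und", 0x1f: "sys"}
SIZE_LETTERS = {"b": 1, "h": 2, "w": 4, "g": 8}       # unit sizes in bytes
FORMAT_LETTERS = set("oxdutfaicsTA")                   # format letters from "help x"

def decode_cpsr(value):
    """Split a 32-bit CPSR into the fields gdb prints (n, z, c, ..., t, mode)."""
    bit = lambda n: (value >> n) & 1
    return {"n": bit(31), "z": bit(30), "c": bit(29), "v": bit(28), "q": bit(27),
            "j": bit(24), "ge": (value >> 16) & 0xF, "e": bit(9), "a": bit(8),
            "i": bit(7), "f": bit(6), "t": bit(5),
            "mode": CPSR_MODES.get(value & 0x1F, f"{value & 0x1F:#x}")}

def parse_x_format(cmd):
    """Split an "x/nfu ADDRESS" command into (count, format letter, unit bytes).
    Letters may come in either order, as gdb allows; a missing count means 1."""
    m = re.fullmatch(r"x/(\d*)([A-Za-z]*)", cmd.split()[0])
    if not m:
        raise ValueError(f"not an x command: {cmd!r}")
    count, fmt, unit = int(m.group(1) or 1), None, None
    for letter in m.group(2):
        if letter in SIZE_LETTERS:
            unit = SIZE_LETTERS[letter]
        elif letter in FORMAT_LETTERS:
            fmt = letter
        else:
            raise ValueError(f"unknown letter {letter!r} in {cmd!r}")
    return count, fmt, unit

def disassemble_command(cpsr, count=5):
    """With t set the core is in Thumb state (halfword-aligned instructions), and
    x/5i printed nonsense in the post's session while x/5ih decoded correctly."""
    thumb = decode_cpsr(cpsr)["t"] == 1
    return f"x/{count}ih $pc" if thumb else f"x/{count}i $pc"

if __name__ == "__main__":
    print(decode_cpsr(0x60000030))          # z = 1, c = 1, t = 1, mode = usr
    print(disassemble_command(0x60000030))  # x/5ih $pc
```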

2.9 print-object (po): prints an Objective-C object. Very useful.

(gdb) po $r0
/private/var.

r0 holds an NSString.

3. Input commands

3.1 set: modifies registers and memory.

(gdb) p $r0
$10 = 5
(gdb) set $r0=100
(gdb) p $r0
$11 = 100

3.2 signal: sends a signal to the program. UNIX signal numbers usually range from 1 to 15, so the <signal> argument is also in this range.

There are some other commonly used commands still to be covered.

More details in these blog posts:

http://blog.csdn.net/21cnbao/article/details/7385161

http://www.cnblogs.com/visayafan/archive/2011/09/27/2193632.html
