debugserver + lldb 動態調試
以調試設備界面爲例,改變背景顏色、獲取VPN界面UISwitch控件響應事件.
Mac通過ssh
連接越獄設備,默認密碼alpine
Nelson:~ Nelson$ ssh [email protected]
啓動Preferences
進程,開啓1234
端口,等待任意IP地址的lldb接入
# debugserver -x backboard *:1234 /Applications/Preferences.app/Preferences
Nelson-iPad:~ root# debugserver -x backboard *:1234 /Applications/Preferences.app/Preferences
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-340.3.51.1
for arm64.
Listening to port 1234 for a connection from *...
Mac啓動新窗口終端,進入Xcode的lldb調試模式
# /Applications/Xcode.app/Contents/Developer/usr/bin/lldb
Nelson:~ Nelson$ /Applications/Xcode.app/Contents/Developer/usr/bin/lldb
(lldb)
連接正在等待的debugserver
# process connect connect://192.168.xx.xxx:1234
(lldb) process connect connect://192.168.xx.xxx:1234
Process 6529 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
frame #0: 0x00000001819f54bc libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
-> 0x1819f54bc <+8>: ret
libsystem_kernel.dylib`mach_msg_overwrite_trap:
0x1819f54c0 <+0>: mov x16, #-0x20
0x1819f54c4 <+4>: svc #0x80
0x1819f54c8 <+8>: ret
(lldb)
打印所有界面層次
(lldb) po [[[UIApplication sharedApplication] keyWindow] recursiveDescription]
recursiveDescription
搜索UITableView:
獲取內存地址爲0x13e051800
8EAB695B-6F43-4475-B7A8-FE6138BB3AB2.jpeg
修改UITableView(0x13e051800)
的背景顏色爲yellowColor
(lldb) po [(UITableView*)0x13e051800 setBackgroundColor:[UIColor yellowColor]]
現在界面處理調試狀態,需要手動刷新下界面
(lldb) e (void)[CATransaction flush]
IMG_0142.PNG
修改另外一個UITableView(0x13e8ac400)
的背景顏色
(lldb) po [(UITableView*)0x13e8ac400 setBackgroundColor:[UIColor greenColor]]
(lldb) e (void)[CATransaction flush]
IMG_0144.PNG
獲取VPN
界面的UISwitch
的allTargets
IMG_0144.PNG
(lldb) po [(UISwitch *)0x13f263980 allTargets]
(lldb) po [(UISwitch *)0x13f263980 allTargets]
{(
<VPNToggleCell: 0x13e0c3400; baseClass = UITableViewCell; frame = (0 55.5; 594.5 45); text = '狀態'; autoresize = W; tag = 6; layer = <CALayer: 0x13f004a80>>
)}
(lldb)
此處的Target
爲上一步獲取到的VPNToggleCell(0x13e0c3400)
(lldb) po [(UISwitch *)0x13f263980 actionsForTarget:(id)0x13e0c3400 forControlEvent:0]
(lldb) po [(UISwitch *)0x13f263980 actionsForTarget:(id)0x13e0c3400 forControlEvent:0]
<__NSArrayM 0x13ddd9ca0>(
controlChanged:
)
(lldb)
獲取到了UISwitch
的響應方法爲controlChanged:
,接下來爲UISwitch
的點擊添加斷點
(lldb) br set -n "-[VPNToggleCell controlChanged:]"
Breakpoint 1: no locations (pending).
WARNING: Unable to resolve breakpoint to any actual locations.
添加斷點失敗了,也就是說明controlChanged:
這個方法不屬於VPNToggleCell
這個類,於是查找Runtime Header
,找到了PSControlTableCell
這個類
PSControlTableCell.h
412C86A5-F95D-40CF-9D6B-B82D15FED827.png
(lldb) br set -n "-[PSControlTableCell controlChanged:]"
(lldb) br set -n "-[PSControlTableCell controlChanged:]"
Breakpoint 3: where = Preferences`-[PSControlTableCell controlChanged:], address = 0x0000000189488618
(lldb)
斷點添加成功了,查看下所有的斷點列表
(lldb) br list
(lldb) br list
Current breakpoints:
3: name = '-[PSControlTableCell controlChanged:]', locations = 1, resolved = 1, hit count = 0
3.1: where = Preferences`-[PSControlTableCell controlChanged:], address = 0x0000000189488618, resolved, hit count = 0
(lldb)
按需求可以對斷點進行以下操作:3針對以上的斷點序號
禁用斷點:(lldb) br dis 3
啓用斷點:(lldb) br en 3
刪除斷點:(lldb) br del 3
退出調試狀態
(lldb) c
此時界面可以進行操作了,點擊VPN
界面的UISwitch
執行了斷點操作,再次進入了調試模式
(lldb) c
Process 6529 resuming
Process 6529 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
frame #0: 0x0000000189488618 Preferences`-[PSControlTableCell controlChanged:]
Preferences`-[PSControlTableCell controlChanged:]:
-> 0x189488618 <+0>: stp x24, x23, [sp, #-0x40]!
0x18948861c <+4>: stp x22, x21, [sp, #0x10]
0x189488620 <+8>: stp x20, x19, [sp, #0x20]
0x189488624 <+12>: stp x29, x30, [sp, #0x30]
(lldb)
執行c
、s
進行下一步操作
(lldb) c
(lldb) n
進入調試模式
(lldb) process interrupt
lldb
其他指令
指令 | 指令說明 |
---|---|
thread list |
線程列表 |
image list -o -f |
進程列表 |
frame info |
查看當前代碼 |