RWDevCon 2017 Vault - Workshops - Part 1: Advanced | Ray Wenderlich

Learn to wield the power of LLDB and other debugging tools while exploring code you do(n’t)? have source for. Create powerful, custom debugging scripts to quickly hunt down any item that piques your interest.


This is a companion discussion topic for the original entry at https://www.raywenderlich.com/4149-rwdevcon-2017-vault-workshops/lessons/1

Couple of sources I didn’t cite in the talk:

First video example that uses AirDrop was inspired by @NeoNacho’s github repo Trolldrop. iOS uses different frameworks, but never would have thought of exploring it if it wasn’t for this repo.

The search.py script which enumerates objects in the heap is a cherry picking of ideas from Saurik’s choose functionality in cycript as well as the convenience of Apple’s heap.py script bundled within Xcode.

Thanks to all of them for inspiring me and allowing me to learn from them.

Are there any instructions for the labs? The downloaded materials only show the directories, and I am unsure if there is something that is missing. (I just passed the lab 1 portion where Derek mentions that the group gets to work on it and they’ll meet back later.)

Hey @simonqq, sorry I didn’t get back to you sooner. The lab instruction PDF is located at $workshop_dir/RWDevCon-2017-Workshops.pdf

Lab 1 => page 19
Lab 2 => page 39
Lab 3 => page 54
Lab 4 => page 72

Hi Derek,

After learning the sbt command, I tried resymbolicating a release iOS app, but I get stuck.

Whenever I call the synthetic property on the symbol, it keeps returning False. But I’m sure that this method is synthetic, because it’s in the release app.

(lldb) script print lldb.frame
frame #0: 0x0000000101671a38 WeChat`_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int) + 15158668
(lldb) script print lldb.frame.symbol
id = {0x00000010}, range = [0x000000010075ccac-0x0000000101a9e0a0), name="_mcwxh_dydx33_8to8(_VDecStruct*, unsigned char*, unsigned char*, unsigned int, unsigned int, unsigned int, unsigned int)", mangled="_Z18_mcwxh_dydx33_8to8P11_VDecStructPhS1_jjjj"
(lldb) script print lldb.frame.symbol.synthetic
False

Do you have any instructions on how to resymbolicate an arm64, release iOS application?

Thanks.

Hey @rwdevcon2017,

LLDB is correct in returning that the synthetic property is false. This appears to be a C++ function, not an Objective-C function. That being said, WeChat could be deploying some preprocessing to obfuscate the Objective-C call. If the SBSymbol was synthetic, then LLDB would generate a method name like ___lldb_unnamed_symbol1234$$WeChat instead.

In regards to resymbolicating a stripped arm64 binary without the original symbolication file, I would say it depends what you’re going after. It is definitely theoretically possible to resymbolicate Objective-C code; you’ll just need a strong understanding of Mach-O and DWARF to go after the Objective-C class/method declarations in the different segments. In regards to resymbolicating C or C++ implemented in the main executable (i.e. not position independent code), I do not have a good answer for that.
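The cues in the reply above (a synthetic symbol shows up as `___lldb_unnamed_symbol1234$$Module`, a C++ symbol carries an Itanium-mangled name beginning with `_Z`, an Objective-C method demangles to `-[Class selector:]`) can be turned into a small LLDB Python command that labels every frame of the selected thread. This is an added example, not part of the workshop materials or the `sbt` script; the command name `symkind`, the helper `classify_symbol()` and the sample symbol strings in the comments are assumptions made for the illustration. `classify_symbol()` is pure Python so it can be checked outside the debugger; the frame walk uses only documented SB API calls (`SBThread.frames`, `SBFrame.GetSymbol()`, `SBSymbol.GetName()`, `SBSymbol.GetMangledName()`, `SBSymbol.IsSynthetic()`, `SBAddress.GetLoadAddress()`).

```python
"""
Added example (not from the workshop): an LLDB command that labels each
frame's symbol as synthetic, Objective-C, C++ or plain C.

    (lldb) command script import /path/to/symkind.py
    (lldb) symkind
"""
import re

try:
    import lldb  # only available inside LLDB's embedded Python
except ImportError:  # lets classify_symbol() be tested stand-alone
    lldb = None

# LLDB names a stripped (synthetic) symbol ___lldb_unnamed_symbol<N>$$<Module>
SYNTHETIC_RE = re.compile(r"^___lldb_unnamed_symbol\d+\$\$")
# Objective-C methods demangle to -[Class selector:] or +[Class selector:]
OBJC_RE = re.compile(r"^[-+]\[\S+ [^\]]+\]$")


def classify_symbol(name, mangled="", synthetic=False):
    """Return 'synthetic', 'objc', 'c++' or 'c' for one symbol.

    name      -> SBSymbol.GetName()         (demangled form, as LLDB prints it)
    mangled   -> SBSymbol.GetMangledName()  ('' when there is nothing to demangle)
    synthetic -> SBSymbol.IsSynthetic()
    """
    name = name or ""
    mangled = mangled or ""
    if synthetic or SYNTHETIC_RE.match(name):
        return "synthetic"
    if OBJC_RE.match(name):
        return "objc"
    # Itanium C++ ABI: mangled names start with _Z. LLDB prints the name
    # without the Mach-O leading underscore (as in the thread above), but
    # accept the raw __Z form too in case it comes from another source.
    if mangled.startswith("_Z") or mangled.startswith("__Z"):
        return "c++"
    return "c"


def describe_frames(thread, target):
    """Return [(frame_id, pc_load_address, kind, name)] for every frame."""
    rows = []
    for frame in thread.frames:  # Python-only convenience iterator on SBThread
        sym = frame.GetSymbol()
        kind = classify_symbol(sym.GetName(), sym.GetMangledName(), sym.IsSynthetic())
        pc = frame.GetPCAddress().GetLoadAddress(target)
        rows.append((frame.GetFrameID(), pc, kind, sym.GetName()))
    return rows


def symkind(debugger, command, result, internal_dict):
    """LLDB command entry point: print the classified backtrace."""
    target = debugger.GetSelectedTarget()
    thread = target.GetProcess().GetSelectedThread()
    for frame_id, pc, kind, name in describe_frames(thread, target):
        result.AppendMessage("frame #%-3d 0x%016x %-9s %s" % (frame_id, pc, kind, name))


def __lldb_init_module(debugger, internal_dict):
    # Register `symkind` when the file is loaded with `command script import`
    debugger.HandleCommand("command script add -f %s.symkind symkind" % __name__)
```

Applied to the WeChat frame quoted in the question, `classify_symbol` returns `"c++"` because the mangled name starts with `_Z` and `IsSynthetic()` is false, which is exactly what the reply explains; a frame whose name matches the `___lldb_unnamed_symbol` pattern, or whose `IsSynthetic()` is true, is the case where a stripped Objective-C method may hide, and those are the frames worth resymbolicating first.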