search

4ch12dy / xia0LLDB

LLDB python scripts for iOS arm64 reversing by xia0
640 stars 111 forks source link

exeucte debugme will make Tiiktok crash #17

Closed liuxuan30 closed 3 years ago

liuxuan30 commented 3 years ago

Hi there,

我在抖音启动到UIApplicationMain时加了断点,然后执行了debugme

提示似乎都正常也patch了,但是继续调试就会直接crash在

TikTok`___lldb_unnamed_symbol400947$$TikTok:
->  0x1071925a0 <+0>:  udf    #0x1
    0x1071925a4 <+4>:  ldr    x16, #0x8                 ; <+12>
    0x1071925a8 <+8>:  br     x16
    0x1071925ac <+12>: .long  0x0f024000                ; unknown opcode

crash 在 udf #0x1这里

(lldb) bt
* thread #24, queue = 'com.apple.root.background-qos', stop reason = EXC_BAD_INSTRUCTION (code=1, subcode=0x1)
  * frame #0: 0x00000001071925a0 TikTok`___lldb_unnamed_symbol400947$$TikTok
    frame #1: 0x0000000107193224 TikTok`___lldb_unnamed_symbol400952$$TikTok + 508
    frame #2: 0x0000000107193edc TikTok`___lldb_unnamed_symbol400954$$TikTok + 884
    frame #3: 0x0000000107199fe8 TikTok`___lldb_unnamed_symbol400972$$TikTok + 284
    frame #4: 0x0000000107199304 TikTok`___lldb_unnamed_symbol400969$$TikTok + 196
liuxuan30 commented 3 years ago

如果让程序完全跑起来以后,中断LLDB 然后跑debugme,似乎也oK,

但是给某个函数在svc 前后加了断点,再继续执行,就会遇到

error: memory read failed for 0xfffffffe18d90000

crash提示在

0x1033c0be8 <+276>: mov x1, x0

尝试打印$x1 和x0是这样的:

(lldb) po $x0
error: Couldn't materialize: couldn't read the value of register x0
error: errored out in DoExecute, couldn't PrepareToExecuteJITExpression
(lldb) po $x1
error: Couldn't materialize: couldn't read the value of register x1
error: errored out in DoExecute, couldn't PrepareToExecuteJITExpression
(lldb) reg read
General Purpose Registers:
       x19 = 0x0000000281b69530
       x20 = 0x0000000281b69530
       x21 = 0x0000000281b69540
       x22 = 0x00000002225717b8 
       x23 = 0x00000001070b9658 
       x24 = 0x000000028308d560
       x25 = 0x000000005f910b68
       x26 = 0x00000002226b4037 
       x27 = 0x0000000106804000  (void *)0x000000010689aec0
       x28 = 0x00000001067a4000 
        fp = 0x00000001704710f0
        lr = 0x00000001033c0be8  TikTok`___lldb_unnamed_symbol400914$$TikTok + 276
        sp = 0x0000000170471080
        pc = 0x00000001033c0be8  TikTok`___lldb_unnamed_symbol400914$$TikTok + 276
20 registers were unavailable.
liuxuan30 commented 3 years ago

如果我尝试使用patcher 比如代码段

    0x105968c14 <+320>: b      0x105968bf4               ; <+288>
    0x105968c18 <+324>: svc    #0x80
    0x105968c1c <+328>: add    sp, sp, #0x50             ; =0x50

我想把0x105968c18 改为nop, 

(lldb) patcher -a 0x105968c18 -i nop -s 4
[*] start patch text at address:0x105968c18 size:4 to ins:"nop" and data:0x1f, 0x20, 0x03, 0xd5 
[*] make ins data:
{0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 ,0x1f, 0x20, 0x03, 0xd5 }
[+] patch done
[x] power by xia0@2019

然后再继续,也会遇到

error: memory read failed for 0x10765f6400

4ch12dy commented 3 years ago

douyin就别想一步搞定了

liuxuan30 commented 3 years ago

@4ch12dy 能详细说说吗?你是说xia0LLDB 里面那些反反调试的没法用还是有bug?还是被针对了

4ch12dy commented 3 years ago

有对抗