4ch12dy / xia0LLDB

LLDB python scripts for iOS arm64 reversing by xia0

debugme issues #3

Open secretpray opened 4 years ago

secretpray commented 4 years ago

(lldb) debugme
[] start patch ptrace funtion to bypass antiDebug
[+] success ptrace funtion to bypass antiDebug
[] start patch svc ins to bypass antiDebug
[-] failed to get text segment:["rror: warning: format specifies type 'unsigned long' but the argument has type 'uint64_t' (aka 'unsigned long long')\nwarning: format specifies type 'unsigned long' but the argument has type 'uint64_t' (aka 'unsigned long long')\nwarning: ISO C++11 does not allow conversion from string literal to 'char *'\nerror: Couldn't lookup symbols:\n _sprint"]
[x] happy debugging~ kill antiDebug by xia0@2019

secretpray commented 4 years ago

Error in choose.py

$ lldb

[traceOC]: trace ObjectC function call traceOC more usage, try "traceOC -h"

[xutil]: some util tool for debug, this command is flexable and some options maybe remove future xutil [-b addr, -s module, -l dylib] more usage, try "xutil -h"
error: module importing failed: invalid syntax (choose.py, line 274) File "temp.py", line 1, in

error: module importing failed: Missing parentheses in call to 'print'. Did you mean print('please specify the param, for example: "-[UIView initWithFrame:]"')? (xbr.py, line 531) File "temp.py", line 1, in

error: module importing failed: invalid syntax (dumpdecrypted.py, line 431) File "temp.py", line 1, in

4ch12dy commented 4 years ago

Error in choose.py

$ lldb

[traceOC]: trace ObjectC function call

traceOC more usage, try "traceOC -h"
[xutil]: some util tool for debug, this command is flexable and some options maybe remove future xutil [-b addr, -s module, -l dylib] more usage, try "xutil -h"
error: module importing failed: invalid syntax (choose.py, line 274) File "temp.py", line 1, in

error: module importing failed: Missing parentheses in call to 'print'. Did you mean print('please specify the param, for example: "-[UIView initWithFrame:]"')? (xbr.py, line 531) File "temp.py", line 1, in

error: module importing failed: invalid syntax (dumpdecrypted.py, line 431) File "temp.py", line 1, in

traceOC isn't finished yet…

4ch12dy commented 4 years ago

What app is that? I'll test it on my side.

wxq491216 commented 4 years ago

➜ gif lldb

[traceOC]: trace ObjectC function call traceOC more usage, try "traceOC -h"

[xutil]: some util tool for debug, this command is flexable and some options maybe remove future xutil [-b addr, -s module, -l dylib] more usage, try "xutil -h"
error: module importing failed: invalid syntax (choose.py, line 274) File "temp.py", line 1, in
error: module importing failed: Missing parentheses in call to 'print'. Did you mean print('please specify the param, for example: "-[UIView initWithFrame:]"')? (xbr.py, line 531) File "temp.py", line 1, in pcc
error: module importing failed: invalid syntax (dumpdecrypted.py, line 431) File "temp.py", line 1, in

[debugme]: kill anti-debug in lldb debugme more usage, try "debugme -h"

[info]: get basic info of process/function/module/address/... info [-m moduleName, -a address, -f funtionName, -u UserDefaults] more usage, try "info -h"
error: module importing failed: invalid syntax (sbt.py, line 166) File "temp.py", line 1, in

No matter which app it is, this error is reported as soon as lldb connects, and xbr is completely unusable.

4ch12dy commented 4 years ago

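Are you using the latest xia0LLDB? I tested on my side and could not reproduce this problem. From the error it looks like a Python file parsing error. Are you using Python3?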

wxq491216 commented 4 years ago

python -V
Python 2.7.10

Is python3 supposed to be used by default?

4ch12dy commented 4 years ago

Use python2

wxq491216 commented 4 years ago

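It looks like this is caused by the python environment. Everything was normal before I installed python3. After installing python3 this problem appeared, but the Mac actually uses python2 by default. Still figuring out how to solve it!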

wxq491216 commented 4 years ago

This error is fixed with the command below:

defaults write com.apple.dt.lldb DefaultPythonVersion 2

The newest Xcode 11 uses python3 by default, so this command changes the python version from 3 to 2.
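A triage helper for the startup output quoted in this thread, as an added example that is not part of the original thread or of xia0LLDB: it pulls each failing script out of LLDB's "module importing failed" lines and flags the unambiguous Python 2 print-statement signature. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample, modelled on the LLDB startup errors quoted in this thread.
SAMPLE = (
    'error: module importing failed: invalid syntax (choose.py, line 274) '
    'File "temp.py", line 1, in\n'
    "error: module importing failed: Missing parentheses in call to 'print'. "
    "Did you mean print('please specify the param, for example: "
    '"-[UIView initWithFrame:]"\')? (xbr.py, line 531) File "temp.py", line 1, in '
    'error: module importing failed: invalid syntax (dumpdecrypted.py, line 431)\n'
    'error: module importing failed: invalid syntax (sbt.py, line 166)\n'
)

# The message itself may contain parentheses, so anchor on "(<file>.py, line N)".
IMPORT_ERR = re.compile(
    r"module importing failed: (?P<msg>.*?)\s*"
    r"\((?P<file>[\w.-]+\.py), line (?P<line>\d+)\)"
)

def classify(msg):
    """Map an import error message to a coarse cause (hypothetical labels)."""
    if "Missing parentheses in call to 'print'" in msg:
        return "py2-print-statement"  # only a Python 3 parser emits this
    if msg.startswith("invalid syntax"):
        return "syntax-error"  # consistent with Python 2-only syntax, not proof
    return "other"

def parse_import_failures(output):
    """Return one record per failed script, even when errors share a line."""
    return [
        {"file": m["file"], "line": int(m["line"]), "kind": classify(m["msg"])}
        for m in IMPORT_ERR.finditer(output)
    ]

def interpreter_mismatch(failures):
    """True when at least one failure proves Python 2 code met a Python 3 parser."""
    return any(f["kind"] == "py2-print-statement" for f in failures)

if __name__ == "__main__":
    found = parse_import_failures(SAMPLE)
    for f in found:
        print("{file}:{line} -> {kind}".format(**f))
    if interpreter_mismatch(found):
        print("Python 2 scripts are being loaded by an LLDB that embeds Python 3")
```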

4ch12dy commented 4 years ago

thanks! I will update xia0LLDB with python3 soon.

colordancer commented 4 years ago

[-] failed to get text segment:["rror: warning: format specifies type 'unsigned long' but the argument has type 'uint64_t' (aka 'unsigned long long')\nwarning: format specifies type 'unsigned long' but the argument has type 'uint64_t' (aka 'unsigned long long')\nwarning: ISO C++11 does not allow conversion from string literal to 'char *'\nerror: Couldn't lookup symbols:\n _sprint"]

Couldn't lookup symbols:\n _sprint, has this bug been fixed?

4ch12dy commented 4 years ago

Couldn't lookup symbols:\n _sprint, has this bug been fixed?

What app? I'll test it on my side.

colordancer commented 4 years ago

Couldn't lookup symbols:\n _sprint, has this bug been fixed?

What app? I'll test it on my side.

kwai_gif, 6.9.1

4ch12dy commented 4 years ago

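It is a timing issue: right after lldb attaches, the modules have not been loaded yet. See this article http://4ch12dy.site/2019/09/23/lldb-dumpdecrypted/lldb-dumpdecrypted/ and run debugme after xbr -E main (be sure to delete all breakpoints before running it).

One thing to note, though: debugme mainly targets anti-debugging via ptrace and the nasty svc inline assembly; debugme does not handle other methods for now.

One more point: the executable of a certain "*shou" app does not contain the key code; it is all in another dylib. So it needs to be analyzed manually.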

colordancer commented 4 years ago

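It is a timing issue: right after lldb attaches, the modules have not been loaded yet. See this article http://4ch12dy.site/2019/09/23/lldb-dumpdecrypted/lldb-dumpdecrypted/ and run debugme after xbr -E main (be sure to delete all breakpoints before running it).

One thing to note, though: debugme mainly targets anti-debugging via ptrace and the nasty svc inline assembly; debugme does not handle other methods for now.

One more point: the executable of a certain "*shou" app does not contain the key code; it is all in another dylib. So it needs to be analyzed manually.

Haha, thanks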