Lu Yuanjiang joined Qunar in January 2019. Now he is in charge of app analysis and device fingerprint reverse climbing, and has rich experience in app unshell and Java/NativeC layer encryption and decrypting algorithm analysis.
1. The background
Used to get familiar with the loading process of classes in the Dalvik VM (native layer)
- With APP source configuration, you can achieve graphical debugging in Android Studio (IDE built-in function).
- No APP source code in the case of how to achieve graphical debugging.
2. Set environment requirements
- Android Studio version: 2.2 or above (earlier versions do not support Native debugging)
- Install the plug-in: LLDB debugger( lldb.llvm.org/ )
- A compiled android source code (Android4.4.4)
3. APP source code is available
-
Create an Android project (as the target process for debugging)
-
Replace files with debug symbols
Files containing debugging symbols are stored in the compiled symbols directory
From their cell phone/system/lib/libdvm. So replace with debug symbol information libdvm. So (compiled android source the out/target/product/hammerhead/symbols/system/lib/libdvm. So)
-
Configure debug mode for the target process
Select Debug mode -Native mode, in the toolbar – select and click run the following button Edit Configuration: When configured, name it APP
-
After configuration, run APP\ directly in debug mode
-
After the Wating for Debuger interface appears on the phone, click the pause button in the Android Studio debugger. There are three Windows as follows: Frames, Variables, LLDB, which are used to view the function call stack, variable view, and LLDB interaction respectively.
- Run the breakpoint command on the LLDB interface, and the following figure shows after the breakpoint is triggered:
You can use commands such as F7 F8 F9 for visual debugging. Breakpoints can only be accessed from the LLDB command. For visual debugging purposes, two breakpoints are useful:
A # breakpoint based on function name
br s -n DalvikdalviksystemDexFiledefineClassNative
B # set a breakpoint based on the file name and line number
Br set –file dalvikSystemdexfile. CPP –line 387 or br S -f DalvikSystemdexfile. CPP -l 387
- You can step through other modules of interest, such as libdvm. So, etc
4. Debug libdvm. So without APP source
Scenario: After modifying dalvik recompile and trying to debug the modified code, custom libdvm. So encountered a crash location while running.
Visual debugging on Android Studio is not possible without the APP source code, usually through GDB or IDA.
This is how to use LLDB for remote debugging.
Common LLDB commands:
| The command | functions |
|---|---|
| p *(Type *)addr | Print structure |
| Po object. Properties | View properties in a structure or object |
| Br s minus n function name | Breakpoints for function names |
| b **.m:NUM | Sets a line breakpoint on a file |
| Br del Indicates the breakpoint number | Remove breakpoints |
| ta v | Viewing global variables |
| ta v baz | // A specific global variable baz |
| fr v | Viewing local variables |
| fr v bar | // View a specific variable, where bar is the variable name |
| s | enter |
| n | Step over |
| c | Continue to run |
| wa s v b | Set the variable b as the watch point |
| watchpoint l | View point |
| Watch del Number of the watch point | Delete watch point |
Prerequisites:
**** The target APP must be debuggable – we have compiled the DEBUG version of the ROM, which enables debugging of any APP.
The LLDB is relatively simple to use. The specific steps are as follows:
- LLDB – server push to mobile phone/data/local/TMP directory LLDB – server is located in the Android Sdk/LLDB / 3.1 / Android/armeabi directory
- Assign executable rights to llDB-server on the mobile phone
chmod 777 lldb-server
Copy the code3. Run the LLDB-server in the mobile phone
./lldb-server platform --server --listen unix-abstract:///data/local/tmp/debug.sock
Copy the code4. On another terminal, enter LLDB
The LLDB supports various plug-ins. You can view them in the Platform list
(lldb) platform list
Available platforms:
host: Local Linux user platform plug-in.
remote-freebsd: Remote FreeBSD user platform plug-in.
remote-linux: Remote Linux user platform plug-in.
remote-netbsd: Remote NetBSD user platform plug-in.
remote-windows: Remote Windows user platform plug-in.
kalimba: Kalimba user platform plug-in.
remote-android: Remote Android user platform plug-in.
remote-ios: Remote iOS platform plug-in.
remote-macosx: Remote Mac OS X user platform plug-in.
remote-gdb-server: A platform that uses the GDB remote protocol as the communication transport.(lldb)
Copy the codeWe chose to use the Android debug plugin
platform select remote-android
Copy the codeConnection LLDB – server
platform connect unix-abstract-connect:///data/local/tmp/debug.sock
Copy the codeAttach Target process
Process attach -p INDICATES the ID of the target APP processCopy the code- Use the LLDB command to debug libdvm
