The previous article gave a general introduction to a few tools, which I assume you are familiar with by now. Go back and check it if not. Ha ha. Without further ado, here is a worked example that combines Hopper, ios-deploy and LLDB, and at the same time lets you try out LLDB debugging commands such as setting breakpoints. (You can follow my blog; some articles have not yet been moved over to the flyOceanfish blog portal.)

The demo uses these tools to find the view controller behind the currently displayed view of a running app. (What follows looks complicated, but the whole process is really just a demonstration of how the tools are used. If you actually want this functionality there is a much simpler way; see if you can think of it, and if not, no matter, I reveal it at the end of the article.)

Getting the controller for the currently visible view

  • Connect to the real device and start LLDB remote debugging

Note: before running the following command, make sure the terminal has cd'ed to the directory that contains WeiXin.app.

ios-deploy --debug --bundle WeiXin.app

After this command runs, the app is installed on the phone and launched. The terminal then shows output ending in an (lldb) prompt, which means the app started and the remote debugging session is attached.

[screenshot: ios-deploy output ending at the (lldb) prompt]

  • Set a global breakpoint

br set -n viewWillAppear:

From now on, entering any screen will stop at this breakpoint. The terminal first confirms the breakpoint like this:

[screenshot: LLDB output confirming the breakpoint]

The 1 I marked in the figure is the breakpoint ID, which you use for deleting, disabling and other breakpoint operations (for example br delete 1).

When you navigate in the app, execution stops at the breakpoint and the terminal shows the following:

[screenshot: LLDB stopped at viewWillAppear:]

The stop location already shows the name of the controller corresponding to the current view. Then type br dis and press Enter to disable the breakpoint, and c to continue execution.

  • Get the current view controller

(lldb) po $x0

(lldb) po [(MMUINavigationController*)0x11c1a3c00 viewControllers]

Some tutorials use po $r0; that is the command for 32-bit (armv7) devices. po $x0 is the 64-bit (arm64) equivalent. When stopped on the first instruction of an Objective-C method, the first argument register (x0 on arm64, r0 on armv7) holds self, the receiver, and the second (x1 / r1) holds the selector, so po $x0 prints the view controller instance. The second command casts the raw address to MMUINavigationController* because LLDB does not know the type of a bare number and cannot resolve the viewControllers call without the cast.

[screenshot: po output]

That was the breakpoint approach to getting the name of the current view controller. Now let me show you another way.

The second method:

(lldb) e UIApplication *$app = [UIApplication sharedApplication]
(lldb) e UIWindow *$keyWindow = $app.keyWindow

(lldb) po $keyWindow.rootViewController
<MMTabBarController: 0x138947000>

(lldb) e MMTabBarController *$tab = (MMTabBarController *)$keyWindow.rootViewController

(lldb) po $tab.viewControllers
<__NSArrayM 0x139775c50>(
<MMUINavigationController: 0x1380a2a00>,
<MMUINavigationController: 0x138938a00>,
<MMUINavigationController: 0x13893d600>,
<MMUINavigationController: 0x138943600>
)

(lldb) e MMUINavigationController *$navi2 = $tab.viewControllers[2]

(lldb) po $navi2.visibleViewController

(SeePeopleNearbyViewController *) $8 = 0x00000001398f55c0

The e (expression) command in LLDB lets you execute arbitrary Objective-C statements inside the remote process, much like Cycript. po is shorthand for expression -O, which prints the object's description, and variables prefixed with $ persist between commands.

The third method:

Just use Xcode's Debug View Hierarchy while the app is attached in Xcode. 😁 😁

Breakpoint debugging by memory address

First, a few bits of background; with them, the rest is straightforward.

Module address after the offset = ASLR offset + module address before the offset

  • Address after the offset: the real address of the function or object in the running process, and the one we use while debugging.

  • Address before the offset: the static address that Hopper (or any other disassembler) shows when it loads our app's binary.

  • ASLR (Address Space Layout Randomization) offset, also called the slide: a random offset the system adds to the module's addresses at every launch. It works as a security measure because the static addresses are easy to read out of the binary with any disassembly tool, while the slide only exists at runtime and is much harder to obtain (here we read it out of LLDB).

Getting the ASLR offset

image list -o -f "WeChat"

[screenshot: image list output]

The value in the offset column, 0x0000000000300000 here, is the ASLR offset (slide). It changes on every launch, so read it again each time you restart the app. Each loaded module has its own slide; the "WeChat" filter limits the output to the main binary.

Getting the address before the offset

Drag the .app into Hopper. Be sure to pick the architecture that matches your phone (64-bit arm64 here); choosing the wrong one gives addresses that do not match the running process. Loading can take a while; be patient.

Taking message interception as the example: search for the function name in Hopper.

[screenshot: Hopper search result]

0x00000001029C2964 is the address before the offset (the static address shown in Hopper) of the function we are looking for.

Now open a calculator, switch it to hexadecimal, and add the two:

0x00000001029C2964 + 0x0000000000300000 = 0x102cc2964

Setting the breakpoint

br set -a 0x102cc2964

(The full LLDB form is breakpoint set --address; br s -a is the short form.)
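As an added example (my own helper script, not code from the original post nor from WeChat, Hopper or LLDB), here is a small Python script that does the address arithmetic from this section and generalises it: it parses the output of image list -o -f to get the slide of every loaded module, converts a Hopper address into the runtime address, converts a runtime address (say, one from a crash backtrace) back into the address to look up in Hopper, and prints the breakpoint command. The image list lines inside it are constructed to reproduce the values above; the paths and the extra module names are placeholders.

```python
import re

# Constructed sample of what `(lldb) image list -o -f` prints on an arm64
# device: index, ASLR slide (the -o column) and module path (the -f column).
# Paths are placeholders; the WeChat slide matches the value in the article.
SAMPLE_IMAGE_LIST = """\
[  0] 0x0000000000300000 /var/containers/Bundle/Application/APP-UUID/WeChat.app/WeChat
[  1] 0x0000000000ab4000 /Developer/usr/lib/libBacktraceRecording.dylib
[  2] 0x0000000006a5c000 /System/Library/Frameworks/UIKit.framework/UIKit
"""

IMAGE_LINE = re.compile(r"^\[\s*(\d+)\]\s+(0x[0-9A-Fa-f]+)\s+(\S+)")


def parse_slides(image_list_output):
    """Map module name -> ASLR slide, parsed from `image list -o -f` output.

    Each module gets its own slide, so keep them all rather than only the
    main binary's; the module name is the last path component.
    """
    slides = {}
    for line in image_list_output.splitlines():
        m = IMAGE_LINE.match(line.strip())
        if m:
            name = m.group(3).rsplit("/", 1)[-1]
            slides[name] = int(m.group(2), 16)
    return slides


def static_to_runtime(static_addr, slide):
    """Hopper (file) address -> address in the running process."""
    return static_addr + slide


def runtime_to_static(runtime_addr, slide):
    """Address seen in LLDB (backtrace, register) -> address to open in Hopper."""
    return runtime_addr - slide


def breakpoint_command(static_addr, slide):
    """LLDB command that breaks at a Hopper address in the live process."""
    return "br set -a {:#x}".format(static_to_runtime(static_addr, slide))


if __name__ == "__main__":
    slides = parse_slides(SAMPLE_IMAGE_LIST)
    slide = slides["WeChat"]
    hopper_addr = 0x1029C2964  # address Hopper showed for the target method
    print("slide           = {:#x}".format(slide))
    print("runtime address = {:#x}".format(static_to_runtime(hopper_addr, slide)))
    print(breakpoint_command(hopper_addr, slide))
    # The other direction, e.g. for an address copied out of a crash log:
    print("static address  = {:#x}".format(runtime_to_static(0x102CC2964, slide)))
```

Re-run the parsing after every relaunch, since the slide changes each time. Newer LLDB versions can also apply the slide for you when you pass the static address together with its module (br set -a 0x1029c2964 -s WeChat); see help breakpoint set for the details.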

Next, find a pretty girl to send a message to and watch the breakpoint hit. Ha ha

[screenshot: LLDB stopped at the address breakpoint]

ni

(lldb) po $x0

ni steps a single machine instruction. Because we stopped on the first instruction of the method, x0 usually still holds the receiver at this point, so po $x0 prints the object the intercepted message was sent to.