Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

lldb – Debugger auf Abwegen

282 views

Published on

lldb kann mehr als nur einfache Breakpoints oder po. In dem Vortrag zeigt Oliver Bayer, wie sich mit Hilfe von lldb Programmcode zur Ausführungszeit manipulieren lässt, ohne das hierfür der Sourcecode anzupassen ist. Sei es, damit Test- oder Debugcode nicht in die produktiv App gelangt, oder weil der Sourcecode für einen Teil der App nicht vorliegt.

Event: macoun, 04.10.2019
Speaker: Oliver Bayer, inovex

Mehr Tech-Vorträge: inovex.de/vortraege
Mehr Tech-Artikel: inovex.de/blog

Published in: Software
  • Visit Here to Download PDF Format === http://bestadaododadj.justdied.com/B0000DWRAV-pensee-la-6-fois-l-an-in-4-br-paris.html
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

lldb – Debugger auf Abwegen

  1. 1. Macoun ⌘
  2. 2. lldb - Debugger auf Abwegen Oliver Bayer inovex GmbH
  3. 3. Disclaimer: Nur weil es technisch geht, muss es noch lange nicht sinnvoll sein!
  4. 4. Ablauf •Breakpoints per CLI •Metabreakpoints •Kontrollfluss Manipulation / Demo
  5. 5. Breakpoints •Software Breakpoint •Symbolic Breakpoint •Non-Symbolic Breakpoint
  6. 6. Conditional Breakpoints foo("") func foo(_ value: String) { ... } foo("bar") Foo.swift Bar.swift
  7. 7. Conditional Breakpoints
  8. 8. Conditional Breakpoints
  9. 9. Conditional Breakpoints Non-Symbolic Breakpoint
  10. 10. Conditional Breakpoints Symbolic Breakpoint
  11. 11. Metabreakpoints foo("bar") func foo(_ value: String) { ... } foo("bar") Foo.swift Bar.swift
  12. 12. br s -n foo -N macoun -d MetabreakpointsMetabreakpoints foo("bar") func foo(_ value: String) { ... } Bar.swift
  13. 13. br set -n foo -N macoun -d br s -f Bar.swift -l 42 -C "br en macoun" -G true MetabreakpointsMetabreakpoints foo("bar") func foo(_ value: String) { ... } Bar.swift
  14. 14. Metabreakpoints func seiteneffekteFuer100() { print("1") do() print("2") something() print("3") forMe() }
  15. 15. Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
  16. 16. Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
  17. 17. Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
  18. 18. Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
  19. 19. Metabreakpoints func do() { … let player = AVPlayer(playerItem: item) … player.play() … }
  20. 20. Metabreakpoints func do() { … let player = AVPlayer(playerItem: item) … } br s -f Player.swift -l 4 -C "call player.isMuted = false" -G true
  21. 21. Metabreakpoints func do() { … let player = AVPlayer(playerItem: item) // Hier der Breakpoint … } br s -f Player.swift -p "// Hier der Breakpoint" -X do -C "call player.isMuted = true" -G true
  22. 22. Metabreakpoints •Auf dem Stack1 steht die Rücksprungadresse des Aufrufenden •Nach dem Rücksprung steht die Adresse der AVPlayer Instanz in Register rax1 [1] x86 Architekturen
  23. 23. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  24. 24. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  25. 25. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  26. 26. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  27. 27. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  28. 28. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  29. 29. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  30. 30. Neue Wege gehen mit thread •Codepfade zur Laufzeit manipulieren •Methoden kurzschließen •Rückgabewerte ändern
  31. 31. Demo
  32. 32. Neue Wege gehen mit thread •Nachteil an thread return et al. → bremst das Ausführen des Codes aus
 •Idee: (Binary) Patch → genauso schnell wie vorher
  33. 33. Binary Patch Breakpoint private func isExpectedInput(_ value: String) -> Bool { if value.lowercased() == secret { return true } else { return false } }
  34. 34. Binary Patch Breakpoint private func isExpectedInput(_ value: String) -> Bool { return true }
  35. 35. Binary Patch Breakpoint push rbp
 mov rbp, rsp push 0x1 pop rax pop rbp ret 'x55x6ax01x58x5dxc3'
  36. 36. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  37. 37. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  38. 38. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  39. 39. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  40. 40. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  41. 41. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  42. 42. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  43. 43. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  44. 44. Patch Breakpoint private let secret = "foo" —> "macoun"
  45. 45. Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
  46. 46. Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
  47. 47. Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
  48. 48. Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
  49. 49. Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
  50. 50. Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
  51. 51. Schlussworte •Automatismen •https://github.com/obayer/Trampoline • .lldbinit • command source <filename> • für alles andere: lldb help
  52. 52. Fragen?
  53. 53. Vielen Dank Oliver Bayer inovex GmbH
  54. 54. Macoun ⌘

×