inovex GmbH, profile picture
Uploaded byinovex GmbH
PDF, PPTX925 views

lldb – Debugger auf Abwegen

The document discusses advanced debugging techniques using the Macoun framework with lldb, including various types of breakpoints (conditional, symbolic, and non-symbolic) and their manipulation. It also delves into runtime code manipulation, such as binary patching, and provides practical examples of altering function behavior and controlling thread execution. This session aims to enhance participants' debugging skills while cautioning that just because something is technically possible, it may not always be sensible.

Embed presentation

Download as PDF, PPTX
Macoun ⌘
lldb - Debugger auf Abwegen Oliver Bayer inovex GmbH
Disclaimer: Nur weil es technisch geht, muss es noch lange nicht sinnvoll sein!
Ablauf •Breakpoints per CLI •Metabreakpoints •Kontrollfluss Manipulation / Demo
Breakpoints •Software Breakpoint •Symbolic Breakpoint •Non-Symbolic Breakpoint
Conditional Breakpoints foo("") func foo(_ value: String) { ... } foo("bar") Foo.swift Bar.swift
Conditional Breakpoints
Conditional Breakpoints
Conditional Breakpoints Non-Symbolic Breakpoint
Conditional Breakpoints Symbolic Breakpoint
Metabreakpoints foo("bar") func foo(_ value: String) { ... } foo("bar") Foo.swift Bar.swift
br s -n foo -N macoun -d MetabreakpointsMetabreakpoints foo("bar") func foo(_ value: String) { ... } Bar.swift
br set -n foo -N macoun -d br s -f Bar.swift -l 42 -C "br en macoun" -G true MetabreakpointsMetabreakpoints foo("bar") func foo(_ value: String) { ... } Bar.swift
Metabreakpoints func seiteneffekteFuer100() { print("1") do() print("2") something() print("3") forMe() }
Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
Metabreakpoints func do() { … let player = AVPlayer(playerItem: item) … player.play() … }
Metabreakpoints func do() { … let player = AVPlayer(playerItem: item) … } br s -f Player.swift -l 4 -C "call player.isMuted = false" -G true
Metabreakpoints func do() { … let player = AVPlayer(playerItem: item) // Hier der Breakpoint … } br s -f Player.swift -p "// Hier der Breakpoint" -X do -C "call player.isMuted = true" -G true
Metabreakpoints •Auf dem Stack1 steht die Rücksprungadresse des Aufrufenden •Nach dem Rücksprung steht die Adresse der AVPlayer Instanz in Register rax1 [1] x86 Architekturen
Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
Neue Wege gehen mit thread •Codepfade zur Laufzeit manipulieren •Methoden kurzschließen •Rückgabewerte ändern
Demo
Neue Wege gehen mit thread •Nachteil an thread return et al. → bremst das Ausführen des Codes aus
 •Idee: (Binary) Patch → genauso schnell wie vorher
Binary Patch Breakpoint private func isExpectedInput(_ value: String) -> Bool { if value.lowercased() == secret { return true } else { return false } }
Binary Patch Breakpoint private func isExpectedInput(_ value: String) -> Bool { return true }
Binary Patch Breakpoint push rbp
 mov rbp, rsp push 0x1 pop rax pop rbp ret 'x55x6ax01x58x5dxc3'
Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
Patch Breakpoint private let secret = "foo" —> "macoun"
Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
Schlussworte •Automatismen •https://github.com/obayer/Trampoline • .lldbinit • command source <filename> • für alles andere: lldb help
Fragen?
Vielen Dank Oliver Bayer inovex GmbH
Macoun ⌘

More Related Content

PPTX
Gun make
bypsychesnet Hsieh
 
PDF
All I know about rsc.io/c2go
byMoriyoshi Koizumi
 
ZIP
AnyMQ, Hippie, and the real-time web
byclkao
 
PPTX
Understand more about C
byYi-Hsiu Hsu
 
KEY
Good Evils In Perl (Yapc Asia)
byKang-min Liu
 
TXT
Mona cheatsheet
byCe.Se.N.A. Security
 
PDF
node ffi
by偉格 高
 
PDF
High Performance tDiary
byHiroshi SHIBATA
 
Gun make
bypsychesnet Hsieh
 
All I know about rsc.io/c2go
byMoriyoshi Koizumi
 
AnyMQ, Hippie, and the real-time web
byclkao
 
Understand more about C
byYi-Hsiu Hsu
 
Good Evils In Perl (Yapc Asia)
byKang-min Liu
 
Mona cheatsheet
byCe.Se.N.A. Security
 
node ffi
by偉格 高
 
High Performance tDiary
byHiroshi SHIBATA
 

What's hot

PDF
Implementing Software Machines in C and Go
byEleanor McHugh
 
PPT
typemap in Perl/XS
bycharsbar
 
PDF
A CTF Hackers Toolbox
byStefan
 
PDF
Static Optimization of PHP bytecode (PHPSC 2017)
byNikita Popov
 
PDF
Powered by Python - PyCon Germany 2016
bySteffen Wenz
 
TXT
Exploit techniques - a quick review
byCe.Se.N.A. Security
 
PDF
Trading with opensource tools, two years later
byclkao
 
PDF
Go a crash course
byEleanor McHugh
 
PDF
Python meetup: coroutines, event loops, and non-blocking I/O
byBuzzcapture
 
PDF
Barely Legal Xxx Perl Presentation
byAttila Balazs
 
PPT
Working with databases in Perl
byLaurent Dami
 
PDF
Implementing Software Machines in Go and C
byEleanor McHugh
 
PDF
2 BytesC++ course_2014_c3_ function basics&parameters and overloading
bykinan keshkeh
 
PDF
Cluj.py Meetup: Extending Python in C
bySteffen Wenz
 
PDF
What's new in PHP 8.0?
byNikita Popov
 
PDF
Bytes in the Machine: Inside the CPython interpreter
byakaptur
 
PDF
NativeBoost
byESUG
 
PDF
C言語静的解析ツールと Ruby 1.9 trunk
byikegami__
 
PDF
Créer une base NoSQL en 1 heure
byAmaury Bouchard
 
PPTX
Python
byWei-Bo Chen
 
Implementing Software Machines in C and Go
byEleanor McHugh
 
typemap in Perl/XS
bycharsbar
 
A CTF Hackers Toolbox
byStefan
 
Static Optimization of PHP bytecode (PHPSC 2017)
byNikita Popov
 
Powered by Python - PyCon Germany 2016
bySteffen Wenz
 
Exploit techniques - a quick review
byCe.Se.N.A. Security
 
Trading with opensource tools, two years later
byclkao
 
Go a crash course
byEleanor McHugh
 
Python meetup: coroutines, event loops, and non-blocking I/O
byBuzzcapture
 
Barely Legal Xxx Perl Presentation
byAttila Balazs
 
Working with databases in Perl
byLaurent Dami
 
Implementing Software Machines in Go and C
byEleanor McHugh
 
2 BytesC++ course_2014_c3_ function basics&parameters and overloading
bykinan keshkeh
 
Cluj.py Meetup: Extending Python in C
bySteffen Wenz
 
What's new in PHP 8.0?
byNikita Popov
 
Bytes in the Machine: Inside the CPython interpreter
byakaptur
 
NativeBoost
byESUG
 
C言語静的解析ツールと Ruby 1.9 trunk
byikegami__
 
Créer une base NoSQL en 1 heure
byAmaury Bouchard
 
Python
byWei-Bo Chen
 

Similar to lldb – Debugger auf Abwegen

KEY
淺入淺出 GDB
byJim Chang
 
PPT
A Life of breakpoint
byHajime Morrita
 
PDF
Gdb cheat sheet
byPiyush Mittal
 
PDF
"You shall not pass : anti-debug methodics"
byITCP Community
 
PDF
More than po: Debugging in LLDB
byMichele Titolo
 
PDF
More Than po: Debugging in LLDB @ CocoaConf SJ 2015
byMichele Titolo
 
PDF
NYU hacknight, april 6, 2016
byMikhail Sosonkin
 
KEY
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
byVincenzo Iozzo
 
PDF
More than `po`: Debugging in lldb
byMichele Titolo
 
PDF
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
byRootedCON
 
PDF
Advanced iOS Debbuging (Reloaded)
byMassimo Oliviero
 
PDF
Владимир Пузанов - JailBreak: Разработка без лимитов
byPavel Bashmakov
 
PDF
Mach-O par Stéphane Sudre
byCocoaHeads France
 
PDF
Go: It's Not Just For Google
byEleanor McHugh
 
KEY
GoLightly: Building VM-Based Language Runtimes with Google Go
byEleanor McHugh
 
PDF
The Python in the Apple
byzeroSteiner
 
PDF
Advanced debugging  techniques in different environments
byAndrii Soldatenko
 
PDF
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
byHafez Kamal
 
PDF
printf tricks
byShaun Colley
 
PPT
Introduction to gdb
byOwen Hsu
 
淺入淺出 GDB
byJim Chang
 
A Life of breakpoint
byHajime Morrita
 
Gdb cheat sheet
byPiyush Mittal
 
"You shall not pass : anti-debug methodics"
byITCP Community
 
More than po: Debugging in LLDB
byMichele Titolo
 
More Than po: Debugging in LLDB @ CocoaConf SJ 2015
byMichele Titolo
 
NYU hacknight, april 6, 2016
byMikhail Sosonkin
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
byVincenzo Iozzo
 
More than `po`: Debugging in lldb
byMichele Titolo
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
byRootedCON
 
Advanced iOS Debbuging (Reloaded)
byMassimo Oliviero
 
Владимир Пузанов - JailBreak: Разработка без лимитов
byPavel Bashmakov
 
Mach-O par Stéphane Sudre
byCocoaHeads France
 
Go: It's Not Just For Google
byEleanor McHugh
 
GoLightly: Building VM-Based Language Runtimes with Google Go
byEleanor McHugh
 
The Python in the Apple
byzeroSteiner
 
Advanced debugging  techniques in different environments
byAndrii Soldatenko
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
byHafez Kamal
 
printf tricks
byShaun Colley
 
Introduction to gdb
byOwen Hsu
 

More from inovex GmbH

PDF
Are you sure about that?! Uncertainty Quantification in AI
byinovex GmbH
 
PDF
Why natural language is next step in the AI evolution
byinovex GmbH
 
PDF
WWDC 2019 Recap
byinovex GmbH
 
PDF
Network Policies
byinovex GmbH
 
PDF
Interpretable Machine Learning
byinovex GmbH
 
PDF
Jenkins X – CI/CD in wolkigen Umgebungen
byinovex GmbH
 
PDF
AI auf Edge-Geraeten
byinovex GmbH
 
PDF
Prometheus on Kubernetes
byinovex GmbH
 
PDF
Deep Learning for Recommender Systems
byinovex GmbH
 
PDF
Azure IoT Edge
byinovex GmbH
 
PDF
Representation Learning von Zeitreihen
byinovex GmbH
 
PDF
Talk to me – Chatbots und digitale Assistenten
byinovex GmbH
 
PDF
Künstlich intelligent?
byinovex GmbH
 
PDF
Dev + Ops = Go
byinovex GmbH
 
PDF
Das Android Open Source Project
byinovex GmbH
 
PDF
Machine Learning Interpretability
byinovex GmbH
 
PDF
Performance evaluation of GANs in a semisupervised OCR use case
byinovex GmbH
 
PDF
People & Products – Lessons learned from the daily IT madness
byinovex GmbH
 
PDF
Infrastructure as (real) Code – Manage your K8s resources with Pulumi
byinovex GmbH
 
PDF
Remote First – Der Arbeitsplatz in der Cloud
byinovex GmbH
 
Are you sure about that?! Uncertainty Quantification in AI
byinovex GmbH
 
Why natural language is next step in the AI evolution
byinovex GmbH
 
WWDC 2019 Recap
byinovex GmbH
 
Network Policies
byinovex GmbH
 
Interpretable Machine Learning
byinovex GmbH
 
Jenkins X – CI/CD in wolkigen Umgebungen
byinovex GmbH
 
AI auf Edge-Geraeten
byinovex GmbH
 
Prometheus on Kubernetes
byinovex GmbH
 
Deep Learning for Recommender Systems
byinovex GmbH
 
Azure IoT Edge
byinovex GmbH
 
Representation Learning von Zeitreihen
byinovex GmbH
 
Talk to me – Chatbots und digitale Assistenten
byinovex GmbH
 
Künstlich intelligent?
byinovex GmbH
 
Dev + Ops = Go
byinovex GmbH
 
Das Android Open Source Project
byinovex GmbH
 
Machine Learning Interpretability
byinovex GmbH
 
Performance evaluation of GANs in a semisupervised OCR use case
byinovex GmbH
 
People & Products – Lessons learned from the daily IT madness
byinovex GmbH
 
Infrastructure as (real) Code – Manage your K8s resources with Pulumi
byinovex GmbH
 
Remote First – Der Arbeitsplatz in der Cloud
byinovex GmbH
 

Recently uploaded

PDF
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
PDF
Project Tracking in Software Project Management
bySahanaBarveen1
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Track Phone Location on iPhone (2026)_ What Actually Works, What’s a Scam, an...
byOlive Dimitrescu
 
PDF
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
PDF
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
PDF
apidays Australia 2025 | Orchestrator vs. Choreography
byapidays
 
PDF
apidays Amsterdam 2025 | APIs with a Purpose
byapidays
 
PDF
Massage Booking App Development Company
byV3CUBE TECHNOLABS
 
PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PDF
apidays Amsterdam 2025 | Making AI work for you as an API Product Manager
byapidays
 
PDF
HubSpot Salesforce Integration Admin Guide
byAlbert Rio
 
PPTX
GraphQL Day Paris 2025 | Bringing DevOps to GraphQL with the Apollo GraphOS O...
byapidays
 
PDF
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
PPTX
2025 S/4HANA Cloud Release Upgrade Overview.pptx
byssuser835a7b
 
PDF
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
Project Tracking in Software Project Management
bySahanaBarveen1
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Track Phone Location on iPhone (2026)_ What Actually Works, What’s a Scam, an...
byOlive Dimitrescu
 
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
apidays Australia 2025 | Orchestrator vs. Choreography
byapidays
 
apidays Amsterdam 2025 | APIs with a Purpose
byapidays
 
Massage Booking App Development Company
byV3CUBE TECHNOLABS
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
apidays Amsterdam 2025 | Making AI work for you as an API Product Manager
byapidays
 
HubSpot Salesforce Integration Admin Guide
byAlbert Rio
 
GraphQL Day Paris 2025 | Bringing DevOps to GraphQL with the Apollo GraphOS O...
byapidays
 
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
2025 S/4HANA Cloud Release Upgrade Overview.pptx
byssuser835a7b
 
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 

lldb – Debugger auf Abwegen

  • 1.
  • 2.
    lldb - Debuggerauf Abwegen Oliver Bayer inovex GmbH
  • 3.
    Disclaimer: Nur weiles technisch geht, muss es noch lange nicht sinnvoll sein!
  • 4.
  • 5.
  • 6.
    Conditional Breakpoints foo("") func foo(_value: String) { ... } foo("bar") Foo.swift Bar.swift
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
    Metabreakpoints foo("bar") func foo(_ value:String) { ... } foo("bar") Foo.swift Bar.swift
  • 12.
    br s -nfoo -N macoun -d MetabreakpointsMetabreakpoints foo("bar") func foo(_ value: String) { ... } Bar.swift
  • 13.
    br set -nfoo -N macoun -d br s -f Bar.swift -l 42 -C "br en macoun" -G true MetabreakpointsMetabreakpoints foo("bar") func foo(_ value: String) { ... } Bar.swift
  • 14.
  • 15.
    Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } brs -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
  • 16.
    Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } brs -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
  • 17.
    Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } brs -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
  • 18.
    Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } brs -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
  • 19.
    Metabreakpoints func do() { … letplayer = AVPlayer(playerItem: item) … player.play() … }
  • 20.
    Metabreakpoints func do() { … letplayer = AVPlayer(playerItem: item) … } br s -f Player.swift -l 4 -C "call player.isMuted = false" -G true
  • 21.
    Metabreakpoints func do() { … letplayer = AVPlayer(playerItem: item) // Hier der Breakpoint … } br s -f Player.swift -p "// Hier der Breakpoint" -X do -C "call player.isMuted = true" -G true
  • 22.
    Metabreakpoints •Auf dem Stack1steht die Rücksprungadresse des Aufrufenden •Nach dem Rücksprung steht die Adresse der AVPlayer Instanz in Register rax1 [1] x86 Architekturen
  • 23.
    Metabreakpoints br s -S"-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  • 24.
    Metabreakpoints br s -S"-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  • 25.
    Metabreakpoints br s -S"-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  • 26.
    Metabreakpoints br s -S"-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  • 27.
    Metabreakpoints br s -S"-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  • 28.
    Metabreakpoints br s -S"-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  • 29.
    Metabreakpoints br s -S"-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
  • 30.
    Neue Wege gehenmit thread •Codepfade zur Laufzeit manipulieren •Methoden kurzschließen •Rückgabewerte ändern
  • 31.
  • 32.
    Neue Wege gehenmit thread •Nachteil an thread return et al. → bremst das Ausführen des Codes aus
 •Idee: (Binary) Patch → genauso schnell wie vorher
  • 33.
    Binary Patch Breakpoint privatefunc isExpectedInput(_ value: String) -> Bool { if value.lowercased() == secret { return true } else { return false } }
  • 34.
    Binary Patch Breakpoint privatefunc isExpectedInput(_ value: String) -> Bool { return true }
  • 35.
    Binary Patch Breakpoint pushrbp
 mov rbp, rsp push 0x1 pop rax pop rbp ret 'x55x6ax01x58x5dxc3'
  • 36.
    Binary Patch Breakpoint brs -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  • 37.
    Binary Patch Breakpoint brs -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  • 38.
    Binary Patch Breakpoint brs -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  • 39.
    Binary Patch Breakpoint brs -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  • 40.
    Binary Patch Breakpoint brs -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  • 41.
    Binary Patch Breakpoint brs -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  • 42.
    Binary Patch Breakpoint brs -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  • 43.
    Binary Patch Breakpoint brs -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
  • 44.
    Patch Breakpoint private letsecret = "foo" —> "macoun"
  • 45.
    Patch Breakpoint private letsecret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
  • 46.
    Patch Breakpoint private letsecret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
  • 47.
    Patch Breakpoint private letsecret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
  • 48.
    Patch Breakpoint private letsecret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
  • 49.
    Patch Breakpoint private letsecret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
  • 50.
    Patch Breakpoint private letsecret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
  • 51.
  • 52.
  • 53.
  • 54.