lldb – Debugger auf Abwegen
•
0 likes•915 views
lldb kann mehr als nur einfache Breakpoints oder po. In dem Vortrag zeigt Oliver Bayer, wie sich mit Hilfe von lldb Programmcode zur Ausführungszeit manipulieren lässt, ohne das hierfür der Sourcecode anzupassen ist. Sei es, damit Test- oder Debugcode nicht in die produktiv App gelangt, oder weil der Sourcecode für einen Teil der App nicht vorliegt. Event: macoun, 04.10.2019 Speaker: Oliver Bayer, inovex Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog
More Related Content
What's hot
What's hot (20)
Similar to lldb – Debugger auf Abwegen
Similar to lldb – Debugger auf Abwegen (20)
More from inovex GmbH
More from inovex GmbH (20)
Recently uploaded
Recently uploaded (20)
lldb – Debugger auf Abwegen
- 1. Macoun ⌘
- 2. lldb - Debugger auf Abwegen Oliver Bayer inovex GmbH
- 3. Disclaimer: Nur weil es technisch geht, muss es noch lange nicht sinnvoll sein!
- 4. Ablauf •Breakpoints per CLI •Metabreakpoints •Kontrollfluss Manipulation / Demo
- 6. Conditional Breakpoints foo("") func foo(_ value: String) { ... } foo("bar") Foo.swift Bar.swift
- 11. Metabreakpoints foo("bar") func foo(_ value: String) { ... } foo("bar") Foo.swift Bar.swift
- 12. br s -n foo -N macoun -d MetabreakpointsMetabreakpoints foo("bar") func foo(_ value: String) { ... } Bar.swift
- 13. br set -n foo -N macoun -d br s -f Bar.swift -l 42 -C "br en macoun" -G true MetabreakpointsMetabreakpoints foo("bar") func foo(_ value: String) { ... } Bar.swift
- 15. Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
- 16. Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
- 17. Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
- 18. Metabreakpoints func seiteneffekteFuer100() { do() something() forMe() } br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true br command add -s python print("Line: {}".format(frame.GetLineEntry().GetLine())) DONE
- 19. Metabreakpoints func do() { … let player = AVPlayer(playerItem: item) … player.play() … }
- 20. Metabreakpoints func do() { … let player = AVPlayer(playerItem: item) … } br s -f Player.swift -l 4 -C "call player.isMuted = false" -G true
- 21. Metabreakpoints func do() { … let player = AVPlayer(playerItem: item) // Hier der Breakpoint … } br s -f Player.swift -p "// Hier der Breakpoint" -X do -C "call player.isMuted = true" -G true
- 22. Metabreakpoints •Auf dem Stack1 steht die Rücksprungadresse des Aufrufenden •Nach dem Rücksprung steht die Adresse der AVPlayer Instanz in Register rax1 [1] x86 Architekturen
- 23. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
- 24. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
- 25. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
- 26. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
- 27. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
- 28. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
- 29. Metabreakpoints br s -S "-[AVPlayer init]" -K false br command add settings set target.language objc br s -a `(unsigned long)*(unsigned long *)$rsp` -o true -C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G true settings set target.language swift continue
- 30. Neue Wege gehen mit thread •Codepfade zur Laufzeit manipulieren •Methoden kurzschließen •Rückgabewerte ändern
- 31. Demo
- 32. Neue Wege gehen mit thread •Nachteil an thread return et al. → bremst das Ausführen des Codes aus •Idee: (Binary) Patch → genauso schnell wie vorher
- 33. Binary Patch Breakpoint private func isExpectedInput(_ value: String) -> Bool { if value.lowercased() == secret { return true } else { return false } }
- 34. Binary Patch Breakpoint private func isExpectedInput(_ value: String) -> Bool { return true }
- 35. Binary Patch Breakpoint push rbp mov rbp, rsp push 0x1 pop rax pop rbp ret 'x55x6ax01x58x5dxc3'
- 36. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
- 37. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
- 38. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
- 39. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
- 40. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
- 41. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
- 42. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
- 43. Binary Patch Breakpoint br s -n isExpectedInput -o true -K false br command add -s python patch = 'x55xB8x01x00x00x00x5dxc3' addr = bp_loc.GetLoadAddress() error = lldb.SBError() proc = frame.GetThread().GetProcess() result = proc.WriteMemory(addr, patch, error) proc.Continue() DONE
- 44. Patch Breakpoint private let secret = "foo" —> "macoun"
- 45. Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
- 46. Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
- 47. Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
- 48. Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
- 49. Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
- 50. Patch Breakpoint private let secret = "foo" // —> "macoun" br s -F "Swift.String.init(_builtinStringLiteral: Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word, isASCII: Builtin.Int1) -> Swift.String" -c "0 == (int)strcmp("foo", (char *)$rdi)" -o true br command add exp -- char * $value = (char *)"macoun" register write $rdi `(unsigned long *)$value` register write $rsi 6 continue DONE
- 51. Schlussworte •Automatismen •https://github.com/obayer/Trampoline • .lldbinit • command source <filename> • für alles andere: lldb help
- 52. Fragen?
- 53. Vielen Dank Oliver Bayer inovex GmbH
- 54. Macoun ⌘