While debugging QQ V5.3.ipa with gdb, I found that the stack information does not match the result of the IDA analysis.
Relevant gdb information:
(gdb) info sh
The DYLD shared library state has not yet been initialized.
                                            Requested State Current State
Num Basename  Type Address  Reason | | Source
  |        |     |       |       | | |
  1 QQ        -    0x4000   exec   Y Y /private/var/mobile/Applications/A66DF95C-9C14-48A6-8BF3-EF68DA00C2F9/QQ.app/QQ (offset 0x0)
Breakpoint 1, 0x01e0513c in SecurityAccountServer::AddressBookItem::AddressBookItem ()
1: x/10i $pc
0x1e0513c: f0 b5 push {r4, r5, r6, r7, lr}
0x1e0513e: 03 af add r7, sp, #12
0x1e05140: 2d e9 00 05 stmdb sp!, {r8, r10}
0x1e05144: 81 b0 sub sp, #4
0x1e05146: 04 46 mov r4, r0
0x1e05148: 4a f6 92 20 movw r0, #43666 ; 0xaa92
0x1e0514c: c0 f2 a6 00 movt r0, #166 ; 0xa6
0x1e05150: 98 46 mov r8, r3
0x1e05152: 78 44 add r0, pc
0x1e05154: 92 46 mov r10, r2
(gdb) x/s $r1
0x22fcc18: "loadDiscussMemberList:"
(gdb) info st
#0 0x01e0513c in SecurityAccountServer::AddressBookItem::AddressBookItem ()
#1 0x01e02f1e in SecurityAccountServer::AddressBookItem::AddressBookItem ()
#2 0x01e00338 in SecurityAccountServer::AddressBookItem::AddressBookItem ()
#3 0x01e0044e in SecurityAccountServer::AddressBookItem::AddressBookItem ()
#4 0x01e395a8 in SecurityAccountServer::AddressBookItem::AddressBookItem ()
#5 0x00512040 in _t_::_p_::__internal_new_creator<ucache::multibusid::url::ReqUsrInfo> ()
#6 0x003e4c10 in KQQ::ProfFriendInfoRes::ProfFriendInfoRes ()
#7 0x007aedfa in VIP::VipUserInfo::readFrom<taf::BufferReader> ()
#8 0x007aea66 in VIP::VipUserInfo::readFrom<taf::BufferReader> ()
#9 0x0093380e in std::vector<AvatarInfo::DestQQHeadInfo, std::allocator<AvatarInfo::DestQQHeadInfo> >::~vector ()
#10 0x357cf1fa in -[NSObject performSelector:withObject:] ()
Result of the IDA analysis:
__text:01E0513C
__text:01E0513C ; =============== S U B R O U T I N E =======================================
__text:01E0513C
__text:01E0513C ; DiscussGroupStorage - (id)loadDiscussMemberList:(int64_t)
__text:01E0513C ; Attributes: bp-based frame
__text:01E0513C
__text:01E0513C ; id __cdecl -[DiscussGroupStorage loadDiscussMemberList:](struct DiscussGroupStorage *self, SEL, int64_t)
__text:01E0513C __DiscussGroupStorage_loadDiscussMemberList__
__text:01E0513C ; DATA XREF: __objc_const:02825BE0o
__text:01E0513C
__text:01E0513C var_18 = -0x18
__text:01E0513C
__text:01E0513C PUSH {R4-R7,LR}
__text:01E0513E ADD R7, SP, #0xC
__text:01E05140 PUSH.W {R8,R10}
__text:01E05144 SUB SP, SP, #4
__text:01E05146 MOV R4, R0
__text:01E05148 MOV R0, #(selRef_getDiscussMemberListPathEnc_ - 0x1E05156)
Judging from the selector in $r1, this should be consistent with IDA's result.
Question 2:
__text:01E0513C PUSH {R4-R7,LR}
__text:01E0513E ADD R7, SP, #0xC
__text:01E05140 PUSH.W {R8,R10}
__text:01E05144 SUB SP, SP, #4
__text:01E05146 MOV R4, R0
__text:01E05148 MOV R0, #(selRef_getDiscussMemberListPathEnc_ - 0x1E05156)
__text:01E05150 MOV R8, R3
__text:01E05152 ADD R0, PC ; selRef_getDiscussMemberListPathEnc_
__text:01E05154 MOV R10, R2
__text:01E05156 LDR R1, [R0] ; "getDiscussMemberListPathEnc:"
__text:01E05158 MOV R0, R4
__text:01E0515A BLX _objc_msgSend
__text:01E0515E MOV R6, R0
When I break at break *(0x01E0515E), po $r0 reports that it is not an object.
But according to IDA's analysis it should be an NSString object.
Could an expert explain what is going on here, and is there a way to fix it?
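The two listings above line up instruction for instruction, and the behaviour they show can be checked with a small model. The following is an added example, not code from the original post: it recomputes the selRef address that the movw/movt + `add r0, pc` sequence produces (Thumb reads PC as the ADD's address plus 4, which is exactly why IDA writes the immediate as `selRef_... - 0x1E05156` for an ADD at 0x1E05152), and it reproduces how gdb labels backtrace frames when the functions themselves carry no symbols: gdb prints the nearest symbol at or below the frame address, so a whole range of unrelated methods collapses onto one C++ name. The symbol addresses in the table are constructed (hypothetical) and are not taken from the QQ binary; only the immediates, instruction addresses and frame addresses come from the post.

```python
import bisect

# Added example, not code from the original post. It models two things seen in
# the listing: how the selRef address is formed from movw/movt + `add r0, pc`
# in Thumb code, and how gdb names frames when the exact function has no
# symbol (it reports the closest symbol at or below the address).


def thumb_pc_relative(movw_imm, movt_imm, add_pc_addr):
    """Return the address produced by `movw rX, #lo; movt rX, #hi; add rX, pc`.

    In Thumb state the PC value read by `add rX, pc` is the address of the
    ADD instruction plus 4. That is why IDA writes the immediate as
    (selRef_... - 0x1E05156) for an ADD located at 0x1E05152.
    """
    imm = ((movt_imm & 0xFFFF) << 16) | (movw_imm & 0xFFFF)
    return (imm + add_pc_addr + 4) & 0xFFFFFFFF


def nearest_symbol(symtab, addr):
    """Label addr the way gdb's backtrace does for a function without its own
    symbol: pick the closest symbol at or below addr and return (name, offset).
    Returns (None, None) if no symbol lies at or below addr."""
    keys = sorted(symtab)
    i = bisect.bisect_right(keys, addr) - 1
    if i < 0:
        return None, None
    return symtab[keys[i]], addr - keys[i]


# Immediates and instruction address copied from the post's disassembly:
#   0x1e05148: movw r0, #0xaa92
#   0x1e0514c: movt r0, #0xa6
#   0x1e05152: add  r0, pc
SELREF_ADDR = thumb_pc_relative(0xAA92, 0xA6, 0x1E05152)

# CONSTRUCTED symbol table (hypothetical addresses, not from the binary):
# one exported C++ symbol below the Objective-C method range, and one
# system symbol below the NSObject frame. With nothing in between, every
# frame in the post's backtrace collapses onto the same name.
HYPOTHETICAL_SYMTAB = {
    0x01DF8000: "SecurityAccountServer::AddressBookItem::AddressBookItem()",
    0x357CF1C0: "-[NSObject performSelector:withObject:]",
}

# Frame addresses #0-#4 and #10 as printed by `info stack` in the post.
BACKTRACE = [0x01E0513C, 0x01E02F1E, 0x01E00338, 0x01E0044E,
             0x01E395A8, 0x357CF1FA]


def label_backtrace(symtab=HYPOTHETICAL_SYMTAB, frames=BACKTRACE):
    """Return [(addr, name, offset)] in the form gdb would print each frame."""
    out = []
    for a in frames:
        name, off = nearest_symbol(symtab, a)
        out.append((a, name, off))
    return out


if __name__ == "__main__":
    print("selRef_getDiscussMemberListPathEnc_ = 0x%08X" % SELREF_ADDR)
    for a, name, off in label_backtrace():
        print("0x%08x in %s + 0x%x" % (a, name, off))
```

Two practical checks follow from this. At the breakpoint on the method entry, r0 is `self` and r1 is `_cmd` under the armv7 Objective-C calling convention, so `x/s $r1` printing "loadDiscussMemberList:" confirms that gdb and IDA are looking at the same method; only gdb's symbol naming is off, not the code. At 0x1E0515E, r0 holds whatever `getDiscussMemberListPathEnc:` returned; before trusting IDA's type comment, `p/x $r0` shows whether it is 0 (nil, which `po` will not describe as an object) or a plausible heap pointer.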