首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 看雪社区
  2. iOS安全
    3. 发新帖
[求助]LLDB调试,如何trace 带有jumpout特征的函数?
2022-12-3 15:18 18339

[求助]LLDB调试,如何trace 带有jumpout特征的函数?

mb_bcbqumjf 活跃值
2022-12-3 15:18
18339

自己尝试按照lldb的文档编写trace的python脚本。

 

但trace过程,每当执行到br x27 这样的寄存器跳转指令时就挂了,原因是寄存器x27中存储的地址值打印出来根本就是个错误的,完全不在当前程序的内存地址范畴中,相当的奇怪,有大佬懂的指点下!!

 

目标函数的反汇编代码如下:【其中有多处的br指令】

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
XXX[0x1046e9f8c]: sub    sp, sp, #0xc0             ; =0xc0
XXX[0x1046e9f90]: stp    x28, x27, [sp, #0x60]
XXX[0x1046e9f94]: stp    x26, x25, [sp, #0x70]
XXX[0x1046e9f98]: stp    x24, x23, [sp, #0x80]
XXX[0x1046e9f9c]: stp    x22, x21, [sp, #0x90]
XXX[0x1046e9fa0]: stp    x20, x19, [sp, #0xa0]
XXX[0x1046e9fa4]: stp    x29, x30, [sp, #0xb0]
XXX[0x1046e9fa8]: add    x29, sp, #0xb0            ; =0xb0
XXX[0x1046e9fac]: mov    x19, x7
XXX[0x1046e9fb0]: mov    x21, x6
XXX[0x1046e9fb4]: mov    x23, x5
XXX[0x1046e9fb8]: mov    x22, x4
XXX[0x1046e9fbc]: mov    x24, x3
XXX[0x1046e9fc0]: mov    x20, x0
XXX[0x1046e9fc4]: ldr    x28, [x29, #0x10]
XXX[0x1046e9fc8]: mov    w8, #0xb5
XXX[0x1046e9fcc]: str    w8, [sp, #0x20]
XXX[0x1046e9fd0]: add    x8, sp, #0x24             ; =0x24
XXX[0x1046e9fd4]: add    x9, sp, #0x20             ; =0x20
XXX[0x1046e9fd8]: adr    x27, #0x4
XXX[0x1046e9fdc]: ldrsw  x1, 0x1046ea008
XXX[0x1046e9fe0]: mov    x15, #0x55
XXX[0x1046e9fe4]: eor    x1, x1, x15
XXX[0x1046e9fe8]: mov    x25, #0x4d
XXX[0x1046e9fec]: eor    x1, x1, x25
XXX[0x1046e9ff0]: ldrsw  x3, [x9]
XXX[0x1046e9ff4]: eor    x1, x1, x3
XXX[0x1046e9ff8]: add    x27, x27, x1
XXX[0x1046e9ffc]: mov    w13, #0x66
XXX[0x1046ea000]: str    w13, [x8]
XXX[0x1046ea004]: br     x27
XXX[0x1046ea008]: udf    #0xed
XXX[0x1046ea00c]: .long  0xf5c3e516                ; unknown opcode
XXX[0x1046ea010]: .long  0xe49b0825                ; unknown opcode
XXX[0x1046ea014]: .long  0xcea5a7b5                ; unknown opcode
XXX[0x1046ea018]: ldrb   w12, [x10, #0xee9]
XXX[0x1046ea01c]: mov    x0, x2
XXX[0x1046ea020]: bl     0x105c5f070
XXX[0x1046ea024]: mov    x25, x0
XXX[0x1046ea028]: mov    x0, x24
XXX[0x1046ea02c]: bl     0x105c5f070
XXX[0x1046ea030]: mov    x26, x0
XXX[0x1046ea034]: mov    x0, x22
XXX[0x1046ea038]: bl     0x105c5f070
XXX[0x1046ea03c]: mov    x24, x0
XXX[0x1046ea040]: str    wzr, [sp, #0x58]
XXX[0x1046ea044]: ldr    w8, [sp, #0x24]
XXX[0x1046ea048]: cmp    w8, #0xcb                 ; =0xcb
XXX[0x1046ea04c]: b.hi   0x1046ea184
XXX[0x1046ea050]: mov    x0, x23
XXX[0x1046ea054]: bl     0x105c5f070
XXX[0x1046ea058]: mov    x23, x0
XXX[0x1046ea05c]: mov    x0, x26
XXX[0x1046ea060]: bl     0x105c5f07c
XXX[0x1046ea064]: mov    x26, x0
XXX[0x1046ea068]: adrp   x8, 10211
XXX[0x1046ea06c]: ldr    x22, [x8, #0xd80]
XXX[0x1046ea070]: mov    x1, x22
XXX[0x1046ea074]: bl     0x105c5f028
XXX[0x1046ea078]: mov    x27, x0
XXX[0x1046ea07c]: mov    x0, x26
XXX[0x1046ea080]: bl     0x105c5f058
XXX[0x1046ea084]: str    x27, [sp, #0x28]
XXX[0x1046ea088]: mov    x0, x25
XXX[0x1046ea08c]: bl     0x105c5f07c
XXX[0x1046ea090]: mov    x25, x0
XXX[0x1046ea094]: mov    x1, x22
XXX[0x1046ea098]: bl     0x105c5f028
XXX[0x1046ea09c]: mov    x26, x0
XXX[0x1046ea0a0]: mov    x0, x25
XXX[0x1046ea0a4]: bl     0x105c5f058
XXX[0x1046ea0a8]: str    x26, [sp, #0x30]
XXX[0x1046ea0ac]: str    w21, [sp, #0x38]
XXX[0x1046ea0b0]: mov    x0, x24
XXX[0x1046ea0b4]: bl     0x105c5f07c
XXX[0x1046ea0b8]: mov    x21, x0
XXX[0x1046ea0bc]: mov    x1, x22
XXX[0x1046ea0c0]: bl     0x105c5f028
XXX[0x1046ea0c4]: mov    x24, x0
XXX[0x1046ea0c8]: mov    x0, x21
XXX[0x1046ea0cc]: bl     0x105c5f058
XXX[0x1046ea0d0]: str    x24, [sp, #0x40]
XXX[0x1046ea0d4]: adrp   x8, 10385
XXX[0x1046ea0d8]: ldr    x1, [x8, #0x2f0]
XXX[0x1046ea0dc]: mov    x0, x20
XXX[0x1046ea0e0]: mov    x2, x23
XXX[0x1046ea0e4]: bl     0x105c5f028
XXX[0x1046ea0e8]: bl     0x105c5f094
XXX[0x1046ea0ec]: mov    x20, x0
XXX[0x1046ea0f0]: mov    x0, x23
XXX[0x1046ea0f4]: bl     0x105c5f058
XXX[0x1046ea0f8]: mov    x0, x20
XXX[0x1046ea0fc]: bl     0x105c5f07c
XXX[0x1046ea100]: mov    x20, x0
XXX[0x1046ea104]: mov    x1, x22
XXX[0x1046ea108]: bl     0x105c5f028
XXX[0x1046ea10c]: str    x0, [sp, #0x48]
XXX[0x1046ea110]: str    w19, [sp, #0x50]
XXX[0x1046ea114]: mov    x0, x20
XXX[0x1046ea118]: bl     0x105c5f058
XXX[0x1046ea11c]: mov    w8, #0x53
XXX[0x1046ea120]: stur   w8, [x29, #-0x54]
XXX[0x1046ea124]: sub    x8, x29, #0x54            ; =0x54
XXX[0x1046ea128]: adr    x7, #0x4
XXX[0x1046ea12c]: ldrsw  x23, 0x1046ea150
XXX[0x1046ea130]: add    x23, x23, #0xb9           ; =0xb9
XXX[0x1046ea134]: add    x23, x23, #0x20           ; =0x20
XXX[0x1046ea138]: sub    x23, x23, #0xf6           ; =0xf6
XXX[0x1046ea13c]: ldrsw  x5, [x8]
XXX[0x1046ea140]: add    x23, x23, x5
XXX[0x1046ea144]: add    x7, x7, x23
XXX[0x1046ea148]: mov    x8, #0x4
XXX[0x1046ea14c]: br     x7
XXX[0x1046ea150]: udf    #0x2
XXX[0x1046ea154]: .long  0x32676ab5                ; unknown opcode
XXX[0x1046ea158]: b      0xfe3b4074
XXX[0x1046ea15c]: .long  0x7188dbe6                ; unknown opcode
XXX[0x1046ea160]: stp    s13, s26, [x15], #0x40
XXX[0x1046ea164]: adrp   x8, 11287
XXX[0x1046ea168]: ldr    x8, [x8, #0x790]
XXX[0x1046ea16c]: mov    w0, #0x558e
XXX[0x1046ea170]: add    x1, sp, #0x28             ; =0x28
XXX[0x1046ea174]: add    x2, sp, #0x58             ; =0x58
XXX[0x1046ea178]: blr    x8
XXX[0x1046ea17c]: mov    x22, x0
XXX[0x1046ea180]: cbz    x22, 0x1046ea27c
XXX[0x1046ea184]: ldr    x8, [x22]
XXX[0x1046ea188]: cbz    x8, 0x1046ea1c0
XXX[0x1046ea18c]: adrp   x9, 10428
XXX[0x1046ea190]: ldr    x0, [x9, #0x978]
XXX[0x1046ea194]: adrp   x9, 10212
XXX[0x1046ea198]: ldr    x1, [x9, #0xc0]
XXX[0x1046ea19c]: str    x8, [sp]
XXX[0x1046ea1a0]: adrp   x2, 6291
XXX[0x1046ea1a4]: add    x2, x2, #0x768            ; =0x768
XXX[0x1046ea1a8]: bl     0x105c5f028
XXX[0x1046ea1ac]: bl     0x105c5f094
XXX[0x1046ea1b0]: mov    x19, x0
XXX[0x1046ea1b4]: ldr    x0, [x22]
XXX[0x1046ea1b8]: bl     0x105c5df84
XXX[0x1046ea1bc]: b      0x1046ea1c4
XXX[0x1046ea1c0]: mov    x19, #0x0
XXX[0x1046ea1c4]: mov    x0, x22
XXX[0x1046ea1c8]: bl     0x105c5df84
XXX[0x1046ea1cc]: adrp   x8, 10211
XXX[0x1046ea1d0]: ldr    x21, [x8, #0xde8]
XXX[0x1046ea1d4]: mov    x0, x19
XXX[0x1046ea1d8]: mov    x1, x21
XXX[0x1046ea1dc]: bl     0x105c5f028
XXX[0x1046ea1e0]: cbnz   x0, 0x1046ea338
XXX[0x1046ea1e4]: ldr    w26, [sp, #0x58]
XXX[0x1046ea1e8]: cbz    w26, 0x1046ea338
XXX[0x1046ea1ec]: adrp   x27, 10428
XXX[0x1046ea1f0]: ldr    x22, [x27, #0x978]
XXX[0x1046ea1f4]: adrp   x8, 10212
XXX[0x1046ea1f8]: ldr    x20, [x8, #0xc0]
XXX[0x1046ea1fc]: adrp   x23, 11287
XXX[0x1046ea200]: add    x23, x23, #0xe77          ; =0xe77
XXX[0x1046ea204]: ldrb   w8, [x23, #0x9d]
XXX[0x1046ea208]: tbnz   w8, #0x0, 0x1046ea23c
XXX[0x1046ea20c]: adrp   x0, 11287
XXX[0x1046ea210]: add    x0, x0, #0xd6e            ; =0xd6e
XXX[0x1046ea214]: adrp   x2, 12731
XXX[0x1046ea218]: add    x2, x2, #0x804            ; =0x804
XXX[0x1046ea21c]: adrp   x3, 12731
XXX[0x1046ea220]: add    x3, x3, #0x7ff            ; =0x7ff
XXX[0x1046ea224]: orr    w1, wzr, #0xe
XXX[0x1046ea228]: orr    w4, wzr, #0x4
XXX[0x1046ea22c]: mov    w5, #0xaf
XXX[0x1046ea230]: bl     0x1046f15cc
XXX[0x1046ea234]: orr    w8, wzr, #0x1
XXX[0x1046ea238]: strb   w8, [x23, #0x9d]
XXX[0x1046ea23c]: str    x19, [sp, #0x18]
XXX[0x1046ea240]: adrp   x8, 11287
XXX[0x1046ea244]: add    x8, x8, #0xd6e            ; =0xd6e
XXX[0x1046ea248]: str    x8, [sp]
XXX[0x1046ea24c]: adrp   x2, 6291
XXX[0x1046ea250]: add    x2, x2, #0x768            ; =0x768
XXX[0x1046ea254]: mov    x0, x22
XXX[0x1046ea258]: mov    x1, x20
XXX[0x1046ea25c]: bl     0x105c5f028
XXX[0x1046ea260]: bl     0x105c5f094
XXX[0x1046ea264]: mov    x22, x0
XXX[0x1046ea268]: cbz    x22, 0x1046ea284
XXX[0x1046ea26c]: mov    w8, #0x0
XXX[0x1046ea270]: mov    w24, #0x88
XXX[0x1046ea274]: tbnz   w8, #0x0, 0x1046ea35c
XXX[0x1046ea278]: b      0x1046ea41c
XXX[0x1046ea27c]: mov    x19, #0x0
XXX[0x1046ea280]: b      0x1046ea1cc
XXX[0x1046ea284]: orr    w24, wzr, #0x7c
XXX[0x1046ea288]: b      0x1046ea41c
XXX[0x1046ea28c]: adrp   x8, 10428
XXX[0x1046ea290]: ldr    x21, [x8, #0xd80]
XXX[0x1046ea294]: ldr    x22, [x27, #0x978]
XXX[0x1046ea298]: adrp   x23, 11287
XXX[0x1046ea29c]: add    x23, x23, #0xe77          ; =0xe77
XXX[0x1046ea2a0]: ldrb   w8, [x23, #0x9e]
XXX[0x1046ea2a4]: tbnz   w8, #0x0, 0x1046ea2d8
XXX[0x1046ea2a8]: adrp   x0, 11287
XXX[0x1046ea2ac]: add    x0, x0, #0xd7c            ; =0xd7c
XXX[0x1046ea2b0]: adrp   x2, 12731
XXX[0x1046ea2b4]: add    x2, x2, #0x820            ; =0x820
XXX[0x1046ea2b8]: adrp   x3, 12096
XXX[0x1046ea2bc]: add    x3, x3, #0xa10            ; =0xa10
XXX[0x1046ea2c0]: orr    w19, wzr, #0x1
XXX[0x1046ea2c4]: orr    w1, wzr, #0x30
XXX[0x1046ea2c8]: orr    w5, wzr, #0x1
XXX[0x1046ea2cc]: mov    w4, #0x0
XXX[0x1046ea2d0]: bl     0x1046f1548
XXX[0x1046ea2d4]: strb   w19, [x23, #0x9e]
XXX[0x1046ea2d8]: adrp   x8, 11287
XXX[0x1046ea2dc]: add    x8, x8, #0xd7c            ; =0xd7c
XXX[0x1046ea2e0]: str    x8, [sp]
XXX[0x1046ea2e4]: adrp   x2, 6291
XXX[0x1046ea2e8]: add    x2, x2, #0x768            ; =0x768
XXX[0x1046ea2ec]: mov    x0, x22
XXX[0x1046ea2f0]: mov    x1, x20
XXX[0x1046ea2f4]: bl     0x105c5f028
XXX[0x1046ea2f8]: bl     0x105c5f094
XXX[0x1046ea2fc]: mov    x20, x0
XXX[0x1046ea300]: ldrsw  x8, [sp, #0x58]
XXX[0x1046ea304]: add    x3, x8, #0x578            ; =0x578
XXX[0x1046ea308]: adrp   x8, 10213
XXX[0x1046ea30c]: ldr    x1, [x8, #0xf90]
XXX[0x1046ea310]: mov    x0, x21
XXX[0x1046ea314]: mov    x2, x20
XXX[0x1046ea318]: mov    x4, #0x0
XXX[0x1046ea31c]: bl     0x105c5f028
XXX[0x1046ea320]: bl     0x105c5f094
XXX[0x1046ea324]: bl     0x105c5eefc
XXX[0x1046ea328]: str    x0, [x28]
XXX[0x1046ea32c]: mov    x0, x20
XXX[0x1046ea330]: bl     0x105c5f058
XXX[0x1046ea334]: ldr    x19, [sp, #0x18]
XXX[0x1046ea338]: mov    x0, x19
XXX[0x1046ea33c]: ldp    x29, x30, [sp, #0xb0]
XXX[0x1046ea340]: ldp    x20, x19, [sp, #0xa0]
XXX[0x1046ea344]: ldp    x22, x21, [sp, #0x90]
XXX[0x1046ea348]: ldp    x24, x23, [sp, #0x80]
XXX[0x1046ea34c]: ldp    x26, x25, [sp, #0x70]
XXX[0x1046ea350]: ldp    x28, x27, [sp, #0x60]
XXX[0x1046ea354]: add    sp, sp, #0xc0             ; =0xc0
XXX[0x1046ea358]: b      0x105c5ef20
XXX[0x1046ea35c]: cmp    w25, #0x82                ; =0x82
XXX[0x1046ea360]: b.ne   0x1046ea374
XXX[0x1046ea364]: cmp    w19, #0x86                ; =0x86
XXX[0x1046ea368]: b.ne   0x1046ea3c8
XXX[0x1046ea36c]: mov    x24, x23
XXX[0x1046ea370]: b      0x1046ea3f8
XXX[0x1046ea374]: mov    w8, #0x7d
XXX[0x1046ea378]: str    w8, [sp, #0x20]
XXX[0x1046ea37c]: add    x8, sp, #0x24             ; =0x24
XXX[0x1046ea380]: add    x9, sp, #0x20             ; =0x20
XXX[0x1046ea384]: adr    x15, #0x4
XXX[0x1046ea388]: ldrsw  x5, 0x1046ea3ac
XXX[0x1046ea38c]: mvn    x5, x5
XXX[0x1046ea390]: add    x5, x5, #0xe1             ; =0xe1
XXX[0x1046ea394]: ldrsw  x13, [x9]
XXX[0x1046ea398]: eor    x5, x5, x13
XXX[0x1046ea39c]: add    x15, x15, x5
XXX[0x1046ea3a0]: mov    w4, #0x77
XXX[0x1046ea3a4]: str    w4, [x8]
XXX[0x1046ea3a8]: br     x15
XXX[0x1046ea3ac]: udf    #0x9b
XXX[0x1046ea3b0]: .long  0xb1b5d51c                ; unknown opcode
XXX[0x1046ea3b4]: .long  0x75e9f1a9                ; unknown opcode
XXX[0x1046ea3b8]: .long  0x415dced2                ; unknown opcode
XXX[0x1046ea3bc]: .long  0xdcb45e74                ; unknown opcode
XXX[0x1046ea3c0]: b      0x1046ea334
XXX[0x1046ea3c4]: mov    w19, #0x62
XXX[0x1046ea3c8]: ldr    x0, [x27, #0x978]
XXX[0x1046ea3cc]: adrp   x8, 6286
XXX[0x1046ea3d0]: add    x8, x8, #0x468            ; =0x468
XXX[0x1046ea3d4]: stp    x23, x8, [sp]
XXX[0x1046ea3d8]: adrp   x2, 6338
XXX[0x1046ea3dc]: add    x2, x2, #0x2c8            ; =0x2c8
XXX[0x1046ea3e0]: mov    x1, x20
XXX[0x1046ea3e4]: bl     0x105c5f028
XXX[0x1046ea3e8]: bl     0x105c5f094
XXX[0x1046ea3ec]: mov    x24, x0
XXX[0x1046ea3f0]: mov    x0, x23
XXX[0x1046ea3f4]: bl     0x105c5f058
XXX[0x1046ea3f8]: str    x24, [sp]
XXX[0x1046ea3fc]: adrp   x0, 6286
XXX[0x1046ea400]: add    x0, x0, #0x3c8            ; =0x3c8
XXX[0x1046ea404]: bl     0x100149308
XXX[0x1046ea408]: mov    x0, x24
XXX[0x1046ea40c]: bl     0x105c5f058
XXX[0x1046ea410]: mov    w8, #0x0
XXX[0x1046ea414]: orr    w24, wzr, #0x7c
XXX[0x1046ea418]: tbnz   w8, #0x0, 0x1046ea35c
XXX[0x1046ea41c]: cmp    w24, #0x88                ; =0x88
XXX[0x1046ea420]: b.ne   0x1046ea46c
XXX[0x1046ea424]: sxtw   x8, w26
XXX[0x1046ea428]: add    x8, x8, #0x578            ; =0x578
XXX[0x1046ea42c]: ldr    x0, [x27, #0x978]
XXX[0x1046ea430]: str    x8, [sp]
XXX[0x1046ea434]: mov    x1, x20
XXX[0x1046ea438]: mov    x2, x22
XXX[0x1046ea43c]: bl     0x105c5f028
XXX[0x1046ea440]: bl     0x105c5f094
XXX[0x1046ea444]: mov    x23, x0
XXX[0x1046ea448]: adrp   x0, 6286
XXX[0x1046ea44c]: add    x0, x0, #0x468            ; =0x468
XXX[0x1046ea450]: mov    x1, x21
XXX[0x1046ea454]: bl     0x105c5f028
XXX[0x1046ea458]: cbnz   x0, 0x1046ea3c4
XXX[0x1046ea45c]: mov    w19, #0x86
XXX[0x1046ea460]: mov    w24, #0x88
XXX[0x1046ea464]: mov    w25, #0x82
XXX[0x1046ea468]: b      0x1046ea47c
XXX[0x1046ea46c]: mov    x0, x22
XXX[0x1046ea470]: bl     0x105c5f058
XXX[0x1046ea474]: cbnz   x28, 0x1046ea28c
XXX[0x1046ea478]: orr    w25, wzr, #0x7
XXX[0x1046ea47c]: orr    w8, wzr, #0x1
XXX[0x1046ea480]: tbnz   w8, #0x0, 0x1046ea35c
XXX[0x1046ea484]: b      0x1046ea41c

但手动单步调试过去时,寄存器中的值又是一个合理的,有大神知道是什么原因吗?


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
点赞0
打赏
分享
最新回复 (2)
flashgg
雪    币: 49
活跃值: (1567)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
flashgg 2022-12-3 19:27
2
0
我感觉是你的trace被检测到了。
mb_bcbqumjf
雪    币: 416
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
mb_bcbqumjf 2022-12-7 17:29
3
0
flashgg 我感觉是你的trace被检测到了。
trace 如何被检测 跟检测是否调试一样?
游客
登录 | 注册 方可回帖
 回帖  表情 雪币赚取及消费
高级回复
返回