逆向时终端语法

发表于

终端常用语法

  1. ps -e 查看每个模块的全路径
  2. ssh root@ip 使用ssh 登录手机
  3. scp 需要拷贝的文件 要拷贝的文件路径
  4. cycript -p TargetApp 对TargetApp进行注入
  5. image list -o -f 查看APP加载模块

  6. debugserver *:3333 -a "App" 开启APP的3333端口的监听

    1. debugserver -x backboard *:2343 路径

  7. grep -r 检索条件 路径 对某个路径下进行条件检索

lldb 使用

  1. lldb => xcode路径下lldb

  2. process connect connect://iOSip:3333 针对手机上ip的3333端口进行lldb

  3. br s -a address 针对address下断点
  4. br dis 禁用断点
  5. br en 开启断点
  6. br del 删除断点
  7. br com add 1 针对1号断点进行命令追加,使用DONE结束追加命令,当断点1倍出发时候会调用追加的命令
  8. p 打印出对象的类型,值,变量名 例如 (long) $2 = 1324,可以强行更改对象的类型
  9. po 打印对象的值
  10. p/x 以16进制的方式打印地址
  11. x/10 打印出10个bite的数据
  12. ni 不进入函数下一步
  13. si进入函数下一步
  14. register write 寄存器 = 1 expression 寄存器 = 1 两个命令一样,修改寄存器的值为1
  15. register read 寄存器 expression 寄存器 读取寄存器

  16. frame info 查看当前栈帧函数名,如果有参数这有参数,

    1
    2
    3
    4
    5
    frame #1: 0x0000000106dff76b ArmDemo`-[ViewController viewDidLoad](self=0x00007fdd8940ebe0, _cmd="viewDidLoad") at ViewController.m:36
    	``` 
    		
    			
    16. `frame variable` ,查看当前栈帧函数名,参数,函数内部局部变量

(ViewController *) self = 0x00007fdd8940ebe0
(SEL) _cmd = “b1:b2:b3:b4:b5:b6:b7:b8:b9:”
(int) b1 = 1
(int) b2 = 2
(int) b3 = 3
(int) b4 = 4
(int) b5 = 5
(int) b6 = 6
(int) b7 = 7
(int) b8 = 8
(int) b9 = 9
(int) c = 0

1
2
3
4
		
		
		
17. `frame select 0` 展示选择栈帧时部分代码

frame #0: 0x0000000106dff7e1 ArmDemo`-ViewController b1:b2:b3:b4:b5:b6:b7:b8:b9: at ViewController.m:41
38
39 }
40 - (int)b1:(int)b1 b2:(int)b2 b3:(int)b3 b4:(int)b4 b5:(int)b5 b6:(int)b6 b7:(int)b7 b8:(int)b8 b9:(int)b9{
-> 41 int c = b1 + b2 + b3 + b4 + b5 + b6 + b7 + b8 + b9;
42
43 return c;
44 }

1
2
		
18. `thread backtrace -c 5` 在当前线程中选择前5 个栈帧展示

thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 23.1

frame #0: 0x0000000106dff7e1 ArmDemo-[ViewController b1:b2:b3:b4:b5:b6:b7:b8:b9:](self=0x00007fdd8940ebe0, _cmd="b1:b2:b3:b4:b5:b6:b7:b8:b9:", b1=1, b2=2, b3=3, b4=4, b5=5, b6=6, b7=7, b8=8, b9=9) at ViewController.m:41 frame #1: 0x0000000106dff76b ArmDemo-ViewController viewDidLoad at ViewController.m:36 frame #2: 0x00000001083c7d51 UIKit[UIViewController loadViewIfRequired] + 1235 frame #3: 0x00000001083c819e UIKit-[UIViewController view] + 27

1
2
	
19. `disassemble --frame` 反汇编当前栈帧`di -f`

(lldb) disassemble –frame
ArmDemo`-[ViewController b1:b2:b3:b4:b5:b6:b7:b8:b9:]:
0x106dff7a0 <+0>: pushq %rbp
0x106dff7a1 <+1>: movq %rsp, %rbp
0x106dff7a4 <+4>: pushq %r14
0x106dff7a6 <+6>: pushq %rbx
0x106dff7a7 <+7>: movl 0x30(%rbp), %eax
0x106dff7aa <+10>: movl 0x28(%rbp), %r10d
0x106dff7ae <+14>: movl 0x20(%rbp), %r11d
0x106dff7b2 <+18>: movl 0x18(%rbp), %ebx
0x106dff7b5 <+21>: movl 0x10(%rbp), %r14d
0x106dff7b9 <+25>: movq %rdi, -0x18(%rbp)
0x106dff7bd <+29>: movq %rsi, -0x20(%rbp)
0x106dff7c1 <+33>: movl %edx, -0x24(%rbp)
0x106dff7c4 <+36>: movl %ecx, -0x28(%rbp)
0x106dff7c7 <+39>: movl %r8d, -0x2c(%rbp)
0x106dff7cb <+43>: movl %r9d, -0x30(%rbp)
0x106dff7cf <+47>: movl %r14d, -0x34(%rbp)
0x106dff7d3 <+51>: movl %ebx, -0x38(%rbp)
0x106dff7d6 <+54>: movl %r11d, -0x3c(%rbp)
0x106dff7da <+58>: movl %r10d, -0x40(%rbp)
0x106dff7de <+62>: movl %eax, -0x44(%rbp)
-> 0x106dff7e1 <+65>: movl -0x24(%rbp), %eax
0x106dff7e4 <+68>: addl -0x28(%rbp), %eax
0x106dff7e7 <+71>: addl -0x2c(%rbp), %eax
0x106dff7ea <+74>: addl -0x30(%rbp), %eax
0x106dff7ed <+77>: addl -0x34(%rbp), %eax
0x106dff7f0 <+80>: addl -0x38(%rbp), %eax
0x106dff7f3 <+83>: addl -0x3c(%rbp), %eax
0x106dff7f6 <+86>: addl -0x40(%rbp), %eax
0x106dff7f9 <+89>: addl -0x44(%rbp), %eax
0x106dff7fc <+92>: movl %eax, -0x48(%rbp)
0x106dff7ff <+95>: movl -0x48(%rbp), %eax
0x106dff802 <+98>: popq %rbx
0x106dff803 <+99>: popq %r14
0x106dff805 <+101>: popq %rbp
0x106dff806 <+102>: retq
0x106dff807 <+103>: nopw (%rax,%rax)
(lldb)

1
2
		
20. `disassemble --name test` 反汇编test方法 `di -n test`

(lldb) disassemble –name test
ArmDemo`-[ViewController test]:
0x106dff830 <+0>: pushq %rbp
0x106dff831 <+1>: movq %rsp, %rbp
0x106dff834 <+4>: subq $0x20, %rsp
0x106dff838 <+8>: movq %rdi, -0x8(%rbp)
0x106dff83c <+12>: movq %rsi, -0x10(%rbp)
0x106dff840 <+16>: movq -0x8(%rbp), %rsi
0x106dff844 <+20>: movq 0x47e5(%rip), %rdi ; “result”
0x106dff84b <+27>: movq %rdi, -0x20(%rbp)
0x106dff84f <+31>: movq %rsi, %rdi
0x106dff852 <+34>: movq -0x20(%rbp), %rsi
0x106dff856 <+38>: callq 0x106e013f4 ; symbol stub for: objc_msgSend
0x106dff85b <+43>: movl %eax, -0x14(%rbp)
0x106dff85e <+46>: movl -0x14(%rbp), %eax
0x106dff861 <+49>: addq $0x20, %rsp
0x106dff865 <+53>: popq %rbp
0x106dff866 <+54>: retq

1
2
		
21. `image lookup -v --address 0x0000000106dfe000` 查看 *0x0000000106dfe000*这个模块上的详细信息

(lldb) image lookup -v –address 0x0000000106dfe000
Address: ArmDemo[0x0000000100000000] (ArmDemo.__TEXT + 0)
Summary: ArmDemo`_mh_execute_header
Module: file = “/Users/guolianghao/Library/Developer/Xcode/DerivedData/ArmDemo-crbwjymsidrgejervyhgwvtufpbw/Build/Products/Debug-iphonesimulator/ArmDemo.app/ArmDemo”, arch = “x86_64”
Symbol: id = {0x00000174}, range = [0x0000000106dfe000-0x0000000106dff6b0), mangled=”_mh_execute_header”

1
2
3
4


#cycript 中语法
1. `[[[UIApplication sharedApplication]keyWindow] recursiveDescription]` `[[UIApp keyWindow] recursiveDescription]`相同效果,展示当前界面下所有视图结构

[self.view recursiveDescription];
```

砸壳过程

砸壳

回到顶部