[iOS Hacker] 解决 LLDB 显示的反汇编代码不对的问题

Xcode 升级到 9.2 之后使用 debugserver 结合 LLDB 调试某些程序会发现反汇编代码不对，与 IDA 显示的不一致:

(lldb) si
Process 1319 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step into
    frame #0: 0x00071858 Quiz7GUI`_mh_execute_header + 6232
Quiz7GUI`_mh_execute_header:
->  0x71858 <+6232>: svcge  #0x3b5f0
    0x7185c <+6236>: stceq  p9, c14, [r0, #-180]
    0x71860 <+6240>: strbeq pc, [r0], #-429
    0x71864 <+6244>: .long  0x040ff024                ; unknown opcode
Target 0: (Quiz7GUI) stopped.

(lldb) si

Process 1319 stopped

* thread #1, queue = 'com.apple.main-thread', stop reason = instruction step into

frame #0: 0x00071858 Quiz7GUI`_mh_execute_header + 6232

Quiz7GUI`_mh_execute_header:

-> 0x71858 <+6232>: svcge #0x3b5f0

0x7185c <+6236>: stceq p9, c14, [r0, #-180]

0x71860 <+6240>: strbeq pc, [r0], #-429

0x71864 <+6244>: .long 0x040ff024 ; unknown opcode

Target 0: (Quiz7GUI) stopped.

这是什么原因？看起来像调试器默认是以 ARM 指令来解析执行的，实际上应该是 thumb 指令，切换指令集查看一下，发现有一部分指令还是显示不对：

(lldb) dis -A thumb -b -s 0x71858
Quiz7GUI`_mh_execute_header:
->  0x71858 <+6232>: 0xb5f0       push   {r4, r5, r6, r7, lr}
    0x7185a <+6234>: 0xaf03       add    r7, sp, #0xc
    0x7185c <+6236>: 0x0d00e92d   .long  0x0d00e92d                ; unknown opcode
    0x71860 <+6240>: 0x0440f1ad   .long  0x0440f1ad                ; unknown opcode
    0x71864 <+6244>: 0x040ff024   .long  0x040ff024                ; unknown opcode
    0x71868 <+6248>: 0x46a5       mov    sp, r4
    0x7186a <+6250>: 0x82edf904   .long  0x82edf904                ; unknown opcode
    0x7186e <+6254>: 0xc2eff904   .long  0xc2eff904                ; unknown opcode
    0x71872 <+6258>: 0xb090       sub    sp, #0x40
    0x71874 <+6260>: 0x460c       mov    r4, r1
    0x71876 <+6262>: 0x4605       mov    r5, r0

(lldb) dis -A thumb -b -s 0x71858

Quiz7GUI`_mh_execute_header:

-> 0x71858 <+6232>: 0xb5f0 push {r4, r5, r6, r7, lr}

0x7185a <+6234>: 0xaf03 add r7, sp, #0xc

0x7185c <+6236>: 0x0d00e92d .long 0x0d00e92d ; unknown opcode

0x71860 <+6240>: 0x0440f1ad .long 0x0440f1ad ; unknown opcode

0x71864 <+6244>: 0x040ff024 .long 0x040ff024 ; unknown opcode

0x71868 <+6248>: 0x46a5 mov sp, r4

0x7186a <+6250>: 0x82edf904 .long 0x82edf904 ; unknown opcode

0x7186e <+6254>: 0xc2eff904 .long 0xc2eff904 ; unknown opcode

0x71872 <+6258>: 0xb090 sub sp, #0x40

0x71874 <+6260>: 0x460c mov r4, r1

0x71876 <+6262>: 0x4605 mov r5, r0

查看一下当前的 LLDB 版本号：

(lldb) version
lldb-1000.11.38.2
  Swift-4.2

(lldb) version

lldb-1000.11.38.2

Swift-4.2

最简单有效的解决方法用低版本的 Xcode，比如输入 Xcode 7.2 里的 lldb 路径，然后再看汇编代码就是对的，解析的代码如下：

Users/exchen/Downloads/Xcode7.app/Contents/Developer/usr/bin/lldb
(lldb) process connect connect://127.0.0.1:12345
……
(lldb) si
Process 1323 stopped
* thread #1: tid = 0x16126, 0x00031858 Quiz7GUI`___lldb_unnamed_function1$$Quiz7GUI, queue = 'com.apple.main-thread', stop reason = instruction step into
    frame #0: 0x00031858 Quiz7GUI`___lldb_unnamed_function1$$Quiz7GUI
Quiz7GUI`___lldb_unnamed_function1$$Quiz7GUI:
->  0x31858 <+0>: push   {r4, r5, r6, r7, lr}
    0x3185a <+2>: add    r7, sp, #0xc
    0x3185c <+4>: push.w {r8, r10, r11}
    0x31860 <+8>: sub.w  r4, sp, #0x40
(lldb) dis
Quiz7GUI`___lldb_unnamed_function1$$Quiz7GUI:
->  0x31858 <+0>:   push   {r4, r5, r6, r7, lr}
    0x3185a <+2>:   add    r7, sp, #0xc
    0x3185c <+4>:   push.w {r8, r10, r11}
    0x31860 <+8>:   sub.w  r4, sp, #0x40
    0x31864 <+12>:  bic    r4, r4, #0xf
    0x31868 <+16>:  mov    sp, r4
    0x3186a <+18>:  vst1.64 {d8, d9, d10, d11}, [r4:128]!
    0x3186e <+22>:  vst1.64 {d12, d13, d14, d15}, [r4:128]
    0x31872 <+26>:  sub    sp, #0x40
    0x31874 <+28>:  mov    r4, r1
    0x31876 <+30>:  mov    r5, r0
    0x31878 <+32>:  blx    0x33fb0                   ; symbol stub for: objc_autoreleasePoolPush
……

Users/exchen/Downloads/Xcode7.app/Contents/Developer/usr/bin/lldb

(lldb) process connect connect://127.0.0.1:12345

……

(lldb) si

Process 1323 stopped

* thread #1: tid = 0x16126, 0x00031858 Quiz7GUI`___lldb_unnamed_function1$$Quiz7GUI, queue = 'com.apple.main-thread', stop reason = instruction step into

frame #0: 0x00031858 Quiz7GUI`___lldb_unnamed_function1$$Quiz7GUI

Quiz7GUI`___lldb_unnamed_function1$$Quiz7GUI:

-> 0x31858 <+0>: push {r4, r5, r6, r7, lr}

0x3185a <+2>: add r7, sp, #0xc

0x3185c <+4>: push.w {r8, r10, r11}

0x31860 <+8>: sub.w r4, sp, #0x40

(lldb) dis

Quiz7GUI`___lldb_unnamed_function1$$Quiz7GUI:

-> 0x31858 <+0>: push {r4, r5, r6, r7, lr}

0x3185a <+2>: add r7, sp, #0xc

0x3185c <+4>: push.w {r8, r10, r11}

0x31860 <+8>: sub.w r4, sp, #0x40

0x31864 <+12>: bic r4, r4, #0xf

0x31868 <+16>: mov sp, r4

0x3186a <+18>: vst1.64 {d8, d9, d10, d11}, [r4:128]!

0x3186e <+22>: vst1.64 {d12, d13, d14, d15}, [r4:128]

0x31872 <+26>: sub sp, #0x40

0x31874 <+28>: mov r4, r1

0x31876 <+30>: mov r5, r0

0x31878 <+32>: blx 0x33fb0 ; symbol stub for: objc_autoreleasePoolPush

……

看看现在的 LLDB 版本号：

(lldb) version
lldb-340.4.119

1 2	(lldb) version lldb-340.4.119

转载请注明：exchen's blog » [iOS Hacker] 解决 LLDB 显示的反汇编代码不对的问题

与本文相关的文章