lldb kann mehr als nur einfache Breakpoints oder po. In dem Vortrag zeigt Oliver Bayer, wie sich mit Hilfe von lldb Programmcode zur Ausführungszeit manipulieren lässt, ohne das hierfür der Sourcecode anzupassen ist. Sei es, damit Test- oder Debugcode nicht in die produktiv App gelangt, oder weil der Sourcecode für einen Teil der App nicht vorliegt. Event: macoun, 04.10.2019 Speaker: Oliver Bayer, inovex Mehr Tech-Vorträge: inovex.de/vortraege Mehr Tech-Artikel: inovex.de/blog

1. Macoun
⌘

2. lldb - Debugger auf Abwegen
Oliver Bayer
inovex GmbH

3. Disclaimer: Nur weil es technisch
geht, muss es noch lange nicht
sinnvoll sein!

4. Ablauf
•Breakpoints per CLI
•Metabreakpoints
•Kontrollfluss Manipulation / Demo

5. Breakpoints
•Software Breakpoint
•Symbolic Breakpoint
•Non-Symbolic Breakpoint

6. Conditional Breakpoints
foo("")
func foo(_ value: String) {
...
}
foo("bar")
Foo.swift Bar.swift

7. Conditional Breakpoints

8. Conditional Breakpoints

9. Conditional Breakpoints
Non-Symbolic Breakpoint

10. Conditional Breakpoints
Symbolic Breakpoint

11. Metabreakpoints
foo("bar")
func foo(_ value: String) {
...
}
foo("bar")
Foo.swift Bar.swift

12. br s -n foo -N macoun -d
MetabreakpointsMetabreakpoints
foo("bar")
func foo(_ value: String) {
...
}
Bar.swift

13. br set -n foo -N macoun -d
br s -f Bar.swift -l 42 -C "br en macoun" -G
true
MetabreakpointsMetabreakpoints
foo("bar")
func foo(_ value: String) {
...
}
Bar.swift

14. Metabreakpoints
func seiteneffekteFuer100() {
print("1")
do()
print("2")
something()
print("3")
forMe()
}

15. Metabreakpoints
func seiteneffekteFuer100() {
do()
something()
forMe()
}
br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true
br command add -s python
print("Line: {}".format(frame.GetLineEntry().GetLine()))
DONE

16. Metabreakpoints
func seiteneffekteFuer100() {
do()
something()
forMe()
}
br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true
br command add -s python
print("Line: {}".format(frame.GetLineEntry().GetLine()))
DONE

17. Metabreakpoints
func seiteneffekteFuer100() {
do()
something()
forMe()
}
br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true
br command add -s python
print("Line: {}".format(frame.GetLineEntry().GetLine()))
DONE

18. Metabreakpoints
func seiteneffekteFuer100() {
do()
something()
forMe()
}
br s -p . -X seiteneffekteFuer100 -f Foo.swift -G true
br command add -s python
print("Line: {}".format(frame.GetLineEntry().GetLine()))
DONE

19. Metabreakpoints
func do() {
…
let player = AVPlayer(playerItem: item)
…
player.play()
…
}

20. Metabreakpoints
func do() {
…
let player = AVPlayer(playerItem: item)
…
}
br s -f Player.swift -l 4 -C "call player.isMuted = false"
-G true

21. Metabreakpoints
func do() {
…
let player = AVPlayer(playerItem: item)
// Hier der Breakpoint
…
}
br s -f Player.swift -p "// Hier der Breakpoint" -X do
-C "call player.isMuted = true" -G true

22. Metabreakpoints
•Auf dem Stack1 steht die Rücksprungadresse des Aufrufenden
•Nach dem Rücksprung steht die Adresse der AVPlayer Instanz in
Register rax1
[1] x86 Architekturen

23. Metabreakpoints
br s -S "-[AVPlayer init]" -K false
br command add
settings set target.language objc
br s -a `(unsigned long)*(unsigned long *)$rsp` -o true
-C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G
true
settings set target.language swift
continue

24. Metabreakpoints
br s -S "-[AVPlayer init]" -K false
br command add
settings set target.language objc
br s -a `(unsigned long)*(unsigned long *)$rsp` -o true
-C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G
true
settings set target.language swift
continue

25. Metabreakpoints
br s -S "-[AVPlayer init]" -K false
br command add
settings set target.language objc
br s -a `(unsigned long)*(unsigned long *)$rsp` -o true
-C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G
true
settings set target.language swift
continue

26. Metabreakpoints
br s -S "-[AVPlayer init]" -K false
br command add
settings set target.language objc
br s -a `(unsigned long)*(unsigned long *)$rsp` -o true
-C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G
true
settings set target.language swift
continue

27. Metabreakpoints
br s -S "-[AVPlayer init]" -K false
br command add
settings set target.language objc
br s -a `(unsigned long)*(unsigned long *)$rsp` -o true
-C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G
true
settings set target.language swift
continue

28. Metabreakpoints
br s -S "-[AVPlayer init]" -K false
br command add
settings set target.language objc
br s -a `(unsigned long)*(unsigned long *)$rsp` -o true
-C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G
true
settings set target.language swift
continue

29. Metabreakpoints
br s -S "-[AVPlayer init]" -K false
br command add
settings set target.language objc
br s -a `(unsigned long)*(unsigned long *)$rsp` -o true
-C "exp -l objc -- [(AVPlayer *)$rax setMuted: @YES]" -G
true
settings set target.language swift
continue

30. Neue Wege gehen mit thread
•Codepfade zur Laufzeit manipulieren
•Methoden kurzschließen
•Rückgabewerte ändern

31. Demo

32. Neue Wege gehen mit thread
•Nachteil an thread return et al. → bremst das Ausführen des Codes
aus
•Idee: (Binary) Patch → genauso schnell wie vorher

33. Binary Patch Breakpoint
private func isExpectedInput(_ value: String) -> Bool {
if value.lowercased() == secret {
return true
} else {
return false
}
}

34. Binary Patch Breakpoint
private func isExpectedInput(_ value: String) -> Bool {
return true
}

35. Binary Patch Breakpoint
push rbp
mov rbp, rsp
push 0x1
pop rax
pop rbp
ret
'x55x6ax01x58x5dxc3'

36. Binary Patch Breakpoint
br s -n isExpectedInput -o true -K false
br command add -s python
patch = 'x55xB8x01x00x00x00x5dxc3'
addr = bp_loc.GetLoadAddress()
error = lldb.SBError()
proc = frame.GetThread().GetProcess()
result = proc.WriteMemory(addr, patch, error)
proc.Continue()
DONE

37. Binary Patch Breakpoint
br s -n isExpectedInput -o true -K false
br command add -s python
patch = 'x55xB8x01x00x00x00x5dxc3'
addr = bp_loc.GetLoadAddress()
error = lldb.SBError()
proc = frame.GetThread().GetProcess()
result = proc.WriteMemory(addr, patch, error)
proc.Continue()
DONE

38. Binary Patch Breakpoint
br s -n isExpectedInput -o true -K false
br command add -s python
patch = 'x55xB8x01x00x00x00x5dxc3'
addr = bp_loc.GetLoadAddress()
error = lldb.SBError()
proc = frame.GetThread().GetProcess()
result = proc.WriteMemory(addr, patch, error)
proc.Continue()
DONE

39. Binary Patch Breakpoint
br s -n isExpectedInput -o true -K false
br command add -s python
patch = 'x55xB8x01x00x00x00x5dxc3'
addr = bp_loc.GetLoadAddress()
error = lldb.SBError()
proc = frame.GetThread().GetProcess()
result = proc.WriteMemory(addr, patch, error)
proc.Continue()
DONE

40. Binary Patch Breakpoint
br s -n isExpectedInput -o true -K false
br command add -s python
patch = 'x55xB8x01x00x00x00x5dxc3'
addr = bp_loc.GetLoadAddress()
error = lldb.SBError()
proc = frame.GetThread().GetProcess()
result = proc.WriteMemory(addr, patch, error)
proc.Continue()
DONE

41. Binary Patch Breakpoint
br s -n isExpectedInput -o true -K false
br command add -s python
patch = 'x55xB8x01x00x00x00x5dxc3'
addr = bp_loc.GetLoadAddress()
error = lldb.SBError()
proc = frame.GetThread().GetProcess()
result = proc.WriteMemory(addr, patch, error)
proc.Continue()
DONE

42. Binary Patch Breakpoint
br s -n isExpectedInput -o true -K false
br command add -s python
patch = 'x55xB8x01x00x00x00x5dxc3'
addr = bp_loc.GetLoadAddress()
error = lldb.SBError()
proc = frame.GetThread().GetProcess()
result = proc.WriteMemory(addr, patch, error)
proc.Continue()
DONE

43. Binary Patch Breakpoint
br s -n isExpectedInput -o true -K false
br command add -s python
patch = 'x55xB8x01x00x00x00x5dxc3'
addr = bp_loc.GetLoadAddress()
error = lldb.SBError()
proc = frame.GetThread().GetProcess()
result = proc.WriteMemory(addr, patch, error)
proc.Continue()
DONE

44. Patch Breakpoint
private let secret = "foo" —> "macoun"

45. Patch Breakpoint
private let secret = "foo" // —> "macoun"
br s -F "Swift.String.init(_builtinStringLiteral:
Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word,
isASCII: Builtin.Int1) -> Swift.String" -c "0 ==
(int)strcmp("foo", (char *)$rdi)" -o true
br command add
exp -- char * $value = (char *)"macoun"
register write $rdi `(unsigned long *)$value`
register write $rsi 6
continue
DONE

46. Patch Breakpoint
private let secret = "foo" // —> "macoun"
br s -F "Swift.String.init(_builtinStringLiteral:
Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word,
isASCII: Builtin.Int1) -> Swift.String" -c "0 ==
(int)strcmp("foo", (char *)$rdi)" -o true
br command add
exp -- char * $value = (char *)"macoun"
register write $rdi `(unsigned long *)$value`
register write $rsi 6
continue
DONE

47. Patch Breakpoint
private let secret = "foo" // —> "macoun"
br s -F "Swift.String.init(_builtinStringLiteral:
Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word,
isASCII: Builtin.Int1) -> Swift.String" -c "0 ==
(int)strcmp("foo", (char *)$rdi)" -o true
br command add
exp -- char * $value = (char *)"macoun"
register write $rdi `(unsigned long *)$value`
register write $rsi 6
continue
DONE

48. Patch Breakpoint
private let secret = "foo" // —> "macoun"
br s -F "Swift.String.init(_builtinStringLiteral:
Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word,
isASCII: Builtin.Int1) -> Swift.String" -c "0 ==
(int)strcmp("foo", (char *)$rdi)" -o true
br command add
exp -- char * $value = (char *)"macoun"
register write $rdi `(unsigned long *)$value`
register write $rsi 6
continue
DONE

49. Patch Breakpoint
private let secret = "foo" // —> "macoun"
br s -F "Swift.String.init(_builtinStringLiteral:
Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word,
isASCII: Builtin.Int1) -> Swift.String" -c "0 ==
(int)strcmp("foo", (char *)$rdi)" -o true
br command add
exp -- char * $value = (char *)"macoun"
register write $rdi `(unsigned long *)$value`
register write $rsi 6
continue
DONE

50. Patch Breakpoint
private let secret = "foo" // —> "macoun"
br s -F "Swift.String.init(_builtinStringLiteral:
Builtin.RawPointer, utf8CodeUnitCount: Builtin.Word,
isASCII: Builtin.Int1) -> Swift.String" -c "0 ==
(int)strcmp("foo", (char *)$rdi)" -o true
br command add
exp -- char * $value = (char *)"macoun"
register write $rdi `(unsigned long *)$value`
register write $rsi 6
continue
DONE

51. Schlussworte
•Automatismen
•https://github.com/obayer/Trampoline
• .lldbinit
• command source <filename>
• für alles andere: lldb help

52. Fragen?

53. Vielen Dank
Oliver Bayer
inovex GmbH

54. Macoun
⌘