Note: LLDB Debug OS X Application

By @sskaje
Link: https://sskaje.me/2014/01/note-lldb-debug-os-application/

The LLDB Debugger, as it’s said on http://lldb.llvm.org/:

LLDB is a next generation, high-performance debugger. It is built as a set of reusable components which highly leverage existing libraries in the larger LLVM Project, such as the Clang expression parser and LLVM disassembler.

I was trying to find an OllyDBG-like debugger on OS X, gdb & lldb are the two choices.
Affinic.com has GUI for these two debuggers, not so good.
Hopper Disassembler provides it’s own GDB Server app, still bad.

Only commands here:

Stop at entry:

(lldb) process launch --stop-at-entry

1	(lldb) process launch --stop-at-entry

Launch with args:

(lldb) process launch --  -a -b -c

1	(lldb) process launch -- -a -b -c

Read memory(stack like):

(lldb)  memory read -f A -c 0x4 $esp-4
0xbfffe49c: 0x00002d76 
0xbfffe4a0: 0x03f13790 -> 0xa11d2b70 Foundation`NSConcreteMutableData
0xbfffe4a4: 0x00003aff "ascii26String"
0xbfffe4a8: 0x00000007

(lldb) memory read -f A -c 0x4 $esp-4

0xbfffe49c: 0x00002d76

0xbfffe4a0: 0x03f13790 -> 0xa11d2b70 Foundation`NSConcreteMutableData

0xbfffe4a4: 0x00003aff "ascii26String"

0xbfffe4a8: 0x00000007

Read memory(hex dump like):

(lldb) memory read -f Y -c 0x20 $esp-4
0xbfffe49c: 76 2d 00 00 90 37 f1 03 ff 3a 00 00 07 00 00 00  v-...7?.?:......
0xbfffe4ac: 08 00 00 00 01 00 00 00 e0 a9 33 00 00 00 00 00  ........?3.....

(lldb) memory read -f Y -c 0x20 $esp-4

0xbfffe49c: 76 2d 00 00 90 37 f1 03 ff 3a 00 00 07 00 00 00 v-...7?.?:......

0xbfffe4ac: 08 00 00 00 01 00 00 00 e0 a9 33 00 00 00 00 00 ........?3.....

Read variable:

(lldb) p $eax
(unsigned int) $516 = 70420592
(lldb) p/x 12345
(int) $108 = 0x00003039
(lldb) po $eax
KUTBSIYEGHZSYICYUNBYJEL

(lldb) p $eax

(unsigned int) $516 = 70420592

(lldb) p/x 12345

(int) $108 = 0x00003039

(lldb) po $eax

KUTBSIYEGHZSYICYUNBYJEL

Add breakpoint at an address:

(lldb) breakpoint set -a 0x2a80

1	(lldb) breakpoint set -a 0x2a80

Add breakpoint at a name:

(lldb) breakpoint set --name ExtractFromCMSEnvelope

1	(lldb) breakpoint set --name ExtractFromCMSEnvelope

List all breakpoints:

(lldb) breakpoint list

1	(lldb) breakpoint list

Enable/Disable a breakpoint:

(lldb) breakpoint enable 1
1 breakpoints enabled.
(lldb) breakpoint disable 2
1 breakpoints disabled.

(lldb) breakpoint enable 1

1 breakpoints enabled.

(lldb) breakpoint disable 2

1 breakpoints disabled.

Delete a breakpoint:

(lldb) breakpoint delete 6
1 breakpoints deleted; 0 breakpoint locations disabled.

1 2	(lldb) breakpoint delete 6 1 breakpoints deleted; 0 breakpoint locations disabled.

Disassemble at current address(20 lines):

(lldb) dis -c 20

1	(lldb) dis -c 20

Continue:

(lldb) c

(lldb) c

Step-in

(lldb) s

(lldb) s

Step-over

(lldb) n

(lldb) n

Finish executing in current frame

(lldb) fin

1	(lldb) fin

Read All Registers:

(lldb) register read

1	(lldb) register read

Modify A Register:

(lldb) register write rax 0

1	(lldb) register write rax 0

List loaded modules

image list

1	image list

Useful links:
https://github.com/snarez/voltron <= this one is quite useful in LLDB:

voltron start

1	voltron start

in a new shell:

sskajetekiMacBook-Pro:~ sskaje$ voltron view cmd 'memory read -f Y -c 0x20 0x03f0cc90 '

1	sskajetekiMacBook-Pro:~ sskaje$ voltron view cmd 'memory read -f Y -c 0x20 0x03f0cc90 '

http://lldb.llvm.org/tutorial.html http://lldb.llvm.org/varformats.html#formatstable http://lldb.llvm.org/lldb-gdb.html https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/LowLevelABI/130-IA-32_Function_Calling_Conventions/IA32.html#//apple_ref/doc/uid/TP40002492-SW5 <= know how objc executed.

Note: LLDB Debug OS X Application by @sskaje: https://sskaje.me/2014/01/note-lldb-debug-os-application/

Incoming search terms:

Related posts: