xia0LLDB

debugme issues

Open secretpray opened this issue 6 years ago • 15 comments

(lldb) debugme
[] start patch ptrace funtion to bypass antiDebug
[+] success ptrace funtion to bypass antiDebug
[] start patch svc ins to bypass antiDebug
[-] failed to get text segment:["rror: warning: format specifies type 'unsigned long' but the argument has type 'uint64_t' (aka 'unsigned long long')\nwarning: format specifies type 'unsigned long' but the argument has type 'uint64_t' (aka 'unsigned long long')\nwarning: ISO C++11 does not allow conversion from string literal to 'char *'\nerror: Couldn't lookup symbols:\n _sprint"]
[x] happy debugging~ kill antiDebug by xia0@2019

secretpray avatar Oct 04 '19 11:10 secretpray

Error in choose.py

$ lldb

[traceOC]: trace ObjectC function call traceOC more usage, try "traceOC -h"
[xutil]: some util tool for debug, this command is flexable and some options maybe remove future xutil [-b addr, -s module, -l dylib] more usage, try "xutil -h"
error: module importing failed: invalid syntax (choose.py, line 274) File "temp.py", line 1, in
error: module importing failed: Missing parentheses in call to 'print'. Did you mean print('please specify the param, for example: "-[UIView initWithFrame:]"')? (xbr.py, line 531) File "temp.py", line 1, in
error: module importing failed: invalid syntax (dumpdecrypted.py, line 431) File "temp.py", line 1, in

secretpray avatar Oct 04 '19 11:10 secretpray

> Error in choose.py
>
> $ lldb
>
> [traceOC]: trace ObjectC function call traceOC more usage, try "traceOC -h"
> [xutil]: some util tool for debug, this command is flexable and some options maybe remove future xutil [-b addr, -s module, -l dylib] more usage, try "xutil -h"
> error: module importing failed: invalid syntax (choose.py, line 274) File "temp.py", line 1, in
> error: module importing failed: Missing parentheses in call to 'print'. Did you mean print('please specify the param, for example: "-[UIView initWithFrame:]"')? (xbr.py, line 531) File "temp.py", line 1, in
> error: module importing failed: invalid syntax (dumpdecrypted.py, line 431) File "temp.py", line 1, in

traceOC isn't finished yet…

4ch12dy avatar Oct 05 '19 01:10 4ch12dy

Which app is that? I'll test it on my side.

4ch12dy avatar Oct 05 '19 01:10 4ch12dy

➜ gif lldb
========
[traceOC]: trace ObjectC function call traceOC more usage, try "traceOC -h"
========
[xutil]: some util tool for debug, this command is flexable and some options maybe remove future xutil [-b addr, -s module, -l dylib] more usage, try "xutil -h"
error: module importing failed: invalid syntax (choose.py, line 274) File "temp.py", line 1, in
error: module importing failed: Missing parentheses in call to 'print'. Did you mean print('please specify the param, for example: "-[UIView initWithFrame:]"')? (xbr.py, line 531) File "temp.py", line 1, in pcc
error: module importing failed: invalid syntax (dumpdecrypted.py, line 431) File "temp.py", line 1, in
========
[debugme]: kill anti-debug in lldb debugme more usage, try "debugme -h"
========
[info]: get basic info of process/function/module/address/... info [-m moduleName, -a address, -f funtionName, -u UserDefaults] more usage, try "info -h"
error: module importing failed: invalid syntax (sbt.py, line 166) File "temp.py", line 1, in

No matter which app it is, this error is reported as soon as lldb connects, and xbr is completely unusable.

wxq491216 avatar Oct 09 '19 08:10 wxq491216

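Are you using the latest xia0LLDB? I tested on my side and could not reproduce this problem. From the error it looks like a Python file parsing error; are you using Python3?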

4ch12dy avatar Oct 09 '19 09:10 4ch12dy

python -V
Python 2.7.10

Is python3 supposed to be used by default?

wxq491216 avatar Oct 09 '19 10:10 wxq491216

Use python2.

4ch12dy avatar Oct 09 '19 10:10 4ch12dy

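It looks like this is caused by the Python environment; everything was fine before python3 was installed. The problem appeared after installing python3, but the Mac actually uses python2 by default. Still working out how to solve it!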

wxq491216 avatar Oct 10 '19 01:10 wxq491216

This error is resolved with the command below:

defaults write com.apple.dt.lldb DefaultPythonVersion 2

The newest Xcode 11 uses python3 by default, so this command changes the Python version from 3 to 2.

wxq491216 avatar Oct 10 '19 02:10 wxq491216
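
An added example (not from the thread or from xia0LLDB) of the diagnosis discussed above: it pulls the failing script files out of LLDB's import errors and checks whether a source parses under Python 3. The sample log is abridged from the output quoted in this thread; the function names and sample sources are constructed for illustration.

```python
import re

# LLDB prints one such message per script module it fails to import.
IMPORT_ERR = re.compile(
    r"error: module importing failed: (?P<msg>.+?) "
    r"\((?P<file>[\w.]+\.py), line (?P<line>\d+)\)"
)

def failed_imports(log):
    """Return (file, line, message) for every failed script import in an LLDB log."""
    return [(m["file"], int(m["line"]), m["msg"]) for m in IMPORT_ERR.finditer(log)]

def py3_syntax_errors(sources):
    """Compile each source under the running Python 3; return {name: (line, msg)}."""
    bad = {}
    for name, text in sources.items():
        try:
            compile(text, name, "exec")  # parse only, nothing is executed
        except SyntaxError as exc:
            bad[name] = (exc.lineno, exc.msg)
    return bad

# Abridged from the flattened output quoted in this thread.
SAMPLE_LOG = (
    'error: module importing failed: invalid syntax (choose.py, line 274) '
    'File "temp.py", line 1, in '
    "error: module importing failed: Missing parentheses in call to 'print'. "
    '(xbr.py, line 531) File "temp.py", line 1, in'
)

# Constructed sources: two Python 2 only constructs and one portable file.
SAMPLE_SOURCES = {
    "py2_print.py": 'print "please specify the param"\n',
    "py2_raise.py": "def f():\n    raise ValueError, 'bad'\n",
    "portable.py": "print('ok')\n",
}

if __name__ == "__main__":
    for name, line, msg in failed_imports(SAMPLE_LOG):
        print(f"{name}:{line}: {msg}")
    for name, (line, msg) in py3_syntax_errors(SAMPLE_SOURCES).items():
        print(f"{name}:{line}: not Python 3 syntax ({msg})")
```

The compile check only means something when run under Python 3, the interpreter the thread says Xcode 11's lldb uses by default.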

thanks! I will update xia0LLDB with python3 soon.

4ch12dy avatar Oct 10 '19 02:10 4ch12dy

[-] failed to get text segment:["rror: warning: format specifies type 'unsigned long' but the argument has type 'uint64_t' (aka 'unsigned long long')\nwarning: format specifies type 'unsigned long' but the argument has type 'uint64_t' (aka 'unsigned long long')\nwarning: ISO C++11 does not allow conversion from string literal to 'char *'\nerror: Couldn't lookup symbols:\n _sprint"]

Couldn't lookup symbols:\n _sprint: has this bug been fixed?

colordancer avatar Oct 28 '19 07:10 colordancer

> Couldn't lookup symbols:\n _sprint: has this bug been fixed?

Which app? I'll test it on my side and take a look.

4ch12dy avatar Oct 28 '19 07:10 4ch12dy

> > Couldn't lookup symbols:\n _sprint: has this bug been fixed?
>
> Which app? I'll test it on my side and take a look.

kwai_gif, 6.9.1 [image]

colordancer avatar Oct 28 '19 07:10 colordancer

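It is a matter of execution timing: right after lldb attaches, the modules have not been loaded yet. See this article, http://4ch12dy.site/2019/09/23/lldb-dumpdecrypted/lldb-dumpdecrypted/, and run debugme after xbr -E main (be sure to delete all breakpoints before running it).

One thing to note, though: debugme mainly targets anti-debugging via ptrace and the nasty svc inline assembly; other methods are not handled by debugme for now.

One more point: the 某手 executable does not contain the key code; it is all in another dylib. So manual analysis is needed.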

4ch12dy avatar Oct 28 '19 07:10 4ch12dy

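> It is a matter of execution timing: right after lldb attaches, the modules have not been loaded yet. See this article, http://4ch12dy.site/2019/09/23/lldb-dumpdecrypted/lldb-dumpdecrypted/, and run debugme after xbr -E main (be sure to delete all breakpoints before running it).
>
> One thing to note, though: debugme mainly targets anti-debugging via ptrace and the nasty svc inline assembly; other methods are not handled by debugme for now.
>
> One more point: the 某手 executable does not contain the key code; it is all in another dylib. So manual analysis is needed.

Haha, thanks.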

colordancer avatar Oct 28 '19 07:10 colordancer