I am trying to learn how to debug iOS apps on my jailbroken iOS device using lldb.
I can't seem to figure out why lldb is not able to get functions when gdb is able to. For example, I am trying to find out what is the _mh_execute_header address.
On GDB
(gdb) info func _mh_ex*
All functions matching regular expression "_mh_ex*":
Non-debugging symbols:
0x000e5000 _mh_execute_header
On lldb
(lldb) image lookup -r -n _mh_e*
(lldb) image lookup -r -s _mh_e*
(lldb)
I did some searching around and found this site: http://versprite.com/og/ios-reverse-engineering-part-one-configuring-lldb/ and followed its instructions.
After executing the target create command:
(lldb) target create --arch arm Cood
Current executable set to '/Users/tester/Desktop/Cood' (armv7).
I can do this
(lldb) image lookup -r -n _mh_e*
(lldb) image lookup -r -s _mh_e*
1 symbols match the regular expression '_mh_e*' in /Users/tester/Desktop/Cood:
Address: Cood[0x00004000] (Cood.__TEXT + 0)
Summary: Cood`_mh_execute_header
But then I execute process continue and I get
(lldb) process continue
error: invalid process
I have no idea what is going on.
FYI, I executed the following commands on my Mac to connect to the iOS debug server (OS X Yosemite, Xcode 6.3.1, lldb-330.0.44)
(lldb) platform select remote-ios
(lldb) process connect connect://127.0.0.1:7777
(lldb) process attach -n Cood -w
Any help would be appreciated! Thank you.
Related
I'm using ios-deploy to launch ios app automatically, it works fine but only a probem: it won't restart the app if it's already running.
I have studied its source code and learned it's using the lldb command to launch the app. the lldb script is (part):
def run_command(debugger, command, result, internal_dict):
device_app = internal_dict['fruitstrap_device_app']
args = command.split('--',1)
error = lldb.SBError()
lldb.target.modules[0].SetPlatformFileSpec(lldb.SBFileSpec(device_app))
args_arr = []
if len(args) > 1:
args_arr = shlex.split(args[1])
args_arr = args_arr + shlex.split('{args}')
launchInfo = lldb.SBLaunchInfo(args_arr)
global listener
launchInfo.SetListener(listener)
#This env variable makes NSLog, CFLog and os_log messages get mirrored to stderr
#https://stackoverflow.com/a/39581193
launchInfo.SetEnvironmentEntries(['OS_ACTIVITY_DT_MODE=enable'], True)
lldb.target.Launch(launchInfo, error)
lockedstr = ': Locked'
if lockedstr in str(error):
print('\\nDevice Locked\\n')
os._exit(254)
else:
print(str(error))
the start command:
(lldb) command source -s 0
'/tmp/BB1ED2A3-3A3E-413A-935D-323D7A7533D1/fruitstrap-lldb-prep-cmds-6a050aabefc708cb7fc6024c4dd1743080d6e20b'
Executing commands in
'/tmp/BB1ED2A3-3A3E-413A-935D-323D7A7533D1/fruitstrap-lldb-prep-cmds-6a050aabefc708cb7fc6024c4dd1743080d6e20b'.
(lldb) platform select remote-ios --sysroot
'/Users/wellbye/Library/Developer/Xcode/iOS DeviceSupport/12.0
(16A366)/Symbols' Platform: remote-ios Connected: no SDK Path:
"/Users/wellbye/Library/Developer/Xcode/iOS DeviceSupport/12.0
(16A366)/Symbols" (lldb) target create
"/Users/wellbye/git-repo/j/mj3d/Product/build/ios/Build/Products/Release-iphoneos/mj.app" Current executable set to
'/Users/wellbye/git-repo/j/mj3d/Product/build/ios/Build/Products/Release-iphoneos/mj.app' (arm64). (lldb) script
fruitstrap_device_app="/private/var/containers/Bundle/Application/1FB0E7E3-6616-4789-8E6F-598C4F5AAC35/mj.app"
(lldb) script fruitstrap_connect_url="connect://127.0.0.1:62276"
(lldb) target modules search-paths add /usr
"/Users/wellbye/Library/Developer/Xcode/iOS DeviceSupport/12.0
(16A366)/Symbols/usr" /System
"/Users/wellbye/Library/Developer/Xcode/iOS DeviceSupport/12.0
(16A366)/Symbols/System"
"/private/var/containers/Bundle/Application/1FB0E7E3-6616-4789-8E6F-598C4F5AAC35"
"/Users/wellbye/git-repo/j/mj3d/Product/build/ios/Build/Products/Release-iphoneos"
"/var/containers/Bundle/Application/1FB0E7E3-6616-4789-8E6F-598C4F5AAC35"
"/Users/wellbye/git-repo/j/mj3d/Product/build/ios/Build/Products/Release-iphoneos"
/Developer "/Users/wellbye/Library/Developer/Xcode/iOS
DeviceSupport/12.0 (16A366)/Symbols/Developer" (lldb) command
script import
"/tmp/BB1ED2A3-3A3E-413A-935D-323D7A7533D1/fruitstrap_6a050aabefc708cb7fc6024c4dd1743080d6e20b.py"
(lldb) command script add -f
fruitstrap_6a050aabefc708cb7fc6024c4dd1743080d6e20b.connect_command
connect (lldb) command script add -s asynchronous -f
fruitstrap_6a050aabefc708cb7fc6024c4dd1743080d6e20b.run_command run
(lldb) command script add -s asynchronous -f
fruitstrap_6a050aabefc708cb7fc6024c4dd1743080d6e20b.autoexit_command
autoexit (lldb) command script add -s asynchronous -f
fruitstrap_6a050aabefc708cb7fc6024c4dd1743080d6e20b.safequit_command
safequit (lldb) connect (lldb) run
I have searched the lldb's python api reference, but haven't seen anything (args or flags) I could use for my purpose.
so how could we let the lldb server know it should kill the exist process and start a new one?
It depends on whether you are trying to support rerun behavior (i.e. you make a target, launch the process, then use the same target to re-run) or if you just want to kill off some instance of the app that was running - maybe because it was finger-launched on the device or whatever.
In the first case, since you are reusing the SBTarget, you can just check whether your target has a process (call target.process.IsValid()) and if does kill it with target.process.Kill() before launching.
But if lldb is not responsible for launching the extant copy of the app, then it won't know anything about it, and doesn't really have a way to kill it off.
mac os 10.13.4
I write the command 'dyldinfo' in shell, but is wroing
-bash: dyldinfo: command not found
hope you help me
On recent versions of macOS you can run the tool with xcrun dyldinfo (as long as you have Xcode installed)
First, make sure you have either Xcode or Command Line Tools installed.
If you have one of those, you can find dyldinfo in /Library/Developer/CommandLineTools/usr/bin.
So, to run it, type this into your bash:
/Library/Developer/CommandLineTools/usr/bin/dyldinfo
You can check the dyldinfo path using following command:
$ xcrun --sdk dyldinfo
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/dyldinfo
Showing that the command dyldinfo is under the path:/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/dyldinfo, which means commands like dyldinfo belong to Toolchains of Xcode. Therefore, 'dyldinfo' cannot be used as a separate shell command. Instead, you must invoke it by using xcrun <sdk>.
$ xcrun dyldinfo
Usage: dyldinfo [-arch <arch>] <options> <mach-o file>
-dylibs print dependent dylibs
-dr print dependent dylibs and show any recorded DR info
-rebase print addresses dyld will adjust if file not loaded at preferred address
-bind print addresses dyld will set based on symbolic lookups
-weak_bind print symbols which dyld must coalesce
-lazy_bind print addresses dyld will lazily set on first use
-export print addresses of all symbols this file exports
-opcodes print opcodes used to generate the rebase and binding information
-function_starts print table of function start addresses
-export_dot print a GraphViz .dot file of the exported symbols trie
-data_in_code print any data-in-code information
I submitted a new version of my app to AppStore and it got rejected due to some crashes that I never experienced while testing the app.
Unfortunately I can't seem to be able to reproduce the issue so all I have to analyze the 2 unsymbolicated crash logs (.txt files) they sent me.
However, I am having problems symbolicating them.
Crash Log 1
Crash Log 2
I tried following the steps provided HERE and HERE, as well as other suggestions but no luck.
Here are the things I tried so far:
$ atos -arch arm64 -o Qlear.app.dSYM/Contents/Resources/DWARF/Qlear -l 0x1839fa000 0x0000000183a1c2e8
Unfortunately the command returns only 0x00000001000222e8 (in Qlear)
$ atos -arch arm64 -o 'Qlear.app'/'Qlear' 0x1839fa000
$ atos -arch arm64 -o 'Qlear.app.dSYM/Contents/Resources/DWARF/Qlear' 0x1839fa000
Both commands return 0x1839fa000
$ dwarfdump --uuid Qlear.app.dSYM
$ dwarfdump --uuid Qlear.app.dSYM/Contents/Resources/DWARF/Qlear
Both commands return
UUID: 4FFCBD15-01BA-366A-8C28-E4E613401616 (armv7) Qlear.app.dSYM/Contents/Resources/DWARF/Qlear
UUID: 97BD48FC-11E3-37C9-A081-700DCE0CDB23 (arm64) Qlear.app.dSYM/Contents/Resources/DWARF/Qlear
If I try $ dwarfdump --lookup 0x1839fa000 -arch arm64 Qlear.app.dSYM I get:
----------------------------------------------------------------------
File: Qlear.app.dSYM/Contents/Resources/DWARF/Qlear (arm64)
----------------------------------------------------------------------
Looking up address: 0x00000001839fa000 in .debug_info... not found.
Looking up address: 0x00000001839fa000 in .debug_frame... not found.
So in the end I thought the .dSYM files(I tried the one on my Mac as well as the one from iTunes Connect) are corrupted so I tried dwarfdump --all Qlear.app.dSYM but this seems to be working as it returns a lot of content.
Any ideas what I'm doing wrong here? Am I mixing up the commands, am I using the wrong hex?
Finally, after hours of searching I finally found a solution:
Change the crash logs extension from .txt to .crash.. This is very important since .txt files are not recognized. I was also unable to find any info on this while reading Apple documentation.
Connect an iOS device and start Xcode.
In Xcode, go to Windows > Devices and Simulators (Shift + CMD + 1)
Select the Devices tab and then View Devices Logs.
In the left pane, select This Device and then drag-n-drop the .crash files inside.
Wait for the files to load and get symbolicated. The logs can also be symbolicated manually after drag-n-drop: Right Click on the log > Re-Symbolicate Log.
I've successfully installed Qt 5.7.0 and Qt-creator 4.1.0 on El Capitan with Xcode 8.
I fixed the xcode sdk-version errors from qt, and now I'm trying to build one of the examples for iphonesimulator. None of them work. All of them fail with error message of type:
The following build commands failed:
CopyPNGFile Debug-iphonesimulator/2dpainting.app/Default-568h#2x.png 2dpainting.xcodeproj/Default-568h#2x.png
I can confirm that directory Debug-iphonesimulator/2dpainting.app does not have the png-file, it's actually located somewhere within the qt installation directories. Copying the png to the source folder does not help as the folder gets overwritten upon running 'make'.
Any advice would be appreciated.
Edit:
The build kit warns about the following issue:
"Device type is not supported by the Qt version". Device type is 'iOS simulator'.
I had the same problem after I had updated my Xcode to version 8.0.
My first error was "Project ERROR: Xcode not set up properly. You may need to confirm the license agreement by running /usr/bin/xcodebuild."
To solve this problem, I created a symbolic link:
cd /Applications/Xcode.app/Contents/Developer/usr/bin/
sudo ln -s xcodebuild xcrun
Then I got error "Project ERROR: Current iphonesimulator SDK version (10.0) is too old. Please upgrade Xcode."
I commented two strings out in file QT_DIR/5.7/ios/mkspecs/macx-ios-clang/features/sdk.prf
lessThan(QMAKE_MAC_SDK_VERSION, "8.0"): \
error("Current $$QMAKE_MAC_SDK SDK version ($$QMAKE_MAC_SDK_VERSION) is too old. Please upgrade Xcode.")
Then I got error about emulator. Qt could not find it. I replaced line of code in file QT_DIR/5.7/ios/mkspecs/macx-ios-clang/xcodebuild.mk from:
IPHONESIMULATOR_GENERIC_DESTINATION := "id=$(shell xcrun simctl list devices | grep -E 'iPhone|iPad' | grep -v unavailable | perl -lne 'print $$1 if /((.*?))/' | tail -n 1)"
to:
IPHONESIMULATOR_GENERIC_DESTINATION := "id=$(shell xcrun simctl list devices | grep -E 'iPhone|iPad' | grep -v unavailable | awk 'match ($$0, /\(([A-F0-9\-]*\))/ ) { print substr ($$0, RSTART+1, RLENGTH-2) }' | tail -n 1)"
And finally afer all of it I got error "The following build commands failed:
CopyPNGFile Debug-iphonesimulator/Test01.app/Default-568h#2x.png Test01.xcodeproj/Default-568h#2x.png"
This error occurred due to the fact that the system has two file xcrun. And script /Applications/Xcode.app/Contents/Developer/usr/bin/copypng starts one, which is a symbolic link. Then I changed path in this script
from:
my $PNGCRUSH = `xcrun -f pngcrush`;
to:
my $PNGCRUSH = `/usr/bin/xcrun -f pngcrush`;
And then I finally had built the project without errors and opened it in Xcode.
I had this stupid error and spent two days to nail down. I was about to downgrade Xcode and thought lets try one more time. Finally nailed down.
Symptom:
The simplest project wont build from Qt Creator. The error I would get: CopyPNG failed or something along the line and a hint '-f' unknown parameter.
Reason: xcrun takes both -f and -find from the terminal I can see, but it does not like -f from the script copypng. (copypng is a perl script by the way.)
The solution: Open the file /Applications/Xcode.app/Contents/Developer/usr/bin/copypng and find
my $PNGCRUSH = `xcrun -f pngcrush`;
changed to
my $PNGCRUSH = `xcrun -find pngcrush`;
PS: I dint have path problem with xcrun, if you have it'd be good to put the whole path as advised above.
I launch my iOS app on the device (not simulator) with the following command (app is already installed).
instruments \
-w c717fa22472d7b691ae5763af90e1e44244ad85a \
-t /Applications/Xcode.app/Contents/Applications/Instruments.app/Contents/PlugIns/AutomationInstrument.bundle/Contents/Resources/Automation.tracetemplate \
-D "/Users/mj/Desktop/apps/trace" \
LPSimpleExample-cal \
-e UIARESULTSPATH /Users/mj/Desktop/apps \
-e UIASCRIPT /Users/mj/Desktop/apps/_run_loop.js
6 out of 10 times it is working. In case of an error I get the following message:
2013-10-07 16:45:51.553 instruments[9891:1207] unable to locate CFBundleIdentifier for path: LPSimpleExample-cal
2013-10-07 16:45:51.555 instruments[9891:1207] Recording cancelled : At least one target failed to launch; aborting run
Instruments Trace Error : Error Domain=com.apple.instruments Code=1 "Error Starting Recording" UserInfo=0x7faccbef8fa0 {NSLocalizedDescription=Error Starting Recording, NSLocalizedRecoverySuggestion=At least one target failed to launch; aborting run}
Instruments Trace Error : Failed to start trace.
For me it looks that instruments has a bug here. I tried to launch the app over 100 times, in different scenarios and I can't analyze an error pattern. The device crashlog says:
Process: DTMobileIS [34956]
Path: /Developer/Library/Daemons/DTMobileIS
Identifier: DTMobileIS
Version: ??? (???)
Code Type: ARM (Native)
Parent Process: lockbot [34938]
Date/Time: 2013-10-07 15:29:05.474 -0700
OS Version: iOS 6.1.3 (10B329)
Report Version: 104
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000
Exception type EXC_BAD_ACCESS (SIGSEGV) indicates that an object which is getting accessed has been already released. A SIGSEGV is a segmentation fault, meaning you it is trying to access an invalid memory address. Reference: Exception Types in iOS crash logs
Instead of using the bundleIdentifier I also tried to specify the full app path or the full bundleIdentifier:
# with full app path
instruments \
-w c717fa22472d7b691ae5763af90e1e44244ad85a \
-t /Applications/Xcode.app/Contents/Applications/Instruments.app/Contents/PlugIns/AutomationInstrument.bundle/Contents/Resources/Automation.tracetemplate \
-D "/Users/mj/Desktop/apps/trace" \
/Users/mj/Desktop/apps/LPSimpleExample-cal.app \
-e UIARESULTSPATH /Users/mj/Desktop/apps \
-e UIASCRIPT /Users/mj/Desktop/apps/_run_loop.js
# with full bundleIdentifier
instruments \
-w c717fa22472d7b691ae5763af90e1e44244ad85a \
-t /Applications/Xcode.app/Contents/Applications/Instruments.app/Contents/PlugIns/AutomationInstrument.bundle/Contents/Resources/Automation.tracetemplate \
-D "/Users/mj/Desktop/apps/trace" \
/Users/mj/Desktop/apps/LPSimpleExample-cal.app \
-e UIARESULTSPATH /Users/mj/Desktop/apps \
-e UIASCRIPT /Users/mj/Desktop/apps/_run_loop.js
Configuration details
Instruments version: 5.0 (51166)
XCode version: 5.0 (5A1413)
Device Types: iPhone 5 - 6.1.3, iPhone 5C - 7.02, iPhone 5S - 7.0.2
Has anyone more information in which cases instruments can't launch an app on the device or when do you receive the error message unable to locate CFBundleIdentifier for path: LPSimpleExample-cal?
Are you using Calabash with Jenkins?
Has anyone more information in which cases instruments can't launch an app on the device or > when do you receive the error message unable to locate CFBundleIdentifier for path:
LPSimpleExample-cal?
I had the problem using Calabash on Jenkins and what helped me solve it was to launch instruments (calabash) in the app folder (where there is the xcodeproj.) Don't forget to copy the builded app in this folder.
please excuse me if I do not answer the question.
I had this problem when attempting to run an iOS app with instruments under the control of Xcode Server on the iDevice attached to the server host. That app, however, was never installed on the target iDevice before. I can only surmise that the error message
instruments ... unable to locate CFBundleIdentifier for path: ...
actually refers to the iDevice's file system (where that app is not present) in spite of the fact that the error message reports a path in the file system of the Xcode Server host. After I manually installed the app on the target device using my development machine once, the error message on the server host went away and instruments was working again.
My takeaway is that the error messages of Xcode Server (and/or instruments?) are just abysmally bad. Who needs enemies when you've got error messages like these?