@lauren wrote:
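I've just started learning reverse engineering and want to hook WeChat's red packets. One exploratory step in the tutorial is to locate the method -[BaseMsgContentViewController touchesBegan_TableView:withEvent:] and, at the same time, inspect the input arguments of the next method. According to the tutorial you can simply run the po $x0 command to see what the x0 argument is, but when I actually tried this on my work computer it didn't work: it printed a number. Back home, my home computer is able to print x0 as an object. The detailed steps are as follows:
Work computer:
In Hopper, the memory address of the touchesBegan_TableView:withEvent method is shown as follows:
-[BaseMsgContentViewController touchesBegan_TableView:withEvent:]
0000000101fb4050 stp x22, x21, [sp, #-0x30]! ; Objective C Implementation defined at 0x103de1b68 (instance method), DATA XREF=0x103de1b68
Commands run in the terminal: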
(lldb) breakpoint set -a 0x00000000000b8000+0x0000000101fb4050
Breakpoint 7: where = WeChat`___lldb_unnamed_symbol122979$$WeChat, address = 0x000000010206c050
Process 724 stopped
thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 7.1
frame #0: 0x000000010206c050 WeChat`___lldb_unnamed_symbol122979$$WeChat
WeChat`___lldb_unnamed_symbol122979$$WeChat:
-> 0x10206c050 <+0>: stp x22, x21, [sp, #-0x30]!
0x10206c054 <+4>: stp x20, x19, [sp, #0x10]
0x10206c058 <+8>: stp x29, x30, [sp, #0x20]
0x10206c05c <+12>: add x29, sp, #0x20 ; =0x20
Target 0: (WeChat) stopped.
(lldb) register read
General Purpose Registers:
x0 = 0x000000013512c000
x1 = 0x000000010300a848 "touchesBegan_TableView:withEvent:"
x2 = 0x0000000135dcf6c0
x3 = 0x0000000136302c60
x4 = 0x0000000000000001
x5 = 0x0000000000000001
x6 = 0xc000000000000716
x7 = 0x0000000000000cf0
x8 = 0x0000000000000001
x9 = 0x0000000135ec9230
x10 = 0x0000000135253a00
x11 = 0x00000123000001ff
x12 = 0x0000000135253dc0
x13 = 0x000005a135ec9237
x14 = 0xffffffffffffc000
x15 = 0x0000000000003fff
x16 = 0x000000010300a848 "touchesBegan_TableView:withEvent:"
x17 = 0x000000010206c050 WeChat`___lldb_unnamed_symbol122979$$WeChat
x18 = 0x0000000000000000
x19 = 0x0000000135dcf6c0
x20 = 0x0000000136302c60
x21 = 0x000000013512c000
x22 = 0x0000000104aae028 "m_delegate"
x23 = 0x000000010300a848 "touchesBegan_TableView:withEvent:"
x24 = 0x000000013512c000
x25 = 0x000000013512c000
x26 = 0x0000000000000001
x27 = 0x0000000188e2ab8a "_addTouch:forDelayedDelivery:"
x28 = 0x0000000136324e80
fp = 0x000000016fd45050
lr = 0x0000000102a725cc WeChat`___lldb_unnamed_symbol161687$$WeChat + 248
sp = 0x000000016fd45000
pc = 0x000000010206c050 WeChat`___lldb_unnamed_symbol122979$$WeChat
cpsr = 0x60000000
(lldb) po $x0 <---- this only outputs a number
5185388544
(lldb) x/s $x1
0x10300a848: "touchesBegan_TableView:withEvent:"
(lldb) po $x1
4345342024
Home computer:
(lldb) image list -o -f | grep WeChat
[ 0] 0x00000000000a4000 /var/mobile/Containers/Bundle/Application/BBD0191B-D2A6-4E8B-A25C-8799A41D1CA6/WeChat.app/WeChat(0x00000001000a4000)
(lldb) breakpoint set -a 0x00000000000a4000+0x0000000101fb4050
Breakpoint 1: where = WeChat`ClearDataItem::compareTime(std::__1::shared_ptr const&, std::__1::shared_ptr const&) + 4276892, address = 0x0000000102058050
Process 1157 stopped
thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x0000000102058050 WeChat`ClearDataItem::compareTime(std::__1::shared_ptr<ClearDataItem> const&, std::__1::shared_ptr<ClearDataItem> const&) + 4276892
WeChat`ClearDataItem::compareTime:
-> 0x102058050 <+4276892>: stp x22, x21, [sp, #-0x30]!
0x102058054 <+4276896>: stp x20, x19, [sp, #0x10]
0x102058058 <+4276900>: stp x29, x30, [sp, #0x20]
0x10205805c <+4276904>: add x29, sp, #0x20 ; =0x20
Target 0: (WeChat) stopped.
(lldb) register read
General Purpose Registers:
x0 = 0x00000001580bea00
x1 = 0x0000000102ff6848 "touchesBegan_TableView:withEvent:"
x2 = 0x000000015912ca50
x3 = 0x0000000159105cf0
x4 = 0x0000000000000043
x5 = 0x0000000000000041
x6 = 0x0000000000000000
x7 = 0x0000000000000f80
x8 = 0x0000000102058050 WeChat`ClearDataItem::compareTime(std::__1::shared_ptr<ClearDataItem> const&, std::__1::shared_ptr<ClearDataItem> const&) + 4276892
x9 = 0x0000000000001000
x10 = 0x0000000157be8000
x11 = 0x0000000000000fff
x12 = 0x0000000157be8000
x13 = 0x0000000000003fff
x14 = 0xffffffffffffc000
x15 = 0x0000000000003fff
x16 = 0x0000000198408178 libsystem_malloc.dylib`free
x17 = 0x0000000000000000
x18 = 0x0000000000000000
x19 = 0x000000015912ca50
x20 = 0x0000000159105cf0
x21 = 0x00000001580bea00
x22 = 0x0000000104aa6028 "m_delegate"
x23 = 0x0000000102ff6848 "touchesBegan_TableView:withEvent:"
x24 = 0x00000001580bea00
x25 = 0x00000001580bea00
x26 = 0x0000000000000001
x27 = 0x0000000188e2ab8a "_addTouch:forDelayedDelivery:"
x28 = 0x0000000159376f40
fp = 0x000000016fd59c00
lr = 0x00000001060821b8 LLWXExtension.dylib`_logos_method$_ungrouped$BaseMsgContentViewController$touchesBegan_TableView$withEvent$(BaseMsgContentViewController*, objc_selector*, objc_object*, objc_object*) + 248
sp = 0x000000016fd59b90
pc = 0x0000000102058050 WeChat`ClearDataItem::compareTime(std::__1::shared_ptr const&, std::__1::shared_ptr const&) + 4276892
cpsr = 0x20000000
(lldb) po $x0
<BaseMsgContentViewController: 0x1580bea00>
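My own preliminary analysis:
The confirmation message returned when the breakpoint is set successfully differs between the two setups. At home it is: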
(lldb) breakpoint set -a 0x0000000000034000+0x0000000101fb4050
Breakpoint 1: where = WeChat`ClearDataItem::compareTime(std::__1::shared_ptr const&, std::__1::shared_ptr const&) + 4276892, address = 0x0000000101fe8050
At work it is:
(lldb) breakpoint set -a 0x00000000000b8000+0x0000000101fb4068
Breakpoint 8: where = WeChat`___lldb_unnamed_symbol122979$$WeChat + 24, address = 0x000000010206c068
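'___lldb_unnamed_symbol122979': at work I suspected this unnamed symbol from the very start, but I don't know what exactly is going on. The only difference between the work computer and the home computer is the Xcode version: X10.1 at home and X11.2.1 at work. All other software and plugins were installed following the tutorial. Could an expert please help clear this up?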
Posts: 3
Participants: 2