In the jailbreak environment, we can easily use cycript and reveal to debug applications, but there is a problem that they do not affect the process and there is no way to debug at breakpoints. Reveal is mainly used for interface debugging, and sometimes lldb is also needed for logic debugging.

Xcode debugging has an additional process attached to the process:

After it starts running, it is attached, and you can debug it directly at the breakpoint:

You can view debugging:

The lldb in Xcode can debug applications in mobile phones because the debugserver in mobile phones starts related services. Therefore, in the jailbreak environment, we only need to start the debugserver service to remotely debug the three-party application with LLDB.

Mac can see image files corresponding to different iOS system versions in the directory/applications/xcode.app/contents/developer/platforms/iphoneos.platform/devicesupport:

Open the dmg file and enter the usr/bin directory to view the debugserver. This is the file that xcode installed on the mobile phone:

Xcode will install debugserver on the mobile phone the first time it connects to it.

Specifically installed in the /Developer/usr/bin/ directory of the mobile phone:

Copy the debugserver on the mobile phone, and verify it with md5 and mac.

Md5 conformance verification confirmation.

Due to the permission problem of debugserver, debugserver can only attach programs installed by Xcode by default. You need to re-sign to attach other programs. When obtaining a connection from a remote GDB process fails, it is usually a permission problem.

Re-sign the debugserver by using the ldid tool (installation is required), and you can view the specific functions of the ldid by directly entering the ldid in the computer terminal:

Copy the debugserver export permission file corresponding to the mobile phone version in Xcode (I have iOS 14 here):

The whole content is related to its own unified version. This is iOS 14.0. It is based on two architectures: arm64 and arm64e:

Re-sign after modification (no space after s):

Lid-s rights file debugging server file

If you want to replace the debugserver in the /Developer/usr/bin directory with a re-signed debugserver, you think too much. We do not have permission to modify this directory (read-only directory).

Then we will directly put the re-signed debugserver in the /usr/bin/ directory:

At this point, the debugserver on the mobile phone has been configured.

Before starting the debugserver on the mobile phone, we first add a map to the port map:

Map two ports at the same time, and both iproxy and python scripts can be used.

Enter the /usr/bin/ directory and enter. /debugserver to view available functions:

As you can see, we can open it by process id and name:

Debugging Server Host Address: Port Number-Application Process

Firstly, start the debugging server on the mobile phone:

Enter listening state.

Enter lldb enter directly in mac terminal to enter lldb environment, and then connect:

Process connection connection: //IP: port

It takes a few seconds to connect. When the target stops appearing, the connection is successful, and you can directly enter the command for debugging.

involve

/t/IOs 12-debug server-lldb/ 14429