Debugging an app with debugserver

The phone must be a jailbroken iPhone. The tools used in this article can be downloaded from GitHub.

1. Re-sign debugserver

Copy /Developer/usr/bin/debugserver from the phone to the computer.

Port mapping: map the phone's port 22 to port 2222 on the computer and the phone's port 1234 to port 1234 on the computer. tcprelay.py is inside python-client.zip.
$ python tcprelay.py -t 22:2222 1234:1234
-P (capital P) specifies the port. Press Enter and type the phone's ssh password (default alpine; it can be changed with the passwd command).
$ scp -P 2222 root@localhost:/Developer/usr/bin/debugserver ~/Downloads

Thin debugserver to a single architecture (optional)

List the architectures debugserver contains
$ file debugserver
Extract the arm64 slice
$ lipo debugserver -thin arm64 -output debugserver

Add the entitlements needed to debug apps that were not installed through Xcode

Export debugserver's existing entitlements to ent.xml
$ ldid -e debugserver > ent.xml

Edit ent.xml: add keys such as platform-application and task_for_pid-allow and delete the keys that are not needed. Either of the two edited xml files below can be used.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.backboardd.debugapplications</key>
    <true/>
    <key>com.apple.backboardd.launchapplications</key>
    <true/>
    <key>com.apple.frontboard.debugapplications</key>
    <true/>
    <key>com.apple.frontboard.launchapplications</key>
    <true/>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>com.apple.system-task-ports</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>platform-application</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
```

Or (I have not verified this one):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
```

Copy it, save it as ent.xml, and write it back into debugserver:

$ codesign -fs - --entitlements ent.xml debugserver

Or (this one just kept running for me and did not seem to do anything):
// Note that Sent.xml here is not a file name: -S is the option, and the ent.xml that follows it is the file
$ ldid -Sent.xml debugserver

Copy it to the phone's /usr/bin/ directory (the /Developer/usr/bin directory is read-only) and make it executable.

Copy to the phone's `/usr/bin/` directory
$ scp -P 2222 debugserver root@localhost:/usr/bin/
Set the permissions (on the phone)
$ chmod 777 /usr/bin/debugserver
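As an added example that is not part of the original post, this Python script generates the ent.xml above from the key list and checks an entitlements dump (for instance the output of `ldid -e debugserver` after re-signing) for any required key that is still missing. It assumes every entitlement is a boolean true, as in the two xml files above.

```python
"""Generate the debugserver ent.xml and verify an entitlements dump.

Added example, not from the original post. Assumes every entitlement is a
boolean true, as in the two xml files shown above.
"""
import plistlib
import sys

# Keys the post adds to ent.xml (first xml file above), each set to <true/>.
REQUIRED_KEYS = (
    "com.apple.backboardd.debugapplications",
    "com.apple.backboardd.launchapplications",
    "com.apple.frontboard.debugapplications",
    "com.apple.frontboard.launchapplications",
    "com.apple.springboard.debugapplications",
    "com.apple.system-task-ports",
    "get-task-allow",
    "platform-application",
    "run-unsigned-code",
    "task_for_pid-allow",
)


def build_entitlements(keys=REQUIRED_KEYS):
    """Return ent.xml as bytes: a plist <dict> mapping each key to <true/>."""
    return plistlib.dumps({k: True for k in keys}, fmt=plistlib.FMT_XML)


def missing_entitlements(plist_bytes, required=REQUIRED_KEYS):
    """Parse an entitlements dump (e.g. `ldid -e debugserver`) and return the
    required keys that are absent or not set to true. An empty dump means the
    binary carries no entitlements at all, so every key is reported."""
    if not plist_bytes.strip():
        return sorted(required)
    ents = plistlib.loads(plist_bytes)
    return sorted(k for k in required if ents.get(k) is not True)


# Constructed sample standing in for a dump taken before re-signing: it
# carries only two of the keys, so the check reports the eight still to add.
STOCK_DUMP = build_entitlements(
    ("com.apple.springboard.debugapplications", "get-task-allow"))

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "gen":
        sys.stdout.buffer.write(build_entitlements())  # redirect into ent.xml
    else:
        dump = STOCK_DUMP if sys.stdin.isatty() else sys.stdin.buffer.read()
        for key in missing_entitlements(dump):
            print("missing:", key)
```

Run `python3 check_ents.py gen > ent.xml` to produce the file, and `ldid -e debugserver | python3 check_ents.py` after `codesign` to confirm the entitlements actually landed in the binary.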

2. Debugging the app

Connect to the phone over ssh

ssh root@localhost -p 2222
or
ssh root@127.0.0.1 -p 2222

Start debugserver and listen on port 1234 for debugger commands. The app to be debugged must be opened first.
-a: attach to the named app
DingTalk: the process name of the app to debug (DingTalk is the process name of 钉钉, WeChat that of 微信)
iPhone:~ root# debugserver 127.0.0.1:1234 -a DingTalk
Or (these had no effect for me):
iPhone:~ root# debugserver *:1234 -a DingTalk
iPhone:~ root# debugserver localhost:1234 -a DingTalk
debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-900.3.98
 for arm64.
Attaching to process DingTalk...
error: failed to attach to process named: ""
Exiting.

If you see the output above, the app to debug is not running; open the app first.

iPhone:~ root# debugserver localhost:1234 -a DingTalk
debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-900.3.98
 for arm64.
Attaching to process DingTalk...
Listening to port 1234 for a connection from localhost...
This output means debugserver is listening and waiting for lldb to connect.

Once it is listening, open a new terminal window, start lldb, and enter process connect connect://localhost:1234

$ lldb
(lldb)
(lldb) process connect connect://localhost:1234
Process 14402 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x0000000185d08634 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
->  0x185d08634 <+8>: ret
libsystem_kernel.dylib`mach_msg_overwrite_trap:
    0x185d08638 <+0>: mov    x16, #-0x20
    0x185d0863c <+4>: svc    #0x80
    0x185d08640 <+8>: ret
libsystem_kernel.dylib`semaphore_signal_trap:
    0x185d08644 <+0>: mov    x16, #-0x21
    0x185d08648 <+4>: svc    #0x80
    0x185d0864c <+8>: ret
libsystem_kernel.dylib`semaphore_signal_all_trap:
    0x185d08650 <+0>: mov    x16, #-0x22
Target 0: (DingTalk) stopped.
(lldb)

After entering process connect connect://localhost:1234, wait about half a minute. If output like the above appears, the connection succeeded. At this point the app cannot be interacted with; enter c to continue the process, and the happy (read: miserable) debugging can begin!

References:
https://bbs.pediy.com/thread-203592.htm
https://www.cnblogs.com/2f28/p/11189051.html
https://iosre.com/t/ios12-debugserver-lldb/14429
https://www.jianshu.com/p/5040d3730f3f
