I want to set a breakpoint on a third-party class instance method.
br set -r "\[ThirdPartyClass .*\]$"
But I got (no location).
Then I wanted to look up this class and find what's wrong with it.
image lookup -t ThirdPartyClass
The output is empty. Things became weird.
Finally, I used Hopper to find the address offset of the instance method, which is something like this:
-[ThirdPartyClass aMethod:]:
00000001008f83b8 stp x22, x21, [sp, #-0x30]! ; Objective C Implementation defined at 0x101098168 (instance method), DATA XREF=0x101098168
00000001008f83bc stp x20, x19, [sp, #0x10]
00000001008f83c0 stp x29, x30, [sp, #0x20]
00000001008f83c4 add x29, sp, #0x20
00000001008f83c8 mov x19, x2
00000001008f83cc mov x20, x0
00000001008f83d0 adrp x8, #0x101102000
00000001008f83d4 ldr x1, [x8, #0xb40]
00000001008f83d8 mov x0, x19
00000001008f83dc bl imp___stubs__objc_msgSend
00000001008f83e0 adrp x8, #0x101116000
00000001008f83e4 ldrsw x21, [x8, #0x8d4]
00000001008f83e8 ldr x0, x20, x21
00000001008f83ec adrp x8, #0x101102000
00000001008f83f0 ldr x1, [x8, #0x940]
00000001008f83f4 bl imp___stubs__objc_msgSend
00000001008f83f8 str x19, x20, x21
00000001008f83fc ldp x29, x30, [sp, #0x20]
00000001008f8400 ldp x20, x19, [sp, #0x10]
00000001008f8404 ldp x22, x21, [sp]!, #0x30
00000001008f8408 ret
And I found the base address with this:
image list -f -o
[ 0] /Users/TEP/Library/Developer/Xcode/DerivedData/XXXXXX 0x00000000009e8000
When I mixed all these addresses together:
image lookup -a 0x00000000009e8000+0x0000001008f83b8
I got this:
Address: XXXXXXX[0x00000001008f83b8] (XXXXXXXX.__TEXT.__text + 9376552)
Summary: XXXXXXXXXX`___lldb_unnamed_symbol98$$XXXXXXXXXX
So, what is ___lldb_unnamed_symbol? Where is this class, and why can't I find it?
In the main executable of an app, Objective-C code is stripped out so LLDB is unable to read these symbols. This is different than dynamically linked frameworks, where you can still resolve the symbols.
That being said, you're going after Objective-C, so you can use the Objective-C runtime against itself. There are a number of ways to find the location of that method when loaded into memory. But since I see you're using the regex option in that breakpoint, I'd suggest you take a look at this custom LLDB script that can search the main executable for stripped-out classes:
https://github.com/DerekSelander/LLDB/blob/master/lldb_commands/lookup.py
This command, called lookup, can be used like so:
(lldb) lookup -X \[ThirdPartyClass\s
Using the -l argument you can get the load address of these methods:
(lldb) lookup -X -l \[ThirdPartyClass\s
And of course you can set a breakpoint on all these methods with the -B option:
(lldb) lookup -X -B \[ThirdPartyClass\s
You can see this lookup command being used in this video https://youtu.be/gxfrJuxwblI?t=20m50s
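The "use the Objective-C runtime against itself" route mentioned in the answer above, as an added example (not part of the original answer and not code from the linked lookup.py): an LLDB Python command, here given the hypothetical name bp_imp, that asks the runtime for a method's implementation address and sets an address breakpoint on it. It assumes the process is paused with the Objective-C runtime loaded.

```python
import re

# "-[Class selector:]" or "+[Class selector:]". The strict character set keeps
# arbitrary text out of the expression handed to the expression evaluator.
_SPEC = re.compile(r'^([+-])\[([A-Za-z_]\w*)\s+([A-Za-z_][\w:]*)\]$', re.ASCII)

def parse_method(spec):
    """Split a method spec into (kind, class name, selector)."""
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError('expected -[Class selector:] or +[Class selector:]')
    return m.groups()

def imp_expression(spec):
    """Build an expression that returns the method's IMP, or NULL if absent."""
    kind, cls, sel = parse_method(spec)
    klass = '(void *)objc_getClass("%s")' % cls
    if kind == '+':
        # Class methods are instance methods of the metaclass.
        klass = '(void *)object_getClass(%s)' % klass
    method = ('(void *)class_getInstanceMethod(%s, (void *)sel_registerName("%s"))'
              % (klass, sel))
    return '(void *)method_getImplementation(%s)' % method

def bp_imp(debugger, command, result, internal_dict):
    """LLDB command: bp_imp -[ThirdPartyClass aMethod:]"""
    try:
        expr = imp_expression(command)
    except ValueError as err:
        result.SetError(str(err))
        return
    target = debugger.GetSelectedTarget()
    value = target.EvaluateExpression(expr)
    addr = value.GetValueAsUnsigned(0) if value.GetError().Success() else 0
    if addr == 0:
        result.SetError('class or method not found, or expression failed')
        return
    # The IMP is already a load address, so no slide arithmetic is needed.
    bp = target.BreakpointCreateByAddress(addr)
    result.AppendMessage('breakpoint %d at 0x%x for %s'
                         % (bp.GetID(), addr, command.strip()))

def __lldb_init_module(debugger, internal_dict):
    # Runs when the file is loaded with "command script import".
    debugger.HandleCommand('command script add -f %s.bp_imp bp_imp' % __name__)
```

Load the file with `command script import` and run `bp_imp -[ThirdPartyClass aMethod:]` while the process is stopped.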