What is the best way to debug MobileSubstrate extensions, i.e. placing breakpoints etc.? Is there away to do this in Xcode? GNU Debugger?
I use the syslog and tail. You'll need syslogd and Erica Utilities from Cydia. Then throughout your tweak place NSLog(#"breakpoint 1 - %#", someObject); and run the tweak.
tail -f /var/log/syslog
#define Debugger() { kill( getpid(), SIGINT ) ; }
Then you just call Debugger() wherever you want to place a breakpoint.
You can also raise an exception if you want to trace the stack:
[NSException raise:#"Exception Message" format:formatString];
Mobilesubstrate injects your dylib into the target process. Debugging the target process using GDB or LLDB is also debugging your extension code.
I will show you how to debug Mobilesubstrate extension using GDB.
Here is simple Mobilesubstrate/Logos extension:
%hook SBApplicationController
-(void)uninstallApplication:(id)application {
int i = 5;
i = i +7;
NSLog(#"Hey, we're hooking uninstallApplication: and number: %d", i);
%orig; // Call the original implementation of this method
return;
}
%end
I compile and install the code, and then attaching gdb to it:
yaron-shanis-iPhone:~ root# ps aux | grep -i springboard
mobile 396 1.6 4.3 423920 21988 ?? Ss 2:19AM 0:05.23 /System/Library/CoreServices/SpringBoard.app/SpringBoard
root 488 0.0 0.1 273024 364 s000 S+ 2:22AM 0:00.01 grep -i springboard
yaron-shanis-iPhone:~ root# gdb -p 488
You can find your Mobilesubstrate extension with the command:
(gdb) info sharedlibrary
This command print a list of loaded modules, find your extension:
test-debug-substrate.dylib - 0x172c000 dyld Y Y /Library/MobileSubstrate/DynamicLibraries/test-debug-substrate.dylib at 0x172c000 (offset 0x172c000)
You can also find the address of Logos uninstallApplication hook:
(gdb) info functions uninstallApplication
Which outputs this:
0x0172cef0 _logos_method$_ungrouped$SBApplicationController$uninstallApplication$(SBApplicationController*, objc_selector*, objc_object*)
You can debug your uninstallApplication hook function with breakpoints and other gdb features:
(gdb) b *0x0172cef0+36
Where the offset 36 is the assembly opcode that adding of 7 to the i variable in uninstallApplication hook function. You can continue to debug your Mobilesubstrate extension from here as you wish.
Related
I am trying to setup my Raspberry Pi so I can start learning ARM, and have issues debugging 32-bits ARM files. First, some informations maybe useful to my problem:
$ uname -a
Linux raspberrypi 5.15.32-v8+ #1538 SMP PREEMPT Thu Mar 31 19:40:39 BST 2022 aarch64 GNU/Linux
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
I can write a hello world program (in assembly) for ARM64, compile it using as and ld, then execute it and debug it with gdb without any issue. For 32 bits ARM, after installing the package binutils-arm-linux-gnueabihf, I can compile my files using arm-linux-gnueabihf-as/ld and execute them without issue. However, I have problems debugging them with gdb.
My version of gdb is :
$ gdb -v
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
and I am using the GEF extension. The file command for the 32-bits file gives:
$ file helloworld
helloworld: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, not stripped
After typing gdb helloworld, I can run it using the r command and it does print Hello world, but I can't debug it step by step: setting a breakpoint to the entry point (in my case, 0x10074 - obtained with info file -, which does not seem standard) makes the program run indefinitely, as if it was in an infinite loop, and stopping it with CTRL+C gives me:
$sp : 0x798fdfb4
$lr : 0xc6ac9670
$pc : 0x20
$cpsr: [negative ZERO CARRY OVERFLOW INTERRUPT FAST thumb]
────────────────────────────────────────────────────────────────────────────────────────── stack ────
[!] Unmapped address: '0x55798fdfb4'
─────────────────────────────────────────────────────────────────────────────────── code:arm:ARM ────
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x20
──────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "helloworld", stopped 0x20 in ?? (), reason: SIGINT
I am not sure what is going on. The address in Unmapped address: '0x55798fdfb4' looks like a standard .text address under PIE + ASLR, but I don't know why there would be mapping issues. How could I fix this ?
This answer is more an answer to the question: "How can I learn 32 bit assembly language on my raspberry Pi" than a direct answer to yours:
If your goal is to learn Aarch32 T32 or A32 assembly language on your raspberry Pi, I would strongly suggest to do so on a 32 bit distribution - I am not sure at this stage that you can debug a user mode Aarch32 program on an Aarch64 Linux system using an Aarch64 multiarch GDB or an Aarch32 version of GDB, my own attempts having been unsuccessful, and having not found to this day examples of how exactly to do this.
Another pro of this approach is that you will be able to concentrate on learning 32 bit Arm, and not asking yourself if your programs are not working because of a bug, or because off a potential problem/bug in the tools you are running on your Aarch64 system - my two cents.
If you have a spare 8GiB micro-SD card, you can install a 32 bit version of Ubuntu Server 22.04 from here.
One installed, here is what I am getting on my system:
cat /sys/firmware/devicetree/base/model
Raspberry Pi 3 Model B Rev 1.2
uname -a
Linux ubuntu 5.15.0-1005-raspi #5-Ubuntu SMP PREEMPT Mon Apr 4 12:25:49 UTC 2022 armv7l armv7l armv7l GNU/Linux
Install gcc and gdb:
sudo-apt -get install gcc gdb
Create hello-world.s, adapted from this example:
.arch armv7a
.file "hello-world.s"
.text
.global main
.syntax unified
.thumb
.thumb_func
.type main, %function
main:
mov r0, #1 # 1 = stdout
ldr r1, =hello_world # str pointer
mov r2, #13 # str len
mov r7, #4 # linux write syscall
svc 0 # software interrupt call write
exit:
mov r0, #0 # return code
mov r7, #1 # linux exit syscall
svc 0 # software interrupt call exit
.data
hello_world:
.ascii "Hello World!\n"
.end
as -g -o hello-world.o hello-world.s
gcc -g -o hello-world hello-world.o
./hello-world
Hello World!
GDB debug session:
gdb ./hello-world
GNU gdb (Ubuntu 12.0.90-0ubuntu1) 12.0.90
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "arm-linux-gnueabihf".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./hello-world...
(gdb) b main
Breakpoint 1 at 0x4e0: file hello-world.s, line 10.
(gdb) run
Starting program: /home/ubuntu/hello-world
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
Breakpoint 1, main () at hello-world.s:10
10 mov r0, #1 # 1 = stdout
(gdb) step
11 ldr r1, =hello_world # str pointer
(gdb)
12 mov r2, #13 # str len
(gdb)
13 mov r7, #4 # linux write syscall
(gdb)
14 svc 0 # software interrupt call write
(gdb)
Hello World!
exit () at hello-world.s:16
16 mov r0, #0 # return code
(gdb)
17 mov r7, #1 # linux exit syscall
(gdb)
18 svc 0 # software interrupt call exit
(gdb)
[Inferior 1 (process 3043) exited normally]
(gdb) quit
I am new to using windbg, and I am trying to set a breakpoint inside of the main function of a .net assembly that I am trying to debug, but am getting:
Unable to insert breakpoint 0 at 000001d1`4465384e, Win32 error 0n998 "Invalid access to memory location."
I have tried using bp and bu $exentry to set a break point for the entry to the program, but even that is giving me the same error. I've tried searching other old stackoverflow topics on this issue and through google, but still haven't found a solution.
Any help would be greatly appreciated.
Given a trivial .NET Console application compiled for .NET framework 4.7
using System;
namespace DebugNetMainMethod
{
class Program
{
static void Main()
{
Console.WriteLine("If you can read this, it's too late. You wanted to set a breakpoint earlier.");
Console.ReadLine();
}
}
}
you can use WinDbg Preview to debug it.
Run WinDbg Preview
Choose "Launch Executable" and select the EXE
WinDbg will stop at the initial breakpoint
ntdll!LdrpDoDebuggerBreak+0x2b:
7743ecc2 cc int 3
At this point, you get the problem you described:
0:000> bp $exentry
0:000> bl
0 e Disable Clear 007a27c6 0001 (0001) 0:**** DebugNetMainMethod!COM+_Entry_Point <PERF> (DebugNetMainMethod+0x27c6)
0:000> g
Unable to insert breakpoint 0 at 007a27c6, Win32 error 0n998
"Invalid access to memory location."
0:000> bc 0
0:000> bl
Note: In the future you want to provide exactly the information above, so everyone can reproduce your issue.
WinDbg is not made for .NET but for debugging "native code", i.e. code that was compiled for a specific processor like x86 or AMD64. WinDbg does not work well for Java, Python or .NET. However, for .NET, Microsoft provides an extension called SOS. You would typically load it like this:
0:000> .loadby sos clr
Unable to find module 'clr'
But at this early stage of debugging, not many DLLs have been loaded and the clr is still missing. So let's postpone this:
0:000> sxe ld clrjit
0:000> g
[...]
ModLoad: 72950000 729da000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
[...]
0:000> .loadby sos clr
No output means it worked.
0:000> !bpmd DebugNetMainMethod Program.Main
Found 1 methods in module 00914044...
MethodDesc = 00914d5c
Adding pending breakpoints...
0:000> g
[...]
(2658.2e08): CLR notification exception - code e0444143 (first chance)
JITTED DebugNetMainMethod!DebugNetMainMethod.Program.Main()
Setting breakpoint: bp 00BA085F [DebugNetMainMethod.Program.Main()]
Breakpoint 2 hit
0:000> !clrstack
OS Thread Id: 0x2e08 (0)
Child SP IP Call Site
0075eff4 00ba085f DebugNetMainMethod.Program.Main() [C:\...\Program.cs # 8]
0075f170 63dff036 [GCFrame: 0075f170]
0:000> !u eip
Normal JIT generated code
DebugNetMainMethod.Program.Main()
Begin 00ba0848, size 32
[...]
I am new to this, or better rusted (being 62).
Trying to develop on Beaglebone Black running Debian over IP using Eclipse Luna CDT and linaro tools.
I succeed in running and debugging standard helloworld.c.
Need to control GPIO fast (to connect to uncommon peripheral) but
all attempts to read or write to memory mapped registers fail.
Instruction
i = (*((volatile unsigned int *)(0x4804c130)))
which should read GPIO status register results in
Child terminated with signal = 0xb (SIGSEGV)
GDBserver exiting
logout
This is the source (hellobone.c) I compile without errors:
int main(void)
{
unsigned int i = 1;
i = (*((volatile unsigned int *)(0x4804c130))) ;
}
(I tried all variations on this pointer arithmetic)
Makefile trace: (ignore includes)
---COMPILE--- C:/hellobone/source/hellobone.c
"C:\gcc-linaro\bin\arm-linux-gnueabihf-gcc.exe" -c -o C:/hellobone/object/hellobone.o C:/hellobone/source/hellobone.c -marm -O0 -g -I. -IC:/hellobone/include
.
---LINK---
"C:\gcc-linaro\bin\arm-linux-gnueabihf-gcc.exe" -o hellobone C:/hellobone/object/hellobone.o C:/hellobone/object/tools.o C:/hellobone/object/gpio_v2.o -marm -O0 -g -I. -IC:/hellobone/include
.
The binary also crashes running as root from TTY:
root#beaglebone:~# ./hellobone
Segmentation fault
I installed Eclipse on the BBB Debian and read and write to memory works just fine. Just too slow compiling, and unstable, to be practical.
Reading memory should be doable. What am I doing wrong?
I suspect
GNU gdbserver (GDB) 7.4.1-debian
This gdbserver was configured as "arm-linux-gnueabihf"
But maybe I am missing something obvious, have not seen any post on this problem...
Really stuck. Being working on this for months now. Setting up toolchain very frustrating, nothing works as in YouTube videos..
Any help would be really appreciated
Marco
You need to mmap /dev/mem to access memory mapped peripherals through physical addresses. Easiest example / code I know does this goes by the name devmem2.
Thank you a lot, that certainly helped.
I compiled the program you gave me and it worked perfect in run mode in Eclipse, and in terminal on the remote machine.
Curiously, when running the Eclipse debugger, it crashes executing:
if((fd = open("/dev/mem", O_RDWR | O_SYNC)) == -1) FATAL;
I get this error message from gdbserver
Remote debugging from host 192.168.1.2
/root/hellobone: relocation error: /root/hellobone: symbol �pen, version GLIBC_2.4 not defined in file libc.so.6 with link time reference
Child exited with status 127
GDBserver exiting
Have been trying to use fopen but that gives a segmentation fault. Anyhow, I think that is a toolchain issue and not a programming issue.
I'm attempting to debug a manual dump file of a 64bit w3wp process with 64bit Windbg (Version 6.10). The dump was taken with taskmgr. I can't get anything from the !clrstack command. Here is what I'm getting:
!loadby sos clr
!runaway
User Mode Time
Thread Time
17:cf4 0 days 5:37:42.455
~17s
ntdll!ZwDelayExecution+0xa:
00000000`776208fa c3 ret
!clrstack
GetFrameContext failed: 1
What is GetFrameContext failed: 1?
Use !dumpstack command instead of !clrstack. It usually works.
Try getting the "native" call stack by doing "k" and see what that gets you. Sometimes, the stack isn't quite right and the !ClrStack extension is pretty sensitive.
When i debug a programmer, I found too many lines useless info which appear in GDB. this kind of infomation may come from iphone framework. it is not logged by my code. the info like this
Node 48 TrialMT(102,102,101,101)
Node 58 TrialMT(102,102,101,101)
Node 69 TrialMT(102,102,101,101)
Node 72 TrialMT(102,102,101,101)
Just too much. so i can not find my log.
I want to known is there a way i can export GDB log to a file, so i can find my log info in the file later on.
thanks
In Xcode you can type GDB commands in the debugger console. There you can reset the stdout and stderr file descriptors to your preferred log file like this
(gdb) call (void)close(1)
(gdb) call (void)close(2)
(gdb) call (int)open("/tmp/out.log", 0x201, 0644)
$1 = 1
(gdb) call (int)dup(1)
$2 = 2
(gdb) continue