LLDB动态调试步骤.md

和IDA类似，记录一些内容

全局调试，root下

magisk resetprop ro.debuggable 1
stop
start

快速获取入口类

adb shell "dumpsys package com.starbucks.cn | grep -A 1 MAIN | grep filter | cut -d ' ' -f 10"

adb shell "dumpsys package com.starbucks.cn | grep -A 1 MAIN | grep filter | awk '{print $2}'"

com.starbucks.cn/.home.revamp.launch.RevampLaunchActivity

adb shell am start -D -n com.starbucks.cn/.home.revamp.launch.RevampLaunchActivity

获取进程号，向GPT交流后取得两种方案

ps -ef | grep "[c]om.starbucks.cn" | awk '{print $2}'   

ps -ef | grep "[c]om.starbucks.cn" | tr -s ' ' | cut -d' ' -f2

编写bat如下

@echo off

set PKG=com.starbucks.cn
set PKG_REGEX=[%PKG:~0,1%]%PKG:~1%
for /f "tokens=* USEBACKQ" %%F IN (`adb shell "dumpsys package %PKG% | grep -A 1 MAIN | grep filter | awk '{print $2}'"`) DO (
    set ACTIVITY=%%F
)
echo start %ACTIVITY%

adb shell am start -D -n %ACTIVITY%

timeout /t 1 /nobreak

for /f "tokens=* USEBACKQ" %%F IN (`adb shell "ps -ef | grep "%PKG_REGEX%" | awk '{print $2}'"`) DO (
    set PID=%%F
)

echo "Please use debugger attach to %PID%, continue (Y/N)?"

<nul set /p=attach %PID% | clip

set /p INPUT=

if not defined INPUT (
    set INPUT=Y
)

if /i "%INPUT%"=="Y" (
    echo "Continuing..."
    adb forward tcp:8700 jdwp:%PID%
    jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700
) else (
    echo "Exiting..."
)

pause

查找符号，最后一个参数用于指定库，可以是完整路径，也可以不是

image lookup -r -s "__dl_g_ld_debug_verbosity" /system/bin/linker64

(lldb) image lookup -r -s "__dl_g_ld_debug_verbosity" /system/bin/linker64
1 symbols match the regular expression '__dl_g_ld_debug_verbosity' in /system/bin/linker64:
        Address: linker64[0x00000000000efb90] (linker64.PT_LOAD[3]..bss + 7056)
        Summary: linker64`__dl_g_ld_debug_verbosity

安装code-server

pkg install tur-repo
pkg install code-server

code-server --auth none --bind-addr 0.0.0.0:12123

code-server跑在手机上还是太吃力了

bat脚本使用演示

oCam_2023_05_11_21_53_30_797_2X.mp4