Reputation: 2320
I'm trying to debug an obscure issue with a closed-source command line tool on macOS, and (with some disassembly) it appears that the bug is in a framework it's using. I'd like to confirm the issue, so I fired up LLDB and tried to set a breakpoint in one of the methods in the framework; however, I'm not really sure how to (LLDB can't find the method when I tell it to break, and I can't stop at a memory location either). Can anyone point me in the right direction on how to get LLDB to debug the framework's code?
EDIT: It seems like the issue is not with the framework, but the fact that it is stripped. See my answer below.
Upvotes: 4
Views: 1961
Reputation: 2320
So, I finally realized that the framework that I was working with didn't have debugging symbols (doh!), which is why LLDB couldn't find anything. Working with stripped binaries takes a bit more work, and Apple Technical Note 2239 goes over using the Objective-C runtime to set breakpoints. Here's the example code translated to LLDB as best I could:
$ lldb /Applications/TextEdit.app
(lldb) target create "/Applications/TextEdit.app"
Current executable set to '/Applications/TextEdit.app' (x86_64).
(lldb) r
Process 2463 launched: '/Applications/TextEdit.app/Contents/MacOS/TextEdit' (x86_64)
Process 2463 stopped
* thread #1: tid = 0x437c7a, 0x00007fffea1603ba libsystem_kernel.dylib`mach_msg_trap + 10, stop reason = signal SIGSTOP
frame #0: 0x00007fffea1603ba libsystem_kernel.dylib`mach_msg_trap + 10
libsystem_kernel.dylib`mach_msg_trap:
-> 0x7fffea1603ba <+10>: ret
0x7fffea1603bb <+11>: nop
libsystem_kernel.dylib`mach_msg_overwrite_trap:
0x7fffea1603bc <+0>: mov r10, rcx
0x7fffea1603bf <+3>: mov eax, 0x1000020
(lldb) # Try to find the
(lldb) # -[DocumentController openUntitledDocumentAndDisplay:error:]
(lldb) # symbol.
(lldb) break set -S openUntitledDocumentAndDisplay:error:
Breakpoint 1: where = AppKit`-[NSDocumentController openUntitledDocumentAndDisplay:error:], address = 0x00007fffd21d244f
(lldb) # These are not the droids we're looking for. It turns out that
(lldb) # TextEdit ships with its symbols stripped, so we'll have to do
(lldb) # this the hard way.
(lldb) #
(lldb) # Get the Class object for the DocumentController class.
(lldb) expr -- void *$class = (void *)objc_getClass("DocumentController")
(lldb) # Get the SEL object for the "openUntitledDocumentAndDisplay:error:" method.
(lldb) expr -- void *$sel=(void *)sel_getUid("openUntitledDocumentAndDisplay:error:")
(lldb) # Get a pointer to the method implementation.
(lldb) po (void*)class_getMethodImplementation($class, $sel)
0x0000000100006df4
(lldb) # Set a breakpoint on the method.
(lldb) b 0x0000000100006df4
Breakpoint 2: where = TextEdit`___lldb_unnamed_symbol74$$TextEdit, address = 0x0000000100006df4
(lldb) # Resume execution, and then create a new, untitled document.
(lldb) c
Process 2463 resuming
Process 2463 stopped
* thread #1: tid = 0x437c7a, 0x0000000100006df4 TextEdit`___lldb_unnamed_symbol74$$TextEdit, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
frame #0: 0x0000000100006df4 TextEdit`___lldb_unnamed_symbol74$$TextEdit
TextEdit`___lldb_unnamed_symbol74$$TextEdit:
-> 0x100006df4 <+0>: push rbp
0x100006df5 <+1>: mov rbp, rsp
0x100006df8 <+4>: push r15
0x100006dfa <+6>: push r14
Upvotes: 5
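An added example, not from the answer above or from Apple's note, that wraps the same runtime calls in an LLDB Python command so the lookup runs as one step and fails clearly when the class or selector does not exist (the runtime itself never errors: a missing class yields NULL and an unknown selector yields the `_objc_msgForward` stub). It assumes the file is saved as `objc_break.py`, that a leading `+` marks a class method (whose IMP lives on the metaclass), and that `(void *)_objc_msgForward` evaluates to the forwarding stub's address in the debuggee.

```python
"""LLDB command automating the runtime lookup above: objc_break [+]Class selector"""
import re

# Only the objects LLDB passes in (debugger, result) are used, so no 'import lldb'
# is needed and the pure helpers below can run outside the debugger.
_NAME_RE = re.compile(r"^[A-Za-z_]\w*$")
_SEL_RE = re.compile(r"^[A-Za-z_]\w*(:\w*)*$")

def imp_expression(class_name, selector, class_method=False):
    """Same runtime calls as the manual steps. Class-method IMPs live on the
    metaclass, hence object_getClass() for the '+' case; the regexes stop a stray
    quote in user input from escaping the string literals."""
    if not _NAME_RE.match(class_name) or not _SEL_RE.match(selector):
        raise ValueError("bad class or selector: %r %r" % (class_name, selector))
    cls = '(void *)objc_getClass("%s")' % class_name
    if class_method:
        cls = "(void *)object_getClass(%s)" % cls
    return '(void *)class_getMethodImplementation(%s, (void *)sel_getUid("%s"))' % (cls, selector)

def classify_imp(imp, forward_imp):
    """NULL means no such class; _objc_msgForward means the class exists but the
    selector does not, so the address is not a method worth breaking on."""
    if imp == 0:
        return "no-such-class"
    if imp == forward_imp:
        return "no-such-method"
    return "ok"

def objc_break(debugger, command, result, internal_dict):
    """Process must already be running so the runtime is loaded (the 'r' step above)."""
    args = command.split()
    if len(args) != 2:
        result.SetError("usage: objc_break [+]ClassName selector")
        return
    is_cls = args[0].startswith("+")  # '+' prefix for class methods (assumed convention)
    expr = imp_expression(args[0].lstrip("+"), args[1], is_cls)
    target = debugger.GetSelectedTarget()
    frame = target.GetProcess().GetSelectedThread().GetSelectedFrame()
    imp = frame.EvaluateExpression(expr).GetValueAsUnsigned()
    forward = frame.EvaluateExpression("(void *)_objc_msgForward").GetValueAsUnsigned()
    status = classify_imp(imp, forward)
    if status != "ok":
        result.SetError("%s: %s %s" % (status, args[0], args[1]))
        return
    bp = target.BreakpointCreateByAddress(imp)
    result.AppendMessage("Breakpoint %d at 0x%x" % (bp.GetID(), imp))

def __lldb_init_module(debugger, internal_dict):
    # Assumes the file is saved as objc_break.py and loaded via 'command script import'.
    debugger.HandleCommand("command script add -f objc_break.objc_break objc_break")
```

Inside lldb: `command script import /path/to/objc_break.py`, run the process, then `objc_break DocumentController openUntitledDocumentAndDisplay:error:`.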