(lldb) br s -a '0x6+0x9'
Breakpoint 6: address = 0x0000000f

Note that the “X” in the output “Breakpoint X:” is an integer id of that breakpoint, and we will use this number soon. When the process stops at a breakpoint, the instruction holding the breakpoint has not been executed yet.

In reverse engineering we’ll be debugging assembly code, so in most cases we’ll be setting a breakpoint on a specific assembly instruction instead of on a function. To set a breakpoint on an assembly instruction, we have to know its base address with offset (the address in the running process, i.e. the base address in the binary plus the ASLR offset), which we have already explained in detail. Now let’s take -[SpringBoard _menuButtonDown:] as an example and set a breakpoint on its first instruction as a demonstration.


- Find the base address without offset in IDA

Open SpringBoard’s binary in IDA, switch to Text view after the initial analysis and locate “-[SpringBoard _menuButtonDown:]”, as shown in figure 4-17.

Figure 4-17 [SpringBoard _menuButtonDown:]

As we can see, the base address without offset of the first instruction “PUSH {R4-R7, LR}” is 0x17730.


- Find the ASLR offset in LLDB

SSH into iOS and run debugserver with the following commands:


snakeninnysiMac:~ snakeninny$ ssh root@iOSIP
FunMaker-5:~ root# debugserver *:1234 -a "SpringBoard"
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-320.2.89
for armv7.
Attaching to process SpringBoard...
Listening to port 1234 for a connection from *...
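Once debugserver is attached and LLDB is connected, the ASLR offset of a module can be read from the output of LLDB’s `image list -o -f` command, and the breakpoint address is that offset added to the base address found in IDA. The following added example (not code from the book) computes this from a constructed copy of that output; the exact `image list` line layout and the slide value 0x2f000 are assumptions for illustration.

```python
import re

# Constructed sample of LLDB `image list -o -f` output (not captured from a real device).
# Column 2 is the load offset (ASLR slide), column 3 the module's full path.
SAMPLE_IMAGE_LIST = """\
[  0] 0x0002f000 /System/Library/CoreServices/SpringBoard.app/SpringBoard
[  1] 0x00000000 /usr/lib/dyld
[  2] 0x0b1a4000 /System/Library/Frameworks/UIKit.framework/UIKit
"""

# One image line: "[ index] 0xOFFSET /full/path"  (assumed layout, see lead-in)
IMAGE_LINE = re.compile(r"^\[\s*\d+\]\s+(0x[0-9a-fA-F]+)\s+(\S+)$", re.MULTILINE)


def aslr_offset(image_list_output, module_name):
    """Return the ASLR slide of `module_name` parsed from `image list -o -f` output."""
    for match in IMAGE_LINE.finditer(image_list_output):
        offset, path = match.groups()
        # Match on the last path component so a bare module name is enough.
        if path.rsplit("/", 1)[-1] == module_name:
            return int(offset, 16)
    raise LookupError(f"module {module_name!r} not found in image list")


def breakpoint_address(base_without_offset, slide):
    """Base address from IDA (without offset) + ASLR slide = address in the live process."""
    return base_without_offset + slide


def lldb_breakpoint_command(base_without_offset, slide):
    """Build the LLDB command in the book's `br s -a 'base+offset'` form."""
    return f"br s -a '0x{base_without_offset:x}+0x{slide:x}'"


if __name__ == "__main__":
    slide = aslr_offset(SAMPLE_IMAGE_LIST, "SpringBoard")
    ida_base = 0x17730  # first instruction of -[SpringBoard _menuButtonDown:] from figure 4-17
    print(f"ASLR offset: 0x{slide:x}")
    print(f"breakpoint address: 0x{breakpoint_address(ida_base, slide):x}")
    print(lldb_breakpoint_command(ida_base, slide))
```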