dyld`_dyld_start:
0x1fec7000: mov r8, sp
0x1fec7004: sub sp, sp, #16
0x1fec7008: bic sp, sp, #7
0x1fec700c: ldr r3, [pc, #112] ; _dyld_start + 132
(lldb) image list -f
[ 0] /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1
(12B411)/Symbols/usr/lib/dyld
Right at this moment, MainBinary is not run yet, and we are inside dyld. Next, keep
entering “ni” until LLDB outputs “error: invalid thread”:
(lldb) ni
Process 450336 stopped
* thread #1: tid = 0x6df20, 0x1fec7004 dyld`_dyld_start + 4, stop reason = instruction
step over
frame #0: 0x1fec7004 dyld`_dyld_start + 4
dyld`_dyld_start + 4:
0x1fec7004: sub sp, sp, #16
0x1fec7008: bic sp, sp, #7
0x1fec700c: ldr r3, [pc, #112] ; _dyld_start + 132
0x1fec7010: sub r0, pc, #8
(lldb)
Process 450336 stopped
- thread #1: tid = 0x6df20, 0x1fec7008 dyld
_dyld_start + 8, stop reason = instruction step over frame #0: 0x1fec7008 dyld_dyld_start + 8
dyld`_dyld_start + 8:
0x1fec7008: bic sp, sp, #7
0x1fec700c: ldr r3, [pc, #112] ; _dyld_start + 132
0x1fec7010: sub r0, pc, #8
0x1fec7014: ldr r3, [r0, r3]
......
(lldb)
error: invalid thread
No more “ni” when the error occurs; now dyld begins to load MainBinary. Wait a moment,
the process will stop again, and we are inside MainBinary, it’s okay to debug then:
Process 450336 stopped
* thread #1: tid = 0x6df20, 0x1fec7040 dyld`_dyld_start + 64, queue = ‘com.apple.main-
thread, stop reason = instruction step over
frame #0: 0x1fec7040 dyld`_dyld_start + 64
dyld`_dyld_start + 64:
0x1fec7040: ldr r5, [sp, #12]
0x1fec7044: cmp r5, #0
0x1fec7048: bne 0x1fec7054 ; _dyld_start + 84
0x1fec704c: add sp, r8, #4
Check out ASLR offset of Foundation.framework:
(lldb) image list -o -f
[ 0] 0x000fc000 /private/var/tmp/MainBinary(0x0000000000100000)
[ 1] 0x000c6000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1
(12B411)/Symbols/usr/lib/dyld
[ 2] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1
(12B411)/Symbols/System/Library/Frameworks/Foundation.framework/Foundation
......