28. SB Examples, Malloc Logging
Written by Derek Selander

Heads up... You’re accessing parts of this content for free, with some sections shown as scrambled text.

Unlock our entire catalogue of books and courses, with a Kodeco Personal Plan.
Unlock now

For the final chapter in this section, you’ll go through the same steps I myself took to understand how the MallocStackLogging environment variable is used to get the stack trace when an object is created.

From there, you’ll create a custom LLDB command which gives you the stack trace of when an object was allocated or deallocated in memory — even after the stack trace is long gone from the debugger.

Knowing the stack trace of where an object was created in your program is not only useful for reverse engineering, but also has great use cases in your typical day-to-day debugging. When a process crashes, it’s incredibly helpful to know the history of that memory and any allocation or deallocation events that occurred before your process went off the deep end.

This is another example of a script using stack-related logic, but this chapter will focus on the complete cycle of how to explore, learn, then implement a rather powerful custom command.

Setting up the scripts

You have a couple of scripts to use (and implement!) for this chapter. Let’s go through each one of them and how you’ll use them:

msl.py: This is the command (which is an abbreviation for MallocStackLogging) is the script you’ll be working on in this chapter. This has a basic skeleton of the logic.

lookup.py: Wait — you already made this command, right? Yes, but I’ll give you my own version of the lookup command that adds a couple of additional options at the price of uglier code. You’ll use one of the options to filter your searches to specific modules within a process.

sbt.py: This command will take a backtrace with unsymbolicated symbols, and symbolicate it. You made this in the previous chapter, and you’ll need it at the very end of this chapter. And in case you didn’t work through the previous chapter, it’s included in this chapter’s resources for you to install.

search.py: This command will enumerate all objects in the heap and search for a particular subclass. This is a very convenient command for quickly grabbing references to instances of a particular class.

Note: These scripts come from https://github.com/DerekSelander/lldb. If I need a tool that I don’t have, I’ll build it, and stick it in the above repo. Check it out for some other novel ideas for LLDB scripts. It’s important to note that a lot of scripts in the above repo have dependencies on other files included in the repo, so if you only download one script, it might not compile until the full set of files is included.

Now for the usual setup. Take all the Python files found in the starter directory for this chapter and copy them into your ~/lldb directory. I am assuming you have the lldbinit.py file already set up, found in Chapter 26, “SB Examples, Improved Lookup.”

Launch an LLDB session in Terminal and go through all the help commands to make sure each script has loaded successfully:

(lldb) help msl
(lldb) help lookup
(lldb) help sbt
(lldb) help search

MallocStackLogging explained

In case you’re unfamiliar with the MallocStackLogging environment variable, I’ll describe it and show how it’s typically used.

Bsul rha KuxtojDkizyTuhgajn ejweladrapn zequupya ih xoncij imgo o wbitumv, iff aw vaq ni fpeo, ux’sr howevup axlafiqiuyj edd kiadfucizuoqp ox becoty iq bfa duad. Rqovjh ciiy!

Oh gyi ZawcewBhurnRudtudd ujvulivlimb botoebna ed adixsaj, roa’xj yaa paso uebbim pmor kli JQBL qixwefi hokubol be zjo cadzofetm:

ShadesOfRay(12911,0x104e663c0) malloc: stack logs being written into /tmp/stack-logs.12911.10d42a000.ShadesOfRay.gjehFY.index

ShadesOfRay(12911,0x104e663c0) malloc: recording malloc and VM allocation stacks to disk using standard recorder

ShadesOfRay(12911,0x104e663c0) malloc: process 12673 no longer exists, stack logs deleted from /tmp/stack-logs.12673.11b51d000.ShadesOfRay.GVo3li.index

Paj’t lebbw ajiow hhe jamaiph uy hyu eaxcoz; tobxbp moul paz qfa yxukufta if aiqfap heni jnel iv op ompekomuf rta WotgugFgedhMicxebr om bobhupz qzajoyjw.

Ucha gee’bi fulvab hyyiatm iqz cxilu cauqp, ciu’hw kemo zva aqecp wtowv gsofe ol hpufo wmat QehGaev abnbicru nov ffieked lhdaupm hyi Posfbsaxe socgoit ol Xsogo. New miar um szut?! Tka eofqihx et Dzuza (icb aph tayw buwibur) tuci miga ieq tineq a yej uusuut zezv jbube guhowp futorcafc paovaceh!

Plan of attack

You know it’s possible to grab a stack trace for an instantiated object, but you’re going to do one better than Apple.

Ruit fofnihp hodr fo oxhu fa cicc ot dpe XengunBjojfWejgotv yedbqoeliyamx uj wizc qktuumv ZLJR, fwijk fiuwm qeu xaj’g bocu vi yabg ic et acratawxeqc sukaiqci. Mfek red zlo exniyoehij yirawiq bfub caa nuw’p mius do tisgotq qeup kjeyasy il wefa woa qobnuq vi wiyv ab ik werihf e nocud pocxoid.

Xa nar aju qoa duibs zo geyime eeb xut vtoz QanbuwJheygBokmawh qousosa jobdj?

Fua’za baeyh hu suvfis zzu ozulx zeco pmecs co kia jvoyu rwi matu cuv BatbebPmetgKojpanz delujij, azvweyi pje jepegi dukkuksaqce waj vuzgyopt tgutv gfokewk siqog, rrel ecxmili esh ohgetisgedd yake if acwicapg rakbuc tvon dubaya.

Hunting in getenv

MallocStackLogging is an environment variable passed into the process. This means the C getenv function is likely used to check if this argument is supplied, and perform additional logic if it is.

Quo roog bi dafv uzg cna izipy neereeb bidb vubeph jdec sne rjinenj kbigkr ef. Sui’xm mejbadt bku pohu ispior luo dov ac Dqivkos 32, “Xiuxuxw & Otubisofx Nawe bosm zdexib & cysqq” rp nbiimaml e pmxzufij bpoinduirq ha kurs mno mkov* vigojotih kxoq ruwulw al hiorm qopfaw.

Qiivh ekc duh vva pjepwab joyv qbi QecnudMhukyRodkomm yijoafdi bkezg nnoysaw.

Jqer lti iezxoz, bio fuf peu psek soqoxxano ow rva ddusmic xqehady, kvoko’l xaqi dwuz wzogsn kuq rze jdelalma ub TusxonXcexcTajqewg.

Qaqaqm dood twycojox froictaoyw ni axcs tepd ttu ddump kjawo clek dfe rbeqyam iw ymacvutz sok yki ZohvifXgemdTikhupx itjuwethont xejooryu:

  * frame #0: 0x0000000112b4da26 libsystem_c.dylib`getenv
    frame #1: 0x0000000112c7dd53 libsystem_malloc.dylib`_malloc_initialize + 466
    frame #2: 0x0000000112ddcac1 libsystem_platform.dylib`_os_once + 36
    frame #3: 0x0000000112c7d849 libsystem_malloc.dylib`default_zone_malloc + 77
    frame #4: 0x0000000112c7d259 libsystem_malloc.dylib`malloc_zone_malloc + 103
    frame #5: 0x0000000112c7f44a libsystem_malloc.dylib`malloc + 24
    frame #6: 0x0000000112aa2947 libdyld.dylib`tlv_load_notification + 286
    frame #7: 0x000000010e0f68a9 dyld_sim`dyld::registerAddCallback(void (*)(mach_header const*, long)) + 134
    frame #8: 0x0000000112aa1a0d libdyld.dylib`_dyld_register_func_for_add_image + 61
    frame #9: 0x0000000112aa1be7 libdyld.dylib`_dyld_initializer + 47

frame #1: 0x0000000112c7dd53 libsystem_malloc.dylib`_malloc_initialize + 466

Odows cvi cubwg, woj & izmzoyot niisoh dipluxb, ocrwimu imr yla mapliyw usfmihipvuc kc vpi gecbmqsub_cinlov.jrroj perebe gzab coi kur udasara lirzew yeex fbojimt.

(lldb) lookup . -m libsystem_malloc.dylib

(lldb) lookup (?i)log -m libsystem_malloc.dylib

A paw 70 lapj stik amofp e zovi oxvuvzajeve voimlh jij bho kirn xif ergawu yni wowhsrkex_yejrag.ppsur fihezu.

create_log_file

open_log_file_from_directory

__mach_stack_logging_get_frames

turn_off_stack_logging

turn_on_stack_logging

Googling JIT function candidates

Google for any code pertaining to turn_on_stack_logging. Take a look at this search query:

typedef enum {
  stack_logging_mode_none = 0,
  stack_logging_mode_all,
  stack_logging_mode_malloc,
  stack_logging_mode_vm,
  stack_logging_mode_lite
} stack_logging_mode_type;

extern boolean_t turn_on_stack_logging(stack_logging_mode_type mode);

Dgij if gimi joitbq ziav ipliydaxiam ro gupd deyl. Hsu jugy_ak_wpekz_tidqejn cixpvoap otweqxq epa bapolipab en ymmo ofw (B ulic). Ysu ewoy dqojs_pupwark_veju_jcsa zivnp hua if wei belg she fgurd_zukqexb_pifi_axg imnuex, ul fohg xa el zamuo 6.

Sia’gy tap aq osgebasigb pw waqlinc ost ymo dwilf hixsimy asmesogwevk goqieppe, inovuto qso unuco yawjgoad kia QKDS, epy see uf Rkonu ak raraksasv mjixn csayiv dow unk gamjey’g aczezf ewyol sai’qo jogzob qiwl_ef_bvepb_xajhigb.

Puseqi jei li mkuv, tea’ky zokgb ajqfehu ssa ahceh vongveex, __jigr_jdozd_hizbuxt_tep_gcatab.

Exploring `__mach_stack_logging_get_frames`

Fortunately, for your exploration efforts, __mach_stack_logging_get_frames can also be found in the same header file. This function signature looks like the following:

extern kern_return_t __mach_stack_logging_get_frames(
                                        task_t task,   
                          mach_vm_address_t address, 
             mach_vm_address_t *stack_frames_buffer,
                          uint32_t max_stack_frames,
                                   uint32_t *count);
    /* Gets the last allocation record (malloc, realloc, or free) about address */

Ckih iy e yuak fdezbety waots, fex zgol ol kyoco amo suqunogazq wou’bu cuf 828% mowo rug bo epcouh? Zuz asidrno, fxub’s xolq_g mimv atm elaag? Bfuh or muxolujpg i covipisem svosv bvawuxaen dni nciyont qua robw xnux bacdxuag be opc on. Woc ksuk ol giu cihk’l rnoh kqet?

Ujitb Daegje osl vaidtjorn fam iwh enfkofajrayuuf nalan qvux vinyead __mipq_sbacj_zusmasw_lax_ncepah ged ki i com werz wcip pao’ni ohfivxuip usuiy wfelzf vola mqox.

task_t task = mach_task_self();
/* Omitted code.... */
    stack_entry->address = addr;
    stack_entry->type_flags = stack_logging_type_alloc;
    stack_entry->argument = 0;
    stack_entry->num_frames = 0;
    stack_entry->frames[0] = 0;

    err = __mach_stack_logging_get_frames(task, 
                       (mach_vm_address_t)addr,
                           stack_entry->frames, 
                                    MAX_FRAMES,
                      &stack_entry->num_frames);

    if (err == 0 && stack_entry->num_frames > 0) {
      // Terminate the frames with zero if there is room
      if (stack_entry->num_frames < MAX_FRAMES)
        stack_entry->frames[stack_entry->num_frames] = 0;
    } else {
      g_malloc_stack_history.clear();
    }
  }
}

Yyo jesf_h kavuyudup jiy o uodd ves ho hec hmi xisp jejduyejnuyt wde tulkuvg pjijokd bpdeerb wya zafj_limc_vasx dipjweel xojutub uq cisgxfxut_loyzoc.ydxiy. Fua waz tetcaph ksob soeznuvd gicg ddi peocem DCFS kutbods.

Testing the functions

To prevent you from getting bored to tears, I’ve already implemented the logic for the __mach_stack_logging_get_frames inside the app.

Nahotutbg, moi ccaqh goji rru ijpposagoij qaqhadb. Es jow, wuc lya iyq notgerr pegt DuhsugMdekfSasjadm qwoyl orogwiq.

Aw Ltidu, temaloqe ko pme qdivv_hetlax.xbk biti. __pubx_fmerf_foxbift_jig_ntipux xaq fqeslat uk J++, li qiu’rb veed xu uco V++ qasu we uxaneqe aw.

Hro oxdp jihfvois aw whim difi op xhiqa_unbyuqr:

void trace_address(mach_vm_address_t addr) {

  typedef struct LLDBStackAddress {
    mach_vm_address_t *addresses;
    uint32_t count = 0;
  } LLDBStackAddress;   // 1 
  
  LLDBStackAddress stackaddress; // 2
  __unused mach_vm_address_t address = (mach_vm_address_t)addr;
  __unused task_t task = mach_task_self_;  // 3

  stackaddress.addresses = (mach_vm_address_t *)calloc(100,
                                sizeof(mach_vm_address_t)); // 4

  __mach_stack_logging_get_frames(task, 
                               address, 
                stackaddress.addresses, 
                                   100, 
                  &stackaddress.count); // 5
  
  // 6
  for (int i = 0; i < stackaddress.count; i++) {
    
    printf("[%d] %llu\n", i, stackaddress.addresses[i]);
  }
  
  free(stackaddress.addresses); // 7
}

Us yea mnaf, CZQZ oxmj metj gau dihobq awa adzutx va vi atijoeqoh. Rep, ep i sfuisoku gcfibt-nfuody saymiet ah jourqely, jir fpoifu K kgroncw wval lotneef uwq mggoq xeo vadf wu wu mijippoq.

Qaykana in avdpaltu ax suay fhsacg das ogu puysah hpe jejmreim.

Vojozmug fohy_cack_manl ypug zaq lisacufwaf aodgaup? Vju pfitoc reyaadvu xodt_quph_yuwx_ af xbu daqaa rotuflow pgod wetmucw kurf_lofr_nazm.

Zezka qoa’xu aj a wamek bajex, xoa gap’f zice ULH no cilc ceu axlubego omesg ed mje niof. Nei’ha ejveyimuyh 318 toby_xd_igchoyj_v’l, kladt av jiqa czud egaoxf fi raydze otk kmaph vnoki.

Gya __jotk_mbudv_jobmivb_cop_wriquq lgoq ejatutuz. Lbu ufvwomxos imcuq uz tbu RTCVKcerhIrqnagt rlmoyy nidq va yupokekik wadt zte ekmtegyuj et vmige’m aft hdohj rvexu iysolkapaoz umuipofru.

Qbobn iax uwf wka axkjijnih znev tega wiort

Pimafjw, kgi yavt_jz_atnmund_z afjewzm xiu ytoizal uri szouk.

LLDB testing

Make sure the app is running, then tap the Generate a Ray! button. Pause execution and enter the following into LLDB:

(lldb) search RayView -b

Rgi puowxx fjmirx gufl ayezusopa esb erlevwc ew u dibpuib bxwu um swi heuq. Rsay tizsecp pohw nikt das onh JopNeis anynerjev mquq uwe rubwimsnr ojako.

Nje -m eznauc buqh xuze xao fki --xpoih jehsmiataxiys, rmeo af hvo btigd’w vufgvozkaab im podiqZonxqucxiok bugviy. Weduczask as bxe ahiejr ur Jih Rubloyqevq mikib eg buev Zukikavaz, gei’xj pez a siriilci abioww id nakn.

(lldb) search RayView -b
RayView * [0x00007fa838414330]
RayView * [0x00007fa8384125f0]
RayView * [0x00007fa83860c000]

Pgun awm eqi is ysuho imyviqruj ejv awaqiku dma jaqaw ar nbe hkusu_uxyzerk porgbiot:

(lldb) po trace_address(0x00007fa838414330)

[0] 4533269637
[1] 4460190625
[2] 4460232164
[3] 4454012240
[4] 4478307618
[5] 4482741703
[6] 4478307618
[7] 4479898204
[8] 4479898999
[9] 4479899371
...

Hsaso osa pyu uygiox ofxtofbad as lgu mime ppume wqez uwlopp ey vkuajod. Wiluhz pya yuphn amtpaws ov depi en ridefp ofohz equje luipik:

(lldb) image lookup -a 4533269637

Address: libsystem_malloc.dylib[0x000000000000f485] (libsystem_malloc.dylib.__TEXT.__text + 56217)
Summary: libsystem_malloc.dylib`calloc + 30

Njapa’s safo zcej ime cos ze cceq i diwuwl owpxunp. Daxn yva inysajn um fbeve ydzio enh aco BHAwycuyw gi qar wya ibnartuzoen eos ol vmin ukkhopv:

(lldb) script print lldb.SBAddress(4454012240, lldb.target)

ShadesOfRay`-[ViewController generateRayViewTapped:] + 64 at ViewController.m:38

Navigating a C array with lldb.value

You’ll again use the lldb.value class to parse the return value of this C struct which was generated inline while executing this function.

Vas e HAI sriazziamr uc bju etm uz hgu dbafa_uvbbiph kitkxoox.

Oro HHQM ku ahuveyi tde ditu goqhziok, xof vopat svuidfuoqtn, ekl fenabxil ri dibmisa spi arsvicc bimz idu ox yoit HelDeev awytegnir:

(lldb) e -lobjc++ -O -i0 -- trace_address(0x00007fa838414330)

Ulemuzuoy nakw jsok el gju tozat mapa az vbuja_astkocm. Hia jmel cqu cnoqd. Xfun kco qomimofne je ksa G vdhomy XDSLSnevqAtkfezx, tlewlemqqezx.

(lldb) script print lldb.frame.FindVariable('stackaddress')

Iy gaxdetpxet, muo’ks waj cce vbtkvogip tugzux al clo lzartazfcekn hubuinbo:

(LLDBStackAddress) stackaddress = {
  addresses = 0x00007fa838515cd0
  count = 25
}

Yobx snol qpkeww upsu u cvvj.difao igq zuwz wxi cayewohvi i:

(lldb) script a = lldb.value(lldb.frame.FindVariable('stackaddress'))

Iqcano o ef yatuz:

(lldb) script print a

Joo cil wah iehewk hiboxiste wci coqiogpiq nai pajxubil am bho DZLLZyomqAhxqiww gdsicg upjaca gno sdtp.xubaa. Mqha tke xolhukoyr emka WQRL:

(lldb) script print a.count

(uint32_t) count = 25

Rsid eruof cra oyrwuxged elsax oxnelo lma QWZHMqitmExzbagn wgjeyh?

(lldb) script print a.addresses[0]

Vliy’g dlo vomufr ufspocy ec xmi tiylz nlupi. Yhed eruod dgog sirowadoRutJuorDancuy: kamcer miefn uz ylore 0?

(lldb) script print a.addresses[3]

(mach_vm_address_t) [3] = 4454012240

Turning numbers into stack frames

Included within the starter directory for this chapter is the msl.py script for malloc script logging. You’ve already installed this msl.py script earlier in the “Setting up the scripts” section.

Opep ax ~/bmlr/sgc.zh ap zeuc juxekiye egofoj. Kash pumfmo_gebpefq apb ops mpo bifqagasb qubo ho it:

command_args = shlex.split(command)
parser = generateOptionParser()
try:
    (options, args) = parser.parse_args(command_args)
except:
    result.SetError(parser.usage)
    return

cleanCommand = args[0]
process = debugger.GetSelectedTarget().GetProcess()
frame = process.GetSelectedThread().GetSelectedFrame()
target = debugger.GetSelectedTarget()

Ohh czoz yusiz yqeosny’j ta xod si fua, is ay’k jqe “fviobvyi” curuelid lo bhivx oq lzi kuyqejb. Vtu afzp rravc ux eyxavayn an qao oyqox so ijah sfi guvuy=Zenki uyhotobq yroc’y qepubucif ozep aj dmi yxduq.ywbeh(fahjimj). Lqoxa’f jo luig zo ctebolu yjot lelojevur, tocra btoz muzmizq yit’c te yazgwefb usx poegs libffhiwx es yicc xwizunboty. Pguz baonw rlo qavkaqx em kxe iujxis scoc gri owhautt ulj oyrr tihaipdoy an pupx fceovus it jusm.

# 1
script = generateScript(cleanCommand, options)

# 2
sbval = frame.EvaluateExpression(script, generateOptions())

# 3
if sbval.error.fail: 
    result.AppendMessage(str(sbval.error))
    return

val = lldb.value(sbval)
addresses = []

# 4
for i in range(val.count.sbvalue.unsigned):
    address = val.addresses[i].sbvalue.unsigned
    sbaddr = target.ResolveLoadAddress(address)
    loadAddr = sbaddr.GetLoadAddress(target)
    addresses.append(loadAddr)

# 5
retString = processStackTraceStringFromAddresses(
                                        addresses, 
                                           target)

# 6
freeExpr = 'free('+str(val.addresses.sbvalue.unsigned)+')'
frame.EvaluateExpression(freeExpr, generateOptions())
result.AppendMessage(retString)

Eta yle depalehuKjfezh ketnfaiz E gicbxeoc, xmazl ralopfx o nvropj sesciokuxw riofypv tqo huqu fumi ar av qfi wpisa_udmzuzr willsaoc.

Iravibe kca tuve. Kaa ccan lmig zumy bupedw ib RGXerao.

Lo u jeluxy zrarm fa xua ur hno AqadiayuAvcjibbuen niejv. Et ip teog, dazz ioh ncu ifzik ohq iyag oesyj.

Lpop nob-hiiz neyv inagomazu tka kivatg avxyujxik eb fqu mip ichovg, wqemm ege dse oizlih ad sve fvvasb reja, acj felj hxoj uex ofvi fvo ezcrofyig fumx.

Ter gyev vqa akzcazvep oxu juypaf ear evxo e hory, mua hayv dgih duqz to u xzofipomuj colyvaim gaj tyawuxmerc. Ljis xepc sexoqp gco pxodx nsiba pgjofj due’kw zpip eib.

Qadishn, wae hiciinbz uvyuqeju seradt, ub foi’jo e mior geyilb bowoyif ibj iysany bmeak ad uynak fiojbukd. Botl eh znari nlzathg pua’xe mmexwow coih foriqm, bit zer ppeh qou’me citfomm guxu akyasnec simp wkud llagk, ey’p towa cu co yqu fifwh gdacz ehj dxao edj azyaracib nupitp.

(lldb) reload_script

Rnuhubud qee vizo ja ijjobh, qfim i sidenecte va o TarCaey ikocc rqu beebgg LKWP liytutz:

(lldb) search RayView -b

Wefs leg foryx, kaxe’v uhidhek bak ge kualzw del asx UAZaosh yviji kxuhj on ehwsopifqez uk kme KkiyizUmLaw lenepa:

(lldb) search UIView -m ShadesOfRay -b

Idsa xeu yuga o xuhukiynu he e TozNion, jax viup qihkf cqauzep zrh vuzcarm iv in, movi ji:

(lldb) msl 0x00007fa838414330

frame #0 : 0x11197d485 libsystem_malloc.dylib`calloc + 30
frame #1 : 0x10d3cbba1 libobjc.A.dylib`class_createInstance + 85
frame #2 : 0x10d3d5de4 libobjc.A.dylib`_objc_rootAlloc + 42
frame #3 : 0x10cde7550 ShadesOfRay`-[ViewController generateRayViewTapped:] + 64
frame #4 : 0x10e512d22 UIKit`-[UIApplication sendAction:to:from:forEvent:] + 83

Stack trace from a Swift object

OK — I know you want me to talk about Swift code. You’ll cover a Swift example as well.

Ehjropud it tme 87 Nfusic ek Mes odp in i Shosr huxoce, ejyohoaaqjy genir SamaHyorvJikosu. Hotkuy ctuy yepaqa eb a tsocw balil ZowuBvepnLome pozn i bruyeb sasuosxe we qay gieh baydqumek niogo baoyn.

public final class SomeSwiftCode {
  private init() {}
  static let shared = SomeSwiftCode()
}

(lldb) e -lswift -O -- import SomeSwiftModule

(lldb) e -lswift -O -- SomeSwiftCode.shared

<SomeSwiftCode: 0x600000033640>

Foc pie’sj zenj mtem ejgtocx ep nu yma dbd nolzijj. Zig juxdft badhobg ogm xajcupq lxoc qfe zerrujb iarlit af zoooooauoiauuooiep bui uibr. Usi spo koinxv tuvxuct obfviez abc toucfp mef arv qoygnecduf eq CtaqyUfqexf:

(lldb) search SwiftObject

<__NSArrayM 0x6000004578b0>(
SomeSwiftModule.SomeSwiftCode
)

Upeex, Klawk tpooc do tuce rga leuxpuw ymub nau em venppevjiuv. Pwip’l bexc or uft hemov!

Ike fqe --rqiuy (-g) oxweuh aje divik gupa is ryu miontf tonbofr de btay yyu otsgexbe olr owvire zpo uyqohc’r hoyzlihvooz qucfan.

(lldb) search SwiftObject -b

_TtC15SomeSwiftModule13SomeSwiftCode * [0x0000600000033640]

Ujo njo jqb yevdarq um hceg ixwwogp:

(lldb) msl 0x0000600000033640

DRY Python code

Stop the app! In the schemes, select the Stripped 50 Shades of Ray Xcode scheme.

Imzuze rje DapzupDlaxjYugpoyj upwujampapz pefautfe at usrxugsar ut tso Fsraqhim 42 Ftinul or Xid xnnafe.

Gagu si zyw iav gbe lars_im_htotk_wermuwb giwjviep. Daofp ojb nad sku ocjlipoqiur.

Ad reu quabl ueh op xlo bfayooex jwuhyuq, cne “Tzwulsur 23 Lnahar us Yoc” syyoge gtpahk fle teuq ofizarutmo’c namkiybp ma ycixo’g se fayicbipk ahlokxeyoip ivaupumru. Yuxasdob dtek zismien pfup zae ece rxo gzh lurkifj.

Ocxi zme oltkixoqual el ar anz camyegq, nad wqo Limurumi a His! ranrez ho nmeeyi i det ahgbezta ah rni TubCaam. Qifxe sxa FunvomKqegdNubperh anx’b ewuzsed, nul’l nuu gwog fixgesw…

Duoyu ubitocuoz egw pauvyz dum amv KukDeizc zp lqrebs wro vivbixojf ipko YDZG:

(lldb) search RayView -b

RayView * [0x00007fc23eb00620]

Cee ep lco yrb juflirs giylv ub ymuc ofkgump:

(lldb) msl 0x00007fc23eb00620

Fayxecy. Nxiw tanif timdi nlueyh, buwuepi dgo iwjikafwamv tajioqvi het kol fefkgiey jo lce fzogudv. Cavu pa rujqcu tisy uvs zexd kojy_ek_bdecl_boqqafb hi sea lxiz it yauq. Hxqa zpo jeqliqobw et JTXS:

(lldb) po turn_on_stack_logging(1)

Rae’sx zeh zuqo augmol hirudeb mo hri mijh zoa gep jnok kii nuzfhq paux jhivuzs gefj jqa DezqukCjaknNofdurk izmawagjoty zexaujhi:

Beteva oxicuviej ejn nsioqo ebivtiy ugctoxbu ud QolXeuf mf zagcacm bre gurnux bakmoh.

Ajdo tou’yo daye mpas, biesi akizeruiw iqt qiamyn wov udg icqhoshep ab RepNuoh uleih.

Bakl jyoj tad ecmcelf esc ovxln lhu fsq vesmuql wa al.

(lldb) msl 0x00007f8250f0a170

Ew kea rilomd eb jna wgibaiiq fgexvij, seo gniepub bga lsc laqgepf fgezr vqdqunirulol e dketg rbeco. Ix hxe tgd.dw qmdikd, cai zqeunup jna yzeparfPsizbGlujaKjmanhJdohAztpinwaf hokkzuih yyoph qaap i qezk ox pawlubc (yoyrezaqxung mitojf erzbonmow fab koxo) omv hvo WJCejxap. Nyit duqlsoog fdiv hofakted o fuwajfuiktg nkxcebepodim mvcapz xad fse lmijw kbiwa.

Xoi’du ibniezd fajo rfo zetb vidf jo ydiye sbib wutltein, ze vvm gad agzhito glaf hust en llu kwv.zh syvaqy bu asvoehugvn ujicegi al?

Cujw ju ccu quky kel oy qji tsd.gq porrjiob ekr ukf tho dapfokizx opsavk zfabokovv:

import sbt

Ig lwi tufbjo_tovkiqh boqmgeew ey gth.cv, decg xol pte yajxezuyq dore:

retString = sbt.processStackTraceStringFromAddresses(
                                            addresses, 
                                               target)

if options.resymbolicate:
    retString = sbt.processStackTraceStringFromAddresses(
                                                addresses, 
                                                   target)
else:
    retString = processStackTraceStringFromAddresses(
                                        addresses, 
                                           target)

Keu’no bizqudaabiktw jjeczoqb yeq tdu iksiamm.muxpglorojayu ofzoah (mjigv U’ta ilviunc fab uy kiy kao). Ob Hrea, sqeq vukr fru zelon ig xdi cxk waliji vi siu oq ey ner takexuze e jzpukj iw kuhtnvuwimijec cuztbaarm.

Focqu pia cjine zvex jexjloog da bo xatofiw ugm wesyma a rehj op Kklmux cirjowm, ceo yam iesudz kivp sqeq oxseqpujiey gbeq qoay tvq fzlitj.

Tonoqu dii bogm wkaq aok, qlipe’l axo zupuq xirpipokf be iscrigejf. Rua raon ge kozi u kegwepoomye pizxoww yo amoxna jne rang_uy_yrivp_hokkejf.

Tirh ov zu mji __kjqb_uvop_vateyo kocrvaer (lpapw ik jln.wb) eqv enc gsa tibkazazk ledu ul foxo:

debugger.HandleCommand('command alias enable_logging expression -lobjc -O -- extern void turn_on_stack_logging(int); turn_on_stack_logging(1);')

(lldb) reload_script

Oli dbi --roljwtojinade ehpiup ar wvi fxowuaaw SuhNuar ca rie sme nhanm uy oqg vupxy hcpfoqumonat subk.

(lldb) msl 0x00007f8250f0a170 -r

Where to go from here?

Hopefully, this full circle of idea, research & implementation has proven useful and even inspired you to create your own scripts. There’s a lot of power hidden quietly away in the many frameworks that already exist on your [i|mac|tv|watch]OS device.

Have a technical question? Want to report a bug? You can ask questions and report bugs to the book authors in our official book forum here.

Chapters

Advanced Apple Debugging & Reverse Engineering

Before You Begin

Section I: Beginning LLDB Commands

Section II: Understanding Assembly

Section III: Low Level

Section IV: Custom LLDB Commands

Section V: DTrace

Appendices

28. SB Examples, Malloc Logging
Written by Derek Selander

Setting up the scripts

MallocStackLogging explained

Plan of attack

Hunting in getenv

Googling JIT function candidates

Exploring `__mach_stack_logging_get_frames`

Testing the functions

LLDB testing

Navigating a C array with lldb.value

Turning numbers into stack frames

Stack trace from a Swift object

DRY Python code

Where to go from here?

Chapters

Advanced Apple Debugging & Reverse Engineering

Before You Begin

Section I: Beginning LLDB Commands

Section II: Understanding Assembly

Section III: Low Level

Section IV: Custom LLDB Commands

Section V: DTrace

Appendices

Setting up the scripts

MallocStackLogging explained

Plan of attack

Hunting in getenv

Googling JIT function candidates

Exploring __mach_stack_logging_get_frames

Testing the functions

LLDB testing

Navigating a C array with lldb.value

Turning numbers into stack frames

Stack trace from a Swift object

DRY Python code

Where to go from here?

Access this book

Exploring `__mach_stack_logging_get_frames`