2. Address Randomization - 476139183/Learning-iOS GitHub Wiki

1. ASLR (Address Space Layout Randomization)

Each time the program runs, the addresses of statically called functions are different.

  1. In the Load Commands, the VM Address of the __TEXT segment is the program's static base address.
  2. `image list` gives the program's runtime load address (the address the image was loaded at).
  3. `po [xxx _shortMethodDescription]` prints the method list of class xxx, with each method's runtime address. The random offset (ASLR slide) is obtained as: program load address - program static base address.
  4. A function's runtime address = its address in the symbol table + random offset.

2. Verification

Environment: Xcode 12, iPhone 8 simulator.

Stop at a breakpoint and read the program's load address and the function addresses:

(lldb) image list
[  0] FAFD7D34-9FFF-38FB-854F-CD9199D348C7 0x000000010236c000 /Users/danamada/Library/Developer/Xcode/DerivedData/testKVO-hlagietkcjifgagsdrrauwrjymas/Build/Products/Debug-iphonesimulator/testKVO.app/testKVO 
[  1] 7446A633-055D-33C6-8CC1-A714959304A2 0x0000000104315000 /usr/lib/dyld 
[  2] 2A92FC99-72A9-38ED-8DDD-AF4C25080124 0x0000000102382000 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/usr/lib/dyld_sim 
[  3] C2A18288-4AA2-3189-A1C6-5963E370DE4C 0x00007fff2071f000 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/Frameworks/Foundation.framework/Foundation 
[  4] 583E6742-DE52-3E41-863C-CDC43AA76767 0x00007fff20174000 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/usr/lib/libobjc.A.dylib 
[  5] AADDE1C0-ADA5-337F-BE0A-61116806671A 0x00007fff537bf000 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/usr/lib/libSystem.B.dylib 
[  6] 9BFC8556-AF16-311F-874E-374FA485FE2E 0x00007fff20311000 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation 
[  7] 016F7133-D78E-35AD-8703-451AED94F067 0x00007fff4b5ae000 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/Frameworks/UIKit.framework/UIKit 
[  8] B29346A0-AEDA-347B-B707-08FCAE600F76 0x00007fff588ea000 /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/CoreAutoLayout.framework/CoreAutoLayout 
... (remaining images omitted)

Next, print the function addresses:

(lldb) po [Person _shortMethodDescription]
<Person: 0x1023717d0>:
in Person:
	Properties:
		@property (copy, nonatomic) NSString* name;  (@synthesize name = _name;)
	Instance Methods:
		- (void) teach; (0x10236dd20)
		- (void) teach; (0x10236da20)
		- (id) name; (0x10236da30)
		- (void) .cxx_destruct; (0x10236daa0)
		- (void) setName:(id)arg1; (0x10236da60)
(NSObject ...)

And in the Mach-O file.

From these we obtain:

- Static base address: 0000000100000000
- Program load address: 0x000000010236c000
- Symbol table address: 0x000000010236c000
- Function address at runtime: 0x10236dd20

The address randomization formula is:

random offset = program load address - static base address
runtime function address = address in symbol table + random offset

So: random offset = 0x000000010236c000 (program load address) - 0000000100000000 (static base address) = 0x236C000

runtime function address = 0000000100001D20 (symbol table address) + 0x236C000 (random offset) = 0x10236DD20

This matches exactly the function address printed by `_shortMethodDescription` above.
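As an added illustration (not from the original wiki), the Python script below performs the same calculation the page walks through: it reads the `__TEXT` vmaddr out of the Load Commands of a 64-bit Mach-O header (the static base address), derives the ASLR slide from the load address reported by `image list`, and maps symbol-table addresses to runtime addresses and back. The Mach-O header is a constructed minimal sample; the addresses are the ones from this page.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF    # little-endian 64-bit Mach-O magic
LC_SEGMENT_64 = 0x19

def text_segment_vmaddr(macho: bytes) -> int:
    """Walk the load commands and return vmaddr of __TEXT (the static base)."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<IiiIIIII", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    off = 32                                      # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmd == LC_SEGMENT_64:
            segname = macho[off + 8:off + 24].rstrip(b"\0")
            (vmaddr,) = struct.unpack_from("<Q", macho, off + 24)
            if segname == b"__TEXT":
                return vmaddr
        off += cmdsize
    raise ValueError("__TEXT segment not found")

def aslr_slide(load_addr: int, static_base: int) -> int:
    """random offset = runtime load address (from image list) - static base."""
    slide = load_addr - static_base
    if slide < 0 or slide % 0x1000:               # slides are page-aligned
        raise ValueError(f"implausible slide {slide:#x}: wrong image or base?")
    return slide

def runtime_addr(symbol_addr: int, slide: int) -> int:
    """runtime function address = symbol-table address + random offset."""
    return symbol_addr + slide

def symbol_addr(runtime: int, slide: int) -> int:
    """Inverse: map an address seen in lldb back to its symbol-table address."""
    return runtime - slide

def _segment(name: bytes, vmaddr: int) -> bytes:
    # Constructed LC_SEGMENT_64 (72 bytes) used only to build the sample header.
    return struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name.ljust(16, b"\0"),
                       vmaddr, 0x1000, 0, 0x1000, 7, 5, 0, 0)

# Constructed minimal header: __PAGEZERO at 0 and __TEXT at 0x100000000, as on the page.
SAMPLE_MACHO = (struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 2, 144, 0, 0)
                + _segment(b"__PAGEZERO", 0) + _segment(b"__TEXT", 0x100000000))

if __name__ == "__main__":
    base = text_segment_vmaddr(SAMPLE_MACHO)                 # 0x100000000
    slide = aslr_slide(0x000000010236c000, base)             # 0x236c000
    print(f"slide={slide:#x} teach={runtime_addr(0x100001D20, slide):#x}")
```

The inverse mapping is what you need when lldb shows an address and you want the matching symbol in the static binary.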

Breakpoint on a function address: `breakpoint set --address 0x00` (replace 0x00 with the computed runtime address)