LLDB Cheatsheet#
Basic Commands#
| Command | Description |
|---|
lldb <program> | Launch LLDB with a specific program. |
run/r | Start or restart the program. |
quit/q | Exit LLDB. |
Ctrl+D | Exit LLDB. |
Process & Attach#
| Command | Description |
|---|
process attach --name <name> | Attach to a process by name. |
process attach --pid <pid> | Attach to a process by PID. |
process attach --name <name> --waitfor | Attach to process by name when it launches. |
Breakpoints#
| Command | Description |
|---|
breakpoint set --name <function> | Set a breakpoint at the specified function. |
breakpoint set -n <function> | Set a breakpoint at the specified function (short form). |
breakpoint set -a address <address> | Set a software breakpoint. |
breakpoint list | List all breakpoints. |
breakpoint delete | Delete all breakpoints. |
Note: Alias: b bp | |
Execution Control#
| Command | Description |
|---|
step/s | Step into the next line or function call. |
next/n | Step over the current line (skips stepping into functions). |
finish | Step out of the current function and return to the caller. |
continue/c | Resume execution until the next breakpoint or program ends. |
Stack & Frames#
| Command | Description |
|---|
thread backtrace/bt | Display the current thread’s call stack. |
frame info | Show information about the current stack frame. |
frame variable/v | Show all variables in the current frame. |
frame variable <name> | Show a specific variable in the current frame. |
Disassembly#
| Command | Description |
|---|
disassemble | Disassemble the current function. |
disassemble -f | Disassemble from the start of the current frame’s function. |
disassemble -p | Disassemble around the current PC. |
disassemble -n <function> | Disassemble entire contents of the given function name. |
disassemble -a <address> | Disassemble function containing this address. |
disassemble -s <start> -e <end> | Disassemble from start address to end address. |
disassemble -s <start> -c <count> | Disassemble <count> instructions starting at address. |
disassemble --force | Force disassembly of large functions. |
Note: Alias: di dis disas | |
Memory#
| Command | Description |
|---|
memory read <address> | Read memory at a specific address. |
memory read <start> <end> | Read memory from start to end address. |
memory read --binary --outfile <file> <start> <end> | Dump memory to a binary file. |
memory write <address> <value> | Write a value to a specific memory address. |
Watchpoints#
| Command | Description |
|---|
watchpoint set variable <var> | Stop execution when a variable is modified. |
watchpoint set expression -- <address> | Set a watchpoint on an address expression. |
watchpoint set expression -w write -s <size> -- <address> | Watchpoint on write with byte size. |
watchpoint list | List all watchpoints. |
watchpoint delete | Delete all watchpoints. |
Registers#
| Command | Description |
|---|
register read | Show all general-purpose registers. |
register read <reg> | Show a specific register. |
register write <reg> <value> | Write a value to a register. |
Expressions & Variables#
| Command | Description |
|---|
expr int $delta = 0xb3000 | Define a convenience variable with a value. |
expr $delta | Print the value of a convenience variable. |
expr $delta = 0xc4000 | Update the value of an existing convenience variable. |
expr (int)$delta + 0x1000 | Use a convenience variable in an expression. |
p/x $delta | Print a convenience variable in hexadecimal. |
breakpoint set -a $delta+0x1234 | Use a convenience variable in a breakpoint address. |
memory read $delta | Use a convenience variable as a memory address. |
Note: Convenience variables start with $ and persist for the entire debug session.
iOS Remote Debugging#
| Command | Description |
|---|
iproxy 6666 6666 | Forward port 6666 from device to localhost (on host). |
debugserver 127.0.0.1:6666 | Start debugserver on device listening on port 6666. |
frida-server -l 0.0.0.0 & | Start frida-server on device (background). |
| Command | Description |
|---|
platform select remote-ios | Select remote iOS platform for debugging. |
process connect connect://localhost:<port> | Connect to a remote debug server (e.g., debugserver). |
image list | List all loaded images/modules. |
image dump sections <name> | Dump sections of a specific module. |
p/x <runtime_address>-0x100000000 | Calculate ASLR slide from runtime base address. |
settings set target.process.stop-on-sharedlibrary-events 1 | Stop when shared libraries are loaded. |
settings set target.process.stop-on-sharedlibrary-events 0 | Don’t stop when shared libraries are loaded. |
Resources:#