Microsoft Word - iOSAppReverseEngineering.docx
Now, the view looks like figure 10-12. Figure 10-12 Change placeholder to “iOSRE” Great! placeholderText is exactly the placeho ...
Figure 10-13 [CKMessageEntryTextView setPlaceholderText:] Attach LLDB to MobileSMS and continue the process as follows: (lldb) ...
Figure 10-14 [CKMessageEntryTextView setPlaceholderText:] So the breakpoint should be set at 0x1eac000 + 0x2693BCE0 = 0x287E7CE ...
iMessage (unsigned int) $19 = 0x28768b33 Process 200596 resuming Command #3 'c' continued the target. As we can see, when placeh ...
any argument, how does [CKMessageEntryView updateEntryView] know whether it should set placeholderText to “Text Message” or “iMe ...
case, because there is already one recipient, MobileSMS will probably branch left. It’s very simple to verify our assumption: in ...
support was detected in the 2nd time. Since iMessage comes from [[[self conversation] sendingService] __ck_displayName], what is ...
ChatKit`-[CKMessageEntryView updateEntryView] + 54: 0x2b528962: mov r8, r0 0x2b528964: movw r0, #52792 0x2b528968: movt r0, # ...
0x2b5f0266: add r7, sp, #8 0x2b5f0268: sub sp, #8 0x2b5f026a: mov r4, r0 (lldb) ni Process 14235 stopped ...... thread #1: tid ...
The execution flow of MobileSMS is very evident now. There are 3 conditional branches, which are CBZ, CBZ and CBNZ respectively. ...
instance variable _composeSendingService. In other words, _composeSendingService is the 6th data source. In that case, we just n ...
reinput the address, set breakpoint at the beginning of [CKPendingConversation setComposeSendingService:], and then press “retur ...
Figure 10-27 Inspect cross references Refresh sending service? This name is very informative. Let’s head directly to [CKPending ...
Figure 10-29 Caller of sub_26984530 As we can see, sub_26984530 isn’t called explicitly. Instead, its address is stored in R6 t ...
Figure 10-31 Look for the 10th data source If the value of R0 is 2, [IMServiceImpl iMessageService] is the 10th data source, ot ...
Figure 10-32 UXTB According to the ARM official document in figure 10-32, UXTB is used to zero extend the 8-bit value in R8 to ...
in figure 10-33. Figure 10-33 Mark different SPs Before and after the execution of “PUSH {R4-R7,LR}”, the values of SP are SP1 ...
press “return” to trigger the breakpoint: Process 30928 stopped * thread #1: tid = 0x78d0, 0x30b36444 ChatKit`__71-[CKPendingCon ...
Figure 10-34 Caller of sub_26984444 See, another implicit call from sub_2903E824, and 2 of 4 instructions before “BLX R6” has r ...
Figure 10-35 Before instructions of 2 images are put together Figure 10-36 After instructions of 2 images are put together Let ...