Microsoft Word - iOSAppReverseEngineering.docx
Figure 10-37 Mark SPs Then we should go through loc_2903ED6A from its 1st instruction to check how SP changes here. “LDR R3, [S ...
Because SP2 = SP1 - 0x14 and *SP1 = R1, “STR R1, [SP,#0xA8+var_A8]” is the place where *(SP2 + 0x14) is written, and ...
0x30230d70: mov r1, r5 0x30230d72: blx r6 0x30230d74: movw r0, #26972 (lldb) p $r1 (unsigned int) $27 = 0 (lldb) ni Process 3747 ...
* thread #1: tid = 0x9265, 0x2db7647e ChatKit`__71-[CKPendingConversation refreshStatusForAddresses:withCompletionBlock:]_block_ ...
{ if (11thDataSourceB != 0) return YES; return NO; } As a result, we can ignore data source A and concentrate on the finding of ...
upon it. Now that both branches contain “MOVS R5, #1”, which is the actual one? Reinput the address and set breakpoints on both ...
Figure 10-44 Pseudo IDA graph view From a macro point of view, this conditional branch is actually the 14th data source, right? ...
return value of objc_msgSend, let’s set a breakpoint here and see what method it is: Process 132234 stopped * thread #1: tid = 0 ...
Therefore, if R11 - R8 produces borrow, i.e. R8 is greater than R11, then MobileSMS will branch right, otherwise it will branch ...
Figure 10-49 Branch The branch condition inside loc_2903E8E6 is R0. If R0 == 0, then branch left, meaning this address doesn’t ...
source of R0: Process 154446 stopped * thread #1: tid = 0x25b4e, 0x331f0900 IMCore`___lldb_unnamed_function425$$IMCore + 220, qu ...
__NSCFNumber (lldb) c Reproducing these 3 objc_msgSends as Objective-C methods, they are [NSArray removeObject:@"mailto:snakenin ...
Figure 10-52 sub_2903E824 The 16th data source comes from R5, which is the 17th data source. The 17th data source is from R1, w ...
Figure 10-54 Caller of sub_2903E824 To avoid any implicit calling, let’s first make sure the caller of sub_2903E824 is actually ...
(char *) $18 = 0x33274340 "_currentIDStatusForDestinations:service:listenerID:" (lldb) po $r0 <IDSIDQueryController: 0x15dcb0 ...
* thread #1: tid = 0x19052, 0x30230668 IMCore`IMChatCalculateServiceForSendingNewCompose + 688, queue = 'com.apple.main-thread, ...
Figure 10-55 “Send” button We can send an iMessage by pressing “Send”, and the whole process will be animated on UI. Like what ...
10.3.2 Find response method of “Send” button using Cycript Since we already know that the superview of “Send” button is a CK ...
Figure 10-56 Hide “Send” Neat. After pressing this UIButton, an iMessage will be sent; a UIButton and its response action are a ...
Figure 10-57 [CKMessageEntryView touchUpInsideSendButton:button] It first calls [[self delegate] messageEntryViewSendButtonHit: ...