Microsoft Word - iOSAppReverseEngineering.docx
#"<CKComposition: 0x160b79d0> text:'iMessage {\n}' subject:'(null)'" It’s an object of CKComposition, which clearly conta ...
Figure 10-61 branch “nextMediaObjectToTrimInComposition:”? Is “media object” referring to image, audio or video kind of things? ...
Figure 10-64 loc_268D4604 Whether iOS “isSendingMessage”? We don’t know if the timing is before or after pressing “Send” button ...
Figure 10-67 Branch The branch condition R0 comes from the return value of the 2nd objc_msgSend. Searching upwards, we can find R5 ...
sendMessage:], as shown in figure 10-69. Figure 10-69 [CKTranscriptController sendMessage:] Another method full of branches. Bu ...
Figure 10-70 [CKTranscriptController _startCreatingNewMessageForSending:] Again, it’s a method full of branches. Overview the i ...
Figure 10-71 [CKTranscriptController _startCreatingNewMessageForSending:] Take a look at the implementation of this method, as ...
Figure 10-73 [CKConversation sendMessage:onService:newComposition:] The execution flow of this method is more straightforward t ...
Figure 10-75 loc_2691f726 The instruction “LDR R5, [SP,#0xA4+var_98]” decides R5. Well, what’s [SP,#0xA4+var_98]? Do you rememb ...
10-78 to 10-80) rather than texts as references for you to follow: ...
Figure 10-78 Inspect cross references Figure 10-79 [CKConversation setChat:] Figure 10-80 [CKConversation sendMessage:onServi ...
So the argument of [[self chat] sendMessage:] is exactly the first argument of [self sendMessage:onService:newComposition:]. Wel ...
there’re any clues in class-dump headers. To compose objects of IMChat and IMMessage from scratch, we need to see if there’re an ...
<IMChat 0x1594f7e0> [Identifier:
[email protected]
GUID: iMessage;-;
[email protected]
Persistent ID: snakeninny@ic ...
[CKConversationList _handleRegistryDidRegisterChatNotification:]; you’ll see in your IDA that this time IMChat is from [notifica ...
Binary file /Users/snakeninny/Code/iOSSystemBinaries/8.1_iPhone5//System/Library/PrivateFrameworks/IMCore.framework/IMCore matc ...
Figure 10-84 Inspect cross references Figure 10-85 [IMChatRegistry _registerChatDictionary:forChat:isIncoming:newGUID:] Accord ...
frame #0: 0x33235944 IMCore`___lldb_unnamed_function2048$$IMCore IMCore`___lldb_unnamed_function2048$$IMCore: 0x33235944: pus ...
Figure 10-86 IMChatRegistry.h According to line 44, we know that IMChatRegistry is a singleton, we can get the registry by call ...
IMCore anymore. Like we’ve just said, we’re jumping between IMCore and ChatKit, and ChatKit’s ASLR offset happens to be 0xa1b200 ...