Figure 4-15 Analyze Foundation in IDA
Scroll to the top of IDA View-A. Do you see “HEADER:2260A000” in the first line? This is
the origin of 0x2260A000.
Now that we know “base address” means “starting address”, let’s talk about another
concept that is similar to “image base address”, i.e. “symbol base address”. Return to IDA,
search for “NSLog” in the Functions window, and then jump to its implementation, as shown in
figure 4-16.
Figure 4-16 NSLog
Because the base address of Foundation is a known number, and NSLog is in a fixed position
inside Foundation, we can get the base address of NSLog according to the following formula:
base address of NSLog = relative address of NSLog in Foundation + base address of Foundation
What does “relative address of NSLog in Foundation” mean? Let’s go back to figure 4-16
and find the first instruction of NSLog, i.e. “SUB SP, SP, #0xC”. On the left, do you see the
number 0x2261AB94? This is the “address of NSLog in Foundation”. Subtracting Foundation’s image
base address without offset, i.e. 0x2260A000, from it gives the “relative address of NSLog in
Foundation”, i.e. 0x10B94.
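The calculation above can be scripted. The following is an added example, not code from the book: it reads the image base and the NSLog address from IDA-style listing lines, derives the relative address, and applies the formula to a loaded image base. The function names, the "__text" segment label and the value of LOADED_BASE are assumptions made for illustration; the other addresses are the ones quoted above.

```python
import re

# IDA View-A starts each listing line with "<segment>:<hex address>".
IDA_LINE = re.compile(r"^(?P<seg>[^\s:]+):(?P<addr>[0-9A-Fa-f]{8,16})\b")

def parse_ida_address(line):
    """Return (segment, address) taken from the start of an IDA listing line."""
    m = IDA_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not an IDA listing line: {line!r}")
    return m.group("seg"), int(m.group("addr"), 16)

def relative_address(symbol_line, header_line):
    """Relative address of a symbol inside its image, from two listing lines."""
    seg, image_base = parse_ida_address(header_line)
    if seg != "HEADER":
        raise ValueError("image base must be read from the HEADER line")
    _, symbol_addr = parse_ida_address(symbol_line)
    if symbol_addr < image_base:
        raise ValueError("symbol lies below the image base")
    return symbol_addr - image_base

def symbol_base_address(relative, image_base):
    """The formula above: relative address in image + base address of image."""
    return relative + image_base

# Listing lines: the addresses are the ones quoted in the text; the "__text"
# segment label and the spacing are constructed for this example.
HEADER_LINE = "HEADER:2260A000"
NSLOG_LINE = "__text:2261AB94                 SUB             SP, SP, #0xC"

# Constructed value: an image base that includes an offset, for illustration.
LOADED_BASE = 0x2560A000

if __name__ == "__main__":
    rel = relative_address(NSLOG_LINE, HEADER_LINE)
    print(f"relative address of NSLog in Foundation: {rel:#x}")
    print(f"base address of NSLog (base without offset): "
          f"{symbol_base_address(rel, 0x2260A000):#x}")
    print(f"base address of NSLog (constructed loaded base): "
          f"{symbol_base_address(rel, LOADED_BASE):#x}")
```

With the base address without offset, the formula returns the same 0x2261AB94 that IDA displays; with a different image base, only the base term changes while the relative address stays 0x10B94.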