Hence, the base address of NSLog is 0x10B94 + 0x23c4f000 = 0x23C5FB94. I guess some of
you have already noticed that the formula
image base address with offset = image base address without offset + ASLR offsetWith tiny modifications, is a new formula for symbols:
symbol base address with offset = symbol base address without offset +
ASLR offset of the image containing the symbolLet’s verify this formula.
NSLog’s symbol base address without offset is 0x2261AB94, ASLR offset of Foundation is
0x1645000, add these two numbers and we get 0x23C5FB94.
By analogy, we can also get the formula for instructions:
instruction base address with offset = instruction base address without offset +
ASLR offset of the image containing the instructionNaturally, symbol base address is the base address of the first instruction of the symbol’s
corresponding function.
In the following content, base addresses with offset will be frequently used. Make sure you
understand all concepts in this section then keep in mind: Base address without offset can be
viewed in IDA, ASLR offset can be viewed in LLDB, add them together we get base address
with offset. As for where in IDA and LLDB to search for the values, I bet you’ll get it after
thoroughly reading this section.
- breakpoint
“breakpoint” is similar to “break” in GDB, it’s used to set breakpoints. In reverse
engineering, we usually set breakpoints like these:
b functionOr
br s – a addressOr
br s –a ‘ASLROffset+address’The former command is to set a breakpoint at the beginning of a function, for instance:
(lldb) b NSLog
Breakpoint 2: where = Foundation`NSLog, address = 0x23c5fb94The latter two commands are to set a breakpoint at a specific address, for instance:
(lldb) br s -a 0xCCCCC
Breakpoint 5: where = SpringBoard`___lldb_unnamed_function303$$SpringBoard, address =
0x000ccccc