0x2fd65e: ldrsb.w r0, [r0]
(lldb) c
Process 731 resuming
The base address without offset of “movw r0, #33920” is 0x226654, as shown in figure 4-21.
Figure 4-21 SpringBoardaccessibilityObjectWithinProximity0
This instruction is inside the _SpringBoardaccessibilityObjectWithinProximity0
function. That is to say, the “si” command has stepped into the function; this is what
“go inside a function or not” means.
- register write
“register write” writes a specific value to a specific register; this is how we “modify the
program when it stops, and observe the modification of its execution flow”. From the
code in figure 4-22, the base address with offset of “TST.W R0, offset #0xFF” is known to be
0xEE7A2. If R0’s value is 0 at this point, the process branches to the left; if R0 is not 0, it branches to the right.
Figure 4-22 Branches
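As an added illustration (not from the book), here is a small Python model of the “TST.W R0, #0xFF” test at 0xEE7A2 and the branch that follows it, so the effect of a given “register write r0 …” on the execution path can be predicted before it is tried. It assumes the branch depends on the Z flag, and it goes beyond the page’s case by showing that only the bits inside the #0xFF mask matter; the candidate values are constructed.

```python
MASK32 = 0xFFFFFFFF


def tst_flags(rn: int, imm: int) -> dict:
    """Thumb-2 TST: compute rn AND imm, discard the result, update only N and Z.
    C and V are not modelled; the conditional branch after the TST only needs Z."""
    result = (rn & imm) & MASK32
    return {"N": (result >> 31) & 1, "Z": int(result == 0)}


def branch_after_tst(r0: int, imm: int = 0xFF) -> str:
    """Path taken after 'TST.W R0, #0xFF' at 0xEE7A2, as the text describes it:
    'left' when R0 tests as zero, 'right' otherwise.
    Assumption: the branch is conditional on Z. Only the bits inside the mask are
    tested, so 'R0 is 0' really means (R0 & 0xFF) == 0."""
    return "left" if tst_flags(r0, imm)["Z"] else "right"


def register_write_effect(current_r0: int, new_r0: int) -> tuple:
    """Predict what 'register write r0 <new_r0>' at the breakpoint does to the path.
    Returns (path_before, path_after, path_changed)."""
    before = branch_after_tst(current_r0)
    after = branch_after_tst(new_r0)
    return before, after, before != after


if __name__ == "__main__":
    # Constructed: pretend 'register read r0' at breakpoint 3 showed 0.
    current = 0
    # Constructed candidate values for 'register write r0 ...'.
    for candidate in (1, 0x100, 0x80000000, 0xFF):
        before, after, changed = register_write_effect(current, candidate)
        verdict = "changes" if changed else "does not change"
        print(f"register write r0 {candidate:#x}: {before} -> {after} ({verdict} the path)")
```

Writing 0x100 into R0 leaves Z set, so the left branch is still taken even though R0 is no longer zero.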
Set a breakpoint here to see the value of R0 as follows:
(lldb) br s -a 0xEE7A2
Breakpoint 3: where = SpringBoard`___lldb_unnamed_function299$$SpringBoard + 114,
address = 0x000ee7a2
Process 731 stopped
* thread #1: tid = 0x02db, 0x000ee7a2
SpringBoard`___lldb_unnamed_function299$$SpringBoard + 114, queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
frame #0: 0x000ee7a2 SpringBoard`___lldb_unnamed_function299$$SpringBoard + 114
SpringBoard`___lldb_unnamed_function299$$SpringBoard + 114: