Microsoft Word - iOSAppReverseEngineering.docx

0xee7a2: tst.w r0, #255
0xee7a6: bne 0xee7b2 ; ___lldb_unnamed_function299$$SpringBoard

130
0xee7a8: bl 0x10d340 ;
___lldb_unnamed_function1110$$SpringBoard
0xee7ac: tst.w r0, #255
(lldb) p $r0
(unsigned int) $0 = 0

Because the value of R0 is 0, BNE makes the process branch to the left:

(lldb) ni Process 731 stopped * thread #1: tid = 0x02db, 0x000ee7a6 SpringBoard`___lldb_unnamed_function299$$SpringBoard + 118, queue = ‘com.apple.main- thread, stop reason = instruction step over frame #0: 0x000ee7a6 SpringBoard`___lldb_unnamed_function299$$SpringBoard + 118 SpringBoard`___lldb_unnamed_function299$$SpringBoard + 118:

130
0xee7a8: bl 0x10d340 ;
_lldb_unnamedfunction1110$$SpringBoard
0xee7b0: beq 0xee7da ; lldb_unnamed_function299$$SpringBoard

170
(lldb) ni
Process 731 stopped

thread #1: tid = 0x02db, 0x000ee7a8
SpringBoard

___lldb_unnamed_function299$$SpringBoard + 120, queue = ‘com.apple.main- thread, stop reason = instruction step over frame #0: 0x000ee7a8 SpringBoard

_lldb_unnamedfunction299$$SpringBoard + 120
SpringBoard`lldb_unnamed_function299$$SpringBoard + 120:

0xee7a8: bl 0x10d340 ;
_lldb_unnamedfunction1110$$SpringBoard
0xee7b0: beq 0xee7da ; lldb_unnamed_function299$$SpringBoard

170
0xee7b2: movw r0, #2174

Trigger that breakpoint again, change R0’s value to 1 by “register write”, and see if the

branch changes:

Process 731 stopped * thread #1: tid = 0x02db, 0x000ee7a2 SpringBoard`___lldb_unnamed_function299$$SpringBoard + 114, queue = ‘com.apple.main- thread, stop reason = breakpoint 3.1 frame #0: 0x000ee7a2 SpringBoard`___lldb_unnamed_function299$$SpringBoard + 114 SpringBoard`___lldb_unnamed_function299$$SpringBoard + 114:

0xee7a2: tst.w r0, #255

130
0xee7a8: bl 0x10d340 ;
___lldb_unnamed_function1110$$SpringBoard
(lldb) p $r0
(lldb) register write r0 1
(lldb) p $r0
(lldb) ni

Microsoft Word - iOSAppReverseEngineering.docx

Get our desktop app

Company

Features

Documentation

Resources