Figure 6-20 R0’s evolution
Similarly, before “BLX.W _objc_msgSend”, the latest assignment to R1 comes from “MOV
R1, R4”, so R1 comes from R4; the latest assignment to R4 comes from “LDR R4, [R0]”, so
R4 comes from *R0, i.e. “action”, which IDA has already annotated in a comment. The evolution of R1
is shown in figure 6-21:
Figure 6-21 R1’s change process
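The register back-tracing just performed by hand (find the latest write to a register before the call, then resolve that write's source the same way) can be automated. The script below is an added example, not code from the book or from IDA; the listing is constructed, and only “LDR R4, [R0]”, “MOV R1, R4” and “BLX.W _objc_msgSend” are taken from the text, with R5 and selRef_action assumed as filler so that R0 resolves to self.

```python
import re

# Constructed Thumb-2 listing in IDA style. Only "LDR R4, [R0]", "MOV R1, R4" and
# "BLX.W _objc_msgSend" are quoted from the text; the other lines are illustrative.
LISTING = """
MOV     R5, R0               ; constructed: keep self in R5
LDR     R0, =selRef_action   ; constructed: R0 = &selRef_action
LDR     R4, [R0]             ; R4 = *R0 (IDA comments this as "action")
MOV     R0, R5               ; constructed: R0 = self again
MOV     R1, R4               ; R1 = R4
BLX.W   _objc_msgSend        ; objc_msgSend(R0, R1) -> [self action]
"""

def parse(listing):
    """Return [(mnemonic, [operands])] with comments and blank lines dropped."""
    insns = []
    for line in listing.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        op, rest = re.match(r"^(\S+)\s*(.*)$", line).groups()
        # split only on commas outside [...] so "[R0,#4]" stays one operand
        ops = [o.strip() for o in re.split(r",(?![^\[]*\])", rest) if o.strip()]
        insns.append((op, ops))
    return insns

def resolve(insns, reg, idx, entry):
    """Symbolic value of `reg` as seen by insns[idx]: walk backwards to the latest
    instruction that writes `reg`, then resolve that instruction's source the same way.
    Only MOV/MOVS and LDR are modelled; `entry` gives register values at function entry."""
    for j in range(idx - 1, -1, -1):
        op, ops = insns[j]
        if op not in ("MOV", "MOVS", "LDR") or ops[0] != reg:
            continue
        src = ops[1]
        if op.startswith("MOV"):
            return resolve(insns, src, j, entry) if src.startswith("R") else src
        if src.startswith("="):          # literal-pool load: address of a symbol
            return "&" + src[1:]
        m = re.fullmatch(r"\[(R\d+)(?:,#(-?\d+))?\]", src.replace(" ", ""))
        base = resolve(insns, m.group(1), j, entry)
        if m.group(2):
            return f"*({base}+{m.group(2)})"
        return base[1:] if base.startswith("&") else f"*{base}"   # *&sym -> sym
    return entry.get(reg, f"{reg}@entry")

def trace_msgsend(listing, entry=None):
    """For each BLX to _objc_msgSend, return (receiver, selector) expressions."""
    entry = entry or {"R0": "self", "R1": "_cmd"}   # Objective-C method convention
    insns = parse(listing)
    return [(resolve(insns, "R0", i, entry), resolve(insns, "R1", i, entry))
            for i, (op, ops) in enumerate(insns)
            if op.startswith("BLX") and ops and ops[0] == "_objc_msgSend"]

for rcv, sel in trace_msgsend(LISTING):
    print(f"objc_msgSend({rcv}, {sel})")   # prints objc_msgSend(self, selRef_action)
```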
So after restoring it, the first objc_msgSend becomes [self action], with its return value
stored in R0, right? Next, the code checks whether [self action] is 0. If it is 0, no further
action is taken; otherwise, it branches to figure 6-22: